Just repeat this procedure for every domain.
Find your distro: https://pkg.cloudflare.com/
For Ubuntu:
Ubuntu 24.04 (Noble Numbat)
# Add cloudflare gpg key
sudo mkdir -p --mode=0755 /usr/share/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-public-v2.gpg | sudo tee /usr/share/keyrings/cloudflare-public-v2.gpg >/dev/null
# Add this repo to your apt repositories (pick ONE of the two lines; both write the same file)
# Stable
echo 'deb [signed-by=/usr/share/keyrings/cloudflare-public-v2.gpg] https://pkg.cloudflare.com/cloudflared noble main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
# Nightly (use instead of the stable line above, not in addition to it)
# echo 'deb [signed-by=/usr/share/keyrings/cloudflare-public-v2.gpg] https://next.pkg.cloudflare.com/cloudflared noble main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
# install cloudflared
sudo apt-get update && sudo apt-get install cloudflared
mkdir -p ~/.cloudflared/mydomain   # one subdirectory per domain; cloudflared itself uses ~/.cloudflared (with the d)
cloudflared tunnel login           # pick the zone in the browser; this writes ~/.cloudflared/cert.pem
mv ~/.cloudflared/cert.pem ~/.cloudflared/mydomain/
# With TUNNEL_ORIGIN_CERT pointing at this domain's cert, the tunnel credentials file
# (<tunnel-id>.json) is written next to it; note the id and path that "tunnel create" prints
TUNNEL_ORIGIN_CERT=~/.cloudflared/mydomain/cert.pem cloudflared tunnel create mydomain-tunnel
# $HOME is expanded while the heredoc is written, so the config holds absolute paths
# (the ingress entries must be indented as below, it is YAML)
cat << EOF > ~/.cloudflared/mydomain/config.yml
tunnel: <tunnel-id>
credentials-file: $HOME/.cloudflared/mydomain/<tunnel-id>.json
origincert: $HOME/.cloudflared/mydomain/cert.pem
ingress:
  - hostname: mydomain.com
    service: http://localhost:8080
  - hostname: ssh.mydomain.com
    service: ssh://localhost:22
  - service: http_status:404
EOF
TUNNEL_ORIGIN_CERT=~/.cloudflared/mydomain/cert.pem cloudflared tunnel route dns mydomain-tunnel mydomain.com
TUNNEL_ORIGIN_CERT=~/.cloudflared/mydomain/cert.pem cloudflared tunnel route dns mydomain-tunnel ssh.mydomain.com
# Writing under /etc needs root, so pipe the heredoc through sudo tee. $HOME, $USER and the
# command substitution are expanded now, so the unit gets the real binary path and the
# account that owns ~/.cloudflared/mydomain (apt installs cloudflared to /usr/bin).
cat << EOF | sudo tee /etc/systemd/system/cloudflared-mydomain.service > /dev/null
[Unit]
Description=Cloudflared Tunnel - mydomain.com
After=network.target
[Service]
TimeoutStartSec=0
Type=simple
ExecStart=$(command -v cloudflared) --config $HOME/.cloudflared/mydomain/config.yml tunnel run mydomain-tunnel
Restart=on-failure
RestartSec=5s
User=$USER
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable cloudflared-mydomain
sudo systemctl start cloudflared-mydomain
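Since the notes say to repeat the whole procedure for every domain, here is an added example (my own, not part of the original notes and not cloudflared's code) that renders the per-domain config.yml and systemd unit from a few parameters. It assumes the layout used above: files under <home>/.cloudflared/<label>/, a tunnel named <label>-tunnel, and cloudflared installed by apt at /usr/bin/cloudflared. The function and file names are hypothetical; the login, tunnel create and route dns steps are still done by hand as above.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: render the per-domain
# cloudflared config.yml and systemd unit from parameters, so the
# "repeat for every domain" step is one function call per domain.
# Assumed layout (hypothetical, matching the notes): files under
# <home>/.cloudflared/<label>/, tunnel named "<label>-tunnel", and
# cloudflared installed by apt at /usr/bin/cloudflared.
set -eu

# render_tunnel_config LABEL DOMAIN TUNNEL_ID HOME_DIR [SSH_PORT] [WEB_PORT]
# Prints config.yml for one domain; absolute paths, no "~", so the file is
# valid no matter which account or service manager reads it.
render_tunnel_config() {
  local label=$1 domain=$2 tunnel_id=$3 home_dir=$4
  local ssh_port=${5:-22} web_port=${6:-8080}
  local dir="$home_dir/.cloudflared/$label"
  cat <<EOF
tunnel: $tunnel_id
credentials-file: $dir/$tunnel_id.json
origincert: $dir/cert.pem
ingress:
  - hostname: $domain
    service: http://localhost:$web_port
  - hostname: ssh.$domain
    service: ssh://localhost:$ssh_port
  - service: http_status:404
EOF
}

# render_unit LABEL DOMAIN HOME_DIR RUN_AS_USER
# Prints the systemd unit. RUN_AS_USER must own HOME_DIR/.cloudflared/LABEL,
# since cloudflared reads cert.pem and the credentials file at start.
render_unit() {
  local label=$1 domain=$2 home_dir=$3 run_as=$4
  cat <<EOF
[Unit]
Description=Cloudflared Tunnel - $domain
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/cloudflared --config $home_dir/.cloudflared/$label/config.yml tunnel run $label-tunnel
Restart=on-failure
RestartSec=5s
User=$run_as

[Install]
WantedBy=multi-user.target
EOF
}

# write_domain_files LABEL DOMAIN TUNNEL_ID HOME_DIR RUN_AS_USER UNIT_DIR
# Writes config.yml and the unit. UNIT_DIR is a parameter so a dry run can
# target a scratch directory instead of /etc/systemd/system.
write_domain_files() {
  local label=$1 domain=$2 tunnel_id=$3 home_dir=$4 run_as=$5 unit_dir=$6
  local cfg_dir="$home_dir/.cloudflared/$label"
  mkdir -p "$cfg_dir" "$unit_dir"
  # cert.pem and <tunnel-id>.json are long-lived secrets: owner-only access
  chmod 700 "$home_dir/.cloudflared" "$cfg_dir"
  render_tunnel_config "$label" "$domain" "$tunnel_id" "$home_dir" > "$cfg_dir/config.yml"
  chmod 600 "$cfg_dir/config.yml"
  render_unit "$label" "$domain" "$home_dir" "$run_as" > "$unit_dir/cloudflared-$label.service"
}
```

To use it for a second domain, run write_domain_files once per domain with the tunnel id printed by "tunnel create", for instance with a scratch UNIT_DIR and then sudo cp the unit into /etc/systemd/system, followed by the daemon-reload / enable / start commands above. The generated config uses absolute paths only, so it does not depend on whose shell wrote it.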
Install cloudflared on your local host, and to log in remotely to ssh.mydomain.com, do this:
ssh -v -o ProxyCommand="cloudflared access ssh --hostname ssh.mydomain.com" username@ssh.mydomain.com
# Or also (append with >> so an existing ~/.ssh/config is not overwritten)
cat << EOF >> ~/.ssh/config
Host ssh.mydomain.com
ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
User username
EOF
ssh username@ssh.mydomain.com
This way you will only be able to log in through Cloudflare: cloudflared on the server connects to sshd over localhost, so port 22 can be closed to the Internet, and clients never learn the server's IP. Lock the port down with ufw (the "allow 22" rule is temporary so an existing direct session survives "ufw enable"; delete it once login through the tunnel works):
sudo ufw allow from 127.0.0.1 to any port 22   # cloudflared -> sshd over loopback
sudo ufw allow 22                              # temporary, see above
sudo ufw enable
sudo ufw delete allow 22                       # only after SSH through the tunnel works
sudo ufw status numbered
Generate a new ssh key on your local host with ssh-keygen -t ed25519 and paste the contents of the generated local ~/.ssh/id_ed25519.pub to the remote ~/.ssh/authorized_keys
Then disable ssh password login and login through ssh key instead.
sudo nano /etc/ssh/sshd_config
...
PasswordAuthentication no
PermitRootLogin without-password # same as "prohibit-password"; use "no" for extra security. Create a user with sudo powers beforehand!
ChallengeResponseAuthentication no # alias of KbdInteractiveAuthentication on current OpenSSH
UsePAM no # also disables PAM account/session modules (motd, limits, expiry); PasswordAuthentication no already blocks password logins
GSSAPIAuthentication no
...
# sshd keeps the FIRST value it sees for a directive and sshd_config.d/*.conf is included
# before the rest of sshd_config, so a drop-in (e.g. cloud-init's on cloud images) can
# silently re-enable password logins
sudo rm /etc/ssh/sshd_config.d/*.conf
# Check the effective configuration for overrides
sudo sshd -T | grep -i -e passwordauthentication -e permitrootlogin
sudo systemctl restart ssh
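An added example (mine, not from the notes) that checks the result of the hardening: it reads the output of "sudo sshd -T", which is the effective configuration after all drop-ins are applied, and the output of "sudo ufw status numbered", and reports any setting that would let password or root logins back in, or any ALLOW rule that exposes port 22 to a non-loopback source. The sample outputs inside are constructed, not captured from a real host, and the function names are my own. It looks for kbdinteractiveauthentication, which is the name sshd -T reports for ChallengeResponseAuthentication on OpenSSH 8.7 and later.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: audit the effective sshd
# configuration and the ufw rule set after hardening. Both checks read
# captured command output on stdin, so they also work on a saved copy.
set -eu

# check_sshd_effective  (usage: sudo sshd -T | check_sshd_effective)
# sshd -T prints one "key value" line per setting after all Include'd
# drop-ins are applied, which is what actually governs logins.
# Prints one line per deviation; returns 1 if anything deviates.
check_sshd_effective() {
  local cfg rc=0 key allowed got ok v
  cfg=$(cat)
  while read -r key allowed; do
    got=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2; exit }')
    ok=0
    for v in $allowed; do
      if [ "$got" = "$v" ]; then ok=1; fi
    done
    if [ "$ok" -eq 0 ]; then
      echo "sshd: $key is '${got:-unset}', expected one of: $allowed"
      rc=1
    fi
  done <<'EOF'
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin no prohibit-password without-password
EOF
  return $rc
}

# check_ufw_ssh  (usage: sudo ufw status numbered | check_ufw_ssh)
# Fails if the firewall is inactive or if any ALLOW IN rule for port 22
# has a source other than loopback (cloudflared talks to sshd over loopback;
# anything else exposes sshd directly and bypasses Cloudflare Access).
check_ufw_ssh() {
  local rules rc=0
  rules=$(cat)
  if ! printf '%s\n' "$rules" | grep -q '^Status: active'; then
    echo "ufw: firewall is not active"
    rc=1
  fi
  if printf '%s\n' "$rules" | awk '
      /^\[ *[0-9]+\] +22(\/tcp)?( \(v6\))? +ALLOW IN/ && !/127\.0\.0\.1/ && !/::1/ { hit = 1 }
      END { exit !hit }'; then
    echo "ufw: port 22 is allowed from a non-loopback source"
    rc=1
  fi
  return $rc
}

# Constructed sample outputs (not captured from a real host) for a self-check.
sample_sshd_hardened() {
  printf '%s\n' 'port 22' 'passwordauthentication no' 'kbdinteractiveauthentication no' \
    'pubkeyauthentication yes' 'permitrootlogin prohibit-password'
}
sample_sshd_dropin_wins() {
  # what you see when a drop-in such as cloud-init's still sets PasswordAuthentication yes
  printf '%s\n' 'port 22' 'passwordauthentication yes' 'kbdinteractiveauthentication no' \
    'pubkeyauthentication yes' 'permitrootlogin prohibit-password'
}
sample_ufw_loopback_only() {
  printf '%s\n' 'Status: active' '' \
    '     To                         Action      From' \
    '     --                         ------      ----' \
    '[ 1] 22                         ALLOW IN    127.0.0.1'
}
sample_ufw_public_22() {
  sample_ufw_loopback_only
  printf '%s\n' '[ 2] 22                         ALLOW IN    Anywhere' \
    '[ 3] 22 (v6)                    ALLOW IN    Anywhere (v6)'
}
```

On the server, "sudo sshd -T | check_sshd_effective && sudo ufw status numbered | check_ufw_ssh" should print nothing and exit 0 once the steps above are done; a non-zero exit with a message names the setting or rule to fix, which is handier than eyeballing grep output after every change.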