SSH into private machines from anywhere using Cloudflare Tunnel

Can also use our auditable terminal so no need for an SSH client: https://blog.cloudflare.com/ssh-raspberry-pi-400-cloudflare-...

Thank you for the link.

Do you have a Cloudflare on first page of HN alert?

And will Cloudflare Tunnel stay free and included for free accounts?

> Each port is also limited to a single machine, so you'd have to choose a different port for a different machine.

I would probably set up one gateway machine, and then from that machine log into other machines on the network; instead of exposing them all to the Internet. SSH allows you to chain logins thus:

  ssh -A -t user@public-gateway ssh -A -t user2@server-behind-dmz

It's a lot less work to lock down one machine really tight enough to expose them to the public Internet than to do it on the entire network.

I have code that monitors Hacker News comments for mentions of various things (including cloudflare, my username). It runs once a minute and uses https://hn.algolia.com/ to find new comments. I actually saw this was on Hacker New via Twitter.

https://blog.cloudflare.com/tunnel-for-everyone/

Use -J or ProxyJump in .SSH/config for a modern equivalent

I guess my bash aliases are a bit oldfashioned :P

Can we stop posting stuff that makes even more people give the keys of their house to the BigCorp cartel?

> Question: do you use a different tool which require no maintenance or cost to run?

Answer: ZeroTier -- on Mac, Linux (home & cloud), Windows, Android

I actually setup DNS entries resolving to private IPs as configured in ZeroTier so I didn't have to login to dig them up but my default DNS provider won't resolve them. I guess newer ZeroTier versions optionally have DNS covered these days but I haven't looked into it.

IIRC, I tried both ZeroTier and Tailscale but at the time Tailscale did not yet have a simple setup to run as an unattended Windows service (and still does not have the equivalent for Mac). Being able to access a machine without staying logged in was table stakes so I decided Tailscale needed more time to bake.

Downsides I'm aware of:

- Less attention to their encryption implementation than the current hotness (WireGuard).

- Did not work with minimal effort from the local public library.

- Mac Activity Monitor shows unexpectedly high amounts of traffic even though I use it very rarely, it's not clear what's going on within that network. As in currently 100's of MB's I can't think of why would have passed through.

- It's 50 hosts + 1 admin per network for free, unlimited networks (unless you setup your own "controller"/proxy).

Re: access control brought up in another comment contrasting exposing only SSH vs. VPN connections, ZeroTier includes some off-puttingly complex access control configuration mechanism I will probably never look into.

Hope this detailed anecdata helps someone, I'm glad to be in a position to try to give back to the community by sharing my experience. Any other ZeroTier gotchas would be appreciated in case I have to dodge something in the future. I debated setting it up as permanent "route-all-internet-access-back-through-home-internet" VPN on my phone but was scared off by the complexity of setting up routing/bridging on the endpoint at home.

You can also do this using the Tor network, by setting up onion services.

Tailscale (https://tailscale.com) is a great solution for this use-case. It's also just an absolutely excellent experience overall and I can't say enough nice things about it.

Wow, that commenting system is so nice. I was looking for something like that! Amazing :)

Edit: it sees https://utteranc.es/ is used.

Unfortunately the cloudflared software, while the source is available on GitHub, and there are pull requests open and accepted for it, is not under an open source license, and the license it is under does not allow modifications, so any modifications (including the aformentioned pull requests) are contrary to the license and thus copyright law and thus illegal. The issue I filed about this is still waiting for action since October 2021.

https://github.com/cloudflare/cloudflared/issues/464

If you like this, you’re gonna love Tailscale https://tailscale.com/

Correct link: https://utteranc.es/

Their documentation is excellent too. Also worth mentioning the open-source derivative: https://github.com/juanfont/headscale

Can be used for the same, but serve kind of a different usecase.

Tailscale scan your host for all open ports and open a WireGuard connection between the installed machines. Like every machine is on the same network, even if they are not. Way harder to have a good access control compared to plain SSH. And you don't need extra SW for just SSH.

Thanks for pointing this out as it does appear even taking the source and applying a pull request ones self does break the license.

Just to clarify: many pull requests have been accepted and would thus from my perspective be covered by the license as having become part of the software.

Caveat: did not dig deeply enough to check if it's mostly Cloudflare employees developing publicly, etc.

Edit: worth mentioning here on HN customer support as well that 'opensource@cloudflare.com' is misconfigured.

Why would I use someone elses tool to just do the same thing I have autossh running (in a script that gets restarted if it dies) doing? You can do this if you own a server on the net, or with a free tier at AWS/GCE/Azure. I feel, not sure, "dirty"? pulling down some client that I am unsure exactly what it is doing from cloudflare just to enable a reverse ssh tunnel.

Same, zerotier on everything. Router, laptops, servers, phone. It makes things very easy to connect without public addresses.

PS: I note cloudflared uses some form of telemetry, although I have not looked at what data is transmitted and didn't try to remove it after seeing the above license.

PPS: I wish cloudflared were split up into client and server instead of one binary for both, it would be easier to audit and understand that way.

PPPS: I noted while auditing that cloudflared embeds its dependencies instead of depending on them and uses some golang libraries that are obsoleted.

Personally I’m happier to use wireguard to access my network. I don’t know when I’d ever want a pure SSH tunnelling solution.

This article is specifically about using cloudflared to implement a tunnel without exposing anything to the public internet, which is definitionally extra software. Agreed however that Tailscale offers a much wider feature set—while also covering the basic "I want to access my machine from anywhere" use-case—at the cost of exposing an entire machine instead of a single port.

Most people here work for BigCorp cartel or aspire to do so

hearing this I'm not sure I want cloudflared inside my network at all

it's already vast... and telemetry always seems to be the thin end of the wedge

a minimal version, not maintained by the company, under a proper open source license with no bullshit and a vastly smaller attack service would seem like a easy win...

(and even better if it supported more service providers than just cloudflare... killing their lock-in)

I've been using tmate for quite a while and it works great, minimal setup needed.

Can anyone shed some light on the pros/cons of each?

Aaaand rate limited.

Breaking a contract is not illegal. Seems to be a common misconception.

Cloudflare Tunnel uses Wireguard under the hood.

Or just use a Tor Onion Service.

Hello from the Cloudflare team - thanks for the nudge. We're in the process of migrating away from the proprietary license to an Apache license. We'll update the GitHub issue too; should be wrapped up in the next couple of weeks but likely sooner.

Its copyright law that is being broken here that makes it illegal, not breaking the license/contract.

In civil law countries it is. Also you can be sued for it.

Excellent, thanks for the update. Apache isn't what I would have chosen but is reasonable enough.

No, pull requests are not illegal, at least when done on Github, because by posting code on Github (that you are allowed to post) you grant Github and its users certain rights:

https://docs.github.com/en/github/site-policy/github-terms-o...

> By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of Content from your repositories in repositories they control).

That license doesn't allow modifications, which is what pull requests are. The forking thing is only about making copies, not modifications.

I love Tailscale, but it’s not really designed for public tunnels. You can do it, but you typically need to provision some kind of proxy with a static IP (most likely cloud based) to handle your public stuff.

wasn't that the idea of ssh to begin with?

This configured system, unlike the rest of the way CloudFlare works with http, is actually end to end encrypted.

Could you also provide an update on this issue about the Cloudflare open source contact address?

https://github.com/cloudflare/.github/issues/13

I use ZeroTier, but only with Linux boxes (also used on a Mac when I had one), so instead of DNS I use nss-mdns and avahi. It is enough to install and it just works - computers are available under $HOSTNAME.local.

If you are all about self hosting, here’s my method (disclosure, I made this tool):

1. Run https://github.com/antoniomika/sish on any free tier instance or fly

2. On server, ssh -R anythinghere:22:localhost:22 sishinstance

3. On client, ssh -J anythinghere sishinstance

The tunnel is kept internal to sish, meaning it isn’t exposed to the open internet. You need to auth first to sish (using SSH) and then auth with your server (using SSH) as well before you can gain access.

You can get virtual server for $4/month. Installing proprietary software and registering to some service, that may "upgrade" to premium tier anytime, is pretty off-putting.

You mean, like just login to a server without going through layers of cloud providers? How would that work?

For real, I can't imagine running a straight port 22 ssh service on the modern internet, but I'm usually happy just moving it to an unprivileged port for obscurity on personal equipment (plus some other common sense hardening of course). For work stuff, I'd feel naked without some sort of VPN and it seems that's essentially what these services are.

Please explain? I've googled your sentiment and have found some links but not many answers. Breaking a contract is just as illegal (~ against the law) as breaking the law? This follows trivially from contract law being a part of law. More substantive: Both contracts and laws proscribe actions. One can find remedy for breaking either via the legal system. (Obviously the severity of punishment can differ several orders of magnitude.) Only if you limit 'illegal' to criminal law you might be right in some jurisdictions.

shameless self-promotion: https://sshreach.me

We have a ssh reverse-forwarding based solution. And unlike the Cloudflare solution you don't need to "give the keys of your house" (as someone here commented) to reach your private machines.

You can remotely open and close the tunnels through our web interface or our web API.

Plus, we have web API-based automated deployment solution if you have many clients.

If they upgrade to premium tier, set up your virtual server then. Your total cost, $0 for the duration it's free + $4 * the rest is still lower than $4 * lifetime, and the cost for switching is only going to be marginal.

you can get them for even less: https://lowendbox.com/

I suppose you can modify the code, but not use it (compile) as such?

It's much easier, much cheaper, and does not rely on a centralized cloud vendor. Here's how to do it in a few lines:

    apt install tor
    echo HiddenServiceDir /var/lib/tor/myserver\
    HiddenServicePort 22 127.0.0.1:22 >> /etc/tor/torrc
    systemctl restart tor

Now tor is generating the keypair for the server. It will take a few seconds: once that's done, read the onion address from /var/lib/tor/myserver/hostname and you can start using it from the client, either with explicit ssh proxy config or with global client SSH config AutomapHostsOnResolve which enables to transparently map .onion domains to local IPs that the tor daemon will tunnel right over to the onion.

Bonus point: you get automatic certificate verification as part of the onion name itself, and you can also restrict the tor server configuration to allow only specific public keys (those who don't have them will not even reach sshd).

The crypto part of ZeroTier is getting some love soon but we are taking our time to get it right and get peer review. Implementing ideas from WireGuard and Signal.

Also the pricing is for our controller SaaS. If you want to self host controllers you can for free. There is a free community developed control panel somewhere.

Maybe an improvement:

s/http/https/

-or-

s/http/SSL/

since http is technically often referring to unencrypted port 80 transport.

That's how we do it where I work. We have a bastion server we SSH into to access other systems in the network.

Pretty easy to setup SSH to use it to hop through with just one command.

https://www.redhat.com/sysadmin/ssh-proxy-bastion-proxyjump

Managing expectations re:v2 is not going well for me. I wasn't really aware WireGuard-ish crypto improvements were happening (hire the personalities™ freelance ASAP or at least for review), and timeline is basically a punchline at this point... I recommend just owning both (edit: start today!) as 'when it's finished' on the front page if you want to appeal to techs.

I updated re:free, thanks.

Their appear to be two (Node.js/GPL3) control panels: https://github.com/key-networks/ztncui and https://github.com/dec0dOS/zero-ui

I think the misconception is between civil law and criminal law.

Why use a virtual server if you want to connect to your home network?

Never heard of Wireguard, so I went to their website and for a half second. I thought I cracked the screen on my new phone, because of their freaking background image....

But, it looks interesting. I'll have to check it out more.

Genuine question; I’ve got a static IP (v4) to my only server that I run at home. Are there any real benefits I gain to using tools like this one (or Tailscale et al)?

Thanks, I was struggling to do this 2 weeks ago, since I use cloudflare tunnel for everything. Had to resort to another service. This will be super helpfull.

> By the end of this post, you'll be able to run: ssh $machine_name from anywhere ... a service by Cloudflare ... will filter traffic to your machines through Cloudflare's network, including authenticating you ... your machines won't directly be exposed to threat actors and "1337 haxors".

Won't they be exposed to CloudFlare?

CloudFlare CEO has personally said:

https://www.bizjournals.com/sanjose/news/2013/09/12/cloudfla...

that the company may be required to hand over data to the NSA, and would not be able to tell clients/users about it.

I have IPv6 at home with port 22 opened for one of my home server's IP's. But my work internet connection does not have IPv6 at all (lol) so I use one of my VPSes as a jump host.

Neither copyright law nor the license allow modification, so probably not.

That's unfair! Many of us also own stock in them.

So will cloudflare be able to ssh into my machine from anywhere? I dunno I just use ssh to ssh into my machines works pretty well so far but I have only been using it for the past 20 years.

I'd take a big pay cut to work for a co-op, green energy focused or other social/ecological good company. I just don't wanna work for a startup.

Uh, so I just realized how we are discussing how developers submitting pull requests to this project with this license are basically demonstrating publicly performance art style that they've broken copyright law. Or we give the benefit of the doubt and assume they are not testing their changes at all.

And then some people will come to rely on it, and then some will eventually get blocked due to protection rules misfiring, but it's all free service so not much point in blaming the company. Gmail story waiting to repeat?

what do you mean by public channels? if I was trying to ssh into my machines it works wonderfully for dns resolution.

In this specific case you might be correct but in the general case this is not true. The uploader agreeing to something does not affect the rights of other authors than the uploader.

So easy to set up too with docker. You can even generate a QR code to easily set up a mobile device. You do need a domain name, DDNS, or a static IP and the ability to port forward from the router

My home network has a dynamic IP. I'm using a home-baked dynamic DNS thingie, but a virtual server with a fixed IP could work too. Would update for the new IP much faster now that I think about it.

> This follows trivially from contract law being a part of law

That does not follow trivially. Contracts themselves are not articles of contract law.

“Your server creates a forwarding ssh tunnel to one of our publicly visible forwarding servers” seems like a huge risk for somebody else to own these “forwarding servers”. Worse than giving keys to your house? I dunno.

you may be interested on zSSH then. apache v2.

https://github.com/openziti-incubator

enables ssh without exposing sshd ports to the networks.

disclosure: founder of company who builds products on OpenZiti open source

Not a lawyer, but it seems like it could be implied-in-fact that you're allowing people to submit pull requests if you publish on GitHub. https://en.wikipedia.org/wiki/Implied-in-fact_contract

I'm under the impression that this is against CloudFlare's ToS, otherwise I'd probably be doing it myself.

See section 2.8 "Limitation on Serving Non-HTML Content." of their subscriber agreement:

use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service.

Last I checked, SSH is non-html content. I even opened a support ticket with their support, specifically asking about SSH and other traffic and this is what I received: So if no matter what service you use, Once you breach this rule it will be applied.

EDIT: Looks like the CloudFlare CTO has clarified things below that this usage does not in fact violate the ToS.

I use this alias in my .ssh/config to connect through a gateway machine:

    Host myserver
        User user
        ProxyCommand ssh -q public-server nc -q0 private-server 22

I can't remember what these flags actually do but they seem to get the job done

everyone believes that statement because?

> Question: do you use a different tool which require no maintenance or cost to run?

I run Wireguard, Tailscale and Yggdrasil on my home network.

That's for Cloudflare's CDN/reverse-proxy service.

This is the correct one for Cloudflare Tunnel: https://developers.cloudflare.com/cloudflare-one/connections...

Because in two weeks time if it's not done you can come back here and yell at me.

Cloudflare tunnels expose ports publicly.

Tailscale must be properly configured on your client machine to access machines/ports on their respective private Tailscale network(s), setup of which typically requires administrative intervention. Without bridging to a public network, services exposed to the Tailscale network are not accessible publicly.

Tailscale does offer user-mode clients so it can be used similarly to SSH by those allowed to connect (I don't know how difficult user-mode Tailscale is without admin setup on various operating systems).

It was strange reading this comment on Hacker News..

You will also find comments from CloudFlare folks here which suggests this use-case is sanctified.

Why not just run Wireguard on a raspberry pi, set up DDNS to send your home IP to a Dynamic DNS provider (if you're on a dynamic IP), and then SSH to your machines at home using keys (instead of passwords)?

Setting up a Pi and running the Wireguard install script is about half an hour of work.

I want to love ZeroTier, but after wanting to contribute and reading some code I decided I'd rather use another VPN tech. Not saying it isn't good, but it was very incomprehensible and didn't look modern and nice, which the product should be.

No firewall holes.

Managing expectations re:v2 has been a total failure on our part. We put far too many things in one basket. But the work is still happening.

Learning moment for us: don't give timelines and don't reveal too much. Just say "when it's finished." Only Elon Musk can use Elon Time(tm). :)

Edit: we also promised some things that are just brutally hard, like fully decentralizing the root backplane via full data set replication. We are still working on that but it proved tougher than we originally thought, especially in light of scaling needs and security concerns. Some interesting technology in development but still in private repos.

Our competition just builds SaaS with a single controller run by a single entity. That's easy. We make it hard on ourselves by trying to keep going on the decentralization and control your own security boundary mission. Part of why everything is getting centralized into silos is that that's just so easy to engineer.

Which router support ZeroTier? Or are you using a custom router firmware?

Have you seen http://cactus.chat?

Hacker News hasn't been very "hacker" in a long time. Still a decent place for tech news.

This seems to be the license for cloudflared. But when you use cloudflared to create a tunnel via cloudflare network, aren't you also bound to Cloudflare's ToS because the software itself is useless without using the service provided by Cloudflare?

I am literally Cloudflare's CTO. I'm pretty sure I know that using Cloudflare Tunnel for SSH isn't a violation of our service.

I knew cloudflared could support https but never knew it works with other protocol as well.

TIL `ProxyCommand cloudflared access ssh --hostname %h`

I assume in this way we can even host mincraft servers (or any binary TCP protocol service) with cloudflared?

I also use ZeroTier for a few years now. Very useful. Unfortunately my current ISP use NAT instead of giving their subscribers routable ip address. This means ZeroTier reverts to using an external relay when accessing my machine from outside, which is very slow and has very high latency from my country.

So in addition to ZeroTier, I use AutoSSH [1] to setup and maintain a persistent ssh tunnel on a high port on my vps. It's a lot faster than ZeroTier's relay because the vps is in a neighboring city instead of in another country. It's pretty reliable too, automatically reconnect when the tunnel is down. I'm still using ZeroTier for backup connection though.

Simply use `autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -v -N -R 22222:localhost:22 user@my-vps-domain` to forward port 22222 on your vps into your local machine. I also configured a supervisord instance to automatically start it on my machine so it'll always running.

[1] https://linux.die.net/man/1/autossh

best reply ever, totally made my day.

I'm using Deviceplane for this right now - it's designed for embedded linux machines but could be used on any linux distro. Is anyone else using Deviceplane still? It seems the project has gone dead, though the website and github pages are still up.

I like it because of the easy web interface, and ability to tag / organize machines. Authentication is really simple.

https://deviceplane.com/

the cf tunnel key was separate than your sshd key, there is no leak here. It's just a way of port forwarding upon a CDN network.

Ah, good to know. Thanks!

Thanks for the clarification! Might want to educate your support staff a bit more so they can provide the same clarification.

This was my assumption as well given the tutorials and such available on your site. I was confused though and so reached out for clarification.

Contracts themselves are not articles of contract law. - This is true, but the concept of inheritance holds.

'Illegal' ~ 'against the law'. What is doing something against the law? Doing something the law states you are not allowed to do. So in practice under continental law (Napoleonic / Germanic) a law states "do X" or "leave Y" and doing the opposite is illegal. Then, if the law states "you must (under good faith) fulfill your contract" and you do not fulfill your contract ... that's illegal. A legally binding contract has the force of law for the signing parties.

Nice! Thanks for the tip

Thanks for sharing this insight, it's good to have even an inkling of how the sausage is made.

Unfortunately it doesn't work if you're behind a NAT due to shitty ISP, like me. I use AutoSSH instead to expose my local machine's ssh port on a high port in the gateway machine: `autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -v -N -R 22222:localhost:22 user@my-vps-domain`

ServerAliveInterval 30 is important because my ISP often drop idle connections, often not even 1 minute idle. Can probably tweak it to listen to a localhost only port instead of exposing them to internet.

I tried using Zerotier a few years ago for personal devices/homenet (~10ish devices) and it frequently dropped/disconnected to the point I uninstalled. The Windows client was buggy/quirky and would get into a weird state where I couldn't click on a network to connect/disconnect properly and the app would have to be closed and client restarted before it would work properly again.

Ive since set up wireguard and use nginx for reverse proxy and haven't looked back. This has been rock solid, set and forget.

IPv6 tunnels also help

Hey mono-bob :), it really is cool, I only added it last night. I used to use utteranc.es, but now I use https://giscus.app. It's like utterances, but allows comment threads and reactions to the page (likes/emojis).

I use an SSH key to connect, so I assumed the traffic itself is end-to-end encrypted. However, I would like to be surer of this.

Curious about this; is it the patent clause? What would you have picked - mit/bsd?

This sounds a lot like https://tunnelto.dev/, which I've used and generally like. I'm not knowledgeable enough to know what, if any, the differences are, though.

goteleport.com is OSS, does this with certificates, not keys, and has a free community edition. No contracts to break.

My virtual server is $1.67 a month (buyvm.net)

My home firewall blocks all traffic except for incoming SSH from 3 IP addresses in the world. One of those is my virtual server.

If I'm in a hotel with my laptop I run the first command to set up an SSH tunnel to my "home" computer through the cloud virtual server. That listens on my laptop to port 8888 and forwards it through the cloud virtual server to my home computer's SSH daemon listening on port 22

ssh -X -f -C -L 8888:home.mydomain.com:22 -N user@cloud.mydomain.com

ssh -p 8888 user@localhost

not sure where you're getting the idea you need admin intervention for tailscale. I've never needed to do anything beyond authenticate the machine with my account. tailscale has NAT traversal built into it.

If your network firewall is preventing the tunneling process, then that's on you. and if its not on you and its a company decision then its VERY unlikely they'd be okay with cloudflare's publicly exposed ports.

Another ZeroTier user. Runs on few devices flawless.

As someone who watches this space closely and recommends Cloudflare Tunnel regularly, this is fantastic news.

Do you know if it will be feasible to add Cloudflare tunneling to 3rd party Golang apps?

You can build a physical server for $500 once. Relying on proprietary hardware and registering to some service, that may "upgrade" to premium tier anytime, is pretty off-putting.

Why is it always the free software people who are the most judgemental about what I do with my software and who I trust with my time and money? AWS and Microsoft never gave a shit about what other vendors I'm in bed with.

I like your GNU license, I do not like your GNU license people.

FWIW your "decentralize until it hurts, then centralize until it works" is one of my favorite slogans, and I appreciate y'all making the effort.

You can also get a domain name for $4/year and completely own your content, but nobody does that either.

It's nice to hear that someone cares about this. I feel like a lunatic howling at the moon. We think decentralization (actual decentralization) is a good thing, but it would be so easy to just run a cloud silo. Everything becomes totally straightforward and simple.

I also hate the way scammy cryptocurrency shonk has sucked all the air out of the room on this topic, especially since most of "web3" is not even decentralized. Most of it goes through a few companies' centralized hubs. Total hot air. I'm thinking about trying to coin a new term for actual decentralization.

Nobody thought you were figuratively cloudflares CTO.

“I’m literally never going to stop misusing this word.”

The crazy thing the OSS people have been right about the invasion of privacy and money grab of the modern internet.

Hold up. I follow this space closely (I maintain the list of tunneling tools linked in OP). Everybody I've communicated with has been operating under the assumption that section 2.8 applies to Cloudflare Tunnel. See for example my post on another thread yesterday [0]. Are you saying this isn't the case? Is it even possible to use Tunnel without going through the CDN?

[0]: https://news.ycombinator.com/item?id=30259902

If you're using ddns why do you need WireGuard at all?

Your internal computer is still protected by password and/or public/private key-pairs, so even when the tunnel is open nobody can enter your computer without having those.

It is _your_ computer that makes connection to our servers, so you are in control of everything and there is literally nothing on our forwarding servers that would allow anybody to enter your computer.

I believe they use WireGuard internally but the client connections are terminated over HTTP/2 frames, with QUIC support in the works.

https://blog.cloudflare.com/getting-cloudflare-tunnels-to-co...

It's not clear to me what is allowed. Would I risk a termination if I used the service to proxy ~500 GB per month of video content?

(I'm looking for a way to get around bad traffic shaping I get in the afternoon between two locations streaming live TV.)

WireGuard is great and is not too difficult to setup on something like a RPi. I have one running on my home network which lets me access my local network remotely, including access to my local media server. I have another one running at my parents' house for times when I need to RDS into their windows machines for troubleshooting, or if I need to tweak settings on their router. You can also configure your clients (phone, laptop) to forward all traffic through the tunnel, which then secures your connection for when you're over an untrusted/public wifi.

What I'm saying is we specifically allow people to use SSH with Cloudflare for Teams: https://developers.cloudflare.com/cloudflare-one/tutorials/s...

The original comment above implied that using SSH with Cloudflare Tunnel was somehow forbidden.

I set up something similar using ZeroTier "public" networks and the libzt Python userspace library.

My use-case was to allow bitbucket hosted instances to connect to private instances in my infrastructure to push code to as part of the build pipeline. They way they are running Docker at bitbucket, you can't run the normal zerotier processes (IIRC, it wasn't allowed to create a tun/tap device).

The zerotier public networks are networks that anyone can join given the network ID, without requiring an admin to authorize them.

I wrote a python-based "ztproxy" [1] which you can call from SSH as a ProxyCommand like: `ProxyCommand /usr/bin/python3 /path/to/ztproxy /tmp 1234567890abcdef 9994 10.3.2.1 22`. On top of that I had SSH public key authentication of both the remote host and the local user, so even if the network ID was exposed, it wouldn't have been wide open. I also had ZeroTier network level rules that only allowed the SSH traffic.

[1]: https://github.com/linsomniac/ztproxy

What are you giving Cloudflare here? You're running a tunnel daemon and piping a network process to it. There's no exchange of for example your private SSH keys.

If anything this is letting people more easily self host their own version of 'BigCorp cartel' apps like mail, code hosting, etc.

I am utilizing a Tor hidden service to access LAN services from the internet.

It is free, runs on my hardware (Raspi Zero) and I do not have to open ports.

With client authentification, only clients with a certain key can access the service.

How do I achieve the following related task with minimal effort?

I have a domain and VPS. I want to expose a local dev server running on my laptop to something like mydomain.xyz/something temporarily. I want to host it myself and would prefer open-source tools.

Ah ok I misread your comment as implying the CDN ToS doesn't apply to Tunnel. It doesn't if you aren't using it (ie SSH), in which case only the Tunnel ToS applies, but otherwise both apply.

Minimal effort is use Cloudflare Tunnel (it supports more than SSH, including HTTPS). For self-hosted alternatives check the list linked in OP.

Lookup SirTunnel and Boringproxy on GitHub

With passwords disabled and just using key authentication, is there a big risk of just doing a straight port 22 ssh?

Genuine question, my knowledge of server security is low-to-middle.

I get the thought, you can build something now that is guaranteed to have a fixed cost, or you can risk going with a free product that might surprise you, causing you to rush to replace the solution with a tight deadline.

Just look at all the people panicking with the free Google Workspace shutdown.

SSH into the VPS from the laptop with port-forwading:

ssh -R 8000:localhost:80 mydomain.xyz

Now you should be able to access your local laptop on port 8000 of the VPS. There are a few easy steps you can add if you want to make it a bit more ergonomic or permanent. If you don't want to use an alternate port, you can just forward the port on the VPS with iptables.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8000

If you want the link to be more permanent, I'd suggest using wireguard instead of ssh. That's a little more effort, but not ridiculous.

It's important work. I wish we had better infrastructure for incentivizing things that are beneficial in the long term.

And don't even get me started on web3.

I went ahead and beefed up the ZT entry in the list[0] a bit.

[0]: https://github.com/anderspitman/awesome-tunneling

I feel like CF is conducting a guerrilla marketing campaign on HN. I've seen so many posts about tunnel in the past few weeks.

There was a Cloudflare article posted a couple of days ago, I'll post my comment which agrees with you, Wireguard and a cheap VPS are hard to beat: "Similar, I use a cheap AWS Lightsail VPS $3.50 (Lightsail has DDOS protection)-> Wireguard -> Apache Reverse Proxy mod -> my local services."

I think tunneling is going to be the core of the real web3 over the next 10 years, and my current primary side project is banking on it.

Imagine if you could take an old Android phone, install a Nextcloud app, do a quick OAuth2 flow to set up a tunnel, and now you have 100GB of cloud storage, sync, calendar, etc all running from a desk drawer.

Port forwarding is too hard. DNS is too hard. IPv6 is going to take another 10-100 years and people will still have to figure out how to manage firewalls.

IMO web3 is going to come by lowering the barrier of entry to self-hosting.

A core offering of Cloudflare Tunnel is the ability to host web servers through tunnels. Tailscale requires you to run your own reverse proxy on a publicly-accessible node in order to accomplish this.

tailscale user here.

the tailscale devices you see are only accessible by other devices on the same tailscale network.

S/he's talking about accessing those machines from OUTSIDE that network. That's what would require admin intervention. So for example if I have a webserver on my home LAN that has Tailscale installed and authenticated, then sure, I can access that webserver from any of my other Tailscale devices from anywhere. But if I want a friend to be able to access that webserver without first being authenticated to the Tailscale network... Do you see the problem, yet?

I can use virtual server for many things (backup, vpn, webservices...) not just port forwarding.

Cost of my time for reading contract and learning new proprietary tool is not worth it for several years.

Cloudflare is arguably better from big tech. But cost of deployment some binary package on confidential server, keeping up with their marketing bs, etc is simply not worth it.

I mean if I wanted to host a public blog on my private infrastructure, Tailscale alone isn’t going to cut it. I would have to make a instance on a cloud provider to allow public ingress, and I have to setup and configure Tailscale on it to allow it to punch a hole into my walled garden. If I just want plain VPN access to my instances from wherever, then that’s when Tailscale really shines.

Sure. Just make IPv6 work everywhere flawlessly, and then all of our devices can easily access all of our other devices, we can use whatever DNS scheme we want to return the IPv6 addresses to those devices, and then we won't need to punch through NAT firewalls and routers to reflect off corp-owned servers just to access machines trapped behind NAT firewalls! What could possibly go wrong?

I use a similar setup. The VPN is needed because it is the only port accessible outside my network. Wireguard is easy to setup right, and I already need it for accessing other stuff on my home network.

Potentially a dumb question but is it a bad idea to just use port forward 22 and use a (free) dns service? Can then ssh with a key as normal no?

This is not my experience having recently set up web servers in a cloud virtual network with no inbound ports open. I can tailscale in and connect to web servers behind traefik configured to use the dns-01 challenge. The only way to access these webaps is through tailscale.

Sorry I meant specifically public web servers, ie hosting a website or sharing a Jellyfin server with your family without requiring them to have Tailscale accounts.

I clearly understand that problem. but I'm just going to assert its not what you actually want. nor is it related to accessing ssh where you most definitely don't want to expose the port.

for starters, what you're describing is a load balancer. those already exist and are trivial to setup.

you want a load balancer for that use case. not a VPN. this article is about SSH not a public blog.

> Question: do you use a different tool which require no maintenance or cost to run?

Tailscale - does everything outlined here, free for 20 devices plus a full subnet router.

Wireguard needs an endpoint

Yes, please only use this!

The big advantage of this (over ssh user@host1 ssh user@host2) is that the jump host only sees the encrypted inner connection – it doesn't get access to the client's SSH agent/keychain, nor to the target host (host2) or data transmitted over the connection.

> Contracts themselves are not articles of contract law. - This is true, but the concept of inheritance holds.

Of 'inheritance'? What does this mean? Are you trying to apply the rules of OOP to contract law, as if an individual contract were an instance of contract law...?

ProxyJump is slightly preferred in modern SSH. Does what you're doing, but with simpler syntax. Take a look.

If I understand GP correctly, the goal is to SSH into an RPi on a home network. Since they mention DDNS, it's implied that they're connecting directly to their home router. What I'm saying is why not port forward directly to the RPi?

I'm talking about the one-time initial setup of the Tailscale client software.

Can you download and run Tailscale on a Windows client without Administrative access to install the software (setup the virtual NIC)? An SSH client is just a user-space app.

Please add webhooks for ZeroTier network endpoints coming online or going offline! I think some existing formal feature requests for this already exist?

Absolutely love ZeroTier!

I actually am familiar with takingnames.io and boring proxy! I found it the other day when I was searching for the easiest way to self-host my own side project. I think you've got something promising and I encourage you to keep working on it. Ultimately, for my use case I went with fly.io just because it was so damn easy to use.

I am hesitant to commit to a tunnel-based approach because where I live I get frequent power/internet outages. I feel that tunneling is something I would explore if my application grows to the point where I would need to rent space in a colocation.

Right on. fly.io is awesome.

I don't think tunneling is necessarily a great for hosting large-scale things or businesses that need to stay online 24/7. Self-hosted services for friends and family or maybe small communities seems like the best use case.

It's annoying but ok if your media server goes down once in a while.

Wireguard, with dynamically-updated DNS resolution to a residential IP is very solid for a free tier and has the key benefit of zero third-party (i.e. not controlled by you) dependencies, other than the IP provider and the DNS resolver, which is a commodities business with low switching costs. Cloudflare is very nice and will be around for a long time, but it's still a third party dependency.

As it boils down, the OP's solution is "free" as in money but not as in freedom for a certain set of requirements.

Basically, going with CF trades-off some freedom for the considerable/legitimate protection benefits of being under the "cloudflare umbrella". It's probably a good trade for this moment in time. But rational people can disagree about whether it's a good trade when you broaden the time horizon to 5, 10, etc. years.

Like all things, it depends on the requirements you're building for.

No one uses Nebula [1] developed by Slack?

> Nebula is a mutually authenticated peer-to-peer software defined network based on the Noise Protocol Framework.

It's self-hosted and I think it's a great alternative to ZeroTier, or Tailscale.

I believe its been powering Slack's overlay network for ~5+ years.

[1]: https://github.com/slackhq/nebula

I've seen servers get hit with so many ssh login attempts that it runs out of resources to respond, effectively DOSing ssh at least. Moving it to a high port usually cuts out all the chatter.

I used it for a while, but found it to be unreliable. Sometimes my Raspberry Pi’s became unavailable through the nebula network. I had to ssh into the Raspberry from home network and restart the nebula service. This happened once a week or so on Zero W, so I tried Tailscale. It was much easier to set up than Nebula and works better for me so far (3 months).

YMMV, of course.

What about mosh?

no but you also wouldn't want to allow that. just like you wouldn't want to expose a SSH socket to the world in most cases.

This seems to be a cool service, I was actually thinking of creating something similar (but was deterred by the hassle of setting up billing and user management apart from the interesting technical stuff). I sometimes get asked by someone not owning a server/account they can use for ssh -R 0.0.0.0:1234:localhost:22, who are behind NAT and need to publish some service on the internet.

Why is the traffic rather limited? You seem to be hosting it on Linode and they offer like $5/TB traffic, I think you could easily offer several times more traffic, at least with the bigger plans.

In civil law countries, a contract is the law between parties.

You can directly expose the port to the internet, not only localhost, with ssh:

- put "GatewayPorts clientspecified" into /etc/ssh/sshd_config, restart sshd

- ssh -R 0.0.0.0:8000:localhost:80 (the first parameter is the address where the tunnel should listen -- you can also pass something like 192.168.0.123 and expose it only to LAN etc.)

It's then reachable on your_vps:8000.

If you need it on the "correct" port and you are already running some other webserver (so you need to share that port), you need to set up a reverse proxy based on hostname or URL. I personally use haproxy, but for example nginx can do it too.

Because in some countries, like .cz, it is pretty common that your home network is behind NAT, the ISP does not want to forward a port for you, and there is either no option to get a public IP or it costs $5 to $10/month and is a lengthy process to obtain (typical internet connection costs $20 to $30/month here).

I do the same thing! I'm hoping that some day hotels won't send every wireguard packet they see straight to the bit bucket. Until then I'm really grateful for ssh.

If I have to spend an hour or two setting up each solution, I could pay $4 a month many years before I'd feel like it was worth doing that twice. You're not wrong, but I would gladly pay the monthly to only have to set it up once.

not trying to be difficult, but $500 seems like an odd price tier to end up in. If I was going cheap, I'd do something between a rock64/raspberry pi and an Intel Nuc. If I was going powerful, it would be north of $1,500 for sure. That decision would probably be based on what I was running on it. If it's a VPN, the rock64 would be plenty. < $50

You might be into howling at moonshots, but when it’s dark outside you need a true luminary to reflect any light back to the rest of us. Many thanks for your continued lunacy.

As mentioned in the issue, I would have picked a copyleft license like AGPLv3 or GPLv3.

Thanks, I see that it's a fairly recent addition to OpenSSH

I wrote that alias about a decade ago when it wasn't available for me yet

Yeah I was trying to make an argument the target audience might find persuasive. Inheritance is a nice concept when reasoning about (continental) contracts since a contract is only a contract if and only if it abides by contract law. That's a strict inheritance there. In truth, it's a bit more flexible: a contract could still be a contract if there are illegal provisions in the contract since at first only the illegal provisions will be scrapped by a judge.

a risk is server bugs.

What solution is available for smartphone with Android? I would like to setup unused phone with Android system and SSH server (there are apps) to make it a standalone server connected with internet only via LTE/GSM (using simcard). I learnt that it is impossible to connect to a device using LTE connection. It's "public" IP is not so public, LTE providers have a lot of infrastructure configurations (NAT?) to not allow incoming connections initiated outside the phone. What is the best solution here? What are free for fair use (just ssh, maybe a httpd with lightweight script page), what are paid solutions. Thanks!

> a contract is only a contract if and only if it abides by contract law

That's true, but I don't quite see how that makes a contract the law. Someone who doesn't turn up to work isn't doing something illegal by dint of breaking their employment contract. IME, 'illegal' generally refers to breaking the criminal law, whereas I wouldn't say this even breaks civil law, sensu stricto. https://malesculaw.com/is-breach-of-contract-a-tort/

Also, there's some casual discussion by lawyers of this exact terminological question here: https://www.quora.com/How-should-a-breach-of-contract-be-qua...

I have explained why I stated that 'setup of [Tailscale] typically requires administrative intervention'.

I appreciate that your approach is the more secure standard practice, yet want to make others aware of the edge cases here on a site called Hacker News rather than something like StackOverflow, where 'this is the way' reigns supreme.

>> maintain a persistent ssh tunnel

SSH agent forwarding was merged 3 months ago (after the patch waited 7+ years in one form or another), but per https://unix.stackexchange.com/a/437299 → https://github.com/mobile-shell/mosh/issues/337 (2012), mosh does not yet officially support port forwarding, despite https://github.com/mobile-shell/mosh/pull/583 (2013 → 2015 → 2017). It appears the initiator of the original patch has maintained their fork: https://github.com/rinne/mosh (disclaimer: I don't use mosh and have not tried or reviewed the differences from the official version).

Perhaps https://github.com/MisterTea/EternalTerminal is a viable alternative. Per https://github.com/MisterTea/EternalTerminal/issues/473#issu..., 'Several security teams have reviewed ET.'

Make sure you pay for the product/donate!

Yeah, it's a new parameter, based on exactly this common use case.

Have you tried using Tailscale. It does similar to Zerotier and I would interested to know if their NAT workaround is better than ZT in your use case

Yes you are right. If just connecting to the Pi, port forwarding is fine (and I use this).

When adding more devices at home (IP cameras etc.) and not connecting just to the Pi then the Wireguard VPN comes in.

My issue with their zerotier was their slow relay server, which is only used when NAT hole punching doesn't work. I got this impression that zerotier doesn't really seem to be interested to invest more into their relay servers (adding more location and increasing capacity). Tailscale might has better relay servers but I haven't tested it yet, but I plan to test them later when I got some free time.

The free software people care about your privacy, AWS and Microsoft don't.

They're not forcing you to do anything, just giving you advice.

There you go: https://news.ycombinator.com/item?id=30353690