Cloudflared on Taras' Blog on AI, Perf, Hacks /tags/cloudflared/ Recent content in Cloudflared on Taras' Blog on AI, Perf, Hacks Taras' Blog on AI, Perf, Hacks /images/papermod-cover.png /images/papermod-cover.png Hugo -- 0.147.0 en Taras Glek Sun, 10 Mar 2024 14:29:26 +0200 ssh-via-cloudflare-tunnel: Alternative way to expose machines behind NAT /posts/cloudflare-ssh/ Sun, 10 Mar 2024 14:29:26 +0200 /posts/cloudflare-ssh/ <p>I have an intermittent issue where one of my machines on a specifc network seems to be operational locally on network but not accessible over <a href="https://netbird.io/">netbird</a> some of the time. I could not tell if the problem was due to the network the problematic machine was on or due to netbird.</p> <p>So to debug this I:</p> <ol> <li> <p>Setup a grafana node agent to report journald logs to <a href="grafana.com">https://grafana.com/</a></p> </li> <li> <p>Setup to docker to log to journald</p> </li> <li> <p>Wrote <a href="https://github.com/tarasglek/ssh-via-cloudflare-tunnel">ssh-via-cloudflare-tunnel</a> docker-compose stack to tunnel ssh over websocat to internet over <a href="https://github.com/cloudflare/cloudflared">cloudflared</a>. Set docker compose to restart-on-failure.</p> </li> </ol> <p>Today netbird had some downtime (tailscale had theirs just a few days before that). I was able to log into grafana, look up the temporary hostname cloudflare assigned to me and ssh in using</p> <p><code>ssh -o ProxyCommand=&quot;websocat -E --binary - -v %h&quot; -o ServerAliveInterval=10 wss://library-won-nt-gauge.trycloudflare.com</code></p> <h1 id="architecture">Architecture</h1> <pre><code class="language-mermaid">graph TD; A[ssh client] &lt;--&gt;|Invoke websocat over ProxyCommand| B[websocat client-mode] B &lt;--&gt;|WebSocket to Stdio| D(Cloudflare) D &lt;--&gt;|HTTPS to WebSocket| E[cloudflared Server] E &lt;--&gt;|Reverse proxy over HTTPS| F[websocat server-mode] F &lt;--&gt;|Stdio to SSH| G[sshd server] style A fill:#f9f,stroke:#333,stroke-width:2px style B fill:#dfd,stroke:#333,stroke-width:2px style D fill:#bbf,stroke:#333,stroke-width:2px, style E fill:#ddf,stroke:#333,stroke-width:2px, style F fill:#dfd,stroke:#333,stroke-width:2px style G fill:#f9f,stroke:#333,stroke-width:2px </code></pre> <h1 id="conclusion">Conclusion</h1> <p>This turned out trivial to do. However it took me over 5 years of pondering, discovering ssh ProxyCommand, cloudflared, websocat and deciding to combine them to conveniently expose ssh over web.</p> <p>I think it&rsquo;s pretty cool how Cloudflare allows one expose geographically distributed tunnels without requiring any signups. I wish their UX simpler so it was equally easy to expose tunnels with fixed dns. Cloudflare actually has something similar as an <a href="https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/#connect-to-ssh-server-with-cloudflared-access">official ssh feature</a>, but it requires more hoop jumping.</p> <p><a href="https://github.com/vi/websocat">websocat</a> is amazing. I use websockets a lot more now that I have a robust way to utilize them without writing any code.</p> <h1 id="why-would-i-want-to-do-this">Why Would I Want To Do This?</h1> <ul> <li>As a fallback to tailscale/netbird that uses a completely different network topology as in this case</li> <li>To temporarily grant ssh to some machine without requiring end-users to install a vpn</li> <li>To bypass restrictive gsm/wifi networks that block access to ssh</li> <li>As an alternative to port-knocking to obscure ssh (eg hide ssh behind http basic-auth)</li> </ul> <h1 id="how-would-you-improve-this">How would you improve this?</h1> <p>Checkout <a href="https://github.com/tarasglek/ssh-via-cloudflare-tunnel">ssh-via-cloudflare-tunnel</a> on github.</p>