## Purpose & Use Cases

### Primary Purpose

Provide secure, certificate-based SSH access for system administrators using native SSH clients, with WARP integration for enhanced security and network isolation.

### Top 3 Use Cases

- **Administrative Server Access**: Provide secure, certificate-based SSH access for system administrators using native SSH clients
- **Automated Tool Integration**: Enable tools like Ansible, Terraform, and CI/CD pipelines to access servers securely
- **Developer Workflow**: Support development workflows requiring direct SSH access with full feature support (port forwarding, SCP, rsync)

### Key Benefits

- Native SSH client support
- Full SSH feature compatibility
- WARP network integration
- Certificate-based authentication
- Infrastructure-level access control
## Prerequisites

### Required Accounts & Services

- Cloudflare Account with domain management
- Cloudflare Zero Trust subscription (free tier available)
- AWS Account with EC2 instance running Ubuntu
- Domain registered and managed through Cloudflare
- WARP Client installed on devices requiring Infrastructure Access

### Client Requirements

- SSH client (OpenSSH, PuTTY, etc.)
- WARP client (for Infrastructure Access)
- curl/wget (for testing)
- Device enrolled in Zero Trust organization

### Server Requirements

- Ubuntu 20.04+ (other Linux distributions supported)
- cloudflared binary (latest version)
- OpenSSH Server with certificate authentication
- SSH CA certificate from Cloudflare Zero Trust
- sudo access on target server
## Architecture Overview

### SSH Infrastructure Tunnel Flow

```text
+-----------------------------------------------------------------------------+
|                               CLIENT DEVICES                                |
|  +---------------------+  +---------------------+  +---------------------+  |
|  |    Web Browser      |  |    Web Browser      |  |  WARP + SSH Client  |  |
|  |    (Any Device)     |  |    (Any Device)     |  |   (Admin Device)    |  |
|  +---------------------+  +---------------------+  +---------------------+  |
+-----------------------------------------------------------------------------+
             | HTTPS                   | HTTPS                   | WARP Tunnel
             v                         v                         v
+-----------------------------------------------------------------------------+
|                           CLOUDFLARE EDGE NETWORK                           |
|  +---------------------+  +---------------------+  +---------------------+  |
|  |      Web App        |  |    SSH Browser      |  | SSH Infrastructure  |  |
|  |     DNS Route       |  |     DNS Route       |  |      IP Route       |  |
|  | webapp.ztn.*****.com|  | ssh.ztn.*****.com   |  | 172.31.***.***/31   |  |
|  +---------------------+  +---------------------+  +---------------------+  |
|  +---------------------+  +---------------------+  +---------------------+  |
|  |  Self-hosted App    |  |  Self-hosted App    |  | Infrastructure App  |  |
|  |   Access Policy     |  |   Access Policy     |  |   Access Policy     |  |
|  +---------------------+  +---------------------+  +---------------------+  |
+-----------------------------------------------------------------------------+
             | Tunnel 1                | Tunnel 2                | Tunnel 3
             v                         v                         v
+-----------------------------------------------------------------------------+
|                             AWS UBUNTU SERVER                               |
|                              172.31.***.***                                 |
|  +---------------------+  +---------------------+  +---------------------+  |
|  |      Tunnel 1       |  |      Tunnel 2       |  |      Tunnel 3       |  |
|  |     Port 8080       |  |     Port 8081       |  |     Port 8082       |  |
|  |      Web App        |  |    SSH Browser      |  | SSH Infrastructure  |  |
|  +---------------------+  +---------------------+  +---------------------+  |
|             |                        |                        |             |
|             v                        v                        v             |
|  +---------------------+  +---------------------+  +---------------------+  |
|  |    Web Server       |  |    SSH Daemon       |  |    SSH Daemon       |  |
|  |     Port 80         |  |      Port 22        |  |      Port 22        |  |
|  |    (nginx/app)      |  |   (Browser CA)      |  | (Infrastructure CA) |  |
|  +---------------------+  +---------------------+  +---------------------+  |
+-----------------------------------------------------------------------------+
```

### Infrastructure Access Components
| Component | Description | Status |
|---|---|---|
| WARP Client | Device enrolled in Zero Trust organization | Required |
| SSH Client | Native SSH client (OpenSSH, PuTTY, etc.) | Required |
| Infrastructure Access | IP-based routing with certificate authentication | Active |
| SSH Certificate | Short-lived certificate with 3-minute auth window | Auto-generated |
## Detailed Traffic Flow

### SSH Infrastructure Access Flow

#### Step 1: WARP Connection
- Admin device with WARP client connected
- Device enrolled in Zero Trust organization
- WARP routes 172.31.***.*** through Cloudflare
- Split tunneling configured for the private IP

#### Step 2: SSH Command Execution
- User runs: `ssh ubuntu@172.31.***.***`
- WARP intercepts traffic to 172.31.***.***
- Traffic routed to Cloudflare edge
- Edge identifies the Infrastructure Access policy

#### Step 3: Policy Evaluation & Certificate Issuance
- Device identity verification (WARP session)
- User identity verification (email/SSO)
- Infrastructure Access policy evaluation
- Short-lived SSH certificate generated (3-min auth window)
- Certificate includes SSH user permissions

#### Step 4: SSH Connection
- Certificate forwarded through tunnel to server
- SSH daemon validates certificate against ca.pub
- Certificate principal matches SSH user (ubuntu)
- Direct SSH session established
- Full SSH features available (port forwarding, SCP, etc.)

**Timeline:** ~1-2s for authenticated WARP users
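The checks sshd applies in Step 4 (certificate type, trusted CA, validity window, principal), as an added example that is not code from the original page or from Cloudflare. It parses the OpenSSH certificate wire format and handles ed25519, ECDSA P-256 and RSA certificates (Cloudflare's CA shown on this page is ECDSA P-256, so this generalizes beyond the page). The sample certificate, keys, key id and the `open-ssh-ca@cloudflareaccess.org` comment line are constructed placeholders, and the CA signature itself is not verified, so this shows what sshd decides after the signature check rather than replacing it.

```python
"""Decode an OpenSSH user certificate and apply the checks sshd makes before
accepting it: certificate type, signing CA, validity window and principal.
Added example, not code from the original page. Field layout follows OpenSSH's
PROTOCOL.certkeys; the sample certificate is constructed with a placeholder
signature, so the CA signature check that sshd also performs is not reproduced."""
import base64
import hashlib
import struct

CERT_TYPE_USER = 1
# How many wire "string" fields carry the public key, by certificate type.
PUBKEY_FIELDS = {
    b"ssh-ed25519-cert-v01@openssh.com": 1,          # pk
    b"ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve name, point Q
    b"ssh-rsa-cert-v01@openssh.com": 2,              # e, n
}

def _string(b):
    """Encode bytes as an SSH wire 'string' (uint32 length prefix + data)."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _read_uint(buf, off, fmt):
    (v,) = struct.unpack_from(fmt, buf, off)
    return v, off + struct.calcsize(fmt)

def parse_cert(blob):
    """Parse a *-cert-v01@openssh.com blob into a dict of its fields."""
    c = {}
    c["type_name"], off = _read_string(blob, 0)
    c["nonce"], off = _read_string(blob, off)
    c["pubkey_parts"] = []
    for _ in range(PUBKEY_FIELDS[c["type_name"]]):
        part, off = _read_string(blob, off)
        c["pubkey_parts"].append(part)
    c["serial"], off = _read_uint(blob, off, ">Q")
    c["cert_type"], off = _read_uint(blob, off, ">I")
    c["key_id"], off = _read_string(blob, off)
    packed, off = _read_string(blob, off)
    c["principals"], p = [], 0
    while p < len(packed):               # principals: packed list of strings
        name, p = _read_string(packed, p)
        c["principals"].append(name.decode())
    c["valid_after"], off = _read_uint(blob, off, ">Q")
    c["valid_before"], off = _read_uint(blob, off, ">Q")
    c["critical_options"], off = _read_string(blob, off)
    c["extensions"], off = _read_string(blob, off)
    c["reserved"], off = _read_string(blob, off)
    c["signature_key"], off = _read_string(blob, off)
    c["signed_data"] = blob[:off]        # exactly what the CA signature covers
    c["signature"], off = _read_string(blob, off)
    return c

def fingerprint(key_blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf ca.pub`."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")

def load_ca_pub(line):
    """Return the key blob from one '<type> <base64> <comment>' line of ca.pub."""
    return base64.b64decode(line.split()[1])

def check_cert(blob, username, trusted_ca_blobs, now):
    """Mirror sshd's decision for a login as `username` at unix time `now`."""
    c = parse_cert(blob)
    if c["cert_type"] != CERT_TYPE_USER:
        return False, "not a user certificate"
    if c["signature_key"] not in trusted_ca_blobs:
        return False, "signing CA %s is not in TrustedUserCAKeys" % fingerprint(c["signature_key"])
    if not c["valid_after"] <= now < c["valid_before"]:
        return False, "certificate outside its validity window"
    if username not in c["principals"]:
        return False, "%s is not a listed principal %r" % (username, c["principals"])
    return True, "accepted"

def build_sample_cert(user_pk, ca_blob, principals, valid_after, valid_before):
    """Constructed ed25519 user certificate; the signature is a placeholder."""
    packed = b"".join(_string(p.encode()) for p in principals)
    body = (_string(b"ssh-ed25519-cert-v01@openssh.com")
            + _string(b"\x00" * 32)                  # nonce (constructed)
            + _string(user_pk)
            + struct.pack(">Q", 1)                   # serial
            + struct.pack(">I", CERT_TYPE_USER)
            + _string(b"sample-key-id")
            + _string(packed)
            + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
            + _string(b"") + _string(b"") + _string(b"")  # critical options, extensions, reserved
            + _string(ca_blob))
    return body + _string(b"placeholder-signature")

# Constructed keys: fixed 32-byte values stand in for real ed25519 public keys.
CA_BLOB = _string(b"ssh-ed25519") + _string(bytes(range(32)))
USER_PK = bytes(range(32, 64))
CA_PUB_LINE = "ssh-ed25519 %s open-ssh-ca@cloudflareaccess.org" % base64.b64encode(CA_BLOB).decode()
```

A certificate issued for principal `ubuntu` with a 3-minute window passes `check_cert(cert, "ubuntu", [load_ca_pub(line)], now)` only while `now` lies inside `[valid_after, valid_before)`; the same certificate is refused for `root`, outside the window, or when the signing key is not the one in ca.pub, which are the three reasons behind most "Permission denied (publickey)" results on a correctly configured server.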
### WARP Status and Configuration

WARP Client Status:

```bash
# Check WARP status
warp-cli status
# Output example:
Status update: Connected
Success - your device is connected to Cloudflare Zero Trust

# Check tunnel routes
warp-cli tunnel route list
# Output example:
Included routes:
172.31.***.***/31
Excluded routes:
0.0.0.0/0
```
## Configuration

### Tunnel Configuration

Tunnel Config (`~/.cloudflared/tunnels/ssh-infra/config.yml`):

```yaml
tunnel: <ssh-infra-tunnel-id>
credentials-file: /home/ubuntu/.cloudflared/<ssh-infra-tunnel-id>.json
logfile: /home/ubuntu/.cloudflared/logs/ssh-infra.log
loglevel: info
# Infrastructure Access traffic reaches the server through the tunnel's IP route
# (see "IP Route Configuration"), not through an ingress hostname, so the only
# ingress rule is the catch-all that cloudflared requires.
ingress:
  - service: http_status:404
```

### Infrastructure Access Application

Target Configuration:

```yaml
hostname: ec2-server
ip_address: 172.31.***.***
virtual_network: default
```

Application Configuration:

```yaml
name: SSH Infrastructure Access
type: infrastructure
target_criteria:
  - hostname: ec2-server
    protocol: SSH
    port: 22
```

Policy Configuration:

```yaml
name: SSH Infrastructure Policy
action: allow
include:
  - email: ubuntu@oskarcode.com
connection_rules:
  ssh:
    usernames: [ubuntu]
```

### IP Route Configuration

Route Setup:

```bash
# Command executed during setup
cloudflared tunnel route ip add 172.31.***.***/31 <ssh-infra-tunnel-id>
# Verification
cloudflared tunnel route ip list
# Output example:
IP Route: 172.31.***.***/31
Tunnel ID: <ssh-infra-tunnel-id>
```
## SSH Server Configuration

### SSH Daemon Configuration

SSH Daemon Config (`/etc/ssh/sshd_config`):

```text
# Core SSH settings
Port 22
# "Protocol" is deprecated: current OpenSSH only speaks SSH-2 and ignores this line
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# Cloudflare Zero Trust integration
# TrustedUserCAKeys names exactly one file; sshd treats a second path on the
# line as a configuration error at startup. Both Cloudflare CA keys
# (Infrastructure Access and Browser SSH) go into this file, one per line.
TrustedUserCAKeys /etc/ssh/ca.pub
# Security settings
MaxAuthTries 3
MaxSessions 10
ClientAliveInterval 300
ClientAliveCountMax 2
# Logging
SyslogFacility AUTH
LogLevel INFO
```

### Certificate Authority Files

Certificate Locations:

```text
# /etc/ssh/ca.pub: the single file named by TrustedUserCAKeys, one CA key per line
# Infrastructure Access CA
ecdsa-sha2-nistp256 AAAAE2VjZHNhLX... open-ssh-ca@cloudflareaccess.org
# Browser SSH CA (from /etc/ssh/ca-browser.pub; appended here because sshd
# reads only one TrustedUserCAKeys file)
ecdsa-sha2-nistp256 AAAAE2VjZHNhLX... open-ssh-ca@cloudflareaccess.org
```
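An added check, not code from the original page or from OpenSSH, that audits an sshd_config for the settings above and validates the CA key file: it applies sshd's rule that the first occurrence of a keyword wins, stops at the first `Match` block, flags a `TrustedUserCAKeys` line that carries more than one path, and confirms that each CA line's declared key type matches the type string inside its base64 blob. The two sample configs, the CA blob (a placeholder P-256 point, not a real key) and the `ca-browser.pub` path in the weak sample are constructed for the example.

```python
"""Audit an sshd_config for the settings this page relies on and validate the
CA public-key file named by TrustedUserCAKeys.
Added example, not code from the original page. The configs and key lines
below are constructed samples. sshd's rule that the first occurrence of a
keyword wins is honoured, and everything after the first Match block is
skipped because those settings apply only conditionally."""
import base64
import struct

# Directives the page's sshd_config sets and the values it expects (lowercase:
# sshd keywords are case-insensitive).
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}

def parse_sshd_config(text):
    """Return {keyword: value} for the global section, first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break                           # conditional settings: out of scope
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(settings):
    """List deviations from the hardening the page's configuration relies on."""
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append("%s not set (sshd default applies); expected %s" % (key, want))
        elif got.lower() != want:
            findings.append("%s is %s, expected %s" % (key, got, want))
    ca = settings.get("trustedusercakeys")
    if ca is None:
        findings.append("TrustedUserCAKeys not set: certificate logins are rejected")
    elif len(ca.split()) != 1:
        findings.append("TrustedUserCAKeys takes one file; list several CA keys in it, one per line")
    return findings

def validate_ca_file(text):
    """Check each key line is '<type> <base64> [comment]' and that the declared
    type matches the type string embedded in the key blob."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            problems.append("line %d: expected '<type> <base64> [comment]'" % n)
            continue
        try:
            blob = base64.b64decode(parts[1], validate=True)
            (ln,) = struct.unpack_from(">I", blob, 0)
            embedded = blob[4:4 + ln].decode()
        except Exception:
            problems.append("line %d: key blob is not valid base64 / SSH wire format" % n)
            continue
        if embedded != parts[0]:
            problems.append("line %d: declared %s but the blob is %s" % (n, parts[0], embedded))
    return problems

def _wire(b):
    return struct.pack(">I", len(b)) + b

# Constructed ECDSA P-256 CA key: type, curve name and a 65-byte placeholder point.
CA_BLOB = _wire(b"ecdsa-sha2-nistp256") + _wire(b"nistp256") + _wire(b"\x04" + bytes(64))
CA_B64 = base64.b64encode(CA_BLOB).decode()
CA_FILE_OK = "# constructed sample\necdsa-sha2-nistp256 %s open-ssh-ca@cloudflareaccess.org\n" % CA_B64
CA_FILE_BAD = "ssh-ed25519 %s mislabelled-type\n" % CA_B64

SSHD_OK = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/ca.pub
"""
# Weak sample: password auth enabled (the later "no" is ignored by sshd),
# PermitRootLogin only inside a Match block, and two paths on TrustedUserCAKeys.
SSHD_WEAK = """\
PasswordAuthentication yes
PasswordAuthentication no
TrustedUserCAKeys /etc/ssh/ca.pub /etc/ssh/ca-browser.pub
Match User deploy
    PermitRootLogin no
"""

if __name__ == "__main__":
    for f in audit(parse_sshd_config(SSHD_WEAK)) + validate_ca_file(CA_FILE_BAD):
        print("FINDING:", f)
```

Run it against the real files with `audit(parse_sshd_config(open("/etc/ssh/sshd_config").read()))` and `validate_ca_file(open("/etc/ssh/ca.pub").read())`; `sshd -t` remains the authoritative syntax check, this only adds the policy comparison.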
### Systemd Service

Service File (`/etc/systemd/system/cloudflared-ssh-infra.service`):

```ini
[Unit]
Description=Cloudflare Tunnel - SSH Infrastructure
After=network.target
Wants=network.target

[Service]
Type=simple
User=ubuntu
Group=ubuntu
ExecStart=/usr/local/bin/cloudflared tunnel --config /home/ubuntu/.cloudflared/tunnels/ssh-infra/config.yml run
Restart=always
RestartSec=5
TimeoutStartSec=0
KillMode=mixed
StandardOutput=journal
StandardError=journal
SyslogIdentifier=cloudflared-ssh-infra

[Install]
WantedBy=multi-user.target
```
## Network Topology

### Infrastructure Access Network

```text
WARP Client
     |
     v
Cloudflare Edge
     |
     v
Infrastructure Tunnel  (tunnel-****-****-****-****)
     |
     v
SSH Server  (IP Route 172.31.***.***/31)
```

### Access Policies
| Policy Name | Target | Protocol | Users | Status |
|---|---|---|---|---|
| SSH Infrastructure Access | 172.31.***.***/31 | SSH:22 | user1@*****.com, admin@*****.com | Active |
| Database Access | 172.31.***.***/31 | MySQL:3306 | user1@*****.com, admin@*****.com | Active |
| Web Server Access | 172.31.***.***/31 | HTTPS:443 | admin@*****.com | Active |
| Redis Cache Access | 172.31.***.***/31 | Redis:6379 | user1@*****.com | Active |
## Common Issues & Solutions

#### Issue 1: WARP Not Routing Private IPs

**Problem:**

```bash
# From WARP device
ping 172.31.***.***
# ping: cannot resolve 172.31.***.***: Name or service not known
```

**Solution:**

```bash
# Configure split tunneling to include the private IP
# Option 1: WARP Settings UI
# Settings > Gateway > Split Tunnels > Include: 172.31.***.***/31
# Option 2: Command line (if available)
warp-cli tunnel exclude rm 172.16.0.0/12
warp-cli tunnel include add 172.31.***.***/31
# Verify routing
warp-cli tunnel route list
```

#### Issue 2: Certificate Trust Chain Issues

**Problem:**

```bash
ssh ubuntu@172.31.***.***
# Permission denied (publickey)
```

**Solution:**

```bash
# Check which CAs are trusted
grep TrustedUserCAKeys /etc/ssh/sshd_config
# Verify CA files exist and contain valid keys
ls -la /etc/ssh/ca*.pub
cat /etc/ssh/ca.pub
# Show the CA key type and fingerprint (ca.pub holds a CA public key, not a
# certificate, so `ssh-keygen -L` would only report that it is not a certificate)
ssh-keygen -l -f /etc/ssh/ca.pub
# Monitor SSH authentication logs
sudo journalctl -u ssh -f
# Look for certificate validation messages
# Test certificate generation
# From WARP device, run SSH with verbose logging
ssh -v ubuntu@172.31.16.209
```
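Detection logic over the authentication messages the step above tells you to watch, added here as an example that is not from the original page: it flags certificate logins signed by a CA other than the trusted one, certificate logins as users the policy does not grant, password logins (which `PasswordAuthentication no` should make impossible), and rejected certificates. The log lines follow the layout OpenSSH uses for certificate logins, but the fingerprints, key ids, serials, addresses and the `example.invalid` key ids are constructed placeholders.

```python
"""Triage sshd authentication messages for certificate logins.
Added example, not code from the original page. The log lines are constructed
samples in the layout OpenSSH writes for certificate-based logins; the
fingerprints, key IDs and client addresses are placeholders."""
import re
from collections import Counter

ACCEPTED = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+)-CERT (?P<fp>\S+) ID (?P<keyid>.+?) \(serial (?P<serial>\d+)\) "
    r"CA (?P<catype>\S+) (?P<cafp>\S+)"
)
PASSWORD = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\S+)")
REJECTED = re.compile(r"Certificate invalid: (?P<reason>.+)$")

def triage(lines, trusted_ca_fps, allowed_users):
    """Return (severity, message) events, one per relevant log line."""
    events = []
    for line in lines:
        m = ACCEPTED.search(line)
        if m:
            if m["cafp"] not in trusted_ca_fps:
                events.append(("alert", "login as %s from %s signed by unknown CA %s"
                               % (m["user"], m["ip"], m["cafp"])))
            elif m["user"] not in allowed_users:
                events.append(("alert", "certificate login as unexpected user %s (key id %s)"
                               % (m["user"], m["keyid"])))
            else:
                events.append(("info", "certificate login as %s, key id %s, serial %s"
                               % (m["user"], m["keyid"], m["serial"])))
            continue
        m = PASSWORD.search(line)
        if m:   # should never appear with PasswordAuthentication no: config drift
            events.append(("alert", "password login as %s from %s despite PasswordAuthentication no"
                           % (m["user"], m["ip"])))
            continue
        m = REJECTED.search(line)
        if m:
            events.append(("warn", "rejected certificate: " + m["reason"]))
    return events

def summarize(events):
    """Count events by severity so a caller can threshold on 'alert'."""
    return Counter(sev for sev, _ in events)

# Constructed sample lines (journalctl -u ssh style); every value is a placeholder.
TRUSTED_CA = "SHA256:CA-FINGERPRINT-PLACEHOLDER"
SAMPLE_LOG = [
    "Nov 10 12:00:01 ec2-server sshd[1201]: Accepted publickey for ubuntu from 100.96.0.5 port 51234 ssh2: "
    "ECDSA-CERT SHA256:USERKEY1 ID ubuntu@example.invalid (serial 42) CA ECDSA " + TRUSTED_CA,
    "Nov 10 12:01:15 ec2-server sshd[1202]: error: Certificate invalid: expired",
    "Nov 10 12:02:30 ec2-server sshd[1203]: Accepted publickey for root from 100.96.0.9 port 51300 ssh2: "
    "ECDSA-CERT SHA256:USERKEY2 ID admin@example.invalid (serial 43) CA ECDSA " + TRUSTED_CA,
    "Nov 10 12:03:05 ec2-server sshd[1204]: Accepted publickey for ubuntu from 100.96.0.7 port 51310 ssh2: "
    "ED25519-CERT SHA256:USERKEY3 ID rogue (serial 1) CA ED25519 SHA256:OTHER-CA-PLACEHOLDER",
    "Nov 10 12:04:00 ec2-server sshd[1205]: Accepted password for ubuntu from 100.96.0.8 port 51400 ssh2",
]

if __name__ == "__main__":
    events = triage(SAMPLE_LOG, {TRUSTED_CA}, {"ubuntu"})
    for sev, msg in events:
        print(sev.upper(), msg)
    print(summarize(events))
```

Feed it the output of `journalctl -u ssh` (or `/var/log/auth.log`) with the trusted fingerprint taken from `ssh-keygen -l -f /etc/ssh/ca.pub` and the allowed users from the policy's `usernames` list. With Cloudflare's 3-minute certificate window, a run of `Certificate invalid: expired` or `not yet valid` rejections usually means the server's clock has drifted; keep it synchronised with NTP before suspecting the CA.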
#### Issue 3: WARP Connection Failures

**Problem:**

WARP client cannot connect to the Zero Trust organization.

**Solution:**

```bash
# Check WARP status
warp-cli status
# Restart WARP service
sudo systemctl restart warp-svc
# Check WARP logs
sudo journalctl -u warp-svc -f
# Verify organization enrollment
warp-cli account
# Re-enroll device if needed
warp-cli register <organization-token>
```
## Future Plans

### Phase 1: Advanced Infrastructure Monitoring

**Objective:** Implement comprehensive infrastructure monitoring and automated management capabilities.

Features to Implement:

- **Infrastructure Dashboard**: Real-time monitoring of all infrastructure components
- **Automated Scaling**: Dynamic resource allocation based on demand
- **Health Checks**: Automated monitoring and alerting for service health
- **Performance Metrics**: Detailed performance tracking and optimization

**Timeline:** 8 weeks with comprehensive infrastructure management

### Phase 2: Enterprise Security Integration

**Objective:** Integrate with enterprise security tools and implement advanced threat detection.

Security Enhancements:

- **SIEM Integration**: Splunk, ELK Stack, or Azure Sentinel integration
- **Threat Detection**: Real-time threat analysis and response
- **Compliance Reporting**: Automated compliance monitoring and reporting
- **Security Analytics**: Advanced behavioral analysis and anomaly detection

**Timeline:** 10 weeks with enterprise-grade security

### Phase 3: Infrastructure as Code (IaC)

**Objective:** Automate the entire infrastructure deployment and management using Terraform and configuration management tools.

Automation Features:

- **Terraform Infrastructure**: Version-controlled infrastructure deployment
- **Ansible Configuration**: Automated configuration management
- **Disaster Recovery**: Infrastructure recreation capabilities
- **Standardized Configurations**: Consistent setups across all servers
## References

### Official Documentation

- Cloudflare Tunnel Documentation
- SSH with Access for Infrastructure
- WARP Client Documentation
- Short-lived Certificates

### Technical Specifications

- RFC 4253 - SSH Transport Layer Protocol
- RFC 4252 - SSH Authentication Protocol
- OpenSSH Certificate Documentation