196 comments

[ 2.9 ms ] story [ 250 ms ] thread
(comment deleted)
Can also use our auditable terminal so no need for an SSH client: https://blog.cloudflare.com/ssh-raspberry-pi-400-cloudflare-...
Thank you for the link.

Do you have a Cloudflare on first page of HN alert?

And will Cloudflare Tunnel stay free and included for free accounts?

I have code that monitors Hacker News comments for mentions of various things (including cloudflare, my username). It runs once a minute and uses https://hn.algolia.com/ to find new comments. I actually saw this was on Hacker New via Twitter.

https://blog.cloudflare.com/tunnel-for-everyone/

Genuine question; I’ve got a static IP (v4) to my only server that I run at home. Are there any real benefits I gain to using tools like this one (or Tailscale et al)?
> Each port is also limited to a single machine, so you'd have to choose a different port for a different machine.

I would probably set up one gateway machine, and then from that machine log into other machines on the network; instead of exposing them all to the Internet. SSH allows you to chain logins thus:

  ssh -A -t user@public-gateway ssh -A -t user2@server-behind-dmz
It's a lot less work to lock down one machine really tight enough to expose them to the public Internet than to do it on the entire network.
Use -J or ProxyJump in .SSH/config for a modern equivalent
I guess my bash aliases are a bit oldfashioned :P
Yes, please only use this!

The big advantage of this (over ssh user@host1 ssh user@host2) is that the jump host only sees the encrypted inner connection – it doesn't get access to the client's SSH agent/keychain, nor to the target host (host2) or data transmitted over the connection.

I use this alias in my .ssh/config to connect through a gateway machine:

    Host myserver
        User user
        ProxyCommand ssh -q public-server nc -q0 private-server 22
I can't remember what these flags actually do but they seem to get the job done
ProxyJump is slightly preferred in modern SSH. Does what you're doing, but with simpler syntax. Take a look.
Thanks, I see that it's a fairly recent addition to OpenSSH

I wrote that alias about a decade ago when it wasn't available for me yet

Yeah, it's a new parameter, based on exactly this common use case.
Unfortunately it doesn't work if you're behind a NAT due to shitty ISP, like me. I use AutoSSH instead to expose my local machine's ssh port on a high port in the gateway machine: `autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -v -N -R 22222:localhost:22 user@my-vps-domain`

ServerAliveInterval 30 is important because my ISP often drop idle connections, often not even 1 minute idle. Can probably tweak it to listen to a localhost only port instead of exposing them to internet.

Can we stop posting stuff that makes even more people give the keys of their house to the BigCorp cartel?
(comment deleted)
Most people here work for BigCorp cartel or aspire to do so
I'd take a big pay cut to work for a co-op, green energy focused or other social/ecological good company. I just don't wanna work for a startup.
This configured system, unlike the rest of the way CloudFlare works with http, is actually end to end encrypted.
Maybe an improvement:

s/http/https/

-or-

s/http/SSL/

since http is technically often referring to unencrypted port 80 transport.

Hacker News hasn't been very "hacker" in a long time. Still a decent place for tech news.
the cf tunnel key was separate than your sshd key, there is no leak here. It's just a way of port forwarding upon a CDN network.
Why is it always the free software people who are the most judgemental about what I do with my software and who I trust with my time and money? AWS and Microsoft never gave a shit about what other vendors I'm in bed with.

I like your GNU license, I do not like your GNU license people.

The crazy thing the OSS people have been right about the invasion of privacy and money grab of the modern internet.
The free software people care about your privacy, AWS and Microsoft don't.

They're not forcing you to do anything, just giving you advice.

What are you giving Cloudflare here? You're running a tunnel daemon and piping a network process to it. There's no exchange of for example your private SSH keys.

If anything this is letting people more easily self host their own version of 'BigCorp cartel' apps like mail, code hosting, etc.

Sure. Just make IPv6 work everywhere flawlessly, and then all of our devices can easily access all of our other devices, we can use whatever DNS scheme we want to return the IPv6 addresses to those devices, and then we won't need to punch through NAT firewalls and routers to reflect off corp-owned servers just to access machines trapped behind NAT firewalls! What could possibly go wrong?
> Question: do you use a different tool which require no maintenance or cost to run?

Answer: ZeroTier -- on Mac, Linux (home & cloud), Windows, Android

I actually setup DNS entries resolving to private IPs as configured in ZeroTier so I didn't have to login to dig them up but my default DNS provider won't resolve them. I guess newer ZeroTier versions optionally have DNS covered these days but I haven't looked into it.

IIRC, I tried both ZeroTier and Tailscale but at the time Tailscale did not yet have a simple setup to run as an unattended Windows service (and still does not have the equivalent for Mac). Being able to access a machine without staying logged in was table stakes so I decided Tailscale needed more time to bake.

Downsides I'm aware of:

- Less attention to their encryption implementation than the current hotness (WireGuard).

- Did not work with minimal effort from the local public library.

- Mac Activity Monitor shows unexpectedly high amounts of traffic even though I use it very rarely, it's not clear what's going on within that network. As in currently 100's of MB's I can't think of why would have passed through.

- It's 50 hosts + 1 admin per network for free, unlimited networks (unless you setup your own "controller"/proxy).

Re: access control brought up in another comment contrasting exposing only SSH vs. VPN connections, ZeroTier includes some off-puttingly complex access control configuration mechanism I will probably never look into.

Hope this detailed anecdata helps someone, I'm glad to be in a position to try to give back to the community by sharing my experience. Any other ZeroTier gotchas would be appreciated in case I have to dodge something in the future. I debated setting it up as permanent "route-all-internet-access-back-through-home-internet" VPN on my phone but was scared off by the complexity of setting up routing/bridging on the endpoint at home.

Same, zerotier on everything. Router, laptops, servers, phone. It makes things very easy to connect without public addresses.
I want to love ZeroTier, but after wanting to contribute and reading some code I decided I'd rather use another VPN tech. Not saying it isn't good, but it was very incomprehensible and didn't look modern and nice, which the product should be.
Thanks for sharing this insight, it's good to have even an inkling of how the sausage is made.
Which router support ZeroTier? Or are you using a custom router firmware?
I use ZeroTier, but only with Linux boxes (also used on a Mac when I had one), so instead of DNS I use nss-mdns and avahi. It is enough to install and it just works - computers are available under $HOSTNAME.local.
The crypto part of ZeroTier is getting some love soon but we are taking our time to get it right and get peer review. Implementing ideas from WireGuard and Signal.

Also the pricing is for our controller SaaS. If you want to self host controllers you can for free. There is a free community developed control panel somewhere.

Managing expectations re:v2 is not going well for me. I wasn't really aware WireGuard-ish crypto improvements were happening (hire the personalities™ freelance ASAP or at least for review), and timeline is basically a punchline at this point... I recommend just owning both (edit: start today!) as 'when it's finished' on the front page if you want to appeal to techs.

I updated re:free, thanks.

Their appear to be two (Node.js/GPL3) control panels: https://github.com/key-networks/ztncui and https://github.com/dec0dOS/zero-ui

Managing expectations re:v2 has been a total failure on our part. We put far too many things in one basket. But the work is still happening.

Learning moment for us: don't give timelines and don't reveal too much. Just say "when it's finished." Only Elon Musk can use Elon Time(tm). :)

Edit: we also promised some things that are just brutally hard, like fully decentralizing the root backplane via full data set replication. We are still working on that but it proved tougher than we originally thought, especially in light of scaling needs and security concerns. Some interesting technology in development but still in private repos.

Our competition just builds SaaS with a single controller run by a single entity. That's easy. We make it hard on ourselves by trying to keep going on the decentralization and control your own security boundary mission. Part of why everything is getting centralized into silos is that that's just so easy to engineer.

FWIW your "decentralize until it hurts, then centralize until it works" is one of my favorite slogans, and I appreciate y'all making the effort.
It's nice to hear that someone cares about this. I feel like a lunatic howling at the moon. We think decentralization (actual decentralization) is a good thing, but it would be so easy to just run a cloud silo. Everything becomes totally straightforward and simple.

I also hate the way scammy cryptocurrency shonk has sucked all the air out of the room on this topic, especially since most of "web3" is not even decentralized. Most of it goes through a few companies' centralized hubs. Total hot air. I'm thinking about trying to coin a new term for actual decentralization.

You might be into howling at moonshots, but when it’s dark outside you need a true luminary to reflect any light back to the rest of us. Many thanks for your continued lunacy.
Make sure you pay for the product/donate!
> Question: do you use a different tool which require no maintenance or cost to run?

I run Wireguard, Tailscale and Yggdrasil on my home network.

I also use ZeroTier for a few years now. Very useful. Unfortunately my current ISP use NAT instead of giving their subscribers routable ip address. This means ZeroTier reverts to using an external relay when accessing my machine from outside, which is very slow and has very high latency from my country.

So in addition to ZeroTier, I use AutoSSH [1] to setup and maintain a persistent ssh tunnel on a high port on my vps. It's a lot faster than ZeroTier's relay because the vps is in a neighboring city instead of in another country. It's pretty reliable too, automatically reconnect when the tunnel is down. I'm still using ZeroTier for backup connection though.

Simply use `autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -v -N -R 22222:localhost:22 user@my-vps-domain` to forward port 22222 on your vps into your local machine. I also configured a supervisord instance to automatically start it on my machine so it'll always running.

[1] https://linux.die.net/man/1/autossh

What about mosh?
>> maintain a persistent ssh tunnel

SSH agent forwarding was merged 3 months ago (after the patch waited 7+ years in one form or another), but per https://unix.stackexchange.com/a/437299https://github.com/mobile-shell/mosh/issues/337 (2012), mosh does not yet officially support port forwarding, despite https://github.com/mobile-shell/mosh/pull/583 (2013 → 2015 → 2017). It appears the initiator of the original patch has maintained their fork: https://github.com/rinne/mosh (disclaimer: I don't use mosh and have not tried or reviewed the differences from the official version).

Perhaps https://github.com/MisterTea/EternalTerminal is a viable alternative. Per https://github.com/MisterTea/EternalTerminal/issues/473#issu..., 'Several security teams have reviewed ET.'

Have you tried using Tailscale. It does similar to Zerotier and I would interested to know if their NAT workaround is better than ZT in your use case
My issue with their zerotier was their slow relay server, which is only used when NAT hole punching doesn't work. I got this impression that zerotier doesn't really seem to be interested to invest more into their relay servers (adding more location and increasing capacity). Tailscale might has better relay servers but I haven't tested it yet, but I plan to test them later when I got some free time.
I tried using Zerotier a few years ago for personal devices/homenet (~10ish devices) and it frequently dropped/disconnected to the point I uninstalled. The Windows client was buggy/quirky and would get into a weird state where I couldn't click on a network to connect/disconnect properly and the app would have to be closed and client restarted before it would work properly again.

Ive since set up wireguard and use nginx for reverse proxy and haven't looked back. This has been rock solid, set and forget.

Another ZeroTier user. Runs on few devices flawless.
You can also do this using the Tor network, by setting up onion services.
It's much easier, much cheaper, and does not rely on a centralized cloud vendor. Here's how to do it in a few lines:

    apt install tor
    echo HiddenServiceDir /var/lib/tor/myserver\
    HiddenServicePort 22 127.0.0.1:22 >> /etc/tor/torrc
    systemctl restart tor
Now tor is generating the keypair for the server. It will take a few seconds: once that's done, read the onion address from /var/lib/tor/myserver/hostname and you can start using it from the client, either with explicit ssh proxy config or with global client SSH config AutomapHostsOnResolve which enables to transparently map .onion domains to local IPs that the tor daemon will tunnel right over to the onion.

Bonus point: you get automatic certificate verification as part of the onion name itself, and you can also restrict the tor server configuration to allow only specific public keys (those who don't have them will not even reach sshd).

Tailscale (https://tailscale.com) is a great solution for this use-case. It's also just an absolutely excellent experience overall and I can't say enough nice things about it.
Can be used for the same, but serve kind of a different usecase.

Tailscale scan your host for all open ports and open a WireGuard connection between the installed machines. Like every machine is on the same network, even if they are not. Way harder to have a good access control compared to plain SSH. And you don't need extra SW for just SSH.

This article is specifically about using cloudflared to implement a tunnel without exposing anything to the public internet, which is definitionally extra software. Agreed however that Tailscale offers a much wider feature set—while also covering the basic "I want to access my machine from anywhere" use-case—at the cost of exposing an entire machine instead of a single port.
Wow, that commenting system is so nice. I was looking for something like that! Amazing :)

Edit: it sees https://utteranc.es/ is used.

Aaaand rate limited.
Hey mono-bob :), it really is cool, I only added it last night. I used to use utteranc.es, but now I use https://giscus.app. It's like utterances, but allows comment threads and reactions to the page (likes/emojis).
Unfortunately the cloudflared software, while the source is available on GitHub, and there are pull requests open and accepted for it, is not under an open source license, and the license it is under does not allow modifications, so any modifications (including the aformentioned pull requests) are contrary to the license and thus copyright law and thus illegal. The issue I filed about this is still waiting for action since October 2021.

https://github.com/cloudflare/cloudflared/issues/464

Thanks for pointing this out as it does appear even taking the source and applying a pull request ones self does break the license.

Just to clarify: many pull requests have been accepted and would thus from my perspective be covered by the license as having become part of the software.

Caveat: did not dig deeply enough to check if it's mostly Cloudflare employees developing publicly, etc.

Edit: worth mentioning here on HN customer support as well that 'opensource@cloudflare.com' is misconfigured.

PS: I note cloudflared uses some form of telemetry, although I have not looked at what data is transmitted and didn't try to remove it after seeing the above license.

PPS: I wish cloudflared were split up into client and server instead of one binary for both, it would be easier to audit and understand that way.

PPPS: I noted while auditing that cloudflared embeds its dependencies instead of depending on them and uses some golang libraries that are obsoleted.

hearing this I'm not sure I want cloudflared inside my network at all

it's already vast... and telemetry always seems to be the thin end of the wedge

a minimal version, not maintained by the company, under a proper open source license with no bullshit and a vastly smaller attack service would seem like a easy win...

(and even better if it supported more service providers than just cloudflare... killing their lock-in)

Breaking a contract is not illegal. Seems to be a common misconception.
Its copyright law that is being broken here that makes it illegal, not breaking the license/contract.
In civil law countries it is. Also you can be sued for it.
Please explain? I've googled your sentiment and have found some links but not many answers. Breaking a contract is just as illegal (~ against the law) as breaking the law? This follows trivially from contract law being a part of law. More substantive: Both contracts and laws proscribe actions. One can find remedy for breaking either via the legal system. (Obviously the severity of punishment can differ several orders of magnitude.) Only if you limit 'illegal' to criminal law you might be right in some jurisdictions.
> This follows trivially from contract law being a part of law

That does not follow trivially. Contracts themselves are not articles of contract law.

Contracts themselves are not articles of contract law. - This is true, but the concept of inheritance holds.

'Illegal' ~ 'against the law'. What is doing something against the law? Doing something the law states you are not allowed to do. So in practice under continental law (Napoleonic / Germanic) a law states "do X" or "leave Y" and doing the opposite is illegal. Then, if the law states "you must (under good faith) fulfill your contract" and you do not fulfill your contract ... that's illegal. A legally binding contract has the force of law for the signing parties.

> Contracts themselves are not articles of contract law. - This is true, but the concept of inheritance holds.

Of 'inheritance'? What does this mean? Are you trying to apply the rules of OOP to contract law, as if an individual contract were an instance of contract law...?

In civil law countries, a contract is the law between parties.
Yeah I was trying to make an argument the target audience might find persuasive. Inheritance is a nice concept when reasoning about (continental) contracts since a contract is only a contract if and only if it abides by contract law. That's a strict inheritance there. In truth, it's a bit more flexible: a contract could still be a contract if there are illegal provisions in the contract since at first only the illegal provisions will be scrapped by a judge.
> a contract is only a contract if and only if it abides by contract law

That's true, but I don't quite see how that makes a contract the law. Someone who doesn't turn up to work isn't doing something illegal by dint of breaking their employment contract. IME, 'illegal' generally refers to breaking the criminal law, whereas I wouldn't say this even breaks civil law, sensu stricto. https://malesculaw.com/is-breach-of-contract-a-tort/

Also, there's some casual discussion by lawyers of this exact terminological question here: https://www.quora.com/How-should-a-breach-of-contract-be-qua...

I think the misconception is between civil law and criminal law.
Hello from the Cloudflare team - thanks for the nudge. We're in the process of migrating away from the proprietary license to an Apache license. We'll update the GitHub issue too; should be wrapped up in the next couple of weeks but likely sooner.
Excellent, thanks for the update. Apache isn't what I would have chosen but is reasonable enough.
Curious about this; is it the patent clause? What would you have picked - mit/bsd?
As mentioned in the issue, I would have picked a copyleft license like AGPLv3 or GPLv3.
As someone who watches this space closely and recommends Cloudflare Tunnel regularly, this is fantastic news.

Do you know if it will be feasible to add Cloudflare tunneling to 3rd party Golang apps?

No, pull requests are not illegal, at least when done on Github, because by posting code on Github (that you are allowed to post) you grant Github and its users certain rights:

https://docs.github.com/en/github/site-policy/github-terms-o...

> By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of Content from your repositories in repositories they control).

That license doesn't allow modifications, which is what pull requests are. The forking thing is only about making copies, not modifications.
I suppose you can modify the code, but not use it (compile) as such?
Neither copyright law nor the license allow modification, so probably not.
Uh, so I just realized how we are discussing how developers submitting pull requests to this project with this license are basically demonstrating publicly performance art style that they've broken copyright law. Or we give the benefit of the doubt and assume they are not testing their changes at all.
In this specific case you might be correct but in the general case this is not true. The uploader agreeing to something does not affect the rights of other authors than the uploader.
you may be interested on zSSH then. apache v2.

https://github.com/openziti-incubator

enables ssh without exposing sshd ports to the networks.

disclosure: founder of company who builds products on OpenZiti open source

If you like this, you’re gonna love Tailscale https://tailscale.com/
I love Tailscale, but it’s not really designed for public tunnels. You can do it, but you typically need to provision some kind of proxy with a static IP (most likely cloud based) to handle your public stuff.
what do you mean by public channels? if I was trying to ssh into my machines it works wonderfully for dns resolution.
Cloudflare tunnels expose ports publicly.

Tailscale must be properly configured on your client machine to access machines/ports on their respective private Tailscale network(s), setup of which typically requires administrative intervention. Without bridging to a public network, services exposed to the Tailscale network are not accessible publicly.

Tailscale does offer user-mode clients so it can be used similarly to SSH by those allowed to connect (I don't know how difficult user-mode Tailscale is without admin setup on various operating systems).

not sure where you're getting the idea you need admin intervention for tailscale. I've never needed to do anything beyond authenticate the machine with my account. tailscale has NAT traversal built into it.

If your network firewall is preventing the tunneling process, then that's on you. and if its not on you and its a company decision then its VERY unlikely they'd be okay with cloudflare's publicly exposed ports.

tailscale user here.

the tailscale devices you see are only accessible by other devices on the same tailscale network.

S/he's talking about accessing those machines from OUTSIDE that network. That's what would require admin intervention. So for example if I have a webserver on my home LAN that has Tailscale installed and authenticated, then sure, I can access that webserver from any of my other Tailscale devices from anywhere. But if I want a friend to be able to access that webserver without first being authenticated to the Tailscale network... Do you see the problem, yet?

I clearly understand that problem. but I'm just going to assert its not what you actually want. nor is it related to accessing ssh where you most definitely don't want to expose the port.

for starters, what you're describing is a load balancer. those already exist and are trivial to setup.

I'm talking about the one-time initial setup of the Tailscale client software.

Can you download and run Tailscale on a Windows client without Administrative access to install the software (setup the virtual NIC)? An SSH client is just a user-space app.

no but you also wouldn't want to allow that. just like you wouldn't want to expose a SSH socket to the world in most cases.
I have explained why I stated that 'setup of [Tailscale] typically requires administrative intervention'.

I appreciate that your approach is the more secure standard practice, yet want to make others aware of the edge cases here on a site called Hacker News rather than something like StackOverflow, where 'this is the way' reigns supreme.

A core offering of Cloudflare Tunnel is the ability to host web servers through tunnels. Tailscale requires you to run your own reverse proxy on a publicly-accessible node in order to accomplish this.
This is not my experience having recently set up web servers in a cloud virtual network with no inbound ports open. I can tailscale in and connect to web servers behind traefik configured to use the dns-01 challenge. The only way to access these webaps is through tailscale.
Sorry I meant specifically public web servers, ie hosting a website or sharing a Jellyfin server with your family without requiring them to have Tailscale accounts.
I mean if I wanted to host a public blog on my private infrastructure, Tailscale alone isn’t going to cut it. I would have to make a instance on a cloud provider to allow public ingress, and I have to setup and configure Tailscale on it to allow it to punch a hole into my walled garden. If I just want plain VPN access to my instances from wherever, then that’s when Tailscale really shines.
you want a load balancer for that use case. not a VPN. this article is about SSH not a public blog.
Why would I use someone elses tool to just do the same thing I have autossh running (in a script that gets restarted if it dies) doing? You can do this if you own a server on the net, or with a free tier at AWS/GCE/Azure. I feel, not sure, "dirty"? pulling down some client that I am unsure exactly what it is doing from cloudflare just to enable a reverse ssh tunnel.
Personally I’m happier to use wireguard to access my network. I don’t know when I’d ever want a pure SSH tunnelling solution.
Cloudflare Tunnel uses Wireguard under the hood.
Never heard of Wireguard, so I went to their website and for a half second. I thought I cracked the screen on my new phone, because of their freaking background image....

But, it looks interesting. I'll have to check it out more.

So easy to set up too with docker. You can even generate a QR code to easily set up a mobile device. You do need a domain name, DDNS, or a static IP and the ability to port forward from the router
WireGuard is great and is not too difficult to setup on something like a RPi. I have one running on my home network which lets me access my local network remotely, including access to my local media server. I have another one running at my parents' house for times when I need to RDS into their windows machines for troubleshooting, or if I need to tweak settings on their router. You can also configure your clients (phone, laptop) to forward all traffic through the tunnel, which then secures your connection for when you're over an untrusted/public wifi.
There was a Cloudflare article posted a couple of days ago, I'll post my comment which agrees with you, Wireguard and a cheap VPS are hard to beat: "Similar, I use a cheap AWS Lightsail VPS $3.50 (Lightsail has DDOS protection)-> Wireguard -> Apache Reverse Proxy mod -> my local services."
Wireguard, with dynamically-updated DNS resolution to a residential IP is very solid for a free tier and has the key benefit of zero third-party (i.e. not controlled by you) dependencies, other than the IP provider and the DNS resolver, which is a commodities business with low switching costs. Cloudflare is very nice and will be around for a long time, but it's still a third party dependency.

As it boils down, the OP's solution is "free" as in money but not as in freedom for a certain set of requirements.

Basically, going with CF trades-off some freedom for the considerable/legitimate protection benefits of being under the "cloudflare umbrella". It's probably a good trade for this moment in time. But rational people can disagree about whether it's a good trade when you broaden the time horizon to 5, 10, etc. years.

Like all things, it depends on the requirements you're building for.

I've been using tmate for quite a while and it works great, minimal setup needed.

Can anyone shed some light on the pros/cons of each?

Or just use a Tor Onion Service.
wasn't that the idea of ssh to begin with?
(comment deleted)
You mean, like just login to a server without going through layers of cloud providers? How would that work?

For real, I can't imagine running a straight port 22 ssh service on the modern internet, but I'm usually happy just moving it to an unprivileged port for obscurity on personal equipment (plus some other common sense hardening of course). For work stuff, I'd feel naked without some sort of VPN and it seems that's essentially what these services are.

With passwords disabled and just using key authentication, is there a big risk of just doing a straight port 22 ssh?

Genuine question, my knowledge of server security is low-to-middle.

I've seen servers get hit with so many ssh login attempts that it runs out of resources to respond, effectively DOSing ssh at least. Moving it to a high port usually cuts out all the chatter.
If you are all about self hosting, here’s my method (disclosure, I made this tool):

1. Run https://github.com/antoniomika/sish on any free tier instance or fly

2. On server, ssh -R anythinghere:22:localhost:22 sishinstance

3. On client, ssh -J anythinghere sishinstance

The tunnel is kept internal to sish, meaning it isn’t exposed to the open internet. You need to auth first to sish (using SSH) and then auth with your server (using SSH) as well before you can gain access.

You can get virtual server for $4/month. Installing proprietary software and registering to some service, that may "upgrade" to premium tier anytime, is pretty off-putting.
If they upgrade to premium tier, set up your virtual server then. Your total cost, $0 for the duration it's free + $4 * the rest is still lower than $4 * lifetime, and the cost for switching is only going to be marginal.
I get the thought, you can build something now that is guaranteed to have a fixed cost, or you can risk going with a free product that might surprise you, causing you to rush to replace the solution with a tight deadline.

Just look at all the people panicking with the free Google Workspace shutdown.

I can use virtual server for many things (backup, vpn, webservices...) not just port forwarding.

Cost of my time for reading contract and learning new proprietary tool is not worth it for several years.

Cloudflare is arguably better from big tech. But cost of deployment some binary package on confidential server, keeping up with their marketing bs, etc is simply not worth it.

If I have to spend an hour or two setting up each solution, I could pay $4 a month many years before I'd feel like it was worth doing that twice. You're not wrong, but I would gladly pay the monthly to only have to set it up once.
Why use a virtual server if you want to connect to your home network?
I have IPv6 at home with port 22 opened for one of my home server's IP's. But my work internet connection does not have IPv6 at all (lol) so I use one of my VPSes as a jump host.
My home network has a dynamic IP. I'm using a home-baked dynamic DNS thingie, but a virtual server with a fixed IP could work too. Would update for the new IP much faster now that I think about it.
Because in some countries, like .cz, it is pretty common that your home network is behind NAT, the ISP does not want to forward a port for you, and there is either no option to get a public IP or it costs $5 to $10/month and is a lengthy process to obtain (typical internet connection costs $20 to $30/month here).
My virtual server is $1.67 a month (buyvm.net)

My home firewall blocks all traffic except for incoming SSH from 3 IP addresses in the world. One of those is my virtual server.

If I'm in a hotel with my laptop I run the first command to set up an SSH tunnel to my "home" computer through the cloud virtual server. That listens on my laptop to port 8888 and forwards it through the cloud virtual server to my home computer's SSH daemon listening on port 22

ssh -X -f -C -L 8888:home.mydomain.com:22 -N user@cloud.mydomain.com

ssh -p 8888 user@localhost

I do the same thing! I'm hoping that some day hotels won't send every wireguard packet they see straight to the bit bucket. Until then I'm really grateful for ssh.
You can build a physical server for $500 once. Relying on proprietary hardware and registering to some service, that may "upgrade" to premium tier anytime, is pretty off-putting.
not trying to be difficult, but $500 seems like an odd price tier to end up in. If I was going cheap, I'd do something between a rock64/raspberry pi and an Intel Nuc. If I was going powerful, it would be north of $1,500 for sure. That decision would probably be based on what I was running on it. If it's a VPN, the rock64 would be plenty. < $50
You can also get a domain name for $4/year and completely own your content, but nobody does that either.
shameless self-promotion: https://sshreach.me

We have a ssh reverse-forwarding based solution. And unlike the Cloudflare solution you don't need to "give the keys of your house" (as someone here commented) to reach your private machines.

You can remotely open and close the tunnels through our web interface or our web API.

Plus, we have web API-based automated deployment solution if you have many clients.

“Your server creates a forwarding ssh tunnel to one of our publicly visible forwarding servers” seems like a huge risk for somebody else to own these “forwarding servers”. Worse than giving keys to your house? I dunno.
Your internal computer is still protected by password and/or public/private key-pairs, so even when the tunnel is open nobody can enter your computer without having those.

It is _your_ computer that makes connection to our servers, so you are in control of everything and there is literally nothing on our forwarding servers that would allow anybody to enter your computer.

This seems to be a cool service, I was actually thinking of creating something similar (but was deterred by the hassle of setting up billing and user management apart from the interesting technical stuff). I sometimes get asked by someone not owning a server/account they can use for ssh -R 0.0.0.0:1234:localhost:22, who are behind NAT and need to publish some service on the internet.

Why is the traffic rather limited? You seem to be hosting it on Linode and they offer like $5/TB traffic, I think you could easily offer several times more traffic, at least with the bigger plans.

Thanks, I was struggling to do this 2 weeks ago, since I use cloudflare tunnel for everything. Had to resort to another service. This will be super helpfull.
> By the end of this post, you'll be able to run: ssh $machine_name from anywhere ... a service by Cloudflare ... will filter traffic to your machines through Cloudflare's network, including authenticating you ... your machines won't directly be exposed to threat actors and "1337 haxors".

Won't they be exposed to CloudFlare?

CloudFlare CEO has personally said:

https://www.bizjournals.com/sanjose/news/2013/09/12/cloudfla...

that the company may be required to hand over data to the NSA, and would not be able to tell clients/users about it.

I use an SSH key to connect, so I assumed the traffic itself is end-to-end encrypted. However, I would like to be surer of this.
So will cloudflare be able to ssh into my machine from anywhere? I dunno I just use ssh to ssh into my machines works pretty well so far but I have only been using it for the past 20 years.
And then some people will come to rely on it, and then some will eventually get blocked due to protection rules misfiring, but it's all free service so not much point in blaming the company. Gmail story waiting to repeat?
I'm under the impression that this is against CloudFlare's ToS, otherwise I'd probably be doing it myself.

See section 2.8 "Limitation on Serving Non-HTML Content." of their subscriber agreement:

use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service.

Last I checked, SSH is non-html content. I even opened a support ticket with their support, specifically asking about SSH and other traffic and this is what I received: So if no matter what service you use, Once you breach this rule it will be applied.

EDIT: Looks like the CloudFlare CTO has clarified things below that this usage does not in fact violate the ToS.

That's for Cloudflare's CDN/reverse-proxy service.

This is the correct one for Cloudflare Tunnel: https://developers.cloudflare.com/cloudflare-one/connections...

This seems to be the license for cloudflared. But when you use cloudflared to create a tunnel via cloudflare network, aren't you also bound to Cloudflare's ToS because the software itself is useless without using the service provided by Cloudflare?
I am literally Cloudflare's CTO. I'm pretty sure I know that using Cloudflare Tunnel for SSH isn't a violation of our service.
best reply ever, totally made my day.
Thanks for the clarification! Might want to educate your support staff a bit more so they can provide the same clarification.

This was my assumption as well given the tutorials and such available on your site. I was confused though and so reached out for clarification.

Nobody thought you were figuratively cloudflares CTO.

“I’m literally never going to stop misusing this word.”

Hold up. I follow this space closely (I maintain the list of tunneling tools linked in OP). Everybody I've communicated with has been operating under the assumption that section 2.8 applies to Cloudflare Tunnel. See for example my post on another thread yesterday [0]. Are you saying this isn't the case? Is it even possible to use Tunnel without going through the CDN?

[0]: https://news.ycombinator.com/item?id=30259902

What I'm saying is we specifically allow people to use SSH with Cloudflare for Teams: https://developers.cloudflare.com/cloudflare-one/tutorials/s...

The original comment above implied that using SSH with Cloudflare Tunnel was somehow forbidden.

Ah ok I misread your comment as implying the CDN ToS doesn't apply to Tunnel. It doesn't if you aren't using it (ie SSH), in which case only the Tunnel ToS applies, but otherwise both apply.
It's not clear to me what is allowed. Would I risk a termination if I used the service to proxy ~500 GB per month of video content?

(I'm looking for a way to get around bad traffic shaping I get in the afternoon between two locations streaming live TV.)

It was strange reading this comment on Hacker News..

You will also find comments from CloudFlare folks here which suggests this use-case is sanctified.

Why not just run Wireguard on a raspberry pi, set up DDNS to send your home IP to a Dynamic DNS provider (if you're on a dynamic IP), and then SSH to your machines at home using keys (instead of passwords)?

Setting up a Pi and running the Wireguard install script is about half an hour of work.

If you're using ddns why do you need WireGuard at all?
I use a similar setup. The VPN is needed because it is the only port accessible outside my network. Wireguard is easy to setup right, and I already need it for accessing other stuff on my home network.
Wireguard needs an endpoint
If I understand GP correctly, the goal is to SSH into an RPi on a home network. Since they mention DDNS, it's implied that they're connecting directly to their home router. What I'm saying is why not port forward directly to the RPi?
Yes you are right. If just connecting to the Pi, port forwarding is fine (and I use this).

When adding more devices at home (IP cameras etc.) and not connecting just to the Pi then the Wireguard VPN comes in.

I knew cloudflared could support https but never knew it works with other protocol as well.

TIL `ProxyCommand cloudflared access ssh --hostname %h`

I assume in this way we can even host mincraft servers (or any binary TCP protocol service) with cloudflared?