hans

Using the Zero Trust tunnels provided by Cloudflare to reach servers on a private network from outside (what is often called "intranet penetration").

Two uses are covered here: SSH access to an internal server, and exposing an internal web service to the public internet.

  1. Prerequisites
    I won't go into detail here. You need your own domain name, and it must be hosted on Cloudflare. After logging in to Cloudflare, select Zero Trust in the left sidebar, define a team name, and choose the free plan.

  2. SSH
    In the Zero Trust interface, click Access -> Tunnels -> Create a tunnel.

Name: Any name you like.

I recommend using Docker for installation, as it is convenient and easy to manage.

However, the Docker command shown in the dashboard needs to be modified.

docker run -d cloudflare/cloudflared:latest tunnel --protocol auto --no-autoupdate run --token xxxxxxxxx

Add -d after docker run so the container runs in the background and the tunnel does not stop when you close the terminal. Add --protocol auto after tunnel. After running this on the intranet server, you can check that the container is up with docker ps. After --token, paste the token that belongs to this tunnel.

Then go back to the Zero Trust page and click Next (or, if you have left the wizard, click the tunnel you just created), then Public Hostname -> Add a public hostname. Enter the subdomain under Subdomain, select your top-level domain under Domain, and leave Path blank. Select SSH as the Type, and for URL enter the LAN IP address and SSH port of the intranet server. Finally, click Save hostname.

At this point the intranet server and the dashboard are configured, but the client side still needs an SSH configuration entry:

vim ~/.ssh/config
# Add the following
Host *.xxx.xxx
    ProxyCommand /opt/homebrew/bin/cloudflared access ssh --hostname %h

Replace xxx.xxx with your top-level domain; the * wildcard matches every subdomain, which covers the case where several servers need to be reached through tunnels.

By now, your client should be able to successfully SSH to your intranet server using the subdomain you defined.
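The client-side step above as a small reusable script (an added example, not code from the original post): it writes the ProxyCommand block for one apex domain only once, and tightens the config file's permissions, which ssh insists on. It assumes cloudflared is installed at the Homebrew path used in the post; set CLOUDFLARED_BIN to override.

```shell
#!/bin/sh
# Added example, not part of the original post: idempotently add the
# cloudflared ProxyCommand block for one apex domain to an SSH config file.
# Assumption: cloudflared lives at the Homebrew path used in the post.
CLOUDFLARED_BIN="${CLOUDFLARED_BIN:-/opt/homebrew/bin/cloudflared}"

# Print the Host block from the post for an apex domain such as example.com.
# The absolute binary path avoids resolving cloudflared through $PATH.
ssh_config_block() {
  printf 'Host *.%s\n    ProxyCommand %s access ssh --hostname %%h\n' "$1" "$CLOUDFLARED_BIN"
}

# Append the block to a config file (default ~/.ssh/config) unless a
# "Host *.<domain>" entry already exists.
# Exit status: 0 added, 1 already present, 2 invalid domain.
ensure_ssh_config() {
  domain="$1"
  cfg="${2:-$HOME/.ssh/config}"
  # Accept only dotted labels of letters, digits and hyphens, so no
  # wildcard, space or path can slip into the Host pattern.
  printf '%s' "$domain" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$' || return 2
  mkdir -p "$(dirname "$cfg")"
  [ -f "$cfg" ] || : > "$cfg"
  grep -q "^Host \*\.$domain\$" "$cfg" && return 1
  {
    # Separate from any existing entries with a blank line.
    [ -s "$cfg" ] && printf '\n'
    ssh_config_block "$domain"
  } >> "$cfg"
  # ssh refuses a config file that is writable by other users.
  chmod 600 "$cfg"
  return 0
}

# Count the Host entries for a domain in a config file (checks idempotency).
ssh_config_entries() {
  grep -c "^Host \*\.$1\$" "$2"
}

# Usage: ensure_ssh_config example.com && ssh user@server.example.com
```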

  3. Web Services
    The steps are the same as above, except that Type, URL and port are chosen to match the service being exposed. The SSH client configuration does not need to be modified.