Cloudflare Tunnels
Cloudflare Tunnels provide secure, outbound-only connections from internal machines to the internet without opening inbound firewall ports. Astradial uses tunnels for SSH access to the NUC and local development routing.
NUC Tunnel
| Property | Value |
|---|---|
| Name | astradial-nuc |
| Tunnel ID | f4e921cc-5b3b-4179-acfc-1ccfd3ccd308 |
| Hostname | nuc.astradial.com |
| Service | ssh://localhost:22 |
| Runs on | NUC (Debian) |
Configuration
The tunnel is configured at /etc/cloudflared/config.yml on the NUC:
```yaml
tunnel: f4e921cc-5b3b-4179-acfc-1ccfd3ccd308
credentials-file: /etc/cloudflared/f4e921cc-5b3b-4179-acfc-1ccfd3ccd308.json
ingress:
  - hostname: nuc.astradial.com
    service: ssh://localhost:22
  - service: http_status:404
```
Systemd Service
The tunnel runs as a systemd unit:
```bash
# Check status
sudo systemctl status cloudflared
# Restart
sudo systemctl restart cloudflared
# View logs
sudo journalctl -u cloudflared -f
```
The service starts automatically on boot.
Known Issue: Cloudflare Access Blocking SSH
Access Policy Conflict
If a Cloudflare Access application/policy exists on nuc.astradial.com, SSH connections will fail with a 302 redirect to the Access login page. This happens because Access intercepts all traffic to the hostname, including non-HTTP SSH sessions proxied through the tunnel.
Resolution: Either remove the Access application for nuc.astradial.com entirely, or add a bypass rule for non-HTTP protocols. The simplest fix is to not attach any Access policy to this hostname.
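One way to confirm the condition described above from a client machine, as an added example that is not part of the original page: classify the HTTP response headers for the hostname and report whether the redirect points at an Access login page. The function names, the constructed sample headers, and the assumed login URL shape (a `*.cloudflareaccess.com` host or a `/cdn-cgi/access/login` path) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): decide from HTTP response
# headers whether Cloudflare Access is intercepting a tunnel hostname.
# Assumption: the Access login URL is on *.cloudflareaccess.com or uses a
# /cdn-cgi/access/login path.

# Reads raw response headers on stdin and prints one verdict:
#   access-redirect | other-redirect | no-redirect | no-response
classify_headers() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        status == "" && $1 ~ /^HTTP/ { status = $2; next }
        tolower($1) == "location:" && loc == "" { loc = tolower($2) }
        END {
            if (status == "") { print "no-response"; exit }
            if (status !~ /^30[12378]$/) { print "no-redirect"; exit }
            split(loc, part, "/")               # part[3] = host of an absolute URL
            if (part[3] ~ /\.cloudflareaccess\.com$/ ||
                index(loc, "/cdn-cgi/access/login") > 0)
                print "access-redirect"
            else
                print "other-redirect"
        }
    '
}

# Live check (needs network), e.g.: check_host nuc.astradial.com
check_host() {
    curl -sI --max-time 10 "https://$1" | classify_headers
}

# Constructed sample headers so the example runs offline.
SAMPLE_BLOCKED='HTTP/2 302
location: https://example-team.cloudflareaccess.com/cdn-cgi/access/login/nuc.astradial.com?kid=CONSTRUCTED
server: cloudflare'
SAMPLE_CLEAR='HTTP/2 502
server: cloudflare'
SAMPLE_OTHER='HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/'

for sample in "$SAMPLE_BLOCKED" "$SAMPLE_CLEAR" "$SAMPLE_OTHER"; do
    printf '%s\n' "$sample" | classify_headers
done
```

A verdict of `access-redirect` for the SSH hostname means an Access application is attached to it and the resolution above applies.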
Mac Development Tunnel
A second tunnel (mac-dev-tunnel) runs on the development MacBook for local testing.
| Property | Value |
|---|---|
| Name | mac-dev-tunnel |
| Hostnames | test.astradial.com, test-lite.astradial.com, local.astradial.com |
| Runs on | MacBook (development) |
This tunnel routes the test, test-lite, and local subdomains to services running on localhost during development.
Client Setup (Connecting to NUC via SSH)
Install cloudflared
```bash
# macOS
brew install cloudflared
# Debian/Ubuntu
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg \
  | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] \
https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" \
  | sudo tee /etc/apt/sources.list.d/cloudflared.list
sudo apt update && sudo apt install cloudflared
```
SSH Config
Add the following to ~/.ssh/config on your local machine:
```
Host nuc
    HostName nuc.astradial.com
    User <your-user>
    ProxyCommand cloudflared access ssh --hostname %h
```
Then connect with:
Note
The first time you connect, cloudflared may open a browser for Cloudflare authentication (if Access is configured). Subsequent connections use a cached token.