CLI Companion


The `cloudflared access tcp` command (also reachable as `cloudflared access ssh`, `rdp` and `smb`, which are aliases of the same subcommand) connects a client on your machine to a TCP application protected by Cloudflare Access. After authenticating you to Access, it either listens on a local port and forwards every connection made to that port through Cloudflare's edge to the application, or relays a single connection over its own stdin/stdout so it can serve as an SSH `ProxyCommand`. Access policies are evaluated at Cloudflare's edge before anything reaches the origin, so the origin never sees an unauthenticated connection. The TCP payload itself (the SSH, RDP or database protocol) is carried through unchanged: Access authenticates the user to Cloudflare, it does not authenticate the server to the user, so host keys and TLS certificates still have to be checked by the client as usual.

Syntax

```bash
cloudflared access tcp --hostname <application-hostname> --url <local-host:port> [OPTIONS]
```

or, omitting `--url`, in stdio mode (typically from an SSH `ProxyCommand`):

```bash
cloudflared access tcp --hostname <application-hostname> [OPTIONS]
```

Arguments and Options

* `--hostname <application-hostname>`: The hostname of the Access application, i.e. the public hostname the application was published under. Required.

* `--url <local-host:port>`: The local address `cloudflared` binds to. Connections made to this address (for example `localhost:2222`) are forwarded to the application. Bind to a loopback address only: the listener performs no authentication of its own, so anything that can reach it uses your Access session. Without `--url`, `cloudflared` relays stdin/stdout instead of opening a listener.

* `--destination <ip:port>`: (Optional) Address of the origin behind the Access application; the command's own help describes it as the destination address of your SSH server. Leave it unset unless the application is configured to route on it.

* `--header <name:value>` (`-H`): (Optional) Additional HTTP header(s) to send with the request to Cloudflare's edge. May be repeated.

* `--service-token-id <id>` and `--service-token-secret <secret>`: (Optional) Authenticate with an Access service token instead of an interactive browser login, for automation such as CI jobs or cron. `cloudflared` sends them as the `CF-Access-Client-Id` and `CF-Access-Client-Secret` headers. Both can also be supplied through the `TUNNEL_SERVICE_TOKEN_ID` and `TUNNEL_SERVICE_TOKEN_SECRET` environment variables, which keeps the secret out of the process list and shell history.

* `--loglevel <level>`: (Optional) Logging level (`debug`, `info`, `warn`, `error`, `fatal`). Default is `info`.

Usage Examples

#### 1. Connecting to an SSH server

Suppose an SSH server is published through Cloudflare Access as `ssh.example.com`.

```bash
cloudflared access tcp --hostname ssh.example.com --url localhost:2222
```

`cloudflared` now listens on `localhost:2222` (opening a browser for the Access login the first time). Connect with:

```bash
ssh -p 2222 user@localhost
```

OpenSSH records the host key under `[localhost]:2222`, so verify the fingerprint out of band on first use, or add `-o HostKeyAlias=ssh.example.com` so the key is recorded and checked under the real hostname.

#### 2. Connecting to a PostgreSQL database

If a PostgreSQL database is protected by Cloudflare Access under `postgres.example.com`:

```bash
cloudflared access tcp --hostname postgres.example.com --url localhost:5433
```

Then connect with your PostgreSQL client:

```bash
psql -h localhost -p 5433 -U your_user -d your_database
```

Access authenticates you to Cloudflare, not the database to you, so keep TLS enabled between `psql` and the server (`sslmode=require` or stricter) exactly as you would without the proxy.

#### 3. Stdio mode as an SSH `ProxyCommand`

Equivalent to example 1 without a local port: with no `--url`, `cloudflared` relays the connection over its stdin/stdout, and OpenSSH substitutes the target hostname for `%h`.

```bash
ssh -o ProxyCommand="cloudflared access ssh --hostname %h" user@ssh.example.com
```

This is the preferred form for SSH: nothing listens on the machine, and the host key is recorded under `ssh.example.com` rather than `[localhost]:2222`. The same line can live in `~/.ssh/config` as a `ProxyCommand` entry for hosts you use regularly.

#### 4. Binding the listener to an explicit address

`localhost` may resolve to `::1` or `127.0.0.1` depending on the resolver; naming the address removes the ambiguity:

```bash
cloudflared access tcp --hostname ssh.example.com --url 127.0.0.1:2222
```

Never bind to `0.0.0.0` or a LAN address here: every host that can reach the port would tunnel into the application under your identity, with no further check.

#### 5. Supplying the origin address explicitly

Some deployments need `cloudflared` to name the origin, for example an SSH server at the private address `10.0.0.50:22` behind the application `ssh.example.com`:

```bash
cloudflared access tcp --hostname ssh.example.com --destination 10.0.0.50:22 --url localhost:2222
```

Local connections to `localhost:2222` are forwarded through Access with `10.0.0.50:22` passed as the destination.
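The examples above start the listener in one terminal and the client in another by hand. The script below is an added example, not code from this page or from cloudflared itself: it wraps that procedure with the checks a practitioner wants (refuse to bind anywhere but loopback, wait until the listener actually accepts connections before launching the client, tear the listener down afterwards) and shows the two client-side host-authentication settings the examples leave out, `HostKeyAlias` for `ssh` and `hostaddr` for `psql`, which let the client verify the real server identity while connecting to the local port. The hostnames, ports, user `alice` and database `app` are assumed values, and the port probe relies on bash's `/dev/tcp`.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from cloudflared): run a client through a
# short-lived `cloudflared access tcp` listener with the checks a practitioner wants.
# Assumed values: ssh.example.com / postgres.example.com, ports 2222 / 5433,
# user "alice", database "app".
set -eu

# Return 0 if host:port names a loopback address, 1 otherwise. The listener does
# no authentication of its own, so anything that reaches it rides your session.
is_loopback_listener() {
  local host=${1%:*}
  case "$host" in
    localhost|127.*|::1|\[::1\]) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the cloudflared command line for an app hostname and local listener,
# refusing non-loopback listeners outright.
access_tcp_cmd() {
  local app=$1 listener=$2
  is_loopback_listener "$listener" || {
    echo "refusing non-loopback listener $listener" >&2
    return 1
  }
  printf 'cloudflared access tcp --hostname %s --url %s\n' "$app" "$listener"
}

# Poll until host:port accepts a TCP connection, or give up after $3 seconds.
# Uses bash's /dev/tcp so no netcat is needed.
wait_for_port() {
  local host=$1 port=$2 timeout=${3:-15} i=0
  while [ "$i" -lt "$timeout" ]; do
    if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then return 0; fi
    sleep 1; i=$((i + 1))
  done
  return 1
}

# Start the listener, wait for it, run the client, kill the listener on exit.
run_through_access() {
  local app=$1 listener=$2; shift 2
  local cmd pid
  cmd=$(access_tcp_cmd "$app" "$listener")
  $cmd &                      # first run opens the browser for the Access login
  pid=$!
  trap "kill $pid 2>/dev/null" EXIT
  wait_for_port "${listener%:*}" "${listener##*:}" 15 || {
    echo "listener never came up" >&2
    return 1
  }
  "$@"                        # the client command, with the listener in place
}

if [ "$#" -gt 0 ]; then
  case "$1" in
    ssh)
      # HostKeyAlias records and checks the host key under the real hostname,
      # not under [localhost]:2222.
      run_through_access ssh.example.com 127.0.0.1:2222 \
        ssh -p 2222 -o HostKeyAlias=ssh.example.com alice@localhost
      ;;
    psql)
      # hostaddr makes libpq connect to the local listener while still
      # verifying the server certificate against the real hostname.
      run_through_access postgres.example.com 127.0.0.1:5433 \
        psql "host=postgres.example.com hostaddr=127.0.0.1 port=5433 sslmode=verify-full user=alice dbname=app"
      ;;
  esac
fi
```

Run it as `./access-client.sh ssh` or `./access-client.sh psql`; the `EXIT` trap makes sure the listener does not outlive the client session it was started for.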

Explanation

When you run `cloudflared access tcp`, it performs the following steps:

1. **Authentication**: `cloudflared` looks for a cached Access token for the hostname under `~/.cloudflared/`. If there is none, it opens a browser for the Access login flow (the same flow as `cloudflared access login <hostname>`) and caches the resulting JWT. With `--service-token-id` and `--service-token-secret` the browser step is skipped and the service-token headers are sent instead.

2. **Local listener**: With `--url`, `cloudflared` binds a TCP listener on that host:port. Without it, its own stdin/stdout serve as the single connection.

3. **Connection to the edge**: For each accepted connection it opens a TLS-protected WebSocket to Cloudflare's edge for the application hostname, presenting the Access token. The edge validates the token against the application's Access policy and, only if the policy allows, forwards the connection to the origin, typically through the Cloudflare Tunnel that publishes it.

4. **Traffic forwarding**: Bytes are relayed in both directions between the local connection and the origin until either side closes. Cloudflare does not interpret the payload, so the end-to-end protections of the carried protocol (SSH host-key checks, database TLS) remain the client's responsibility.

This lets you reach internal TCP services (SSH, RDP, databases, Kubernetes APIs) without exposing them to the public internet or running a traditional VPN: the origin is only reachable through the tunnel, and the Access policy decides which users or groups may open connections. The cached token expires after the session duration configured on the Access application, after which `cloudflared` opens the browser for a fresh login; service tokens are the way to keep unattended jobs running past that point.
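Step 1 caches a JWT on disk, and `cloudflared access token --app=<url>` prints the cached token for an application. The script below is an added example, not code from this page or from cloudflared: it decodes that token to show which identity it carries and when it expires, which is the first thing to check when a tcp session that worked yesterday suddenly re-prompts or is refused. Decoding is not verification, only Cloudflare's edge checks the signature; this tool merely reads claims. The application URL is an assumed value, and the sample token built inside the script is constructed for the demonstration (header and payload only, with a placeholder signature).

```shell
#!/usr/bin/env bash
# Added example (not from the page or from cloudflared): inspect the Access JWT
# that `cloudflared access token --app=<url>` returns, without jq.
set -eu

# base64url -> raw bytes, restoring the '=' padding that JWT segments drop.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
  local payload=${1#*.}
  payload=${payload%%.*}
  b64url_decode "$payload"
}

# Extract a numeric claim (exp, iat, nbf) from a payload string.
jwt_num_claim() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# Extract a string claim (email, sub, iss) from a payload string.
jwt_str_claim() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# 0 if the token's exp is at or before $2 (default: now); a token with no exp
# is treated as expired rather than as valid forever.
jwt_expired() {
  local tok=$1 now=${2:-$(date +%s)} exp
  exp=$(jwt_num_claim "$(jwt_payload "$tok")" exp)
  [ -z "$exp" ] && return 0
  [ "$exp" -le "$now" ]
}

# Constructed sample token for the demonstration: not a real Access token, the
# claims are made up and "sig" stands in for the signature segment.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'; }
SAMPLE_PAYLOAD='{"aud":["a1b2c3"],"email":"alice@example.com","exp":1700000000,"iat":1699990000,"iss":"https://example.cloudflareaccess.com","sub":"u-1"}'
SAMPLE_JWT="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode "$SAMPLE_PAYLOAD").sig"

# Real use: pull the cached token for an application and report on it.
inspect_app_token() {
  local app=$1 tok payload
  tok=$(cloudflared access token --app="$app")
  payload=$(jwt_payload "$tok")
  printf 'identity: %s\n' "$(jwt_str_claim "$payload" email)"
  printf 'issuer:   %s\n' "$(jwt_str_claim "$payload" iss)"
  printf 'expires:  %s\n' "$(jwt_num_claim "$payload" exp)"
  if jwt_expired "$tok"; then
    echo "token expired; run: cloudflared access login $app" >&2
    return 1
  fi
}

if [ "$#" -gt 0 ]; then
  inspect_app_token "$1"      # e.g. ./access-token-check.sh https://ssh.example.com
fi
```

The `exp` claim is the session deadline that Access enforces; comparing it against the clock before starting a long database session avoids being cut off mid-transaction, and the `email` claim confirms the session belongs to the identity you expect when several accounts are in use.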