mscdex/ssh2

Cloudflare Zero Trust tunnel.

mediwg opened this issue · 3 comments

Hi,

I am experiencing an issue when trying to connect to a device using the ssh2 package in my Node.js (client) application. The device is behind a Cloudflare Zero Trust Tunnel. While I can successfully connect using a terminal SSH client, the connection fails when using the ssh2 package.

I followed the Cloudflare setup instructions on both machines as outlined here: Cloudflare Zero Trust Tunnel SSH Setup. As mentioned, it works perfectly in a normal terminal but not with ssh2.

Additionally, when I use a direct IP connection, ssh2 works. However, in production, I do not have access to the IP and must use the Cloudflare Zero Trust Tunnel.

Details:

  • Package Version: "ssh2": "^1.15.0"
  • Node.js Version: v20.12.2
  • Operating System (client side): macOS
  • Operating System (server side): Raspberry Pi

Steps to Reproduce:

  1. Set up a device behind a Cloudflare Zero Trust Tunnel.
  2. Attempt to connect to the device using the ssh2 package with the above code.
  3. Observe that the connection fails, while the terminal SSH client works.

Additional Context:

  • I have verified that the device is accessible and that the credentials are correct by connecting through a terminal SSH client.
  • The issue seems specific to Cloudflare, as connecting to devices not behind Cloudflare works with the ssh2 package.
  • I have checked firewall settings and confirmed that the SSH port is open.

Is there a known issue with ssh2 when connecting to devices protected by Cloudflare Zero Trust Tunnel? Are there any workarounds or configurations that might resolve this issue?

What does "the connection fails" mean? Is connection rejected outright? Is there a timeout? Is there an authentication error? Something else?

What is the output when setting debug: console.log in your connection config object? In the event of a handshake error, that will tell you what each side is offering and show you what you may need to add to your algorithms config option in order to connect (provided ssh2 supports the missing algorithms).

Custom crypto binding available
Local ident: 'SSH-2.0-ssh2js1.15.0'
Client: Trying ssh........tech on port 22 ...
node:events:496
      throw er; // Unhandled 'error' event
      ^

Error: Timed out while waiting for handshake
    at Timeout._onTimeout (....../ssh2/lib/client.js:1116:23)
    at listOnTimeout (node:internal/timers:573:17)
    at process.processTimers (node:internal/timers:514:7)
Emitted 'error' event on Client instance at:
    at Timeout._onTimeout (....../ssh-backend/node_modules/ssh2/lib/client.js:1118:16)
    at listOnTimeout (node:internal/timers:573:17)
    at process.processTimers (node:internal/timers:514:7) {
  level: 'client-timeout'
}

If that's all you're getting then the TCP connection is not being established. That suggests whatever SSH client that is currently working for you has some special/different configuration that needs to be replicated with ssh2.
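One way to replicate that client-side configuration, as an added example that is not code from this thread or from the ssh2 project: it assumes the working terminal client reaches the device through an OpenSSH `ProxyCommand` that runs `cloudflared access ssh --hostname %h` (the page does not show that config), and that `cloudflared` is on the PATH. The function names, `ssh.example.com`, the username and the key path are placeholders; `sock` is ssh2's option for supplying an existing stream instead of opening a TCP connection.

```javascript
const { spawn } = require('node:child_process');
const { Duplex } = require('node:stream');

// Run a proxy command and expose its stdin/stdout as a single duplex stream,
// the same plumbing OpenSSH sets up for ProxyCommand.
function proxyCommandSocket(command, args) {
  const child = spawn(command, args, { stdio: ['pipe', 'pipe', 'inherit'] });
  const sock = Duplex.from({ writable: child.stdin, readable: child.stdout });
  // Report a missing binary or a failed proxy right away rather than
  // leaving the caller to wait for a handshake timeout.
  child.once('error', (err) => sock.destroy(err));
  child.once('exit', (code) => {
    if (code) sock.destroy(new Error(`${command} exited with code ${code}`));
  });
  // Do not leave the proxy process running after the SSH session ends.
  sock.once('close', () => child.kill());
  return sock;
}

// Hypothetical helper: hand the proxied stream to ssh2 through `sock`.
function connectViaCloudflared(hostname, auth) {
  const { Client } = require('ssh2'); // loaded here so the helper above has no dependency
  const conn = new Client();
  // Without an 'error' listener, a timeout is thrown as the
  // "Unhandled 'error' event" seen in the debug output.
  conn.on('error', (err) => console.error('ssh2 error:', err.message));
  conn.connect({
    sock: proxyCommandSocket('cloudflared', ['access', 'ssh', '--hostname', hostname]),
    readyTimeout: 30000, // the proxy may need time to authenticate
    debug: console.log,
    ...auth,
  });
  return conn;
}

// Usage with placeholder values:
// const fs = require('node:fs');
// const conn = connectViaCloudflared('ssh.example.com', {
//   username: 'pi',
//   privateKey: fs.readFileSync('/path/to/private_key'),
// });
// conn.on('ready', () => conn.exec('uptime', (err, stream) => {
//   if (err) throw err;
//   stream.on('data', (d) => process.stdout.write(d)).on('close', () => conn.end());
// }));
```

With `sock` set, ssh2 does not open its own TCP connection, so any `host` and `port` values are not what carries the session.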