Chas’s Remote Terminal Install
This documents the specific remote terminal setup on Chas Watkins’ laptop (Vivo Pro 15), completed 2026-02-12. This is a reference for troubleshooting and recovery — not a general guide (see the Developer Guide for that).
Machine Details
| Item | Value |
|---|---|
| Machine | Vivo Pro 15 |
| OS | Ubuntu 24.04.3 LTS (amd64) |
| User | chas-watkins |
| Hostname | vivo-pro-15-cw |
Cloudflare Configuration
| Item | Value |
|---|---|
| Domain | ssh.ipnoelp.com |
| Cloudflare Account | chas@omelasai.com (dashboard login) |
| Account ID | 896d280b76d5f879b1907385d16023eb |
| Zone | ipnoelp.com |
| Zone ID | ad0498c43019a36e1fd54ff9496dd94b |
| Tunnel Name | laptop-ssh |
| Tunnel ID | 3aba34f7-27ed-4ce5-8713-838f4f49d64c |
Access Application
| Item | Value |
|---|---|
| App Name | Laptop SSH |
| App ID | 086e4718-29ca-4b73-a0c5-a0db050723b8 |
| App Type | SSH (browser-rendered) |
| Session Duration | 30 days (720h) |
| AUD Tag | 27e97be3afd3bad4657d2876ff0f10935d41dc3c5ef5b548427f2bf37842f215 |
Access Policy
| Item | Value |
|---|---|
| Policy Name | Allow Chas |
| Policy ID | dac1b318-b61b-4c7b-b09c-70dfe234fc49 |
| Decision | Allow |
| Include | Email: chas@omelasai.com, chas@lifeonroatan.com |
SSH Certificate Authority
| Item | Value |
|---|---|
| CA ID | f885e7d0f35f99ec3e2001aa2f76a202c14a480064563679 |
| Public Key | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEFyKK4Bi/uIZs9zf3WtYhKo4L2HVjGFuCVoD6c/JJVFCh+BJz4sWhf86EDPDUpN605eVP1+G2Zd4kbSdMiH7kA= |
| Location on disk | /etc/ssh/cf_ca.pub (also legacy copy at /etc/ssh/ca.pub) |
Local File Locations
| File | Path |
|---|---|
| Cloudflared credentials | ~/.cloudflared/3aba34f7-27ed-4ce5-8713-838f4f49d64c.json |
| Cloudflared config | ~/.cloudflared/config.yml |
| Cloudflared cert | ~/.cloudflared/cert.pem |
| SSH CA public key | /etc/ssh/cf_ca.pub |
| SSH principals file | /etc/ssh/cf_principals |
| Cloudflare API token | ~/.cloudflared/.env (CF_ACCESS_API_TOKEN, expires 2026-04-01) |
| tmux config | ~/.tmux.conf |
| Setup script | ~/setup-remote-terminal.sh |
| SSH cert setup script | ~/setup-ssh-certs.sh |
| SSH config fix script | ~/fix-ssh-config.sh |
Cloudflared Tunnel Config
File: ~/.cloudflared/config.yml
tunnel: 3aba34f7-27ed-4ce5-8713-838f4f49d64c
credentials-file: /home/chas-watkins/.cloudflared/3aba34f7-27ed-4ce5-8713-838f4f49d64c.json
ingress:
  - hostname: ssh.ipnoelp.com
    service: ssh://localhost:22
  - service: http_status:404
Systemd Services
cloudflared-tunnel.service
Runs the Cloudflare tunnel as user chas-watkins. Auto-restarts on failure.
[Unit]
Description=Cloudflare Tunnel (laptop-ssh)
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=chas-watkins
ExecStart=/usr/bin/cloudflared tunnel --config /home/chas-watkins/.cloudflared/config.yml run laptop-ssh
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
tmux-claude.service
Creates a tmux session named “claude” on boot. Multiple clients can attach simultaneously.
[Unit]
Description=tmux "claude" session (always-on)
After=network.target
[Service]
Type=forking
User=chas-watkins
ExecStart=/usr/bin/tmux new-session -d -s claude
ExecStop=/usr/bin/tmux kill-session -t claude
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
tmux Configuration
File: ~/.tmux.conf
set -g mouse on
set -g history-limit 50000
set -g default-terminal "screen-256color"
setw -g aggressive-resize on
set -g status-right '#[fg=green]#H #[fg=yellow]#S'
Key setting: aggressive-resize on allows multiple clients at different screen sizes without forcing the smallest size on everyone.
SSH Server Modifications
Added to /etc/ssh/sshd_config:
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/cf_ca.pub
# Cloudflare Access short-lived certificates
Match User chas-watkins
AuthorizedPrincipalsFile /etc/ssh/cf_principals
Principals file (/etc/ssh/cf_principals):
chas@omelasai.com
chas@lifeonroatan.com
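This enables passwordless SSH login when connecting through Cloudflare Access: Cloudflare issues a short-lived certificate signed by its CA, sshd trusts that CA through TrustedUserCAKeys, and for the chas-watkins user it accepts a certificate only if one of its principals is listed in /etc/ssh/cf_principals.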
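For troubleshooting, the settings above can be checked against what sshd actually applies. This is an added example, not one of the laptop's setup scripts; the function names and the sample dump are constructed for illustration, and the expected values are the ones listed on this page.

```shell
#!/bin/sh
# Added example, not one of the laptop's setup scripts. Expected values are
# the ones documented on this page.

# check_sshd_dump DUMP: DUMP is the text printed by `sshd -T`, which lists
# effective settings as lowercase "keyword value" lines.
check_sshd_dump() {
    rc=0
    while read -r key want; do
        got=$(printf '%s\n' "$1" | awk -v k="$key" \
            '$1 == k { sub(/^[^ ]+ /, ""); print; exit }')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want '$want', got '${got:-unset}'"
            rc=1
        fi
    done <<'EOF'
pubkeyauthentication yes
trustedusercakeys /etc/ssh/cf_ca.pub
authorizedprincipalsfile /etc/ssh/cf_principals
EOF
    return "$rc"
}

# check_principals FILE: FILE must list exactly the two addresses from the
# Access policy; sshd ignores blank lines and '#' comments in this file.
check_principals() {
    want=$(printf '%s\n' chas@lifeonroatan.com chas@omelasai.com)
    have=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | sort -u)
    [ "$have" = "$want" ]
}

# Constructed sample: the CA path has drifted back to the legacy copy.
SAMPLE_DUMP='port 22
pubkeyauthentication yes
trustedusercakeys /etc/ssh/ca.pub
authorizedprincipalsfile /etc/ssh/cf_principals'
if ! check_sshd_dump "$SAMPLE_DUMP"; then echo "sshd settings drifted"; fi

# On the laptop itself (needs root to read the host keys):
#   check_sshd_dump "$(sudo sshd -T -C user=chas-watkins)"
#   check_principals /etc/ssh/cf_principals
```

An extra line in the principals file matters as much as a missing one, because any principal listed there is allowed to log in as chas-watkins with a certificate from the trusted CA.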
How to Use
From the laptop
tmux attach -t claude
From phone (or any browser)
- Open https://ssh.ipnoelp.com
- If session expired (every 30 days): enter chas@omelasai.com, get OTP code from email, enter code
- SSH login is automatic (short-lived certificate — no password needed)
- Run: tmux attach -t claude
Both devices now share the same terminal session in real time.
Important: Never detach others
Always use tmux attach -t claude (no -d flag). The -d flag detaches other clients, which defeats the purpose of simultaneous multi-device access.
Service Management
# Check all services
systemctl status cloudflared-tunnel
systemctl status tmux-claude
systemctl status ssh
# Restart tunnel
sudo systemctl restart cloudflared-tunnel
# Restart tmux session
sudo systemctl restart tmux-claude
# View tunnel logs
journalctl -u cloudflared-tunnel -f
# List tmux sessions
tmux list-sessions
# List clients attached to the claude session
tmux list-clients -t claude
Cloudflare API Token
Two tokens exist for managing this setup:
Token 1: “Claude CLI” (original setup, tunnel management)
- Stored in: ~/.cloudflared/cert.pem (encoded in the Argo tunnel token)
- Permissions: Tunnel management, DNS
Token 2: “access-management” (Access API)
- Stored in: ~/.cloudflared/.env as CF_ACCESS_API_TOKEN
- Expires: 2026-04-01
- Permissions:
| Permission | Scope |
|---|---|
| Account > Access: Apps and Policies | Edit |
| Account > Access: Service Tokens | Edit |
Used by Claude Code to manage Access Applications, policies, session duration, and short-lived certificates.
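Because the access-management token can edit the Access policy that gates this SSH endpoint, the files holding it and the tunnel credentials are worth auditing together with the expiry date. The following is an added example, not one of the laptop's own scripts; the function names, the owner-only mode check and the 14-day warning window are assumptions of the example, and it relies on GNU date and stat as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example, not one of the laptop's own scripts.

# days_left EXPIRY TODAY: whole days from TODAY to EXPIRY (YYYY-MM-DD),
# computed in UTC so daylight-saving changes do not shift the count.
days_left() {
    echo $(( ($(date -u -d "$1" +%s) - $(date -u -d "$2" +%s)) / 86400 ))
}

# loose_mode FILE: succeed and print a finding if group or others have any
# permission bit on FILE (assumed policy: owner-only, e.g. 600).
loose_mode() {
    mode=$(stat -c %a "$1") || return 2
    case $mode in
        *00) return 1 ;;
        *)   echo "$1 has mode $mode, expected 600"; return 0 ;;
    esac
}

# audit_secrets DIR EXPIRY TODAY: check the token file, tunnel cert and
# credentials JSON in DIR, and warn when the token is within 14 days of
# expiry (assumed window). Returns the number of findings.
audit_secrets() {
    problems=0
    for f in "$1"/.env "$1"/cert.pem "$1"/*.json; do
        [ -e "$f" ] || continue
        if loose_mode "$f"; then problems=$((problems + 1)); fi
    done
    left=$(days_left "$2" "$3")
    if [ "$left" -lt 14 ]; then
        echo "CF_ACCESS_API_TOKEN expires in $left days"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run against the real directory with the expiry date documented above.
audit_secrets "$HOME/.cloudflared" 2026-04-01 "$(date -u +%F)" || true
```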
Recovery After Reboot
Everything auto-starts via systemd. After a reboot, allow ~30 seconds for the tunnel to reconnect to Cloudflare. Verify with:
systemctl is-active cloudflared-tunnel ssh tmux-claude
All three should report active.