DocHub / Remote Terminal Access

Remote Terminal Access

Browser-based SSH via Cloudflare Tunnel with simultaneous multi-device tmux sessions

Connection Architecture

Traffic flows through Cloudflare's network — no ports are opened on the machine. The tunnel is outbound-only.

Phone Browser
ssh.ipnoelp.com
HTTPS
Cloudflare Access
OTP auth + short-lived certs
tunnel
cloudflared
tunnel daemon
:22
SSH Server
localhost only
Laptop Terminal
tmux attach -t claude
local
tmux session "claude"
Shared by both devices
SSH
Phone SSH Session
tmux attach -t claude

Multi-Device Session Flow

Both devices attach to the same tmux session. Typing on one appears on the other in real time.

Phone (Browser SSH)
1. Open https://ssh.ipnoelp.com
2. Cloudflare OTP — email + code every 30 days
3. SSH login — automatic via short-lived certificate passwordless
4. tmux attach -t claude
Laptop (Local Terminal)
1. Open any terminal
2. No auth needed local
3. No SSH needed local
4. tmux attach -t claude
Both devices share tmux session "claude" in real time
Critical: Always use tmux attach -t claude (no -d flag). The -d flag detaches all other clients.

Security Model

Three layers of security protect the SSH server. No ports are exposed to the internet.

1
Cloudflare Access — Only authenticated emails can reach the SSH server. OTP verification with 30-day session cache.
2
SSH Authentication — Cloudflare short-lived certificates provide automatic passwordless login. No SSH password transmitted over the network.
3
No Open Ports — The cloudflared tunnel is outbound-only. No firewall ports exposed. No direct SSH access from the internet.

Services & Boot Persistence

Three systemd services ensure everything survives reboots.

Service Purpose Type Auto-Start
cloudflared-tunnel Maintains outbound tunnel to Cloudflare edge simple enabled
tmux-claude Creates persistent tmux "claude" session forked enabled
ssh OpenSSH server (listens on localhost:22) notify enabled

Technology Stack

Tunnel & Access
cloudflared — Cloudflare Tunnel daemon
Cloudflare Access — Zero Trust authentication
Browser SSH — In-browser terminal rendering
Terminal & Sessions
tmux — Terminal multiplexer (multi-client)
OpenSSH — SSH server
systemd — Service management & boot persistence
Configuration
~/.cloudflared/config.yml — Tunnel config
~/.tmux.conf — Multi-client settings
/etc/ssh/sshd_config — SSH CA trust + cert auth
Key Settings
aggressive-resize on — Multi-size clients
session_duration: 720h — 30-day auth
Restart=on-failure — Auto-recovery

Setup Process

1
Create API Token — Cloudflare dashboard → custom token with Access: Apps and Policies (Edit), DNS (Edit)
2
Run setup scriptsudo bash ~/setup-remote-terminal.sh — installs tmux, openssh, cloudflared, creates tunnel, systemd services
3
Cloudflare Access — Claude Code uses API token to create Access Application (type: SSH), policy (allow email), 30-day session
4
SSH certificates — Fetch CA key from Access API, add to sshd_config as TrustedUserCAKeys — enables passwordless browser SSH
5
Test — Open https://ssh.domain.com on phone, authenticate, run tmux attach -t claude
Drill down: Chas's Install Details · Developer Setup Guide · Back to Hub