🎯 Akses SSH Server STB dari Luar Jaringan (Cloudflare Tunnel) + Tips Keamanan

Saya masih belajar dan nyoba-nyoba. Dulu kalau bingung harus googling, baca-baca, tanya-tanya di forum. Sekarang alhamdulillah belajar lebih mudah karena bisa langsung dipandu sama GPT—jadi step by step-nya lebih jelas dan cepat dipraktekin.

Target saya di catatan ini: bisa remote SSH ke server STB Armbian + CasaOS dari luar rumah tanpa ribet buka port di modem/ISP. Solusinya pakai Cloudflare Tunnel + domain sendiri (contoh: ssh.domainkita.com).

---

1) Setting Cloudflare Tunnel di Server

Edit file /etc/cloudflared/config.yml. Gunakan TCP mode untuk SSH (penting!):

Copytunnel: 12345678-abcd-4321-efgh-9876543210ab
credentials-file: /root/.cloudflared/12345678-abcd-4321-efgh-9876543210ab.json

ingress:
  - hostname: casa.domainkita.com
    service: http://localhost:80
  - hostname: n8n.domainkita.com
    service: http://localhost:5678
  - hostname: ssh.domainkita.com
    service: tcp://localhost:22
  - service: http_status:404

Ganti 12345678-abcd-4321-efgh-9876543210ab dengan Tunnel ID kamu sendiri. Berlaku juga nanti saat mengisi “Target” di DNS (format: TUNNEL_ID.cfargotunnel.com).

Restart service biar config terbaca:

Copysudo systemctl restart cloudflared
sudo systemctl status cloudflared --no-pager -l

Contoh “screenshot” output (dummy):

● cloudflared.service - cloudflared
     Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled)
     Active: active (running) since Wed 2025-09-10 04:42:44 UTC
   Main PID: 28406 (cloudflared)
      Tasks: 9
Sep 10 04:42:44 cloudflared[28406]: INF Registered tunnel connection ... protocol=quic location=sin13
Sep 10 04:42:45 cloudflared[28406]: INF Registered tunnel connection ... protocol=quic location=sin09

---

2) Tambahkan DNS Record di Cloudflare

Masuk dashboard Cloudflare → menu DNS → tambah CNAME:

• Name: ssh
• Target: 12345678-abcd-4321-efgh-9876543210ab.cfargotunnel.com
  (Ganti 12345678-... dengan Tunnel ID kamu → TUNNEL_ID.cfargotunnel.com)
• Proxy status: Proxied (ikon awan oranye)

Cek dari server:

Copydig +short CNAME ssh.domainkita.com
dig +short A ssh.domainkita.com

Kalau keluar IP Cloudflare (104.xx, 172.xx), berarti DNS sudah resolve OK.

---

3) Install cloudflared di Laptop/PC Client

Kita butuh agent cloudflared di sisi client supaya koneksi SSH bisa “diterowongkan” lewat Cloudflare.

Windows

1. Download cloudflared.exe dari situs resmi Cloudflare.
2. Buat folder C:\cloudflared dan taruh cloudflared.exe di sana.
3. Tambahkan ke PATH:
   • Buka Start → ketik Environment Variables → pilih Edit the system environment variables.
   • Klik Environment Variables….
   • Di System variables → pilih Path → Edit → New.
   • Isi: C:\cloudflared → OK semua.
   • Tutup semua CMD/PowerShell yang terbuka, lalu buka lagi.
4. Cek versi:

Copycloudflared --version

Linux

Copysudo apt-get install cloudflared
cloudflared --version

---

4) Jalankan Tunnel dari Client

Di laptop/PC (Windows/Linux), jalankan ini untuk bikin “listener” di port lokal 2222:

Copycloudflared access tcp --hostname ssh.domainkita.com --url localhost:2222

Maksudnya: koneksi ke ssh.domainkita.com akan diteruskan ke localhost:2222 di laptop.

---

5) Akses SSH Seperti Biasa

Buka terminal baru, lalu:

Copyssh root@localhost -p 2222

Contoh “screenshot” output (dummy):

The authenticity of host '[localhost]:2222' can't be established.
ED25519 key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[localhost]:2222' (ED25519) to the list of known hosts.
root@localhost's password:
Welcome to Armbian 25.5 (bookworm) on aml-s9xx-box
Last login: Wed Sep 10 06:28:56 2025 from 127.0.0.1

Kalau sudah masuk shell server, artinya akses SSH dari luar jaringan berhasil 🎉.

---

Diagram Alur

Client (Laptop)
   |
   | SSH -> localhost:2222
   v
cloudflared (client)
   |
   | Tunnel terenkripsi via Cloudflare
   v
Cloudflare Edge
   |
   | Forward TCP -> server
   v
cloudflared (server) -> sshd (localhost:22)

---

Tips Keamanan SSH (Wajib kalau Publik)

1) Ubah port SSH default

Misalnya ganti ke 22222. Edit /etc/ssh/sshd_config:

Copysudo nano /etc/ssh/sshd_config
# ubah/aktifkan baris:
Port 22222

Restart SSH:

Copysudo systemctl restart ssh

Jangan lupa sesuaikan config.yml:

Copy  - hostname: ssh.domainkita.com
    service: tcp://localhost:22222

2) Gunakan SSH Key (disable password login)

Di laptop/PC, buat key (kalau belum ada):

Copyssh-keygen -t ed25519 -C "ssh-remote-tunnel"
# tekan Enter terus atau set passphrase sesuai kebutuhan

Kirim public key ke server:

Copyssh-copy-id -p 2222 root@localhost
# kalau port server diganti 22222:
# ssh-copy-id -p 2222 -o "ProxyCommand=none" root@localhost

Disable password login di server (/etc/ssh/sshd_config):

CopyPermitRootLogin prohibit-password
PasswordAuthentication no

Restart SSH lagi:

Copysudo systemctl restart ssh

Setelah ini, login hanya bisa dengan key → jauh lebih aman.

3) (Opsional) Buat alias di ~/.ssh/config

Biar lebih simple, kita bisa bikin profile:

CopyHost stb
  HostName localhost
  Port 2222
  User root
  IdentityFile ~/.ssh/id_ed25519

Setelah itu, cukup jalankan:

Copyssh stb

---

Penutup

Awalnya saya kira rumit, tapi ternyata setelah dipandu step-by-step sama GPT, semuanya jadi lebih jelas. Sekarang saya bisa remote server STB/Armbian dari mana saja dengan domain sendiri, tanpa buka port router—lebih aman dan rapi.