Zellij + tmux + Cloudflared for Remote Development
A remote development solution in terminal using Zellij, tmux and Cloudflared
platform-engineering
#cloudflare
#tmux
#zellij
#remote dev
Environment
- Fedora Linux 42
- Zellij 0.43.1
- tmux 3.5a-4.fc42
- Cloudflared 2025.8.1
Install tmux
sudo dnf -y install tmux
Install Zellij
Zellij is a modern terminal workspace and multiplexer written in Rust.
Download and Install
- Install cargo
curl https://sh.rustup.rs -sSf | sh
Note: I recommend to create a new terminal here as this install will add cargo to PATH.
- Install Zellij
cargo install --locked zellij
- Verify the installation:
zellij --version
# Output: zellij 0.43.1
First Run
Start Zellij with:
zellij
Or attach to an existing session:
zellij attach
Basic Usage
# Show current sessions
zellij list-sessions
# You can resurrect a session by, provides with the previous layout, etc.
zellij attach
# Kill session means to stop an active session, it will report as `EXITED`
## Kill a session
zellij kill-session [name]
## Kill all sessions
zellij kill-all-sessions
# To clear old session in `EXITED` status
## Delete a session
zellij delete-session [name]
## Delete all old sessions
zellij delete-all-sessions
Install Cloudflared and Setup Zero Trust SSH Access
Cloudflared creates secure tunnels to expose your local services without opening firewall ports. This section covers setting up secure SSH access using Cloudflare Zero Trust with WARP clients.
Architecture
graph LR
A(Device
iOS/Windows) <--> B[WARP]
B <--> C(Cloudflare Edge)
C <--> D[Cloudflared Tunnel]
D <--> E(Infrastructure)
Prerequisites
- Cloudflare account with Zero Trust enabled
- Domain in Cloudflare
- Fedora server with SSH enabled (or AlmaLinux)
- iOS/Windows devices with WARP client
Server Setup
1. Install cloudflared on Fedora/AlmaLinux
# Install cloudflared
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o cloudflared
sudo mv cloudflared /usr/local/bin/
sudo chmod +x /usr/local/bin/cloudflared
2. Create Tunnel (Web UI)
- Go to Zero Trust → Networks → Tunnels
- Click Create a tunnel
- Select Cloudflared
- Name it (e.g., “workstation”)
- Copy the install command shown (includes token)
- Run on your server:
sudo cloudflared service install TOKEN_FROM_WEB_UI
sudo systemctl enable --now cloudflared
3. Configure Tunnel (Web UI)
Add Private Network Route
- Click your tunnel name
- Go to Private Network tab
- Click Add a private network
- Enter CIDR:
172.192.100.1/24 - Save
(Optional) Add Public Hostname for laptop access
- Go to Public Hostname tab
- Add a public hostname:
- Subdomain:
workstation - Domain:
yourdomain.com - Type:
SSH - URL:
localhost:22
- Subdomain:
4. Add Virtual IP on Server
# Add virtual IP to loopback
sudo ip addr add 172.192.100.1/24 dev lo
# Make persistent (Fedora)
echo "172.192.100.1/24" | sudo tee -a /etc/sysconfig/network-scripts/ifcfg-lo
Cloudflare Dashboard Configuration
1. Configure Split Tunnels
Zero Trust → Settings → WARP Client
- Click Default profile → Configure
- Click Split Tunnels
- Switch to Include mode
- Add these entries:
- Type: IP Address →
172.192.100.1/24 - Type: Domain →
*.cloudflareaccess.com - Type: Domain →
*.cloudflareclient.com - Type: Domain →
*.cloudflare.com
- Type: IP Address →
2. Enable Gateway Proxy
Zero Trust → Settings → Network
Under Firewall:
- Toggle Proxy to ON
- Check TCP ✓
3. Set Device Enrollment
Zero Trust → Settings → WARP Client
- Click Manage → Device enrollment permissions
- Add a rule:
- Rule name:
Email Auth - Action: Allow
- Selector: Emails
- Value:
your@email.com
- Rule name:
Client Setup
iOS/iPadOS
- Install 1.1.1.1 app from App Store
- Menu → Account → Login to Cloudflare Zero Trust
- Enter your team name (found in Zero Trust URL)
- Authenticate with email
- Enable WARP mode (not DNS-only)
SSH Configuration:
Host: 172.31.100.1
Port: 22
Username: your-fedora-user
Auth: Password/SSH Key
Compatible apps: Termius, Prompt, Secure ShellFish
Windows
- Download WARP from https://1.1.1.1
- Settings → Account → Login to Cloudflare Zero Trust
- Enter team name and authenticate
- Enable WARP
Use any SSH client:
ssh user@172.31.100.1
macOS/Linux Laptop (Alternative without WARP)
If you added a public hostname, you can use cloudflared:
# Install cloudflared
brew install cloudflare/cloudflare/cloudflared # macOS
# Add to ~/.ssh/config
Host workstation
HostName workstation.yourdomain.com
ProxyCommand cloudflared access ssh --hostname %h
User your-fedora-user
# Connect
ssh workstation
Quick Reference
| Setting | Location in Web UI | Value |
|---|---|---|
| Private Network | Tunnel → Private Network tab | 172.192.100.1/24 |
| Split Tunnels | Settings → WARP Client → Profile | Include mode + IPs/domains |
| Gateway Proxy | Settings → Network → Firewall | Proxy ON, TCP checked |
| Device Enrollment | Settings → WARP Client → Manage | Email authentication |
| Public Hostname (optional) | Tunnel → Public Hostname tab | SSH to localhost:22 |
Access Summary
| Method | Use Case | Requirements |
|---|---|---|
| WARP + Private IP (172.31.100.1) | Mobile devices, simple setup | WARP client connected |
| cloudflared + Public hostname | Laptops, explicit control | cloudflared installed |
Troubleshooting
Connection timeout:
- Check Split Tunnels is in Include mode with correct IP
- Verify WARP is connected (check at https://help.teams.cloudflare.com)
Can’t add private network:
- Avoid
100.64.0.0/12(Cloudflare reserved) - Try
172.31.x.xor high10.x.x.xranges
- Avoid
Verify setup:
- Tunnel status: Zero Trust → Networks → Tunnels (should show HEALTHY)
- WARP status: Visit https://help.teams.cloudflare.com on client device
Notes
- No SSH ports exposed to internet
- Virtual IP avoids home network conflicts
- Future work: Update this note to use SSH keys over passwords