I’m using Cloudflare Zero Trust Tunnel as a VPN for my developers in my company. It works beautifully, since they have a computer sitting in the company’s network, and they simply connect from home via RDP to that computer through Cloudflare Zero Trust (WARP client).
However, we are starting to get rid of our computers and use laptops for all employees. Basically the goal would be that they use it as BYOD, meaning they take the laptop home when they want to work from home, or take it to the company when they want to work inside the company building. The goal is that they don’t feel a difference, wherever they work, and all the apps (no matter if desktop apps, web apps etc.) work as expected.
This means we would get rid of RDP. Cloudflare Zero Trust by default allows the SMB, RDP and SSH protocols. However, I have some applications, e.g. an ERP system, that are a bit more complex when it comes to connections and ports. The ERP system is started via SMB (simply double-click an .exe on a network drive); however, the ERP itself then connects via multiple TCP ports to other services in my network. Currently when it does this, the application crashes because Cloudflare blocks these ports.
I don’t really want to expose every TCP service as a public hostname in Cloudflare. Is there a way to simply say “If someone is connected via Zero Trust Tunnel via WARP Client, then he can use Port xx to machine xx, Port yy, Port zz etc.”?
A traditional VPN would simply allow this by default, as soon as you are connected to the VPN network. I know the Zero Trust idea is that everything is blocked by default and you specifically need to allow stuff, which in essence I find really good. Is Cloudflare Zero Trust Tunnel not the correct product for my case? Or do I simply not know all of its features?
Sure. Add the IP addresses in the “Private Networks” section of the tunnel configuration and then whitelist the IP address in the “Split tunnel” configuration page.
Pro tip: you can buy a cheap domain name or use an existing domain name and configure some custom sub-domains to point to your services. For example, you can create an A record for erp.internal.example.com so that it points to 10.0.0.1. 10.0.0.1 is a private IP address so it won’t be accessible by anyone unless they are on the VPN.
Also look into client certificates to restrict access to further enhance your security.
A large part of the benefit of zero trust is that you are authorizing a particular user on a device with particular attributes to access a particular resource. If all you do is connect your users to a private network, there’s really only some marginal benefit versus OpenVPN or whatever you’re using, since anyone on the network still has unfettered network access.
The right way to do it is pretty well documented in the CF Zero Trust docs. Take a look at the Cloudflare Zero Trust Access and Tunnel documentation.
The end goal is (probably) for there to be no way to access a resource except via a cloudflare tunnel. Being on that private network does not allow you to access resources.
Now, there’s a very good reason to connect private networks - rolling out zero trust takes time. But if you do have to use that workaround, I hope you don’t call it a day because the legacy VPN’s been replaced - there’s still more work to do.
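The two layers the replies above describe (the Private Networks / split-tunnel routing from the first answer, and the per-user, per-device Access policy the second answer insists on) can be modelled as one decision chain. The following is an added example written for this thread, not code from any poster or from Cloudflare; it does not call the Cloudflare API, and every CIDR, port, group name and posture attribute in it is a constructed sample value. It shows why being inside the split-tunnel range alone is not enough: a request still has to match a defined private application, an allowed port, an allowed group and a device posture check before it is allowed.

```python
"""
Added example (not from any post in this thread): a small offline model of
the two decisions discussed above.

1. WARP split tunnel in Include mode: only destinations inside the listed
   private CIDRs are sent through the tunnel; everything else goes direct.
2. Access policy for a private-network application: once traffic is in the
   tunnel, the user, the destination port and the device posture are still
   checked before the ERP's backend ports are reachable.

All networks, ports, groups and posture values are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: ranges added under Private Networks and to the
# split-tunnel Include list (assumption, not a real deployment).
PRIVATE_NETWORKS = [ip_network("10.0.0.0/24"), ip_network("192.168.50.0/24")]


def routed_via_warp(dst: str) -> bool:
    """True if the destination is covered by the split-tunnel Include list."""
    addr = ip_address(dst)
    return any(addr in net for net in PRIVATE_NETWORKS)


@dataclass(frozen=True)
class PrivateApp:
    name: str
    cidr: str                    # destination range the application covers
    ports: frozenset             # TCP ports this application may use
    allowed_groups: frozenset    # identity-provider groups allowed in
    require_managed_device: bool = True  # device posture requirement


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_managed: bool
    dst_ip: str
    dst_port: int


# Constructed sample applications (hypothetical names and ports).
APPS = [
    PrivateApp("ERP (SMB launch + backend TCP)", "10.0.0.0/24",
               frozenset({445, 1433, 8100, 8101}), frozenset({"erp-users"})),
    PrivateApp("Dev jump host (RDP/SSH)", "192.168.50.0/24",
               frozenset({22, 3389}), frozenset({"developers"})),
]


def evaluate(req: Request) -> str:
    """Return 'allow' or a 'deny: <reason>' string.

    Checks run in order: split-tunnel routing, matching application,
    destination port, group membership, device posture.  The order matters
    for troubleshooting: a crash like the ERP one described in the question
    shows up here as a port denial, not as a routing problem.
    """
    if not routed_via_warp(req.dst_ip):
        return "deny: destination not in split-tunnel Include list (goes direct)"
    addr = ip_address(req.dst_ip)
    app = next((a for a in APPS if addr in ip_network(a.cidr)), None)
    if app is None:
        return "deny: no private-network application covers this destination"
    if req.dst_port not in app.ports:
        return f"deny: port {req.dst_port} not allowed for {app.name}"
    if not (req.groups & app.allowed_groups):
        return f"deny: {req.user} is not in an allowed group for {app.name}"
    if app.require_managed_device and not req.device_managed:
        return "deny: device posture check failed (unmanaged device)"
    return "allow"


if __name__ == "__main__":
    samples = [
        Request("alice", frozenset({"erp-users"}), True, "10.0.0.1", 8100),
        Request("alice", frozenset({"erp-users"}), True, "10.0.0.1", 9999),
        Request("bob", frozenset({"developers"}), True, "10.0.0.1", 8100),
        Request("alice", frozenset({"erp-users"}), False, "10.0.0.1", 8100),
        Request("alice", frozenset({"erp-users"}), True, "8.8.8.8", 443),
    ]
    for r in samples:
        print(f"{r.user:6} -> {r.dst_ip}:{r.dst_port:<5} {evaluate(r)}")
```

The useful habit this encourages is to enumerate every backend port the ERP actually opens and put it in the application's port list, rather than widening the private-network range; the split tunnel decides what is routed, the policy decides who may reach which port on it.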
Haha I’m aware of the meaning of “Zero Trust”. I think you’re trying to imply that Access Policies should be implemented in addition to the configuration of the tunnel in order to fine-tune the restrictions for specific users? Is there anything other than Access Policies I should look into?
The end goal is (probably) for there to be no way to access a resource except via a cloudflare tunnel. Being on that private network does not allow you to access resources.
Which specific Cloudflare features should one use to configure such a system? OS-level firewall + cloudflared + access policies?
As I am super new to doing more than making my cams accessible, the bit I have read through leads me to “sorta-kinda” understand that yes, access policy type things. I don’t know how/if you can do it by just using the ZT Tunnel = FQDN or if you need to employ WARP on top of it. I can see how WARP can severely limit access.
I just looked at your linked photos… That I have not looked into at all, and from just those two photos I think you can do it without WARP. Maybe? IDK. I just lurk here.