Current environment has a variety of managed services from a 3rd party hosting provider where connectivity to those services is exclusively over an S2S VPN from my datacenter to the 3rd party, via a router managed by the 3rd party. I provide the 3rd party a list of private IP ranges that need to connect to the 3rd party hosted services and those are the only ranges allowed across that tunnel.
WFH users are currently using an L3 VPN where the subnet assigned to VPN clients is authorized across the S2S tunnel so users can reach the 3rd party hosted resources.
Is there any way that Cloudflare Zero Trust could replace my L3 VPN and still work with the 3rd party VPN configuration? Note that there is no option for any type of component to be installed in the 3rd party hosting environment, or to alter the S2S VPN configuration other than allowing additional private subnets.
In short yes: I have this setup right now.
My setup is that our medical records system is part of another agency. They host a router in my DC, I provide a list of IPs, say 10.1.x.x/16, to that provider.
On my network default router at the office, I have a route of, say, 10.1.x.x/x pointing to the IP of the 3rd party router. This in turn allows all on prem users access to the app.
All of this I haven’t had to touch, i.e. the 3rd party router, nor my default router, nor anything else that is working.
To implement a move away from L3 VPN with Cloudflare, I installed a Cloudflared tunnel on one of the machines in the authorized network.
From there at Cloudflare I setup the “Private Network” tab on CF to point to that tunnel.
Because we also need DNS resolution for a specific IP on the remote side of that 3rd party link, I use an additional trick from the Zero Trust offering.
On the “Firewall policies” tab under “Gateway” - I setup a DNS policy.
The expression I use is ‘Traffic’ Domain is “xxx.example.com”, ‘Action’ - Override - ‘ip of host at 3rd party network’
This gives me both network routes and DNS resolution using the CF system, and I can lock this down with the ‘Access’ policies and force 2FA in the middle of all of this, i.e. I can add my O365 MFA login in front of all 3rd party network access, and/or I can use the option to add 'Require a user to enter a justification for any access' to log the reason. More still, I can use the Temporary authentication, and this sets up an email approver workflow that allows a user to request access to an app/network on an as-needed basis.
So overall very feature rich, works without issue and is not that hard to setup.
EDIT: One other thing to add, you use the Cloudflare WARP client on each endpoint needing access. (I skipped over these steps)
As I understand it from reading documentation cloudflared acts as a proxy and any traffic that runs through it will end up where the source IP of that traffic is the IP assigned to cloudflared, is that correct? If that’s the case, that would make sense as to how you can connect across another VPN tunnel that is IP restricted.
I also see there is WARP Connector as an alternative to cloudflared and docs say the source IP is the virtual IP of the requesting device. I assume the connecting device is one that would have the WARP client installed? Are virtual IPs RFC1918 address space, or do they get IPs in Cloudflare address space?
On the O365 MFA, is that fully SSO integrated with Zero Trust (via Enterprise App)? Does everything from Zero Trust run through a single Enterprise App, so if you want to do CA policies, it would be based on all Zero Trust use cases? I assume there is no way to get more granular where you can register multiple Enterprise Apps based on Zero Trust destinations and then have CA based on individual resource access? That’s something Entra Private Access can do which is pretty cool, but Cloudflare Zero Trust at $7/user/mo is a heck of a lot more functionality over just Entra Private Access at $5/user/mo (or even EPA+EIA at $10/user/mo).
Unrelated to the original question, do you access any SMB shares via the WARP client? If so, how well does that work?
TLDR: Your assumptions and understandings are just about spot on.
- Cloudflared does in fact act as a proxy but only for the traffic you steer to the CF network by way of the ‘Routes’ policy set under ‘Networks’. Source IP is the Cloudflared box and not the WARP clients.
- WARP can be set up on both sides and you can steer traffic that way but I did not set that up, I am using WARP on the client side, and Cloudflared on the server side. Each device gets a 100.96.x.x IP that is part of the internal CF network. You can enable PEER-to-PEER with an account level choice and that will allow anything with WARP to talk to other WARP clients on the same tenant. I tested this but decided to go Cloudflared because it's more suited to my needs and deployment style. There is also the ‘WARP Connector’ linux app/router function. Be sure to separate WARP from WARP Connector when reading docs as they are purposed differently.
- Yes, Office 365 SSO is a single app target on the O365 side if you want to try to use conditional access at the Microsoft side. The way it's integrated, you go to ‘Settings → Authentication → Login methods’, from there you hit ‘Add new’ and choose the integration you want; ‘Azure AD’ is a preconfigured list option but you can do any SAML. Facebook, GitHub, Google, LinkedIn, Okta and others are all sort of built in to allow them as authentication sources. You can register more than once if you really want to try to use different O365 app registrations, but I do not know how that would work. They also support ‘Azure OIDC Claims’ but I have no idea what that is. So I can speculate there might be a way to do that, but it would be a pain to administer as each Cloudflare app would need its own O365 registration and you would have to keep all that straight. Or just use the CF policies and get the majority of your needs met there, i.e. use O365 to grant or not grant access based on CA policy, then use CF policies to be more granular after that.
That said you can use Azure groups and other ‘selectors’ on the CF side to do more targeted policies on the CF ‘Access’ policies.
https://developers.cloudflare.com/cloudflare-one/policies/access/#Selectors
- Granularity, even on the free plan (what I am using) you get all of the policies and selectors etc. So in my instance I can get very granular. I go to ‘Access’ and define a ‘Application’. In that menu you get x5 choices.
a) Self-hosted
b) SaaS
c) Private Network
d) Infrastructure
e) Bookmark
Either A) or C) is for on-prem resources; from there you associate an Access ‘Policies’ definition and set up your granularity. After that you can set up different ‘Login methods’ on the Applications definition, as well as forcing users to either authenticate to each app (my current choice) or flag the app to use the ‘WARP Authentication identity’ to allow whoever set up the WARP link to be used as the user for the app.
So as for your assumption about not being granular, I think you're inaccurate in that assumption.
- SMB, works a treat! In fact, if I compare my Palo Alto Global Connect VPN to my Cloudflare WARP connection, I get far more performance on the Cloudflare WARP link than I do with PA, using the exact same ISP links.
Overall the solution is very comprehensive and I think based on your questions it will do everything you're seeking.
Thanks for going into the details, helps clarify some things for me. Looks like I need to jump in with some testing.
Did you do anything with WARP Connector? One of the things that CF calls out is that WARP Connector allows two way communication and calls out things like AD. I am working to move everyone to Entra Joined devices but still have a bunch of domain joined, so I need AD auth/GPO to work appropriately. Didn’t quite understand why cloudflared wouldn’t work for that.
What about being on-network before login for a fully authenticated login against AD, can CF ZTNA allow that scenario?
WARP Connector - No, I didn’t want to stand up a linux vm just for a glorified router. Connector says it's for Site-to-Site, intended for devices that can’t run WARP, IoT, phones etc.
I never tested a domain only or hybrid machine, the reason is that you need line of sight prior to login for everything to work properly.
Overall it SHOULD work but you do need to make sure you have an MDM.xml file that uses the pre-auth function and a service token to register the device into CF.
The primary reason: The endpoint can’t download the .pol files prior to the VPN linkup. They then stay on the endpoint pending processing. Some GPOs are enforced immediately, others require a reboot (think roaming profiles etc.); these can’t process after user login. They have to occur prior. So then you're in a chicken and egg problem. You have to have the policy first, but you can’t get the policy until the VPN link, but then you have to reboot so the cached copy takes effect.
OR, just have pre-auth (VPN or WARP) and call it a day.
I will save you a bunch of time by providing a working MDM.xml file:
<dict>
  <!-- boolean keys are self-closing plist elements: <true/> or <false/> -->
  <key>multi_user</key>
  <true/>
  <!-- pre_login: connects with a service token before any user signs in -->
  <key>pre_login</key>
  <dict>
    <key>organization</key>
    <string>example ORG</string>
    <key>auth_client_id</key>
    <string>REDACTED</string>
    <key>auth_client_secret</key>
    <string>REDACTED</string>
  </dict>
  <!-- configs: the profile(s) a user can pick after signing in -->
  <key>configs</key>
  <array>
    <dict>
      <key>organization</key>
      <string>example ORG</string>
      <key>display_name</key>
      <string>Default</string>
      <key>auto_connect</key>
      <integer>1</integer>
      <!-- onboarding false / switch_locked true are the usual pre-login values; adjust to taste -->
      <key>onboarding</key>
      <false/>
      <key>switch_locked</key>
      <true/>
    </dict>
  </array>
</dict>
The other tidbit is to set the registry key to use the WebView2 browser to avoid having a browser window popup on the client when they login. This gets SSO working without a user having to choose to open the auth link from the browser back in the WARP client (you will see what I mean if you go this route)
https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/#authenticate-in-embedded-browser
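A pre-flight check for an MDM.xml like the one above, added here as an example; it is not the poster's file and not a Cloudflare tool. It assumes the plist-style layout from Cloudflare's MDM reference (a top-level <dict>, either single-user with an organization key or multi_user with a pre_login <dict> carrying the service token plus a configs <array>), and it flags the thing that bites first in a pre-login rollout: a placeholder left where the service token should be. The sample file embedded below is constructed for the example, with a placeholder org and token; load_mdm, validate_mdm and PLACEHOLDERS are names chosen for this example.

```python
"""Pre-flight check for a Cloudflare WARP MDM.xml before it goes to endpoints.

Added example; not the poster's file and not a Cloudflare tool. Assumes the
plist-style layout from the MDM reference: a top-level <dict> that is either
single-user (organization, ...) or multi_user with a pre_login <dict> holding
the service token and a configs <array> of profiles.
"""
from __future__ import annotations

import plistlib
import sys

# Constructed sample: placeholder org name and placeholder service token.
SAMPLE_MDM_XML = b"""<dict>
  <key>multi_user</key>
  <true/>
  <key>pre_login</key>
  <dict>
    <key>organization</key>
    <string>example-org</string>
    <key>auth_client_id</key>
    <string>REDACTED</string>
    <key>auth_client_secret</key>
    <string>REDACTED</string>
  </dict>
  <key>configs</key>
  <array>
    <dict>
      <key>organization</key>
      <string>example-org</string>
      <key>display_name</key>
      <string>Default</string>
      <key>auto_connect</key>
      <integer>1</integer>
      <key>onboarding</key>
      <false/>
      <key>switch_locked</key>
      <true/>
    </dict>
  </array>
</dict>
"""

# Values that mean somebody forgot to paste the real service token.
PLACEHOLDERS = {"REDACTED", "<client-id>", "<client-secret>", "changeme"}


def load_mdm(xml_bytes: bytes) -> dict:
    """Parse the file. fmt=FMT_XML is needed because the WARP file starts at
    <dict> with no <?xml ...> / <plist> wrapper for plistlib to auto-detect."""
    data = plistlib.loads(xml_bytes, fmt=plistlib.FMT_XML)
    if not isinstance(data, dict):
        raise ValueError("MDM.xml must be a single top-level <dict>")
    return data


def validate_mdm(mdm: dict) -> list[str]:
    """Return a list of problems; an empty list means the file looks deployable."""
    problems: list[str] = []
    multi_user = bool(mdm.get("multi_user", False))
    pre_login = mdm.get("pre_login")
    configs = mdm.get("configs")

    if pre_login is not None and not multi_user:
        problems.append("pre_login requires multi_user = true")
    if multi_user and pre_login is None:
        problems.append("multi_user without pre_login: nothing connects before a user signs in")
    if pre_login is not None:
        if not isinstance(pre_login, dict):
            problems.append("pre_login must be a <dict>")
        else:
            for key in ("organization", "auth_client_id", "auth_client_secret"):
                value = pre_login.get(key)
                if not value:
                    problems.append(f"pre_login.{key} is missing")
                elif key != "organization" and value in PLACEHOLDERS:
                    problems.append(f"pre_login.{key} is a placeholder, not a real service token")
    if multi_user:
        if not configs:
            problems.append("multi_user needs at least one entry in configs")
        else:
            for i, cfg in enumerate(configs):
                if not isinstance(cfg, dict):
                    problems.append(f"configs[{i}] must be a <dict>")
                    continue
                if not cfg.get("organization"):
                    problems.append(f"configs[{i}].organization is missing")
                # Assumption: a display_name is needed to tell several profiles apart.
                if len(configs) > 1 and not cfg.get("display_name"):
                    problems.append(f"configs[{i}].display_name is missing")
    elif not mdm.get("organization"):
        problems.append("organization is missing")
    return problems


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MDM_XML
    for line in validate_mdm(load_mdm(raw)) or ["looks deployable"]:
        print(line)
```

Point it at the file the WARP client reads on Windows (C:\ProgramData\Cloudflare\mdm.xml) before pushing the same content through your MDM; with the constructed sample it reports both token fields as placeholders.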
Another question on something that I’m not finding to be clear in the docs.
I have resources in a local datacenter and resources in Azure with no overlapping RFC1918 address space. Would I want to deploy a cloudflared instance in those two locations and then create two separate tunnels with the private IP space unique to each location?
Would the end result of that be the WARP client would have 2 tunnel connections, one to each cloudflared instance, keeping the routing as close as possible to the destination resources, without hops through the opposite location?
Yes:
Site1 - perhaps 10.1.x.x/16
Site2 - perhaps 10.2.x.x/16
Create x2 cloudflared instances, one for each site, spin up per docs
In CF, go to Zero Trust - > Networks → Tunnels (Create tunnel) - Select Cloudflared - Give it a name & save → (deploy) → route (Select Private networks) → Populate the CIDR → Save
Do that for both sites:
Then all WARP users/clients on your network will be able to route traffic to your sites. DNS resolved to a private IP will route as expected to either site1 or site2 depending on your tunnels and dns.
Also keep in mind you can have more then one tunnel per site, so for me I have x2 or x3 so I can move routes around using the CF portal, and take the host of the cloudflared service offline while keeping the routes into the various networks up and working for clients.
That said, CF has another feature. Say both site 1 and site 2 have overlapping address space. Since you can only have 1 client access a given private IP, you can use the “virtual networks” option to have a selector on the WARP client to toggle between routes in network1 vs network2.
The config is a bit buried in the menus, but CF - ZT - Settings → WARP Client → (bottom of the page) Virtual Networks - > Add new
And on each route, you then have an ‘Additional settings’ tab where you choose which of your groups of networks called a vnet/virtual network to apply that given route to.
https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/
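A small model of the data path discussed in this thread, added here as an example; it is not Cloudflare's code and not the poster's configuration. It covers the earlier point that traffic through cloudflared leaves with the cloudflared host's IP while WARP Connector forwards with the client's own 100.96.x.x address, and the two-site routing above: one tunnel per CIDR per virtual network, the same CIDR in two vnets for overlapping address space, and a route moved to a spare tunnel for maintenance. Tunnel names, host addresses, site CIDRs, the client address and the third-party allowlist are all constructed for the example; ZeroTrustNetwork, Tunnel, Route and build_example are names chosen here.

```python
"""Data-path model: WARP client -> Cloudflare route -> connector -> private host.

Added example (not Cloudflare's code, not the poster's setup). Behaviour modelled,
as described in this thread: a CIDR is routed to one tunnel per virtual network;
a client sees only the routes of the vnet it has selected; traffic via cloudflared
reaches the far side with the cloudflared host's IP, traffic via WARP Connector
keeps the client's 100.96.x.x address. All names and addresses are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Tunnel:
    name: str
    connector: str        # "cloudflared" (proxies) or "warp_connector" (routes)
    host_ip: IPv4Address  # address of the machine running the connector


@dataclass(frozen=True)
class Route:
    cidr: IPv4Network
    tunnel: str
    vnet: str = "default"  # Cloudflare virtual network the route belongs to


class ZeroTrustNetwork:
    def __init__(self) -> None:
        self.tunnels: dict[str, Tunnel] = {}
        self.routes: list[Route] = []

    def add_tunnel(self, name: str, connector: str, host_ip: str) -> None:
        if connector not in ("cloudflared", "warp_connector"):
            raise ValueError(f"unknown connector type {connector!r}")
        self.tunnels[name] = Tunnel(name, connector, ip_address(host_ip))

    def add_route(self, cidr: str, tunnel: str, vnet: str = "default") -> None:
        net = ip_network(cidr)
        if tunnel not in self.tunnels:
            raise KeyError(f"no tunnel named {tunnel!r}")
        # One tunnel per CIDR per vnet; the same CIDR in two vnets is the
        # overlapping-address-space case handled with virtual networks.
        if any(r.cidr == net and r.vnet == vnet for r in self.routes):
            raise ValueError(f"{cidr} is already routed in vnet {vnet!r}")
        self.routes.append(Route(net, tunnel, vnet))

    def move_route(self, cidr: str, new_tunnel: str, vnet: str = "default") -> None:
        """Maintenance: re-point a CIDR at a spare tunnel without deleting it."""
        net = ip_network(cidr)
        if new_tunnel not in self.tunnels:
            raise KeyError(f"no tunnel named {new_tunnel!r}")
        for i, r in enumerate(self.routes):
            if r.cidr == net and r.vnet == vnet:
                self.routes[i] = Route(net, new_tunnel, vnet)
                return
        raise KeyError(f"no route for {cidr} in vnet {vnet!r}")

    def select_tunnel(self, dst: str, vnet: str = "default") -> Tunnel | None:
        """Longest-prefix match over the routes visible in the client's vnet."""
        ip = ip_address(dst)
        matches = [r for r in self.routes if r.vnet == vnet and ip in r.cidr]
        if not matches:
            return None  # not steered into Cloudflare at all
        best = max(matches, key=lambda r: r.cidr.prefixlen)
        return self.tunnels[best.tunnel]

    def effective_source(self, client_ip: str, dst: str, vnet: str = "default") -> IPv4Address | None:
        """Source address the destination network sees for this client's packet."""
        tunnel = self.select_tunnel(dst, vnet)
        if tunnel is None:
            return None
        if tunnel.connector == "cloudflared":
            return tunnel.host_ip          # cloudflared proxies: far side sees the host
        return ip_address(client_ip)       # WARP Connector: far side sees the client


def allowed_by_third_party(src: IPv4Address | None, allowlist: list[IPv4Network]) -> bool:
    """Does the S2S router's allowlist admit this source address?"""
    return src is not None and any(src in net for net in allowlist)


# Ranges this organisation handed to the hosting provider (constructed).
THIRD_PARTY_ALLOWLIST = [ip_network("10.1.0.0/16")]


def build_example() -> ZeroTrustNetwork:
    net = ZeroTrustNetwork()
    net.add_tunnel("dc-cloudflared", "cloudflared", "10.1.0.50")    # inside the authorised range
    net.add_tunnel("dc-cloudflared-2", "cloudflared", "10.1.0.51")  # spare, no routes yet
    net.add_tunnel("azure-cloudflared", "cloudflared", "10.2.0.50")
    net.add_tunnel("dc-warp-connector", "warp_connector", "10.1.0.60")
    net.add_route("10.1.0.0/16", "dc-cloudflared")        # datacenter
    net.add_route("10.2.0.0/16", "azure-cloudflared")     # Azure
    net.add_route("172.16.0.0/16", "dc-cloudflared")      # provider services behind the S2S router
    # Same provider range reached via WARP Connector instead, in its own vnet.
    net.add_route("172.16.0.0/16", "dc-warp-connector", vnet="connector-test")
    return net


if __name__ == "__main__":
    net = build_example()
    for vnet in ("default", "connector-test"):
        src = net.effective_source("100.96.0.7", "172.16.5.5", vnet)
        verdict = "allowed" if allowed_by_third_party(src, THIRD_PARTY_ALLOWLIST) else "blocked"
        print(vnet, net.select_tunnel("172.16.5.5", vnet).name, src, verdict)
```

The effective_source result is the whole answer to the original question's constraint: through cloudflared the S2S router sees a source inside the 10.1.0.0/16 range that was handed to the provider, so the existing allowlist passes; through WARP Connector it would see the client's 100.96.x.x address, which the provider would have to add to the tunnel's allowed subnets before anything worked.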
Interesting. Using my Azure site as reference, I could do something like this?
- Azure Tunnel #1 - 10.1.0.0/16 - cloudflared on SERVER1
- Azure Tunnel #2 - no private networks - cloudflared on SERVER2
During normal operations, users are connecting to Azure Tunnel #1. If I need to do maintenance on SERVER1, update cloudflared, etc., I remove the private network from Azure Tunnel #1 and add it to Azure Tunnel #2.
What is the impact to existing tunnels and associated connections through the tunnel when you do a switch like that?