Cloudflare Zero Trust - Private Networks via WARP
I’ve finally got round to setting up all my machines to use Cloudflare “Zero Trust” (https://developers.cloudflare.com/cloudflare-one/). It’s excellent! Apart from those machines now being protected from all external network access, I now have Cloudflare Access on everything and can connect via ssh (and set up a tunnel for other things like Remote Desktop). All built on WireGuard technology too, yay! Connections appear smoother and snappier than before. The service is free for up to 50 users in an “organisation” too. 😎
This doc records setting up my account’s Zero Trust organisation, allowing me to connect through Cloudflare Access over SSH to devices in my organisation.
Setting up Zero Trust Access at Cloudflare
Follow Cloudflare’s getting started doc to enable your Zero Trust environment. Check off the items in that list, but be aware that the docs may not always tie up with the current state of the apps or Cloudflare’s dashboard (you may need to hunt around for particular sections if they’ve moved to other sections or sub-sections, for instance!). I’m not going to repeat their instructions here; however, as an aide-mémoire for myself and to help out anyone else with their setup, the following may be useful. It details choices I made, as well as times I came across moved resources! All resource locations are obviously only correct at time of writing. The following numbered list corresponds to the list seen in the current getting started doc, but should still be useful if that resource changes.
- Login method: One-time PIN
- Now located at My Team > Groups. I currently have two groups set up:
- “Admins” (set as default group): Include: Emails (A list of specified emails. NOTE: these can be outside any ‘chosen domain’)
- “All Domain Users”: Include: Emails Ending In: (A list of domains (@example.com), currently just one - my ‘chosen domain’)
- Installing the Cloudflare certificate is only currently required if you’ll be intercepting traffic. However, I installed it on all my clients (iOS, macOS, Win) for which there are good installation instructions provided. If the cert isn’t installed and you enable traffic inspection, the Zero Trust client will scream a little, highlighting that the connection is no longer safe!
- Deploy WARP: I have access to all client devices so I chose “Manual deployment”.
- Log in to your organization’s Cloudflare Zero Trust (previously known as Teams) from each device. Users could do this themselves if they are ‘in’ your groups. Once completed, the regular 1.1.1.1 client app switches to Zero Trust (with WARP). All being well, you should see each device listed in My Team > Devices.
- Proxy is currently off, but when enabled, policies (groups of rules) are now located at Gateway > Policies
- Enable TLS decryption is currently off. Beware! Enabling this may break certain accesses that check for, or don’t play well with, proxies, such as Banking sites/apps etc. OK if you’re a proper organisation that is happy to not allow this kind of use, but not so handy if it’s just your family setup!
Add an ssh ‘application’ at Cloudflare
Set up a Group (if not already done)
Groups are helpful when you need to create multiple policies and apply them to a recurring set of users. Defining those users in a group speeds up your policy creation process.
To have a (pre)set group able to use ‘applications’ I created the following (I didn’t have this set up originally, so it’s now repeated here as an example)…
From the Zero Trust dashboard, select Access > Access Groups, select “Add a Group”
- Group name: Admin
- Default Group: Set as default group
- Group configuration:
- Include: Emails (A list of specified emails. NOTE: these can be outside any ‘chosen domain’, e.g. they could include [email protected] as well as [email protected])
Create the app and add an access policy
Applications allow access to a resource in our organisation. The resource could be a SaaS, an internally hosted app (with Layer 4 managed access), or a self-hosted app that will simply take advantage of Cloudflare’s authoritative DNS. In this example we’re setting up ssh access for a particular machine (swap “machinename” below for the name or ID of your machine and “example.com” for your domain).
From the Zero Trust dashboard, select Access > Applications.
- Click “Add an application”.
- Choose “Self-hosted” on the next page.
- Input a subdomain that will become the hostname where your “application” will be available to your users.
- Application name: machinename SSH
- Application domain: machinename-ssh.example.com
- Click “Next”
- Add a policy. Name it something like “Access”
- Use ‘Assign a group’ to control who should have access to this app. Note that the policy must either have a group with an ‘Include type’ or have at least one ‘Include rule’ somewhere! I already have an Admin group setup as my default so that gets automatically checked 😎
- [OPTIONAL] Additional settings > Browser rendering: SSH
- Click ‘Add Application’ / ‘Save’
Set up the ‘app’ (using a tunnel) at the client
Cloudflare Tunnel creates a secure, outbound-only, connection to Cloudflare’s network. With an outbound-only model, you can prevent any direct access to this machine and lock down any externally exposed points of ingress. And with that, no open firewall ports.
Install cloudflared on the machine serving the app
Cloudflare Tunnel is made possible via a lightweight daemon from Cloudflare: cloudflared. For installation, see the Downloads page. The following instructions detail the process on a machine running macOS (where I already have Homebrew installed).
Login with cloudflared
Run the following command on the server to authenticate cloudflared to your Cloudflare account.
NOTE: If you are working on a machine that DOES NOT have a browser, or a browser window does not launch, simply copy the URL from the command-line output and visit the URL in a browser on any machine.
IMPORTANT: If you are working on a machine that DOES have a browser, ensure your default browser is already logged-in to Cloudflare FIRST so that the URL loads nicely!
From the URL, choose your hostname from the presented list. Cloudflare will issue a certificate scoped to your account. The resulting ~/.cloudflared/cert.pem file is used to authenticate the local instance of cloudflared. You can now use cloudflared to control Cloudflare Tunnel connections in your Cloudflare account.
To check it’s working, try:
Create a Tunnel
Cloudflare now allows tunnels to be managed remotely, which is a huge win for setup. Navigate to the Cloudflare Dashboard > Access > Tunnels > “Create a tunnel”.
- Name your tunnel. The name can be any value (however, maybe identify it as something like ‘cloudflared-tunnel-machinename’). Note a single Tunnel can also serve traffic for multiple hostnames to multiple services in your environment, including a mix of connection types like SSH and HTTP, however this example will use just one, which is set up shortly.
- Install (and run) a connector using the instructions for your environment, i.e. for macOS it’s something like `sudo cloudflared service install eyJhI...JMiJ9`. If it sparks into life, you should see evidence in the “Connectors” pane of the “Create a tunnel” page.
- Lastly, add a configuration containing a dedicated DNS route, e.g. for this example a subdomain something like `machinename-ssh` @ (example.com) pointing to a Service such as `SSH://localhost:22` is required.
Once set up, we should have a new DNS CNAME (machinename-ssh) pointing to our tunnel value of ed67d574-b91d-447c-70ce-d911472b9ff7.cfargotunnel.com.
To verify all is working, check the logs
We’d expect something resembling the following …
The important part is that there are tunnel connections registered!
Exclude the Cloudflare range 198.41.128.0/17 from the WARP client’s Split Tunnels (see the full list of Cloudflare IPs for reference). Once that range is added, cloudflared should show 4 tunnel connections registered at ALL times.
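As an added example (not from the original post), the following POSIX shell snippet reads cloudflared log lines and reports how many tunnel connections are currently registered, so a monitor can alert when the count drops below the expected four. The sample log is constructed, and the “Registered tunnel connection connIndex=N” / “Unregistered tunnel connection connIndex=N” wording and the macOS log path are assumptions about cloudflared’s output.

```shell
#!/bin/sh
# Added example (not from the original post): count the tunnel connections
# cloudflared currently holds by parsing its log, so a cron job or monitor
# can alert when fewer than the expected 4 are registered (e.g. after WARP
# starts routing cloudflared's own traffic). Message wording is an assumption.

EXPECTED_CONNECTIONS=4

# Reads log lines on stdin; prints how many connIndex values were
# registered and not later unregistered. The leading space before
# "Registered" keeps "Unregistered" lines out of the first pattern.
count_registered() {
  awk '
    function conn_index(   i, kv) {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^connIndex=/) { split($i, kv, "="); return kv[2] }
      return ""
    }
    / Registered tunnel connection/   { idx = conn_index(); if (idx != "") reg[idx] = 1 }
    / Unregistered tunnel connection/ { idx = conn_index(); if (idx != "") delete reg[idx] }
    END { n = 0; for (k in reg) n++; print n }
  '
}

# Prints "ok n/expected" and returns 0 when all connections are up,
# otherwise prints "degraded n/expected" and returns 1.
tunnel_health() {
  n=$(count_registered)
  if [ "$n" -ge "$EXPECTED_CONNECTIONS" ]; then
    echo "ok $n/$EXPECTED_CONNECTIONS"
    return 0
  fi
  echo "degraded $n/$EXPECTED_CONNECTIONS"
  return 1
}

# Constructed sample log, not real cloudflared output: four registrations,
# then connIndex=2 drops away.
SAMPLE_LOG='2024-05-01T10:00:01Z INF Registered tunnel connection connIndex=0 ip=198.41.200.13 location=LHR protocol=quic
2024-05-01T10:00:01Z INF Registered tunnel connection connIndex=1 ip=198.41.192.27 location=LHR protocol=quic
2024-05-01T10:00:02Z INF Registered tunnel connection connIndex=2 ip=198.41.200.33 location=AMS protocol=quic
2024-05-01T10:00:02Z INF Registered tunnel connection connIndex=3 ip=198.41.192.47 location=AMS protocol=quic
2024-05-01T10:05:10Z INF Unregistered tunnel connection connIndex=2'

# On the serving machine pipe the real log instead (macOS service log path
# is an assumption), e.g.:
#   tail -n 500 /Library/Logs/com.cloudflare.cloudflared.err.log | tunnel_health
printf '%s\n' "$SAMPLE_LOG" | tunnel_health || echo "alert: tunnel connections below expected"
```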
To add it to a team’s Zero Trust config, go to the Cloudflare dashboard, Zero Trust > Settings > WARP Client > Device settings > Default > Configure > Split Tunnels (Exclude IPs and domains) > Manage …
Connect to app/machine via ssh
Using Native Terminal
Set up ssh config
NOTE: cloudflared must be installed on the connecting machine (see above for installation)
```sh
# discover location of cloudflared
which cloudflared
# -> /opt/homebrew/bin/cloudflared
```
Add the following to the SSH configuration file ~/.ssh/config.
```
Host machinename-ssh.example.com
  ProxyCommand /opt/homebrew/bin/cloudflared access ssh --hostname %h
```
Connect via terminal
You can now test the ssh flow by running a command to reach the service.
```sh
ssh machinename-ssh.example.com
# cloudflared will launch a browser window to prompt you to
# authenticate before establishing the connection from your terminal
```
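To make the ssh config step above repeatable for several machines behind the tunnel, here is an added POSIX shell helper (not from the original post) that writes the `Host` / `ProxyCommand` stanza once per Access hostname and shows the effective ProxyCommand before you connect. The cloudflared path and the config file location are assumptions taken from the steps above.

```shell
#!/bin/sh
# Added example (not from the original post): manage the ~/.ssh/config
# entries that route ssh for a Cloudflare Access hostname through
# "cloudflared access ssh", adding each Host only once so the script can be
# re-run for every machine served by the tunnel. Paths are assumptions.

# Prints the config stanza for one Access hostname.
#   $1 = hostname (e.g. machinename-ssh.example.com)
#   $2 = path to cloudflared; defaults to the one on PATH ("which cloudflared")
ssh_stanza() {
  host=$1
  bin=${2:-$(command -v cloudflared)}
  if [ -z "$bin" ]; then
    echo "cloudflared not found; install it on this client first" >&2
    return 1
  fi
  # %%h is printf escaping for the literal %h that ssh expands to the hostname
  printf 'Host %s\n  ProxyCommand %s access ssh --hostname %%h\n' "$host" "$bin"
}

# Appends the stanza to the config file ($2, default ~/.ssh/config) unless a
# matching "Host" line already exists. Returns 0 when added, 2 when already
# present, 1 when cloudflared cannot be found.
add_host() {
  host=$1
  cfg=${2:-$HOME/.ssh/config}
  if [ -f "$cfg" ] && grep -qxF "Host $host" "$cfg"; then
    return 2
  fi
  mkdir -p "$(dirname "$cfg")"
  stanza=$(ssh_stanza "$host" "$3") || return 1
  printf '%s\n\n' "$stanza" >> "$cfg"
  chmod 600 "$cfg"
}

# Shows the effective ProxyCommand ssh will run for the host, to confirm the
# entry is picked up before connecting (needs OpenSSH 6.8+ for -G).
show_proxy() {
  ssh -G -F "${2:-$HOME/.ssh/config}" "$1" | grep -i '^proxycommand'
}

# Demo against a temporary file rather than the real ~/.ssh/config.
demo_cfg=$(mktemp)
add_host machinename-ssh.example.com "$demo_cfg" /opt/homebrew/bin/cloudflared
add_host machinename-ssh.example.com "$demo_cfg" /opt/homebrew/bin/cloudflared \
  || echo "second run skipped, status $?"
cat "$demo_cfg"
rm -f "$demo_cfg"
```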
Using Browser-rendered terminal
Cloudflare can render an ssh client in your browser without the need for client software or end user configuration changes.
If not already enabled, enable Browser Rendering:
In the Zero Trust dashboard, navigate to Access > Applications. Select your app and click Edit > Settings tab > Additional settings:
- Browser Rendering: SSH
- SAVE!
Connect via browser
In a browser, visit https://machinename-ssh.example.com