Secure Remote Access to Your Home/Business Network with Cloudflare Zero Trust

Context

In my quest for a complete home stack for both development and web hosting, I wanted to find a way that I could access all of my home hosted tooling remotely. Imagining myself sitting at a coffee shop, blogging about some random new tech related find seemed rather appealing. So, having set up a bunch of open source tools on my home servers with a sort of knowledge management, project management, and source control stack, I decided to look for a relatively simple and inexpensive way to access it remotely.

Enter Cloudflare Zero Trust!!!

Cloudflare Zero Trust allows you to set up a secure connection for remote access to your home or business network. It also allows you to connect public domains that you own to IP addresses on your private network to do things like self-hosting public websites.

While there are paid options for Cloudflare, we will be focusing on what we can do with Cloudflare for free.

What we will set up

We will start by preparing an Ubuntu server to install the Cloudflare Tunnel connector using Docker. After that, we’ll create a Cloudflare Tunnel and define the CIDR for the private network we want to access remotely, which will include the IP of the Ubuntu server hosting the Cloudflare connector.

Next, we’ll configure a team domain and set device enrollment permissions for the team, using email and OTP authentication for access control. Once that’s done, we’ll install the WARP client, log into our team account, and enable the WARP client from a separate network connected to the internet using the allowed email and OTP received. Finally, we’ll enable a secure connection from the remote network and test the connection to our private network by ssh’ing into the server running the Cloudflare connector.

The aim of this post is to show the basic set up to get a remote connection to your private network. We will not be covering SSL/HTTPS or DNS for your internal sites, instead we’ll just be using IP addresses. In later posts we will be covering the topics of a self-hosted certificate authority for securing internal site traffic with SSL/HTTPS in your private network and how to set up a locally hosted DNS server so you don’t have to use IP addresses to access your local sites and tools in your private network.

Let’s get started

We’ll start off by updating the machine that will be hosting our Cloudflare tunnel and installing net-tools and Docker.

  • net-tools: This gives us ifconfig, which we will use to read the server's IP address and netmask so we can work out the CIDR of our private network (and know which host to ssh into later). Ubuntu also ships iproute2, so ip -4 addr works if you prefer not to install it.
  • Docker: Docker will be used to run the Cloudflare tunnel connector in a container on the machine that will provide the secure entry point for Cloudflare, on our behalf, into our network.

We will assume you have a Debian based machine (physical host or virtual machine, either works) on which to install the Cloudflare tunnel connector. The only step that differs for other operating systems is the one where you pick the operating system that will run the tunnel. Run the following as root (or with sudo) to prepare an Ubuntu server for the tunnel.

apt update && apt install -y net-tools docker.io

Next we need to sign up for a Cloudflare account. Head over to https://dash.cloudflare.com/sign-up to create a new account.

Follow the sign up process until you can log in to the Cloudflare dashboard. The Cloudflare dashboard should look something like the screenshot below.

In the left hand side drawer menu, click on the ‘Zero Trust’ menu item. This will take you to the Zero Trust configuration area.

Under the ‘Networks’ menu option, select ‘Tunnels’. This will take you to a screen for adding, editing, and removing your tunnels.

Click on the ‘Add a tunnel’ button. We are going to use the ‘Cloudflare’ tunnel type. Select the ‘Cloudflare’ option and click next.

We then need to enter a name for our tunnel to identify it. For this post we’ll use the name ‘Techtonic Insights Tutorial’. Give your tunnel a name and click ‘Save tunnel’.

Once we have created our tunnel, we then need to configure the tunnel. On the next screen, we can select our preferred operating system. In this post we will use Docker but you can use the Debian option as well for Ubuntu based servers.

Cloudflare has made their tunnels really easy to install on any of the supported operating systems. I tend to use Docker purely because it fits with my preferred way of running software. The nice thing about the setup for Cloudflare tunnels is that they give you a single command to run for your operating system and it includes a token that links the connector to the Cloudflare tunnel automatically. You just run the command AND THAT’S IT! You have a connector connected to your Cloudflare tunnel.

Copy the command under ‘Install and run a connector’. We’ll paste that in the terminal for the machine we’ve set up to run our Cloudflare tunnel. Treat the token embedded in that command as a credential: anyone who has it can run a connector into your tunnel, so don’t paste it into chat, commit it, or leave it in a shared shell history.

Docker will pull the image for you and run the connector once installed. The only thing to mention here is that if you would like the connector to run in detached mode (ie. in the background) and start automatically when the host machine starts up, add the -d and --restart always flags before the image name. Note that --restart always brings the container back after a daemon restart even if you had stopped it by hand; use --restart unless-stopped if you want a manual docker stop to stick.

docker run -d --restart always cloudflare/cloudflared...

To verify the connector has started and is running on the host we can use the following command.

docker ps

(note: to stop the container run: docker stop <container_id>; with --restart always it will come back when the Docker daemon restarts, so docker rm <container_id> as well if you no longer want it)

You should see the tunnel running in the output from docker ps.

root@DemoCloudFlareTunnel:~# docker ps
CONTAINER ID   IMAGE                           COMMAND                  CREATED         STATUS         PORTS     NAMES
40a77e1b6141   cloudflare/cloudflared:latest   "cloudflared --no-au…"   3 minutes ago   Up 3 minutes             wizardly_williams
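As an added example (not part of the original post), here is one way to run the same connector without putting the tunnel token on the command line: cloudflared reads the token from the TUNNEL_TOKEN environment variable, so the script below keeps it in an env file that it checks for sane permissions before starting the container. The path /etc/cloudflared/tunnel-token.env and the container name are assumptions, not anything Cloudflare prescribes.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): start the cloudflared connector
# with the tunnel token supplied through a permission-checked env file rather
# than as a --token argument on the command line.
set -u

# Assumed location; the file holds a single line:  TUNNEL_TOKEN=<token>
TOKEN_FILE=${TOKEN_FILE:-/etc/cloudflared/tunnel-token.env}

# Refuse to start if the token file is missing, empty, malformed, or readable
# by group/other. Columns 5-10 of `ls -l` are the group and other permission
# bits, which works with both GNU and BSD userlands.
check_token_file() {
  local f=$1 perms
  [ -f "$f" ] || { echo "token file missing: $f" >&2; return 1; }
  [ -s "$f" ] || { echo "token file empty: $f" >&2; return 1; }
  grep -q '^TUNNEL_TOKEN=..*' "$f" \
    || { echo "expected a TUNNEL_TOKEN=<token> line in $f" >&2; return 1; }
  perms=$(ls -ld "$f" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "$f is readable by group/other ($(ls -ld "$f" | cut -c1-10)); run: chmod 600 $f" >&2
    return 1
  fi
  return 0
}

# Run the connector detached. --env-file keeps the token out of shell history
# and out of the COMMAND column of `docker ps`; it is still visible to anyone
# who can run `docker inspect`, i.e. anyone with access to the Docker socket.
run_connector() {
  check_token_file "$TOKEN_FILE" || return 1
  exec docker run -d --name cloudflared --restart unless-stopped \
    --env-file "$TOKEN_FILE" \
    cloudflare/cloudflared:latest tunnel --no-autoupdate run
}

# Invoke as:  ./run-connector.sh start
if [ "${1:-}" = "start" ]; then
  run_connector
fi
```

Create the env file with umask 077 (or chmod 600 it afterwards) and paste the token from the dashboard as TUNNEL_TOKEN=<token>; the script refuses to start the container if anyone other than the owner can read it.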

Next we need to configure the network options for your tunnel. Back in your browser where you copied the connector installation command, click the ‘Next’ button. You will be taken to a screen for setting up public hostnames.

We want to set up a private network so we will select ‘Private Networks’.

To check your machine’s IP and netmask, you can use ifconfig from net-tools that we installed earlier, or ip -4 addr, which prints the address with its prefix length directly (a quick internet search will describe how to do this for your specific operating system).

Here is an example of the ifconfig output with the IP on Ubuntu.

The machine in our private network that is hosting the Cloudflare tunnel has an address in 192.168.1.x with a netmask of 255.255.255.0, i.e. the range 192.168.1.0-255. The CIDR for this range is as follows.

192.168.1.0/24

Derive the prefix from your own netmask rather than assuming /24 (a 255.255.254.0 netmask, for example, is a /23). This route allows the tunnel to reach any IP in the range once we connect privately to our network using the WARP client, so every host in it becomes reachable to every enrolled device. If you only need a handful of machines, you can add narrower routes (down to a single /32 host) instead of the whole subnet.
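As an added example (not from the original post), the script below derives the CIDR to enter in the tunnel’s private network settings from the host’s address and netmask, rather than eyeballing it from the first three octets. It reads Ubuntu-style ifconfig output, rejects non-contiguous netmasks, and handles prefixes other than /24; the ifconfig text embedded in it is a constructed sample, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): derive the private-network
# CIDR to route through the tunnel from the connector host's address and
# netmask, instead of assuming a /24 by eye.

# Dotted quad -> 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
  local n=$1
  printf '%d.%d.%d.%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
                         $(( (n >> 8) & 255 ))  $(( n & 255 ))
}

# Netmask -> prefix length, rejecting non-contiguous masks (e.g. 255.0.255.0).
mask_to_prefix() {
  local m prefix=0 expected
  m=$(ip_to_int "$1")
  expected=$m
  while [ "$m" -ne 0 ]; do
    prefix=$(( prefix + (m & 1) ))
    m=$(( m >> 1 ))
  done
  if [ "$expected" -ne $(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF )) ]; then
    echo "invalid netmask: $1" >&2
    return 1
  fi
  echo "$prefix"
}

# Host address + netmask -> network CIDR,
# e.g. 192.168.1.50 255.255.255.0 -> 192.168.1.0/24
cidr_from_ip_mask() {
  local ip=$1 mask=$2 prefix net
  prefix=$(mask_to_prefix "$mask") || return 1
  net=$(( $(ip_to_int "$ip") & $(ip_to_int "$mask") ))
  echo "$(int_to_ip "$net")/$prefix"
}

# Read current net-tools ifconfig output on stdin and print the CIDR of the
# first non-loopback IPv4 interface. Assumes the "inet A.B.C.D  netmask M.M.M.M"
# layout; the older "inet addr:" format is not handled.
cidr_from_ifconfig() {
  local fields
  fields=$(awk '$1 == "inet" && $2 != "127.0.0.1" { print $2, $4; exit }')
  [ -n "$fields" ] || { echo "no IPv4 address found" >&2; return 1; }
  # shellcheck disable=SC2086
  cidr_from_ip_mask $fields
}

# Constructed sample of ifconfig output (not captured from a real host).
SAMPLE_IFCONFIG='lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.50  netmask 255.255.255.0  broadcast 192.168.1.255'

# On a live host:  ifconfig | cidr_from_ifconfig
printf '%s\n' "$SAMPLE_IFCONFIG" | cidr_from_ifconfig   # -> 192.168.1.0/24
```

cidr_from_ip_mask also works for a single host (255.255.255.255 gives a /32), which is what you would enter if you only want the connector host itself reachable.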

Finish the set up by clicking ‘Finish’. You can then verify that your tunnel is set up and healthy by looking at the ‘Status’ column of your tunnel details.

Next we can move on to creating a secure connection to our network that behaves similarly to a VPN by:

  1. Configuring a team and device enrollment rules.
  2. Installing the Cloudflare Warp client.
  3. Logging into our team account/domain.

Let’s set a team domain first. This is what we will use to log in to our team account using the WARP client, which lets us remotely connect to our private network.

Click on ‘Settings’ in the left hand drawer menu. Then select the ‘Custom Pages’ option. In the ‘Custom Pages’ section, we can set our team domain. I am using the name ‘techtonicinsights’ but these need to be globally unique, so choose a unique team name for you or your organization.

Here you can also configure custom pages for login and blocked users. We’ll skip these steps for now and use Cloudflare’s default login and blocked pages.

Go back to the main ‘Settings’ screen and select ‘WARP client’. You should see the following.

We’ll leave all the device settings for the ‘Default’ profile as is for now. We will need to add some device enrollment permissions in order to connect WARP Client to our private network.

Click on the ‘Manage’ button to the right of ‘Device enrollment permissions’.

We will create a basic email rule for this post and include a one-time-password/pin (OTP) authentication method. The OTP method is used by default so we don’t need to visit the ‘Authentication’ tab for our set up. Under the ‘Rules’ tab, click the ‘Add a rule’ button and add an ‘Emails’ selector listing the exact addresses that may enroll. Avoid the broader ‘Emails ending in’ selector with a public mail provider’s domain, since that would let anyone with an address at that provider enroll a device into your network.

Now save the device enrollment rule by clicking the ‘Save’ button on the left. You should now see your device enrollment rule in the list. You can explore how to set up rules that work best for you.

Now we will need to download the Warp client on the devices that we want to remotely connect to our private network. The download links for supported platforms can be found at the following link.

https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/download-warp

Download and install WARP for your device’s operating system. The client can also be downloaded for Android and iOS from their respective app stores. We will be using a Windows machine for the remainder of this post.

Once Warp is installed on Windows, you can find it in the bottom right tray as a small grey cloud. Click on the cloud and you will see the client’s UI.

Select the small configuration icon in the bottom right corner and select ‘Preferences’. This will open up a configuration menu. Select ‘Account’ from the menu on the left.

Click ‘Login with Cloudflare Zero Trust’. This will close the menu and re-open the tray with some terms and conditions you will need to accept. Read through them and click ‘Next’ and then ‘Accept’ if you agree to the terms and conditions.

Now we will enter the name of the team to match the domain we set for our team earlier in the ‘Settings’ -> ‘Custom Pages’ section. Cloudflare serves team domains under cloudflareaccess.com, so in our case the team name is ‘techtonicinsights’ and the full domain is ‘techtonicinsights.cloudflareaccess.com’. This will then open a login page in a browser where we will enter the email address that we gave permissions to in the ‘Device enrollment rules’ section.

Enter your email address that you provided access for in the previous step for device enrollment and click ‘Send me a code’. You will then receive an email that looks similar to the following screenshot with an OTP.

Click the link or enter the OTP into the Cloudflare login page. You should then see a successful connection result page provided your device enrollment permissions were correctly set up to allow the email address you configured.

Now we can open the WARP client from the bottom right tray again and go back to preferences (click on the gear icon in the bottom right). Go to the ‘Account’ section again and you will now see that you are logged in to the team you created. This will reflect the name of the team you set up earlier. For us it’s ‘techtonicinsights’, for you it will be your unique team name.

Now we can enable a secure connection using the WARP client. Open the UI again from the tray in the bottom right corner. Click the big toggle button to enable the secure connection to your private network.

Next we can check if we are able to access machines on our network. Any machine that is reachable from the machine hosting the tunnel connector should be accessible, provided there is some service to connect to (ie. ssh, a web server, etc). A simple ssh test to the machine hosting the Cloudflare connector should tell us whether the connection is working.

After connecting to another network that is not connected directly to the target machine but connected to the internet, we can enable the WARP client and ssh directly to hosts in our network.

Note that every host in the CIDR range you routed for the private network will be reachable from any enrolled device; the tunnel does not authenticate per host, so the device enrollment rule is the only gate on who gets in. As long as there is a web server or ssh daemon running and the usual network and user permissions are correctly configured, you will be able to access the hosts on the network remotely.

We now have a way to securely connect to our private network from a remote location over the internet using Cloudflare tunnels and WARP for absolutely no cost!

Summary

In this post we started by preparing an Ubuntu server and installing the Cloudflare tunnel connector using Docker. We then created a Cloudflare tunnel and specified the CIDR for the private network we wanted to reach remotely, which included the IP of the Ubuntu server hosting the connector. Then we configured a team domain and device enrollment permissions for the team based on email and OTP authentication. We installed the WARP client, logged in to our team with the allowed email and received OTP from a separate internet-connected network, and enabled the WARP client. Finally we enabled a secure connection from the remote network and tested the connection to our private network by ssh’ing into the server running the Cloudflare connector.
