How to Configure End-to-End Encryption with Cloudflare Tunnel

As with any form of remote access or tunnel, end-to-end encryption is an important part of security. One of the great features of Cloudflare Tunnels is that you can encrypt the session all the way to the host you are accessing remotely. One of the main reasons I started writing this was that I felt there was nothing conclusive about these instructions. Too many guides assumed you knew all the steps and details, and sometimes that is frustrating to me.

I don’t know much about OpenSSL or creating PFX certificates. I have a basic understanding of certificates and private vs public keys, but not necessarily enough to know how to work this out on my own. This resulted in me working through several different guides to get all the right steps in place. Hopefully, this guide makes it easier for you, so you don’t have to bounce around so much.

You can look back at my previous posts and probably realize I was working on this way earlier this year. This is another throwback to a draft I started and forgot to finish. When I was helping one of the guys on my team set up his own tunnel for his lab, I went to send him these instructions and realized that I never published this one. So here we are, finishing what we started and putting this out here.

DISCLAIMER

Please understand that the content herein is for informational purposes only. Its existence and contents shall not create an obligation or liability, or suggest a consultancy relationship. Further, it shall be considered as is, without any express or implied warranties, including but not limited to express and implied warranties of merchantability, fitness for a particular purpose and non-infringement. There is no commitment that the content will perform specific functions, or about its reliability, applicability or ability to meet your needs, whether unique or standard. Please be sure to test this process fully before deploying in ANY production capacity, and ensure you understand that you are doing so at your own risk.

Table of Contents

What are we doing?
Certificate Configuration Process
Certificate Installation
Cloudflare Console Settings
Conclusion


What are we doing?

You might be wondering why you would even need to configure this setting at all. Once you log into your Cloudflare console, you should click on the domain you are using; in my case it is ‘seesmitty.co’.

[Screenshot: seesmitty.co domain for remote access]

From here we want to go to SSL/TLS –> Overview. This is where we can configure the SSL/TLS settings for our remote access. So why do we care? Realistically, it is because we want our environment to be secure. If you look at the available options for the SSL/TLS encryption mode, it’s pretty clear that we need to spend at least a little time here. You should see ‘Flexible’ here if you haven’t changed the setting. This ensures that your browser is securely connected to Cloudflare’s servers, meaning the most dangerous part of the journey is protected. You absolutely could stay on this setting and be fine.

However, maybe you want to make sure that your tunnel is encrypted all the way to your host. This could be because you do some cybersecurity testing in your lab and don’t want to capture this traffic. Maybe you need to make sure that encryption is enabled all the way through the network for compliance reasons. Whatever the reason, these are the steps to get there.

Clicking through the different settings will show where the encryption ends depending how we have it set. We want the strictest level of configuration. You’ll notice that the Full (Strict) setting requires the CA certificate to be installed on the Origin Server. That is what we are going to talk through.

Don’t change this setting yet, though; we will change it after we get the certificate installed.


Certificate Configuration Process

For this, we want to ensure that we are leveraging end-to-end encryption whenever possible. This means we need to configure certificates on our reverse proxy so we can tunnel all the way to the proxy server. Technically, this isn’t REQUIRED but it is definitely recommended. Since my tunnel lives on Windows Server, these instructions will be focused as such.

NOTE: Whenever the documentation is talking about the ‘Origin Server’, it is referencing the Cloudflare Tunnel Proxy server.

Cloudflare’s official documentation is located here for additional reference.

Get Origin Server Cert

  1. In the Cloudflare console, from the home page, click on your Domain. Choose SSL/TLS –> Origin Server.
  2. You should see a button to create a certificate. Clicking this button will take you to a page to choose your certificate options. RSA 2048 is more than fine for a Home Lab, but always use what is required for any production environments.
    • Alternatively, if you want to use a Third-Party CA, you can generate your own CSR and use that to create your Origin Server certificate.
[Screenshot: certificate details for the end-to-end encryption process]
  3. Ensure that the domains you intend to include are listed in the next section. You should see two:
    • One as a wildcard for the domain
    • One including the domain
[Screenshot: domains for the end-to-end encryption certificate]
  4. Finally, choose a validity period. 15 Years is the default, but you should focus on what you need. In a Lab, I would leave it as default. Hit Create.
[Screenshot: certificate duration]
  5. On the next screen, you will see the PEM certificate and Private key. Copy the text for each category, and save them into individual files. I have saved mine as:
    • Certificate.pem
    • privatekey.txt
[Screenshot: examples of private key and pem file for Cloudflare origin certificate used with end-to-end encryption]
  6. Finally, click OK. In the next section we will finalize the certificate file.

Convert Certificate Details to PFX Certificate

Now that we have our key components for creating our certificate, we can use OpenSSL to create the PFX certificate we need to enable End-to-End encryption. I have been having issues installing OpenSSL from Winget (presumably because the version included is going EoL), so in this case I used Chocolatey to install OpenSSL. Instructions to install Chocolatey are located HERE.

  1. Using Chocolatey, I ran this command in an elevated PowerShell window (an elevated CMD window works as well):
choco install openssl
  2. Then we will need to add the OpenSSL bin folder to the Path to make our next few commands easier. This set form is CMD syntax and only affects the current window:
set "Path=%Path%;C:\Program Files\OpenSSL-Win64\bin"
  3. Next, change directory to the location where the certificates are stored. In my case, I just have them in Downloads. For example:
cd C:\Users\smitty\Downloads\Certs
  4. Finally, run this command to create our PFX certificate. (Be sure to replace the names of the private key and PEM certificate with your actual file names.)
    • -out is the intended name for the new PFX certificate
    • -inkey is the name of the file with the private key
    • -in is the name of our .pem file
openssl pkcs12 -export -out ssl_certificate.pfx -inkey privatekey.txt -in certificate.pem

This will prompt you for a password, which you need to supply and verify. This password can be anything of your choosing, just don’t lose it. You will need it when you go to import the certificate into the local store on the origin computer. Once you have done that, you are finished, and you have created the PFX certificate you need for the end-to-end encryption.


Certificate Installation

If you’ve ever installed a certificate on Windows before you can probably skip this section, but just in case I’m including these instructions. If you are going to skip, just make sure you install the certificate for Local Machine, not user, and that you don’t mark the Private Key as Exportable.

How to Install the Certificate

  1. Right-click the certificate and hit “Install PFX”. This should open the dialog to import a certificate.
[Screenshot: certificate installation for end-to-end encryption with cloudflare tunnels]
  2. On the window that pops up, be sure to choose Local Machine for this certificate, and hit Next.
[Screenshot: store location selection during certificate installation]
  3. Confirm the path to the certificate you want to install matches the one you right-clicked a few steps ago, and then hit Next.
  4. From here, type the password you used when creating the certificate. Be sure to leave the box for marking the Private Key as exportable Unchecked. Hit Next once you are ready.
[Screenshot: continue certificate installation for end-to-end encryption with cloudflare tunnels]
  5. On the next dialog box, you can leave it to automatically choose where to place the certificate, and hit Next.
  6. On the final screen, confirm everything is accurate and hit Finish. If you got the password right, it should prompt you with a Successful import message.
[Screenshot: finalize certificate installation for end-to-end encryption with cloudflare tunnels]

Confirm Certificate is Installed

  1. Open the Start menu and look for Manage Computer Certificates. (You can also open MMC.exe and load the Certificates snap-in for Local Machine.)
[Screenshot: start menu, manage computer certificates]
  2. Once it is open, go to Certificates -> Personal -> Certificates. You should see the Cloudflare Origin SSL certificate listed here. Once this is complete, you can head over to the Cloudflare Console.
[Screenshot: confirm certificate installation for end-to-end encryption with cloudflare tunnels]
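The conversion, installation and confirmation steps above as one script, added here as an example and not part of the original post: it checks that the private key actually belongs to the certificate before packaging, builds the PFX without putting the password on the command line, imports it into the Local Machine store with a non-exportable key, and lists the result. The file paths, the OpenSSL install folder and the PFXPW variable name are assumptions taken from the post's examples; run it from an elevated PowerShell window.

```powershell
# Added example (not from the post): package the Cloudflare Origin certificate
# and key as a PFX, check they belong together, import with a non-exportable
# key into the Local Machine Personal store, and confirm. File names and the
# OpenSSL install path are assumptions taken from the post's examples.
$ErrorActionPreference = 'Stop'
$env:Path += ';C:\Program Files\OpenSSL-Win64\bin'   # Chocolatey OpenSSL location

$CertPem = 'C:\Users\smitty\Downloads\Certs\certificate.pem'   # PEM from the Origin Server page
$KeyFile = 'C:\Users\smitty\Downloads\Certs\privatekey.txt'    # private key from the same page
$PfxOut  = 'C:\Users\smitty\Downloads\Certs\ssl_certificate.pfx'

# 1. The public key in the certificate must match the private key; comparing the
#    exported public keys works for both RSA and ECC origin certificates.
$certPub = (& openssl x509 -noout -pubkey -in $CertPem) -join "`n"
$keyPub  = (& openssl pkey -pubout -in $KeyFile) -join "`n"
if ($certPub -ne $keyPub) { throw 'Private key does not match the certificate' }

# 2. Show who the certificate is for and when it expires before installing it.
& openssl x509 -noout -subject -dates -in $CertPem

# 3. Build the PFX. The password is read once and handed to OpenSSL through an
#    environment variable (-passout env:) so it does not appear on the command line.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$env:PFXPW = [Net.NetworkCredential]::new('', $pfxPassword).Password
& openssl pkcs12 -export -out $PfxOut -inkey $KeyFile -in $CertPem -passout env:PFXPW
Remove-Item Env:\PFXPW
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 failed' }

# 4. Import into Cert:\LocalMachine\My. Leaving out -Exportable keeps the private
#    key non-exportable, as the post advises.
$imported = Import-PfxCertificate -FilePath $PfxOut `
              -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# 5. Confirm the store entry exists and has a private key bound to it.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Thumbprint -eq $imported.Thumbprint |
    Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint

# 6. Both the PFX and privatekey.txt still hold the private key on disk;
#    store them somewhere protected or delete them once the import succeeds.
```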

Cloudflare Console Settings

  1. Now we are back to where we started. Back in the Cloudflare dashboard, click on your domain. From here go to SSL/TLS –> Overview.
  2. Change your SSL/TLS encryption mode to “Full (Strict)” for maximum security during transport.
[Screenshot: full strict end-to-end encryption with cloudflare tunnel]

Conclusion

There you have it! You should now have full end-to-end encryption with your Cloudflare Tunnel setup. This should enable you to have protected data transport from start to finish while using the tunnel for internal access. Whether or not this is necessary for you is totally up to you. Flexible is enough for home labs in most cases, and unless you get a specific error related to a certificate on your origin server, you can probably leave it on Flexible for the foreseeable future. However, you now have the instructions either way.

Hopefully you found this helpful. I was able to find all the steps eventually, and I am hoping that someone else will have an easier time than I did if they have to do this same thing. I’m curious to hear what you thought and if this was helpful. If you found value in this, please let me know! Hit me up on Twitter @SeeSmittyIT to let me know what you thought. Or if you are avoiding the bird site, I’m also posted up on Mastodon @[email protected]. Thanks for reading!

Smitty

Curtis Smith works in IT with a primary focus on Mobile Device Management, M365 Apps, and Azure AD. He has certifications from CompTIA and Microsoft, and writes as a hobby.
