How to Use Cloudflare Tunnel for Secure Remote Access

After talking about Azure AD Application Proxy, I think it only makes sense to continue evaluating other “Zero Trust” tools that use a reverse proxy design for access to resources behind a firewall. Cloudflare Tunnel is another popular solution in the “Anti-VPN” movement, and it is the next one I want to check out on this blog. Cloudflare is probably best known for protecting websites against DDoS attacks and for its load balancing capabilities, but in recent years Cloudflare has leaned heavily into the “Zero Trust” world and released a whole line of products supporting Zero Trust infrastructures. Cloudflare has an excellent breakdown of their products here, where you can find the best information about the Tunnel offering.

Unlike the Azure AD Application Proxy I talked about previously, Cloudflare Tunnel offers the ability to access SMB shares, as well as SSH and RDP, via the tunnel gateway. While the Azure AD App Proxy is a different type of tool, I’m comparing the two because they both represent a “VPN-less” option for remote access. In this post I’m going to focus on HTTP/HTTPS access through Cloudflare Tunnel to compare with Azure AD App Proxy, but I’d like to explore the other options later.

Today, I’m looking at my Home Lab again. I’ll be going on vacation this year, so it’d be nice to still be able to access my resources and spend some of my free time working on the stuff I write about here. I’m trying to find the best solution, so why not test as many as I can? Cloudflare has a “free tier” for the Tunnel, so it’s already a great option. Let’s get started.

DISCLAIMER

Please understand that the content herein is for informational purposes only. Its existence and contents shall not create an obligation or liability, or suggest a consultancy relationship. Furthermore, it shall be considered as-is, without any express or implied warranties, including, but not limited to, express and implied warranties of merchantability, fitness for a particular purpose and non-infringement. There is no commitment regarding the content of the services, the specific functions of the services, or their reliability, applicability or ability to meet your needs, whether unique or standard. Please be sure to test this process fully before deploying in ANY production capacity, and ensure you understand that you are doing so at your own risk.

Table Of Contents

Prerequisites
How it Works & Basic Setup
Subdomain and Site Access
Security Options to Consider
Conclusion


Prerequisites

Similar to the Azure AD App Proxy, we will need to consider a few things as we get ready to set this up.

  1. DNS Considerations

For Cloudflare Tunnel to work properly, you need to have a domain added to Cloudflare and the DNS records for that domain hosted by Cloudflare. This may be difficult, or a deal breaker, for some large organizations, but it is what Cloudflare recommends. There is an option to do a partial DNS change; however, Cloudflare suggests a full DNS change. Keep in mind what you decide, as it will matter for the ‘sites’ you add to Cloudflare.

Additionally, with DNS for services like this, you will want to consider whether internal DNS should match external DNS as far as the FQDN goes. If the people accessing the service will be both internal and external at times, it will be easier for them if they reach the site via internal DNS when on the network. This avoids additional routing and access issues. Having the same FQDN whether inside or out alleviates the burden on the people using the site.

  2. Hosting Considerations

As mentioned above, we will need something internal running the connector to provide our tunnel with access to our resources behind the firewall. This means you will need the connector to run on a server or a serverless computing environment. I plan on experimenting with a couple of options, but I will start with Windows Server, as that is the majority of my environment.

  3. WARP Client (Workstation Agent)

Some folks are hesitant about installing an agent for access via a solution like this. I get that. Agents add a layer of troubleshooting and management that must be considered. If you are only interested in remote access via HTTP/HTTPS, then you can avoid the WARP client completely and use just the DNS and HTTP filtering options. However, for some of the advanced features (the ones that make going VPN-less possible), the WARP client looks like the best option.


How it Works & Basic Setup

How it Works

Let’s start with a basic explanation of how Cloudflare Tunnel works. Essentially, Cloudflare Tunnel is built on the same reverse proxy concept that Azure AD App Proxy is based on. A connector running inside the network creates an outbound connection to Cloudflare’s systems. When someone outside your network accesses the website you publish, DNS points them to the Cloudflare network, where the request is routed to your connector via Network Address Translation (NAT). This means that access to your resources is protected by Cloudflare’s network before access is granted. Cloudflare takes on the risk of attack rather than you having to expose yourself publicly to the internet.

To ensure Zero Trust is maintained, there is an authentication process that protects against unwanted access. Depending on the licensing tier you choose, you can use a third-party Identity Provider, or you can just use the built-in authentication Cloudflare provides. From there, Zero Trust is maintained by granting access only to those who should have it, using groups you configure in the console. If you follow the “Deny by Default” approach to Zero Trust, you can provide robust access without risking direct exposure to the internet.

Basic Setup – Domain Name Servers

Fortunately, my DNS is already hosted at Cloudflare (one more reason I like this solution), so I will be skipping that part of the setup. If you already have a domain you want to use, you can add it as a site and change its nameservers to Cloudflare’s. If you don’t have a domain, then you’ll need to get one from one of the many registrars out there.

Once your account is created, and your nameservers are changed, you’re ready to get started.

I’ll be using a Windows Server for this. You can adjust the instructions to match if you are using a different OS. The hardware specs will always be dependent on traffic, but if this is for yourself, minimal specs should work just fine.

I didn’t see anything in Cloudflare’s documentation saying that the connector server must be joined to a domain, but it will likely help with internal DNS, and with authentication if you have other security controls in place, so I will be joining it to my local domain.

Create a Tunnel

  1. Log in to your Cloudflare account and click on Zero Trust on the right-hand side. This should take you to the Zero Trust dashboard.
[Screenshot: Cloudflare Tunnel Zero Trust dashboard]
  2. Click on Access –> Tunnels. Click the button to Create a Tunnel.
[Screenshot: create a new tunnel]
  3. Give your tunnel a name you will be able to identify, and hit Save Tunnel.
[Screenshot: tunnel name configuration]
  4. You should see a new window with a choice of OS and architecture. Follow the instructions on the page to finish installing the connector software. If you are using Windows Server Core, check out these instructions instead.
  5. Once this is finished, you should see your tunnel listed as active below the installation instructions. Choose Next to continue.
[Screenshot: tunnel activated]

Subdomain and Site Access

  1. Here we add the details for the public-facing hostname and for the internal resource we want to reach from outside.
    • Subdomain: the hostname under our domain that we want to use for access (ex. ‘https://web.seesmitty.com’)
    • Domain: the domain we added to Cloudflare that has its DNS hosted there.
    • Path: any additional path prefix, useful if we want to reuse the same subdomain for other resources later.
    • Service Type: the protocol used to reach the internal resource (HTTP/HTTPS for this example)
    • URL: the internal FQDN of our internal resource (can also be an IP address)
    • No TLS Verify: if your internal site has HTTPS configured, but only with a self-signed (or otherwise non-public) TLS certificate, enable the No TLS Verify setting to avoid SSL errors. This tells the connector to skip validating the origin’s certificate, so the hop between the connector and the internal site is no longer checked; that is a reasonable trade-off on a trusted lab network, but a certificate the connector trusts is the better long-term fix.
  2. Once you have filled out these details, hit ‘Save’. You may see a notification about adding a DNS record for this hostname. That is necessary, so hit OK to continue.
[Screenshot: Cloudflare Tunnel public hostname setup]
  3. Finally, it is time to test! Navigate to the site you just configured (in my case, https://web.seesmitty.com). Boom! You should now be sent to your site, and it should be protected with a Cloudflare SSL certificate.
[Screenshot: working Cloudflare Tunnel]

As you can see, the site is for my lab firewall, and is protected with a valid SSL certificate.
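As an added example (not from the post, which uses the dashboard-managed tunnel), here is the same public hostname mapping written as a locally managed cloudflared config.yml; the tunnel UUID, credentials path and internal hostnames are placeholders, and the wiki rule is a constructed second resource to show how the Path field works.

```yaml
# Added example: locally managed cloudflared config.yml equivalent to the
# dashboard "Public Hostname" form. Placeholder values are marked as such.
tunnel: 00000000-0000-0000-0000-000000000000      # placeholder tunnel UUID
credentials-file: C:\cloudflared\tunnel.json      # placeholder credentials path

ingress:
  # Rules are evaluated top to bottom; the first match wins, so a path-specific
  # rule for a hostname must come before the catch-all rule for that hostname.
  # Path -> path (a regex); reuses web.seesmitty.com for a constructed second
  # resource that speaks plain HTTP inside the LAN.
  - hostname: web.seesmitty.com
    path: "^/wiki(/.*)?$"
    service: http://wiki.lab.internal:8080       # placeholder internal service

  # Subdomain + Domain -> hostname; URL -> service; No TLS Verify -> noTLSVerify.
  # The firewall UI has a self-signed certificate, so cloudflared is told to skip
  # validating it. Only the connector-to-origin hop is weakened; the browser still
  # sees Cloudflare's certificate. Leave this out for origins with trusted certs.
  - hostname: web.seesmitty.com
    service: https://firewall.lab.internal       # placeholder internal FQDN
    originRequest:
      noTLSVerify: true

  # Required catch-all: a request matching no rule above gets a 404 from
  # cloudflared itself instead of being forwarded to any origin.
  - service: http_status:404
```

Before starting the tunnel, `cloudflared tunnel ingress validate` checks the rule syntax and `cloudflared tunnel ingress rule https://web.seesmitty.com/wiki/` reports which rule a given URL would match.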


Security Options to Consider

As with any internally hosted resource, you likely don’t want just anyone getting access. Sure, there is a login screen for my firewall, but why rely solely on the firewall software to keep bad actors out? Let’s let Cloudflare handle part of the security burden. After all, even if only people I’m associated with knew about the site, not everyone needs to be able to configure the firewall.

Basic Zero Trust principles suggest we do not allow access unless someone specifically needs it. Role-Based Access Control is a critical part of all Zero Trust concepts and of a good security posture. So let’s lock down access even more to ensure that only the people who are supposed to access the site can do so.

Cloudflare supports all of the major enterprise IdPs, as well as a few others. They also have their own basic authentication option. I plan on covering the basic authentication piece, but I may come back and write about the Azure AD integration as well. Feel free to explore the option that makes the most sense to you. I will be configuring the ‘One Time Pin’.

Application Access

  1. Back in the Cloudflare console, return to the Zero Trust page, click Access and choose Applications. Hit the Get Started button.
[Screenshot: get started with securing applications hosted behind Cloudflare Tunnel]
  2. For this, we want to choose “Self-Hosted” as our application type. On the next page, we give an Application name (the console display name) and a session duration. The session duration is the time after which a person accessing the app will have to reauthenticate. The default is 24 hours, though you may want something shorter for more sensitive resources. If you only want to configure a single application authentication policy, then leave the subdomain blank and match it to the domain you chose above.
[Screenshot: application settings for Cloudflare Tunnel authenticated access]
  3. Application Appearance allows you to customize the login page, as well as the ‘Access Denied’ page and/or message. This can be ideal if you want specific messaging for unauthorized users. Provide a link to an icon if you want specific branding.
[Screenshot: application appearance settings]
  4. Choose an IdP. In my case, I am sticking with the Cloudflare-provided ‘One Time Pin’ option. Click Next to continue.
[Screenshot: choose an IdP for Cloudflare Tunnel]
  5. Give your application a policy name, action and session duration. Choose a criterion that matches your authentication method. For example, I am limiting my access to email addresses ending in the ‘@seesmitty.com’ domain.
[Screenshot: configure application policy settings for Cloudflare Tunnel access]
  6. Finally, if you want to require a justification for access, configure the settings at the bottom of this page, and save to finish.

Application Settings

Finally, to bring it all together, you will need to go back to the web application’s public hostname and configure it to require authentication.

  1. Click back over to Access –> Tunnels –> Tunnel Name. Click on your tunnel and choose Configure.
  2. Click on the Public Hostname and choose Configure again.
  3. Expand ‘Additional Application Settings’, go down to the bottom and choose ‘Access’.
  4. From here, enable the ‘Protect with Access’ setting, and choose the application you just created in the previous section.
[Screenshot: enable application authentication access for Cloudflare Tunnel]

Finally, hit ‘Save Hostname’ and you can now test your site!


Conclusion

There you have it! A fully working and protected application that lives behind your firewall and did not require opening ports or holes in the firewall to grant access. Cloudflare Tunnel includes many more settings that add additional layers of protection and customization. Once I am ready to circle back, I’ll try to put together a breakdown of the primary differences between Cloudflare Tunnel and Azure AD Application Proxy. I’d also like to cover the implementation of Azure AD authentication, as that is a logical next step for these Cloudflare tools.

I hope you are experimenting with these tools in your lab. I know it will make it easier for me to mess around in the lab while I am gone, and it will continue to give me opportunities for learning new technologies. I’ve recently found out about a tool by the name of Twingate and I am looking forward to playing around with it as well. Seems like another solid option for Home Lab enthusiasts like myself.

As always, let me know what you think and if this worked for you. Hit me up on Twitter @SeeSmittyIT to let me know what you thought of this post. Or if you are avoiding the bird site, I’m also posted up on Mastodon @[email protected]. Thanks for reading!

Smitty

Curtis Smith works in IT with a primary focus on Mobile Device Management, M365 Apps, and Azure AD. He has certifications from CompTIA and Microsoft, and writes as a hobby.
