r/CloudFlare: Secure cloudflare tunnels with geo restrictions?

This article archives a conversation, which took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle), in a Q&A format.

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/10kessi/secure_cloudflare_tunnels_with_geo_restrictions/

Question

I'm using Cloudflare Tunnels for a couple of workloads at my homelab. They are working great. In some instances I cannot protect my applications via the "Access / Application" options that are available, because my iOS app won't allow me to use any auth before connecting to it. Not a big problem. I use a UUID v4 subdomain for this kind of service. But to sleep a little bit better I would like to geo-restrict the source IP...

Since I cannot use the "Access / Application" options I tried the "Gateway / Firewall DNS policies", but I don't think they are being used for a Tunnel. Am I right?

Answer

You can use the app policies by denying everyone access and then bypassing for a specific country. That way, only that country will reach your app.

But be informed that a UUID subdomain is only security by obscurity; sooner rather than later your domain will get discovered.

Maybe look at using WARP and private endpoints.
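The "deny everyone, bypass one country" construction from the answer above, written out as Terraform for the Cloudflare provider. This is an added example and not configuration from the original thread; it assumes the v4 `cloudflare_access_application` / `cloudflare_access_policy` resource schema, a `var.account_id` variable, the placeholder hostname `<uuid>.example.com` (the Tunnel's public hostname) and `DE` as the permitted country. Substitute your own values.

```hcl
# Added example (not from the original Reddit thread).
# Assumptions: Cloudflare Terraform provider v4 schema, var.account_id set,
# <uuid>.example.com is the public hostname routed through the Tunnel.

variable "account_id" {
  type = string
}

# Register the tunnel hostname as a self-hosted Access application.
resource "cloudflare_access_application" "homelab_ios_app" {
  account_id       = var.account_id
  name             = "homelab-ios-app"
  domain           = "<uuid>.example.com" # placeholder hostname
  type             = "self_hosted"
  session_duration = "24h"
}

# Policy 1 (lowest precedence number = evaluated first):
# Bypass for requests geolocated to the permitted country.
# A Bypass decision uses only non-identity selectors, so no IdP login
# is triggered for matching requests; the request is simply forwarded.
resource "cloudflare_access_policy" "bypass_permitted_country" {
  account_id     = var.account_id
  application_id = cloudflare_access_application.homelab_ios_app.id
  name           = "Bypass from DE only"
  precedence     = 1
  decision       = "bypass"

  include {
    geo = ["DE"] # assumed permitted country code
  }
}

# Policy 2: everything that did not match the bypass is blocked.
# Order matters: if this policy had precedence 1, the bypass would
# never be reached and every request would be denied.
resource "cloudflare_access_policy" "deny_everyone_else" {
  account_id     = var.account_id
  application_id = cloudflare_access_application.homelab_ios_app.id
  name           = "Deny everyone else"
  precedence     = 2
  decision       = "deny"

  include {
    everyone = true
  }
}
```

Two things to check after applying: the Bypass policy must carry the lower precedence number so it is matched before the Deny, and its `include` must stay narrow (`geo`, or `ip`/`ip_list` if you want a tighter rule). A Bypass with `everyone = true` would make the application public to the whole internet, which is the opposite of what the thread is trying to achieve. The geo check only guards the Access layer in front of the Tunnel; it does nothing about the UUID hostname eventually being discovered, as the answer above notes.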

Comment 1 on Answer

Problem is that I cannot use the app policies because I have to use some identity provider besides using other options like WARP, country, and so on, right?! I have to enter at least for the first time an email address. And that's not possible for the iOS app. Or am I misunderstanding something here? Thanks

My response to comment 1

When using a bypass rule, it acts, if the condition fits, as if there is no app policy, so no IdP is needed.

Comment 1.1 on Answer

Thank you so so so much u/MasterofSynapse!!! You made my week. I totally missed the option to toggle between these options.

My response to comment 1.1

Always happy to help :) And yes, the dropdowns are a bit non-obvious at first.