r/CloudFlare: Zero Trust Access to Private Network Help

This article archives, in a Q&A format, a conversation that took place in a subreddit post (original source linked below) and to which I contributed a solution or answer under the u/MasterofSynapse handle.

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/10mu6el/zero_trust_access_to_private_network_help/

Question

Want to start by saying I'm very new to CF. I just configured CF Zero Trust. I've set up authentication with GitHub. I've a docker server on my home network running several containers that I am trying to access. I've set up the tunnel and that seems to be working, because I was able to set up an app using public DNS and it was protected by CF, then I was able to access it. The main idea is I want to get rid of all my public DNS records and just use Zero Trust. So I've got the tunnel and added my private network to the tunnel. Then added an application and a rule for the server IP and port number. I've got the CF app on my phone and am able to log into Zero Trust (I configured WARP as well). Also set up split tunnel. But when WARP is connected and I go to IPofServer:5000 in a browser, I cannot get to my app. Any suggestions or guides that might be helpful? Thanks in advance

Answer

You do not need any Access application or rule for private networks.

Since Access applications only work for public hostnames and you aren't using those, the app could be getting in the way of the private routing.

Delete the Access app and try to reach your app again.

If it still doesn't work, report back and we will continue troubleshooting.

Comment 1 on Answer

Awesome, thank you. I'll give it a try. Do I need any kind of network or firewall policy in Zero Trust? Or should this just work with the tunnel, the private network in the tunnel, and WARP configured with split tunnel and my LAN network specified for the split tunnel?

EDIT: Still no luck. Tried it with proxy off and on too. Not sure what I’m missing here

EDIT 2: OK, I figured it out and got it working. Needed a firewall policy and proxy on. Now I just need to figure out how to handle SSL certs and a few other things. Thanks for the help

My response to comment 1

Great that you figured out what was wrong. However, you do not need a firewall policy in ZT for private communications between CF Tunnels and WARP. The FW policies are for controlling the enrolled devices' internet access via Gateway, when WARP is running in the right mode.

And yes, because you are using the private network, you have to handle your own certs.
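A small checker I am adding here (not part of the thread and not Cloudflare's own tooling) that models the two conditions this thread circles around: the server IP must be covered by a private route advertised by the tunnel, and WARP's split-tunnel list must not keep that IP off WARP (in Exclude mode, Cloudflare's default list covers the RFC1918 ranges, so an overlapping entry has to be removed or narrowed). The CIDRs and server IP are constructed sample values.

```python
import ipaddress

# Constructed sample values for this example (not from the thread): a LAN advertised by the
# tunnel as a private route, and the private ranges that WARP's split tunnel excludes by
# default when running in "Exclude" mode.
PRIVATE_ROUTES = ["192.168.1.0/24"]
DEFAULT_EXCLUDES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                    "169.254.0.0/16", "100.64.0.0/10"]


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def routed_via_tunnel(server_ip, private_routes, split_mode, split_list):
    """Return (reachable, reason): will traffic from a WARP-enrolled device to
    server_ip enter WARP and be forwarded to the tunnel advertising private_routes?"""
    ip = ipaddress.ip_address(server_ip)
    in_split_list = any(ip in n for n in _nets(split_list))
    if split_mode == "exclude":
        # Exclude mode: listed ranges bypass WARP and leave via the device's local interface.
        enters_warp = not in_split_list
    elif split_mode == "include":
        # Include mode: only the listed ranges enter WARP.
        enters_warp = in_split_list
    else:
        raise ValueError(f"unknown split-tunnel mode: {split_mode}")
    if not enters_warp:
        return False, "split tunnel keeps this IP off WARP; it never reaches the tunnel"
    if not any(ip in n for n in _nets(private_routes)):
        return False, "no tunnel advertises a private route covering this IP"
    return True, "WARP forwards the IP to the tunnel's private route"


def overlapping_excludes(split_list, private_routes):
    """Exclude-list entries that overlap an advertised private route: the ones to
    remove or narrow when the split tunnel runs in Exclude mode."""
    routes = _nets(private_routes)
    return [str(e) for e in _nets(split_list) if any(e.overlaps(r) for r in routes)]


if __name__ == "__main__":
    print(routed_via_tunnel("192.168.1.50", PRIVATE_ROUTES, "exclude", DEFAULT_EXCLUDES))
    print(overlapping_excludes(DEFAULT_EXCLUDES, PRIVATE_ROUTES))
```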

Comment 1.1 on Answer

Interesting. I'll have to test it with the policy off. Thanks again

EDIT: You are correct. I disabled the FW policies and everything is still working. Not sure what I was missing the first time. Maybe those applications I added were causing issues. Thanks again.