r/CloudFlare: Zero Trust Access to Private Network Help
Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/10mu6el/zero_trust_access_to_private_network_help/
Want to start by saying i'm very new to CF. I just configured CF Zero Trust. I've set up authentication with Github. I've a docker server on my home network running several containers that i am trying to access. I've set up the tunnel and that seems to be working because i was able to set up an app using public dns and it was protected by CF then i was able to access it. The main idea is i want to get rid of all my public dns records and just use zero trust. So i've got the tunnel and added my private network to the tunnel. Then added an application and a rule for the server IP and port number. I've got the CF app on my phone and able to log into Zero Trust (i configured WARP as well). Also set up split tunnel. But when WARP is connected and i go to IPofServer:5000 in a browser, i cannot get to my app. Any suggestions or guides that might be helpful? Thanks is advance
You do not need any Access application or rule for private networks.
Since the Access applications only work for public hostnames and you aren't using them, it could get in the way of the private routing.
Delete the Access app and try to reach your app again.
If it still doesn't work, report back and we will continue troubleshooting.
Comment 1 on Answer
Awesome thank you. I’ll give it a try. Do I need any kind of network or firewall policy in zero trust? Or this should just work with the tunnel, private network in tunnel, and WARP configured w split tunnel and my LAN network specified for the split tunnel?
EDIT: Still no luck. Tried it with proxy off and on too. Not sure what I’m missing here
EDIT 2: Ok i figured it out and got it working. Needed a firewall policy and proxy on. Now just need to figure out how to handle ssl certs and a few other things. Thanks for the help
My response to comment 1
Great that you figured out what was wrong. However, you do not need a firewall policy in ZT for private communications between CF Tunnels and WARP. The FW policies are for controlling internet access via Gateway of the enrolled devices, when running in the right mode of WARP.
And yes, because you use private, you have to handle your own certs.
Comment 1.1 on Answer
Interesting. I’ll have to test it with the policy off. Thanks again
EDIT: You are correct. I disabled the fw policies and everything is still working. Not sure what I was missing the first time. Maybe those applications I added were causing issues. Thanks again.