r/CloudFlare: Cloudflare Access and Warp/Gateway/Teams Policy

💡
This article archives a conversation, which took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle), in a Q&A format.

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/y5gpos/cloudflare_access_and_warpgatewayteams_policy/

Question

Hi there folks,

i am trying to secure a locally hosted website using cloudflare access. I created the tunnel and the corresponding hostname. This all works like it should.

Next thing i did was to create an application on top of it and using an allow policy with mails ending with @ mydomain.com and one time PIN as authentication. This is also working.

I have an app that has to connect to this website without authentication. So i installed the warp client on my android phone and enrolled it into Gateway/Zero Trust/Teams. I went into the Warp client menu and added device posture checks for warp, gateway and android version.

Then i created an bypass policy for this application, if the connections is made via gateway.

If i access the teams -> devices site on the zero trust dashboard i see the enrolled device and the completed posture check for android version. But nothing from warp or gateway, even if the phone is connected. CHecked via https://cloudflare.com/cdn-cgi/trace and warp and gateway are on.

But if i try to access this website via the phone connected to gateway i still get the time PIN login and the app is not able to connect.

I disabled QUIC/HTTP3 for the domain, there are no split tunnels configured, so everything is going through cloudflare.

Is there anything i am missing? Thanks!!!

Answer

You could, instead of going through the public hostname for your Android App, also add the IP of the local webserver to the Tunnel as a private endpoint and let your app access that directly, this circumvents the authentication of the Access Application, so you won't need a bypass action.