Replacing legacy VPNs with Cloudflare Access

It's been a while since I wrote a post, and I thought I'd dive into more VPN-related stuff.

Traditionally you would create a VPN server to access internal resources on your network, giving client access to whoever needs it and treating users who are logged in as trustworthy. However, this comes with some headaches such as:

  • Uptime, patching, monitoring requirements
  • Supporting users with connection issues/first time setup
  • Revoking access for users with a current session (or disabling users once they have left, if you don't have Single Sign-On (SSO) configured)
  • Exposing services on a port to the outside world

Recently I've been trialling Cloudflare Access, which is a completely different way to access internal network resources. Rather than setting up a single server, or a fleet of VPN servers as I have done previously with Pritunl/OpenVPN, Cloudflare Access uses the "Zero Trust" security model. This means that regardless of your logged-in session state, each TCP/UDP connection you make is subject to a policy-driven decision on whether that connection is allowed, according to the rules specified by the organisation.
Another benefit is that the cloudflared service creates a single outbound UDP connection, so no inbound ports need to be opened, improving security. Traffic is routed to the nearest Cloudflare edge location to ensure low latency.

I found setup relatively simple:

  1. Create an Azure Active Directory tenant (free)
  2. Register an App in Azure AD
  3. Follow the steps in this article to configure the App in Azure AD and allow Cloudflare Zero Trust to use it as an identity provider (I also created a group in Azure AD to restrict who is allowed to connect)
  4. Set up cloudflared (in my case as a Docker container), which establishes a Cloudflare Tunnel with the appropriate internal network CIDR block allowed to route traffic through it
  5. Follow the steps in this article to configure Cloudflare Access
  6. Create a Gateway Policy which allows the appropriate internal traffic to flow
  7. Download the WARP client and log in with the Azure AD user account
  8. Done!

After a few tweaks (and re-reading the instructions...) I was able to use my connection in the same way as a traditional VPN, without the hassle of maintaining a server to do so. cloudflared is a very simple service to set up and only needs a token to download its configuration and bootstrap itself.
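For step 4, this is the kind of docker-compose definition I would use to run cloudflared; it is an added example, not configuration from the original post or from Cloudflare. It assumes the tunnel token from the Zero Trust dashboard has been placed in a TUNNEL_TOKEN environment variable (for example via an .env file), and the 10.0.0.0/24 range and tunnel name are placeholders.

```yaml
# docker-compose.yml for a token-based (remotely managed) Cloudflare Tunnel.
# Added example; TUNNEL_TOKEN, the 10.0.0.0/24 range and the tunnel name are
# placeholders, not values from the post.
services:
  cloudflared:
    # Pin to a specific release in production rather than tracking "latest".
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    restart: unless-stopped
    # The token is the only secret cloudflared needs: it downloads the rest of
    # the tunnel configuration from Cloudflare at start-up. Keep the token in
    # an .env file or a secret store, never committed next to this file.
    command: tunnel --no-autoupdate run --token ${TUNNEL_TOKEN}
    # Deliberately no "ports:" section: cloudflared only dials out to the
    # Cloudflare edge, so the host exposes nothing inbound.

# Once the container is up, tell Cloudflare which private CIDR this tunnel can
# reach, either in the dashboard's Private Network tab or from a machine that
# has completed "cloudflared tunnel login":
#   cloudflared tunnel route ip add 10.0.0.0/24 <tunnel-name-or-uuid>
```

Two things a first-time setup commonly trips over: the WARP client's default Split Tunnel configuration excludes the RFC 1918 ranges, so the private CIDR must be removed from that exclude list before traffic is sent through the tunnel, and a Gateway network policy (step 6) still has to allow the destination.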

All of this is free to get started. I'm looking forward to testing Cloudflare Access next, to get rid of SSH key authentication.