Geekzone: technology news, blogs, forums


clinty
#298822 19-Jul-2022 17:36

Having had a few hacks and hack attempts on some of my small business customers recently, have been looking around for replacements for RDP and VPN that don't cost the earth - which to a small business client seems to be less than $5 per user per month, but preferably free :)

Am having a look at Cloudflare's Zero Trust VPN replacement - part of the Cloudflare for Teams offering, free for up to 50 users.

Has anyone had any real world experience of setting up and managing it? How has the user experience been? MFA before connecting would be nice (I see it can use M365 for SSO).

In most cases it will be for accessing network drives and internal SQL databases, when WFH or on the road with company laptops.

Clint


Jiriteach
#2943906 19-Jul-2022 17:58

Works incredibly well but does take some time to get the configuration correct and tweak things. Once set up it's seamless to manage.

You will need some place internally to deploy and run an instance of cloudflared - a Docker container or Linux server is the best choice. All tunnels can now be configured via the online dashboards, making configuration easier. Previously you had to publish or configure tunnels via cloudflared.

Once the tunnel is up you can securely publish any applications or networks required and then add authentication in front of these. MFA can be easily set up via Azure AD if you are using M365, and this in turn can be added in front of any published apps etc.

You have the choice of publishing apps as required or providing access to subnets as needed via the tunnel and in turn WARP clients.





-- opinions expressed by me are solely my own. ie - personal
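As an added example (not from the thread, and not Cloudflare's own tooling), here is the shape of a minimal cloudflared setup for the case Clint describes: one internal app published on a hostname in a Cloudflare-managed zone, plus the office subnet routed to WARP clients. The tunnel name, hostname, origin URL and subnet are placeholders. The `cloudflared` commands are the CLI's own and only run when `RUN_LIVE=1` is set and the binary is installed; the offline part renders the connector's config file and checks the ingress ordering rule that `cloudflared tunnel ingress validate` enforces.

```shell
#!/bin/sh
# Added example (not from the thread or from Cloudflare): tunnel setup for
# one published app plus one routed office subnet. All names are placeholders.
set -eu

TUNNEL_NAME="${TUNNEL_NAME:-office-tunnel}"             # assumed tunnel name
APP_HOSTNAME="${APP_HOSTNAME:-files.xyz.co.nz}"         # zone must be on Cloudflare DNS
APP_ORIGIN="${APP_ORIGIN:-http://192.168.1.10:8080}"    # assumed internal origin
OFFICE_CIDR="${OFFICE_CIDR:-192.168.1.0/24}"            # subnet exposed to WARP clients
CRED_DIR="${CRED_DIR:-${HOME:-/root}/.cloudflared}"

# Render config.yml for the connector. Ingress rules are evaluated top to
# bottom; cloudflared refuses to start unless the last rule is a catch-all
# (a rule with a service but no hostname).
render_config() {
  cat <<EOF
tunnel: $1
credentials-file: ${CRED_DIR}/$1.json
# Required for the "tunnel route ip add" below to actually carry WARP traffic.
warp-routing:
  enabled: true
ingress:
  - hostname: ${APP_HOSTNAME}
    service: ${APP_ORIGIN}
  # Catch-all: unmatched hostnames get a 404 instead of reaching an origin.
  - service: http_status:404
EOF
}

# Offline check of a rendered config (rules written as "- hostname:" for
# named rules and "- service:" for the catch-all, as render_config does).
# Fails on the two mistakes "cloudflared tunnel ingress validate" rejects:
# no catch-all at the end, or a catch-all placed before a hostname rule,
# which would shadow that rule.
check_ingress() {
  rules=$(printf '%s\n' "$1" | sed -n '/^ingress:/,$p' \
          | grep -E '^[[:space:]]*- (hostname|service):' \
          | sed -E 's/^[[:space:]]*- ([a-z]+):.*/\1/' || true)
  [ -n "$rules" ] || return 1
  last=$(printf '%s\n' "$rules" | tail -n 1)
  catchalls=$(printf '%s\n' "$rules" | grep -c '^service$' || true)
  if [ "$last" = "service" ] && [ "$catchalls" -eq 1 ]; then
    return 0
  fi
  return 1
}

# Live steps; need cloudflared installed and "cloudflared tunnel login" done.
setup_tunnel() {
  command -v cloudflared >/dev/null 2>&1 || { echo "cloudflared not found" >&2; return 1; }
  cloudflared tunnel create "$TUNNEL_NAME"
  # Pull the tunnel UUID out of the JSON listing for the name just created.
  tunnel_id=$(cloudflared tunnel list --name "$TUNNEL_NAME" --output json \
              | sed -n 's/.*"id": *"\([0-9a-f-]*\)".*/\1/p' | head -n 1)
  # CNAME for the published app in the Cloudflare-managed zone.
  cloudflared tunnel route dns "$TUNNEL_NAME" "$APP_HOSTNAME"
  # Private network route: WARP clients reach this subnet through the tunnel.
  cloudflared tunnel route ip add "$OFFICE_CIDR" "$TUNNEL_NAME"
  render_config "$tunnel_id" > "$CRED_DIR/config.yml"
  cloudflared tunnel --config "$CRED_DIR/config.yml" ingress validate
  cloudflared tunnel --config "$CRED_DIR/config.yml" run "$TUNNEL_NAME"
}

# Offline demo with a placeholder UUID.
cfg=$(render_config "00000000-0000-0000-0000-000000000000")
check_ingress "$cfg" && echo "rendered config: ingress ordering OK"
if [ "${RUN_LIVE:-0}" = "1" ]; then
  setup_tunnel
fi
```

A tunnel created in the Zero Trust dashboard instead of with `tunnel create` skips the config file entirely: the connector runs as `cloudflared tunnel --no-autoupdate run --token <token>` (or the `cloudflare/cloudflared` Docker image with the same arguments) and the ingress and routes live in the dashboard. Either way, running a second connector with the same credentials or token on another box gives the tunnel a replica, so restarting one of them for an update does not drop the tunnel.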




Jiriteach
#2943907 19-Jul-2022 18:00

Also note that you do need your DNS to be managed by Cloudflare to use Zero Trust.





-- opinions expressed by me are solely my own. ie - personal


clinty
#2943909 19-Jul-2022 18:09

Jiriteach: You will need some place internally to deploy and run an instance of cloudflared - a Docker container or Linux server is the best choice. All tunnels can now be configured via the online dashboards, making configuration easier. Previously you had to publish or configure tunnels via cloudflared.

What sort of resourcing do you need? Can you get away with an old PC or NUC?

Jiriteach: Also note that you do need your DNS to be managed by Cloudflare to use Zero Trust.

I assume that is the DNS for the web facing domain, i.e. xyz.co.nz, not the internal DNS xyz.local (I know that is no longer best practice, but a lot of domains are still configured that way :) )

Clint




Jiriteach
#2943914 19-Jul-2022 18:39

clinty: What sort of resourcing do you need? Can you get away with an old PC or NUC?

Depends on the traffic you will be proxying through it. The agent itself does not require many resources at all. It is designed to easily run on a Raspberry Pi or similar, so it will work fine on an older PC or NUC, but you would want to make sure you have adequate network throughput. See here for more - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/do-more-with-tunnels/hosting-requirements/

clinty: I assume that is the DNS for the web facing domain, i.e. xyz.co.nz, not the internal DNS xyz.local (I know that is no longer best practice, but a lot of domains are still configured that way :) )

Yes, the external facing DNS, which will allow you to publish apps, e.g. site1.xyz.co.nz - but then again, you don't need to publish apps if you don't want to. You could expose a subnet via the tunnel to the WARP clients - once connected, users can just use the internal IPs/DNS.





-- opinions expressed by me are solely my own. ie - personal


clinty
#2943916 19-Jul-2022 18:44

Any gotchas or issues you have come across?

It seems pretty secure out of the box - the only weak point seems to be the user or the endpoint being compromised - which holds true for VPN as well :)

Clint

 

 


Jiriteach
#2943917 19-Jul-2022 18:51

clinty: Any gotchas or issues you have come across? It seems pretty secure out of the box - the only weak point seems to be the user or the endpoint being compromised - which holds true for VPN as well :)

Have not come across any and using it on a daily basis.

The agent configuration is powerful but can be annoying as it does not allow users to quit the application. Also does not allow them to turn off the connection initially (extra configuration required to enable this). I ended up writing a few launcher scripts for macOS - https://github.com/Jiriteach/Cloudflare-WARP-Launcher which works well.

Only other issue would be updates to cloudflared. They do release quite regularly - depending on how you run cloudflared, you need to factor in updates to this, which will take things down temporarily.

Overall it's solid and secure and works very well. Have also configured geoblocking for some published apps as well. You can lock it down as much as you want via policies, which is really good.





-- opinions expressed by me are solely my own. ie - personal
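The geoblocking and the MFA requirement mentioned above are both expressed as Access policy rules, and the ordering of those rules is where a policy quietly goes loose. The following is an added example (not from the thread, and not Cloudflare's own tooling) of the policy shape and of that mistake: rules under "include" are OR-ed (matching any one makes the user a candidate), rules under "require" are AND-ed (all must hold), so the MFA and country rules belong under "require". The mail domain, country and API identifiers are placeholders; `push_policy` posts to the per-application policies endpoint of the Cloudflare API and runs only with `RUN_LIVE=1` and the credentials set. The offline part renders the document and checks that the strict rules really sit under "require".

```shell
#!/bin/sh
# Added example (not from the thread or from Cloudflare): an Access policy
# that admits staff from one mail domain only with MFA and only from one
# country. Domain, country and API identifiers are placeholders.
set -eu

POLICY_NAME="${POLICY_NAME:-staff-mfa-nz-only}"
EMAIL_DOMAIN="${EMAIL_DOMAIN:-xyz.co.nz}"      # assumed staff mail domain
ALLOWED_COUNTRY="${ALLOWED_COUNTRY:-NZ}"       # ISO 3166-1 alpha-2 code

# "include" rules are OR-ed: matching any one of them is enough to be a
# candidate. "require" rules are AND-ed: every one must hold. The geo and
# MFA rules therefore go under "require"; under "include" a geo rule alone
# would admit any identity that merely sits in the country.
render_policy() {
  cat <<EOF
{
  "name": "${POLICY_NAME}",
  "decision": "allow",
  "include": [
    {"email_domain": {"domain": "${EMAIL_DOMAIN}"}}
  ],
  "require": [
    {"auth_method": {"auth_method": "mfa"}},
    {"geo": {"country_code": "${ALLOWED_COUNTRY}"}}
  ]
}
EOF
}

# Offline check on a policy document laid out one rule per line (as above):
# an allow decision, and both the MFA rule and a geo rule under "require".
policy_is_strict() {
  printf '%s\n' "$1" | grep -q '"decision": "allow"' || return 1
  req=$(printf '%s\n' "$1" | sed -n '/"require": \[/,/]/p')
  printf '%s\n' "$req" | grep -q '"auth_method": "mfa"' || return 1
  printf '%s\n' "$req" | grep -q '"country_code"' || return 1
  return 0
}

# Live step: attach the policy to an existing Access application.
push_policy() {
  : "${CF_API_TOKEN:?set CF_API_TOKEN}" "${CF_ACCOUNT_ID:?set CF_ACCOUNT_ID}" "${CF_APP_ID:?set CF_APP_ID}"
  render_policy | curl -sS -X POST \
    "https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/access/apps/${CF_APP_ID}/policies" \
    -H "Authorization: Bearer ${CF_API_TOKEN}" \
    -H "Content-Type: application/json" \
    --data-binary @-
}

policy=$(render_policy)
policy_is_strict "$policy" && echo "policy: MFA and geo are enforced under require"
if [ "${RUN_LIVE:-0}" = "1" ]; then
  push_policy
fi
```

Two caveats. The `auth_method` rule can only be evaluated when the identity provider passes an AMR claim to Cloudflare; if yours does not, enforce MFA on the IdP side (for Azure AD, a Conditional Access policy) and pin the application to that IdP with a `login_method` rule instead. And the WARP client's device enrollment permissions use the same rule language, which is how "MFA before connecting" is done for the subnet-routing case rather than only for published apps.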


clinty
#2943918 19-Jul-2022 18:53

Jiriteach: The agent configuration is powerful but can be annoying as it does not allow users to quit the application. Also does not allow them to turn off the connection initially (extra configuration required to enable this). I ended up writing a few launcher scripts for macOS - https://github.com/Jiriteach/Cloudflare-WARP-Launcher which works well.

No Macs allowed at my sites :-P

Will give it a whirl on my network :)

Clint


 
 
 

insane
#2943931 19-Jul-2022 19:51

I believe it's based on technology from Zscaler, so if it's anything as good as ZTNA, it should be very good.

clinty
#2944497 20-Jul-2022 21:06

Setup was pretty easy - although some of the help pages seem a bit out of date, and Edge didn't like the cloudflared download - not signed :)

Basic WARP configuration was good, and got traffic passing back to the internal network OK.

However ping didn't seem to be working - will play with that tomorrow :)

Clint




Jiriteach
#2944498 20-Jul-2022 21:12

clinty: Setup was pretty easy - although some of the help pages seem a bit out of date, and Edge didn't like the cloudflared download - not signed :) Basic WARP configuration was good, and got traffic passing back to the internal network OK. However ping didn't seem to be working - will play with that tomorrow :)

Good to hear. Note that ICMP traffic is not supported currently, so pings won't work. I know they are working on adding this capability soon!





-- opinions expressed by me are solely my own. ie - personal


pih
#2944500 20-Jul-2022 21:14

Quick question because my Google-fu is failing me: Does anyone know if this works as a solution to accessing services behind CG-NAT?

Jiriteach
#2944502 20-Jul-2022 21:15

pih: Quick question because my Google-fu is failing me: Does anyone know if this works as a solution to accessing services behind CG-NAT?

Yes - it's perfectly designed to work behind CG-NAT.





-- opinions expressed by me are solely my own. ie - personal

