Allow access to all ports, only via tunnel

Hi, we have a bunch of virtual servers which we want to lock down using Cloudflared and WARP. We only want our employees, with WARP installed, to be able to access these servers. But they need access to all ports: HTTP, MySQL, SSH, etc.

I’ve tried to implement this, but I’m not sure how; I’m not even sure this is the right tool for the job.

I already have a healthy tunnel set up with one of these servers as a test. But I’m not sure how it should be configured. For example, under public hostname, I put TCP for the “Type” because I want all ports opened, not a specific service. And I put the IP address of the server for the “URL” because I want to connect directly to the server via its public IP address. And I’m not sure if I even need to use the private network section.

This configuration does not work, and I’ve been playing with it for days trying to tweak it, to no avail.

Can someone please tell me if what I want to do is possible, and if so, what I’m doing wrong?

Thanks!


It is the right tool, we work on all our servers through tunnels and WARP for day-to-day use.

Assuming you’ve set up the tunnel ok, don’t add anything under public hostname, as these tunnels won’t be public. Just add the LAN IP address of the server (as /32) or the network (if accessing a remote LAN, typically /24) under private network.

After that you need to configure the WARP access under Zero Trust… Settings… WARP access. Start with the single default profile; later you might want to add more profiles for tuning settings based on whether the user is in the office or outside (for example, to not use the tunnel to connect to a server in the office when you are in the office). In the default profile you may need to configure the split tunnel to include or exclude the relevant private IP ranges from the tunnel. This can be a little tricky to get right: you need to tunnel your LAN IPs, but ensure not to tunnel other private IPs so users don’t have to turn off WARP to access things on their home LAN.

It takes a little bit of experimentation to get everything right, but once it’s up and running it works well (for us anyway!)

Thank you sjr. I really appreciate your help. For the LAN IP address, we don’t have a LAN set up. We just have a bunch of DigitalOcean servers in different data centers. So they are only connected by the public network. In this case, can I use the public IP address? I’ve tried using the public IP address, but no luck yet.

We just added a private IP address to the interface as a /32. We address across the company sort of like this…

10.123.1.1/32 - colo server 1, VM 1
10.123.1.2/32 - colo server 1, VM 2, etc…
10.123.2.1/32 - colo server 2, VM 1, etc…

10.123.100.1/24 - office 1 LAN (tunnel running on a server there)
10.123.110.1/24 - office 2 LAN, etc…

All company assets can then be reached over WARP; no VPNs or intra-site links, no special firewalling at the servers to allow specific IPs and easy to control.

I see. Unfortunately, we don’t have any of that infrastructure. We all work remotely, so we have no LAN that connects all of us or our virtual servers. So I think we need to use the public IP addresses of the virtual servers, which brings me back to wondering if I should be filling the “Public Hostname” or “Private Network” section of the tunnel settings.

There’s no private LAN on our colo servers, just a single private-range IP address added to the interface as a /32 only to give a private IP for the tunnel to use. All users are remote from the colo. But by having different IPs for each server in the same subnet it is easy to include/not exclude them from the WARP split tunnel settings. The servers are not connected to each other over these private IPs, only WARP users can reach each server via the tunnels on these IPs.

Over the tunnel we connect to SSH, HTTP or any other services. The only access permitted from the public IP address is Cloudflare for HTTPS and our Spectrum ports, plus our break-glass IP addresses for SSH should there be a problem with the tunnel. All runs well.
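The split-tunnel step sjr describes earlier (tunnel the company's private IPs, but do not swallow the RFC 1918 ranges people use at home) and the 10.123.x.y addressing scheme from the later post are the two pieces that have to agree. The following is an added example, not code from the thread or from Cloudflare: it assumes a WARP profile in "Exclude" mode whose default exclude list contains the three RFC 1918 ranges, and a company range of 10.123.0.0/16 chosen to hold the /32 server addresses and the office /24s. It carves that company range out of the default excludes so everything under 10.123.0.0/16 goes over WARP while 10.0.0.5 or 192.168.1.10 on a home LAN stays local, and it flags any tunnel route that the resulting exclude list would still block.

```python
"""
Plan a WARP split-tunnel exclude list that still routes a company's
private tunnel addresses.

Added example, not from the forum thread or from Cloudflare. The RFC 1918
default excludes and the 10.123.0.0/16 company range are assumptions made
for illustration; the server and office routes follow the scheme described
in the thread.
"""
from ipaddress import ip_address, ip_network

# Assumed default exclude list of an "Exclude" mode WARP profile.
DEFAULT_EXCLUDES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Range planned for everything reachable through tunnels (assumption).
COMPANY_RANGE = "10.123.0.0/16"

# Routes added under "Private network" on the tunnels (one /32 per VM,
# one /24 per office LAN), following the addressing scheme in the thread.
COMPANY_ROUTES = (
    "10.123.1.1/32",    # colo server 1, VM 1
    "10.123.1.2/32",    # colo server 1, VM 2
    "10.123.2.1/32",    # colo server 2, VM 1
    "10.123.100.0/24",  # office 1 LAN
    "10.123.110.0/24",  # office 2 LAN
)


def tunnel_excludes(company_range=COMPANY_RANGE, defaults=DEFAULT_EXCLUDES):
    """Return the exclude list with the company range carved out.

    A default range that contains the company range is replaced by the
    CIDRs covering everything in it except the company range; a default
    range that lies entirely inside the company range is dropped; all
    other defaults are kept as they are, so home LANs stay excluded.
    """
    company = ip_network(company_range)
    excludes = []
    for cidr in defaults:
        default = ip_network(cidr)
        if company.subnet_of(default):
            excludes.extend(default.address_exclude(company))
        elif default.subnet_of(company):
            continue
        else:
            excludes.append(default)
    return sorted(excludes)


def goes_over_warp(ip, excludes):
    """True if WARP would send traffic for this address into the tunnel."""
    addr = ip_address(ip)
    return not any(addr in net for net in excludes)


def blocked_routes(routes, excludes):
    """Tunnel routes that the exclude list would (partly) keep off WARP."""
    return [r for r in routes
            if any(ip_network(r).overlaps(net) for net in excludes)]


if __name__ == "__main__":
    naive = [ip_network(c) for c in DEFAULT_EXCLUDES]
    print("default excludes block:", blocked_routes(COMPANY_ROUTES, naive))

    planned = tunnel_excludes()
    print("exclude list to configure:")
    for net in planned:
        print("  ", net)
    print("blocked with planned list:", blocked_routes(COMPANY_ROUTES, planned))
    for probe in ("10.123.1.1", "10.123.100.25", "10.0.0.5", "192.168.1.10"):
        print(f"{probe:>14} over WARP: {goes_over_warp(probe, planned)}")
```

With the default excludes every company route is blocked, which is the "it just doesn't connect" symptom from the original post. The planned list replaces 10.0.0.0/8 with eight narrower CIDRs (10.0.0.0/10 up to 10.128.0.0/9) that together cover all of 10/8 except 10.123.0.0/16, so a laptop on a 10.0.0.x home network keeps working while WARP is on. Any address inside 10.123.0.0/16 that has no tunnel route behind it is still handed to WARP rather than the local network, so keep the company range only as large as the routes you actually publish.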

@marc5 @sjr I have the exact same problem: how to SSH through a cloudflared tunnel via the public IPv4 of the server, not its private IP.

I tried using the public ipv4 as the entry in the “private network”, doesn’t work…

In a nutshell, is it possible to do this with cloudflared tunnel:

ssh ubuntu@<public ipv4>

@marc5 did you find an answer?

Thank you, sjr! You saved me a lot of time!) Just adding the network to this list works! I’m able to connect to my VDS using its private network.

Trying to configure Docker networks, I think I should “share” my server’s network with Docker as a subnetwork. For example, I have 10.1.1.1 as the server’s private address. I want to give 10.1.1.1/24 (to allow addresses up to 10.1.1.255) to Docker so that I’ll be able to see all containers from my local laptop. Is that the right idea?