Do I add my Cloudflare origin certificate to my router to enable access?

I have successfully set up Cloudflare Access with the GSuite SSO option. I also have an access policy created whitelisting my email address. I use a ZTE wireless/wired router and have configured a DDNS service in its settings, for which I have added a subdomain A record in Cloudflare (proxied/orange setting). It works to access the subdomain and the Cloudflare Access login screen shows, SSO works, and upon loading the router login screen, I am dealt a 522 Cloudflare error page.

Do I need to upload my Cloudflare Origin certificate to my router admin settings page for the access to work?

So you are hosting your website on your own private ISP connection? In this case the certificate should go on the webserver Cloudflare is connecting to.

A 522 is not a certificate-related error but refers to an issue with the connection itself. Best guess, you haven't configured your router properly to internally forward connections (port forwarding).

Sorry if I was unclear.

I am simply trying to reach my office router’s login page, which is available on a local IP: 192.168.100.1

I use a DDNS service (Dynu) to bind intranet.[mydomainnamehere].com to my office's dynamic ISP-provided IP address. The DDNS client is running inside the actual router itself, ensuring the public IP address is always updated on Dynu.

Port forwarding can be set up on the router; perhaps this is the missing link. However, I thought that because my Cloudflare account is using Force SSL on my domain, the internal router page also needs this certificate to function. I might be missing something?

I assume that login page is not associated with a domain, correct? In that case Cloudflare wouldn't be part of the picture.

You’re right, the login page is not associated with a domain.

This is what I have tried now:

In the Cloudflare Access policy settings I have used intranet.[mydomainnamehere].com/:10000 as the access URL. In the router settings port forwarding page I have entered a TCP connection profile forwarding port 10000 calls for intranet.[mydomainnamehere].com to 192.168.100.1 with port number 80 (port 80 seems to work when trying to access the router page in a local browser from the local IP address).

Is anything else missing?

In that case you technically can configure an Origin certificate, but there will be little point in that, as that certificate won't be any more valid than the self-signed certificate routers usually ship with.

I’d either keep the default certificate or (if you really want it to validate in your browser) get a Let's Encrypt one.

OK thank you, noted on the certificates. However, I still can’t seem to be able to reach the actual router login page. Typing in intranet.[mydomainnamehere].com/:10000 does direct me to the CF Access login screen. The SSO is set up correctly, but after authenticating, the browser still returns a 522 code.

Here is a screenshot of the router port forwarding setting. I have used a hostname of 0.0.0.0 before; this is because when trying to enter a domain name in there, it complains that it needs an IP address, so here I am unsure.

I am afraid that really is a question for StackExchange and the like then. The forum is for Cloudflare-related questions.

Sure, got it, will do. As per the above information however, are my settings for Cloudflare Access configured in a way that should make this work? Is my idea in the right direction?

I am a bit confused. How is your Access protected site connected to your router?

The 522 you are getting would be covered at Community Tip - Fixing Error 522: Connection timed out.

Where is the site which you run through Access actually hosted?

The domain name used for the entire Cloudflare account runs a website on the www subdomain. The server IP for this website is added as an A record for @ and www as normal.

I have a new A record added for the intranet subdomain with a different server IP. The IP address added in this record is the Dynu dynamic DNS service address provided within the user account there. FYI, when entering this IP address into my browser, it directly reaches my router login page. My router updates this Dynu DNS link dynamically. The Cloudflare record simply redirects the subdomain to this IP.

The only goal here is to reach my router login page through my subdomain and be protected by Access with SSO.

I’m sorry if I am unclear, I don’t know how to explain differently.

But in this case the following is not correct, is it?

You do want to associate that login page with your domain, right?

So basically you want to point a hostname of your domain to your router UI, is that correct?

Yes I do, that sentence might have been misleading, sorry.

So, if in Cloudflare DNS I set up an A record with the IP of my router in it, it works and loads the router login page as long as I leave the orange/proxy icon set to off/DNS only.

When enabling Cloudflare Access (and hence needing to set my DNS record to orange/ON) it stopped working and threw the 522 error.

That's not an Access issue at this point, however. Before doing anything with Access you first need to get the connection up and running.

In this case, you could add an Origin certificate to your router as well. How you do this depends on your router, and you best refer to its documentation.

The reason you might get the 522 might be the port you chose. Port 10000 won't work in the context of Cloudflare. Cloudflare only supports those listed at https://support.cloudflare.com/hc/en-us/articles/200169156-Identifying-network-ports-compatible-with-Cloudflare-s-proxy, particularly those for HTTPS only in your case.