Force Traffic Through Cloudflare Tunnel

We have a web application which our employees access internally on a private IP and customers access externally on a public IP. The functionality of the web application is different depending on if you are connecting internally or externally.

When using the WARP client, our staff are directed to the web app on its external IP. Is there a way we can force this traffic through the cloudflared tunnel so that it connects on its internal IP?

I’m new to Cloudflare for Teams too, which sounds like what you’re trying to set up. But I’ll try and help.

Have you got cloudflared with a tunnel setup running on the server hosting the application? How are the users running WARP attempting to access it? Through Cloudflare Access? Browsing to a domain name?

Currently I have a Linux VM running cloudflared with a tunnel that includes a 10.* subnet. In the Teams dashboard this is restricted by user so it allows them RDP and SSH access to the resources they need (as they would have had via our corporate VPN). This all works fine.

The web application itself is accessed via HTTPS through a browser. It’s not hosted on the VM that the cloudflared tunnel is on, although that VM can access the application server.

With that said, none of our internal browser based applications are accessible when using WARP so I’m clearly missing a setup step somewhere. Perhaps I’m naïve in thinking it would just work like our corporate VPN does.

Thanks for the reply.

From what I understand of Cloudflare for Teams so far it sounds as though you’re really close to having it going. It seems like you’re using Cloudflare Access to control user access to SSH and RDP on specific systems.

If that Linux VM running cloudflared is able to reach the web application server on HTTPS, could you set up another ingress so that users can reach the web application by the Cloudflare Access App Launcher too? This is what I’m thinking of: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/config

I think another option is just to create a tunnel that can route traffic to your local network by advertising a CIDR back into Cloudflare’s network that’s then reachable from users logged into WARP under your organization’s account. You essentially tell the tunnel what IP address space is reachable from the tunnel and create a DNS override rule in Cloudflare Gateway to return the local IP address of the web application. The doco is here: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net

In either solution I think the private IP of the server running cloudflared would be the source IP, so your application should present the internal version. Although that’s something I haven’t actually tested just yet.

Thanks.

The second part of your reply is what I have set up (partly it seems). I can actually get to the web app in a browser if I specify the IP and port number. Obviously some sort of DNS issue then. I clicked through that link you sent into the one below and followed steps 1 - 3. Unfortunately that didn’t work. At a bit of a loss at this point.

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns

It sounds like you’ve essentially made your private network routable within Cloudflare for your organisation. If you’re able to reach the web app by its private IP address through WARP then I think you’ve pretty much finished the setup. The only step you’re missing is to create a DNS override under Gateway → Policies for the domain name you’d like users to reach your application with.

I’ll preface this with a note that I’ve yet to test this exact setup myself. But I think you’d just need to create a new DNS policy and build an expression that’ll match on the selector Host for whatever hostname you’d like to override. For example, if your domain name was example.com and you wanted users to be able to reach the web app on https://webapp.example.com when logged into and connected to WARP, you would create a Host override for webapp.example.com, select the Override action and enter in the private IP address of your web app’s server. It’s worth noting that if the web app is listening on a non-standard port, your users will still need to provide the port at the end of the URL (https://webapp.example.com:8443).

This will override the DNS lookup for any user logged into your teams account through WARP or if DNS requests are being forwarded to a Gateway location. I think at this point users logged into WARP will be able to reach your web app through the hostname you specified in your DNS policy.


Thanks for the clear instructions. I’ve done all that and it hasn’t worked initially. I’m going to play around with it though.

Just to clarify, do I also need to add these hosts to the ‘ingress’ section of the config.yml file? The link I posted above (…/routing-to-tunnel/dns) also puzzles me as I’m not sure if I need to do that as well.
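For reference, here is an added example of a cloudflared `config.yml` that covers both setups described earlier in this thread (private-network routing for WARP users, and a public-hostname ingress for the Access App Launcher path); it is not configuration from the original posts. The tunnel UUID, credentials path, origin IP `10.10.0.20`, port `8443` and hostname `webapp.example.com` are placeholders; the Gateway DNS override policy itself lives in the dashboard, not in this file.

```yaml
# Placeholder tunnel identity: replace with the UUID and credentials file
# that `cloudflared tunnel create` produced on this VM.
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

# Option 2 from the thread: let WARP users route to the private network.
# The CIDR itself is advertised out of band with
#   cloudflared tunnel route ip add 10.10.0.0/16 <tunnel-name>
# With this path no ingress rule is needed for the web app; a Gateway DNS
# override for webapp.example.com -> 10.10.0.20 is what makes the hostname
# resolve to the internal address for WARP clients.
warp-routing:
  enabled: true

# Option 1 from the thread: expose the app as a public hostname behind
# Cloudflare Access instead. Only needed if you want the App Launcher path.
ingress:
  - hostname: webapp.example.com
    # The app server is a different host from this VM, reached over HTTPS
    # on a non-standard port (placeholder values).
    service: https://10.10.0.20:8443
    originRequest:
      # If the origin presents an internal CA certificate, trust that CA
      # rather than disabling verification; noTLSVerify: true should be a
      # last resort because it lets anything on the path impersonate the app.
      caPool: /etc/cloudflared/internal-ca.pem
      originServerName: webapp.example.com
  # Catch-all: cloudflared refuses to start without a final rule.
  - service: http_status:404
```

Restrict the `ingress` hostname with a Cloudflare Access policy before publishing it, otherwise the internal-only version of the app that the cloudflared VM's source IP unlocks becomes reachable by anyone who resolves the hostname.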