Gateway selector in access policy rule not eligible

I use Cloudflare zero trust with self-hosted services on my Synology Disk Station. I have a registered domain with Cloudflare and a tunnel to my Docker instance on the Synology. I use the zero trust “free plan”. I published the applications and used Google as identity provider. Everything works flawlessly and as desired when accessing via the browser.

Now, however, I want to use the iOS apps to access the Synology Photo Station, for example. To enable mobile access with the iOS app for the Synology Photo Station, I thought about using a Bypass access policy, and defining there that all devices that are connected to my Zero Trust instance via the WARP client do not require authentication.

But when I want to configure the policy and select “bypass” as the action, the “gateway” selector shown in the documentation is not displayed. Is this because I am using the “Free plan” for Zero Trust?

Or alternatively, are there other, better ways to access self-hosted services via mobile apps?

Many thanks

Hi there! I was facing exactly the same problem a few days ago. Luckily, there’s an easy solution.

In the Zero Trust dashboard, navigate to Settings → WARP Client. Then scroll down to the “device posture” section and click “add new” under WARP client checks. Select “Gateway” from the list and click “save”.

You should now be able to use the “Gateway” selector when creating an Access policy. I recommend using the “Service Auth” action rather than the “Bypass” action when creating the policy, as this will make Cloudflare generate a JWT that you can validate at your origin.

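The reply above ends with the part that actually protects the origin: when an Access policy uses the Service Auth action, Cloudflare forwards the request with a `Cf-Access-Jwt-Assertion` header carrying a signed JWT, and the origin is expected to verify it (otherwise anything that reaches the origin, for example over the LAN or through a misconfigured tunnel, is trusted blindly). The following Go program is an added example, not code from the thread or from Cloudflare: it verifies such a token the way an origin service behind cloudflared would, checking the RS256 signature against a JWKS, the issuer, the application audience (AUD) tag and the expiry. The team domain `example-team.cloudflareaccess.com`, the AUD tag and the key id are placeholders; in production the JWKS is fetched (and cached) from `https://<team>.cloudflareaccess.com/cdn-cgi/access/certs`, and the AUD tag is read from the application's overview page. The key generation and signing helpers only stand in for Access so the example runs offline; identity claims such as `email` may be absent for tokens issued under a non-identity (Gateway/WARP) rule, so the check does not depend on them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Placeholders (assumptions): team domain and application AUD tag from the
// Zero Trust dashboard. Both must match the deployed application exactly.
const (
	TestIss = "https://example-team.cloudflareaccess.com"
	TestAud = "aud-tag-placeholder"
)

// JWK/JWKS in the shape served at <team>.cloudflareaccess.com/cdn-cgi/access/certs.
type JWK struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	Alg string `json:"alg"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// Claims the origin cares about. aud may be a string or an array of strings.
type Claims struct {
	Aud   interface{} `json:"aud"`
	Iss   string      `json:"iss"`
	Exp   int64       `json:"exp"`
	Email string      `json:"email"`
	Sub   string      `json:"sub"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// rsaFromJWK rebuilds the RSA public key from the base64url n and e members.
func rsaFromJWK(k JWK) (*rsa.PublicKey, error) {
	n, err := base64.RawURLEncoding.DecodeString(k.N)
	if err != nil {
		return nil, err
	}
	e, err := base64.RawURLEncoding.DecodeString(k.E)
	if err != nil {
		return nil, err
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// VerifyAccessJWT validates a Cf-Access-Jwt-Assertion token: alg pinned to RS256,
// signing key selected by kid, then iss, aud and exp. Signature is checked before
// any claim is read, so a forged payload never influences the decision.
func VerifyAccessJWT(token string, keys JWKS, wantAud, wantIss string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return c, err
	}
	if hdr.Alg != "RS256" { // never trust the token's own choice of algorithm
		return c, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		if k.Kid == hdr.Kid {
			if pub, err = rsaFromJWK(k); err != nil {
				return c, err
			}
		}
	}
	if pub == nil {
		return c, errors.New("no key matches kid")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Iss != wantIss {
		return c, fmt.Errorf("wrong issuer %q", c.Iss)
	}
	if !audContains(c.Aud, wantAud) {
		return c, errors.New("audience mismatch: token was issued for another application")
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return c, errors.New("token expired")
	}
	return c, nil
}

func audContains(aud interface{}, want string) bool {
	switch v := aud.(type) {
	case string:
		return v == want
	case []interface{}:
		for _, a := range v {
			if s, ok := a.(string); ok && s == want {
				return true
			}
		}
	}
	return false
}

// NewSigningKey and SignTestToken simulate Access for this offline example only;
// a real origin never holds the signing key and fetches the JWKS from Cloudflare.
func NewSigningKey(kid string) (*rsa.PrivateKey, JWKS, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, JWKS{}, err
	}
	jwk := JWK{Kid: kid, Kty: "RSA", Alg: "RS256", N: b64(priv.N.Bytes()), E: b64(big.NewInt(int64(priv.E)).Bytes())}
	return priv, JWKS{Keys: []JWK{jwk}}, nil
}

func SignTestToken(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

func main() {
	priv, jwks, err := NewSigningKey("key-1")
	if err != nil {
		panic(err)
	}
	// Constructed claims standing in for a token Access would issue for this app.
	tok, err := SignTestToken(priv, "key-1", map[string]interface{}{
		"aud": []string{TestAud}, "iss": TestIss, "exp": time.Now().Add(time.Hour).Unix(), "sub": "constructed-subject",
	})
	if err != nil {
		panic(err)
	}
	c, err := VerifyAccessJWT(tok, jwks, TestAud, TestIss, time.Now())
	fmt.Println("own application:", c.Sub, err)
	_, err = VerifyAccessJWT(tok, jwks, "some-other-app", TestIss, time.Now())
	fmt.Println("token for a different application:", err)
}
```

Wire `VerifyAccessJWT` into the request handler of the self-hosted service (or a small reverse proxy in front of it) and reject any request whose header fails verification; the audience check is what stops a token issued for one Access application from being replayed against another.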


Hi Albert,
first - thank you so much, that was very helpful, and it solved the problem. So far - great. But may I take the opportunity and ask you something about the other solution you have proposed?
Right now, I am sitting in front of my client, which is connected through the WARP client to my Zero Trust account. The status shown is (translated from German) “your internet is protected”.
Now I enter the Zero Trust dashboard, navigate to Applications, select my configured application which I am using for testing, edit the application and enter the policies section.
Now I click on “test your policies” and enter my e-mail address. Look at the result:

I would have expected that the user details show a WARP connection, because right now I have one. But in the user details you can clearly see that the connection was not identified.

Thank you

Dear Albert,

I don’t understand exactly what you mean by the idea of using Service Auth instead of Bypass.

I would like to access my self-hosted instance of Synology Note from an iPhone and the app for Synology Note installed there. But since I have Google as IDP, it doesn’t work, the app is either not that clever or it’s not me.

If I access it from somewhere with a browser, I can authenticate with my Google account and have access. If I do this with the app, it doesn’t work. I can’t enter a service token there.

Do you have any hints or tips for me?
Many thanks
