Small Office VPN

We have a smallish office (35 or so people) and we’d like to replace our VPN with CF tools. We use the VPN for 2 things:

  1. Connecting to a half dozen or so servers at our office
  2. Shared IP for external servers so we don’t have to add every user’s remote IP address into firewalls

I’m pretty sure we can solve #1 with Access and Argo, but I’m not sure if there’s a way of solving #2 with CF tools. Is there a way we can do that with Cloudflare’s tooling? Thanks.

Can’t you use Access to block connections to these servers as well?

Probably, but we need to allow clients in as well. I think we would need to add the clients to our ID provider for access to work in that situation. But I could be wrong.

What we do now is put in our VPN IP and the IPs of the clients that need access.

Yeah, it will require clients to be added to your access plan even if they use something like One Time Pin.


Adding to what was already said.

Solving 1. is pretty straightforward: install cloudflared on the servers or on a bastion that connects to all the servers (this needs to be decided based on location, firewall rules in between, redundancy, services, etc.).

For the second, if the external servers will pass through Cloudflare, and it will use the proxy part (meaning they can be accessed via a normal web browser, e.g. it’s not RDP, SSH, etc.), you can still use an IP to bypass the Access rule. I’d argue it will defeat the purpose, but it can be relatively expensive, especially with tons of users.
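
The bastion option described in the reply above, sketched as a cloudflared configuration file. This is an added example, not part of the original thread; the tunnel ID, hostnames and internal addresses are placeholders, and it assumes a cloudflared version that supports ingress rules.

```yaml
# Added example: config.yml for cloudflared running on a single bastion host.
# <TUNNEL-UUID>, the example.com hostnames and the 10.0.0.x addresses are
# placeholders, not values from the thread.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Internal web application, reachable from a normal browser.
  - hostname: intranet.example.com
    service: http://10.0.0.10:8080

  # SSH to an office server; remote users connect through cloudflared
  # on their own machine instead of a VPN.
  - hostname: ssh-files.example.com
    service: ssh://10.0.0.11:22

  # RDP to an office server, same client-side approach as SSH.
  - hostname: rdp-term.example.com
    service: rdp://10.0.0.12:3389

  # The last rule must match everything; reject unknown hostnames.
  - service: http_status:404
```

cloudflared only makes outbound connections from the bastion, so the office firewall needs no inbound rules for these servers. Each hostname still needs its own Access application and policy, otherwise it is reachable by anyone who knows the name.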