I have a Windows 10 Pro desktop running a Windows application that has a built-in web server listening on port 81. Remote access normally requires enabling Port Forwarding on the router for port 81. Instead, I created a Cloudflare Tunnel and defined a CNAME pointing to that tunnel. The configuration file mapped all incoming traffic to port 81. I successfully accessed the Windows application via a browser from both Windows and Android.
The Windows application comes with a companion Android app with the ability to define LAN and WAN addresses. I changed the WAN address from the Port Forwarding address to the Cloudflare Tunnel and successfully accessed the Windows application over a cell Internet connection. I inspected the tunnel traffic (Wireshark capture of the loopback adapter) for both remote browser and Android app access - everything looked like normal HTTP.
The next step was to tighten access to the Cloudflare Tunnel. I set up a Google Identity Provider and defined rules restricting Cloudflare Tunnel access to specific Gmail accounts. Access to the Cloudflare Tunnel via a browser from both Windows and Android either accepted the current Google login or prompted for login to the allowed Gmail accounts. However, I was now unable to connect via the Android app. I followed the instructions at https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp, installed the Cloudflare root certificate, and successfully enabled 1.1.1.1 Teams for my Cloudflare Access domain. I set up a Gateway Network policy allowing access to my private LAN destination IPs. The Android app still claims it is unable to reach the server.
I just stumbled on https://developers.cloudflare.com/cloudflare-one/identity/devices/require-gateway and added both Warp and Gateway to my Device posture attributes and then added Warp/Warp and Gateway/Gateway as includes in the Application rule associated with my Application URL (my Cloudflare Tunnel CNAME). I also followed the steps in https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel to enable routing from Cloudflare to my LAN subnet and deleted the 10.0.0.0/8 in the list after Add Split Tunneling Record, but still no success. The Access and Gateway/Network/HTTP show successful accesses for browser sessions but nothing relating to the Android app. I still see port 81 traffic on the loopback adapter when accessing the Windows application via the smartphone browser but nothing when I try to connect from the Android app.
Am I missing a rule somewhere or am I trying to do something that is not yet supported? With the exception of SSH, most of the tutorials relate to browser-initiated sessions. Browsers appear to be providing the necessary OAuth2 information to Cloudflare but whether/how WARP/teams integrates with OAuth2 is unclear.
Thanks, Norbert
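A quick way to confirm what a non-browser client (like the companion Android app) gets back from the Access-protected hostname, as an added diagnostic example that is not part of the original post: it sends a plain request without following redirects, so an Access login redirect (which a browser would silently follow) becomes visible instead of looking like an unreachable server. The hostname is a placeholder; `classify` is a hypothetical helper that maps the raw response to what gated it.

```python
"""Probe a Cloudflare Access-protected tunnel hostname the way a plain HTTP
client would, and report whether the request reached the origin (the app on
port 81) or was intercepted by Access. Hostname is a placeholder."""
import sys
import urllib.error
import urllib.request

TUNNEL_HOST = "app.example.com"  # placeholder: the Cloudflare Tunnel CNAME


def classify(status: int, headers: dict) -> str:
    """Map a raw response (status plus headers, case-insensitive) to its gate."""
    h = {k.lower(): v for k, v in headers.items()}
    location = h.get("location", "")
    if status in (301, 302, 303, 307) and "cloudflareaccess.com" in location:
        # Access wants an identity: the client sent no CF_Authorization cookie,
        # which is exactly what a non-browser app does unless it handles login.
        return "access-login-redirect"
    if status == 403 and "cloudflare" in h.get("server", "").lower():
        return "access-denied"  # identity present but no Access policy matched
    if 200 <= status < 400:
        return "origin"  # proxied through the tunnel to the app on port 81
    return "other"


def probe(url: str, timeout: float = 10.0) -> tuple:
    """Fetch without following redirects so an Access 302 stays visible."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # turn the redirect into an HTTPError we can inspect

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers.items())


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else TUNNEL_HOST
    status, headers = probe(f"https://{host}/")
    print(status, classify(status, headers))
```

If the result is `access-login-redirect`, the app's traffic is being stopped at Access before it ever reaches the tunnel, which matches seeing no port 81 traffic on the loopback adapter.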