Use cloudflare for teams and argo tunnel as vpn to my server

In my work I use two servers which are located in different places in the local networks. They are not accessible to the Internet except for a few approved web applications, and I access the server control panel by typing into my browser the address of that server, e.g. 192.168.88.111.

I use wireguard VPN tunnels to access these two networks. They connect and I get access to the whole subnet (e.g. 192.168.88.1/24). I was wondering if I could use cloudflare for teams (CFT) to replace wireguard so that I can access my server transparently from anywhere with internet access simply by typing in the server address (like h[tt]p://192.168.88.111) or connecting to it via SSH.

I have WARP on my phone and computer all the time because I’m worried about my traffic, and I like the option described above since I wouldn’t have to worry about multiple VPN applications anymore.

From what I understand, this can even be done as part of the free CFT plan, but the problem is that I don’t understand exactly what I have to do in the cloudflare control panel to get multiple devices into a single network. I have created an organization in CFT, and logged into it on my client devices using the WARP client, but I still don’t understand what I need to do on the server to make it accessible from the client devices.

I’ve attached a picture below that depicts what the overall operation of this system should look like. There are WARP clients running on the devices, which proxy all traffic from these devices to prevent the operator/provider/owner of the wifi router from having access to my traffic, as well as to bypass some restrictions on access to Internet resources in my country. But at the same time, these WARP clients connect my devices to my servers located in private networks.

As far as I understand, what I want is described in this section: h[tt]ps://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net

I do not understand how to make this solution work. At the moment I have done the following:
1) Added a website to cloudflare (h[tt]ps://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website), including moving the name servers (h[tt]ps://support.cloudflare.com/hc/en-us/articles/205195708)
2) Installed cloudflared (h[tt]ps://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation) on a server on your local network.
3) Enabled the “Argo” switch under “traffic” in the site control panel.
4) Performed “cloudflared tunnel login” successfully, authorizing cloudflared for my site.
5) Executed “cloudflared tunnel create”.
6) Executed “cloudflared tunnel route ip add 192.168.88.0/24”, where 192.168.88.0 is my home subnet. For example, the router is 192.168.88.1 and the server is 192.168.88.111.
7) Executed “cloudflared tunnel route ip show”, and got the following:
[email protected]:~$ cloudflared tunnel route ip show

NETWORK COMMENT TUNNEL ID TUNNEL NAME CREATED DELETED 
192.168.88.0/24 72d62d91-7879-479b-a38e-ab4dafd33dcc farewell-vm 2021-03-22T22:02:28Z -  

8) Did “cloudflared tunnel route ip get 192.168.88.111”, where 192.168.88.111 is my server on my home network. According to the h[tt]ps://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/create-tunnel documentation page, this command checks if the route matches the address. The output is the following:

NETWORK COMMENT TUNNEL ID TUNNEL NAME CREATED DELETED 
192.168.88.0/24 72d62d91-7879-479b-a38e-ab4dafd33dcc farewell-vm 2021-03-22T22:02:28Z  

Which, as I understand it, shows that this IP is properly routed to this tunnel.

9) Created a configuration file (/etc/cloudflared/config.yml) and wrote the following into it:

tunnel: xxxxxx-xxx-xxx-xxx
credentials-file: /etc/cloudflared/xxxxx-xxx-xxx.json
warp-routing:
  enabled: true

10) Started the tunnel as a service (h[tt]ps://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/run-as-service)

11) Logged into CFT on my mobile devices in the account corresponding to the organization (logged in through the email corresponding to the site above), and I see these devices in the appropriate sections of the team at h[tt]ps://dash.teams.cloudflare.com/

But after all this, I still can’t access from my devices running WARP to 192.168.88.0/24. What did I do wrong?

Are you using regular Warp or Warp For Teams? https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp

Windows Warp+ For Teams

where Warp client advanced connection is via Team Gateway DoH subdomain

2 Likes

As far as I understand, for iOS/macOS the client is the same program, which can work both as a WARP client and as a WARP for Teams client, depending on the settings. As I wrote in point 11, I’m logged into a WARP for Teams account in this app, and apparently I’m using the WARP for Teams version.
In the Team Gateway DoH subdomain field I have an automatically generated subdomain as a long string of hexadecimal digits; I have not changed it.

I configured the DoH subdomain as described in this article (How To Use 1.1.1.1 w/ WARP App And Cloudflare Gateway To Protect Your Phone From Security Threats), and I can now see the stats from my devices in the control panel, but it has not brought me any closer to accessing my servers.

Hi @vvzvlad - thanks for the post. Let me try and walk through what I think is going on here.

A couple of limitations:

  • The Teams mobile client does not currently work with the private routing feature. That will be coming soon.
  • You need to configure Cloudflare Gateway to use Split Tunnel mode - where you tell Gateway that certain private IPs should traverse the WARP tunnel.
  • Once you control the Split Tunnel settings, you’ll need to enroll your client once more - it only picks up the settings on enrollment - that’s also something we’re fixing soon.

Let me know if that helps on the notebook flow.

2 Likes

Ah that explains part of the problem! Thanks @SamRhea

Part of this is my fault for adding to confusion - should have said that the mobile version of the client does not work with the private routing feature, but the desktop does.

1 Like

What I did next:
1) In the control panel at gateway/policies/settings/split_tunnels, I created a new entry with the value “192.168.88.0/24”.
2) On my computer in the WARP client, I clicked “logout from teams” and then re-logged into my cloudflare account for teams.
3) Connected via mobile Internet, waited for the WARP client to connect to the server and checked the availability of 192.168.88.111. It is still inaccessible from my laptop. In the “excluded IPs” window in preferences - advanced I do see the created subnet 192.168.88.0/24 with the comment that I left on the split_tunnels settings page, which means it was successfully loaded from the server. However, I don’t see this subnet in the routing table in the netstat.txt file in the logs folder.

Just to be clear: the WARP Policies for Split Tunnels are identifying networks that are not sent to Cloudflare edge.

Hence, you want to make sure that no network there is covering yours.

By default I believe that 192.168.0.0/16 is present in the Split Tunnel config, which would be a super-set of your network 192.168.88.0/24. Therefore, you need to make sure that those values are deleted from the Split Tunnel policy so that traffic egressing from your WARP-enabled device into those IPs is effectively sent to Cloudflare.

This bit is part of the tutorial at https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel#include-rfc-1918-ip-ranges-in-warp

4 Likes
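A check for the two conditions this thread turns on, namely the route lookup of step 8 and the Split Tunnel exclude list described just above, as an added example that is not part of any post here. The route table is the one posted in step 7; the two exclude lists are constructed from what the thread describes (the default 192.168.0.0/16 plus the poster's own entry, and the state after removing everything that overlaps the home subnet), and `diagnose`, `excluded_by` and the other function names are my own, not cloudflared's.

```python
import ipaddress
import re

# Output of `cloudflared tunnel route ip show` as posted in the thread (step 7).
ROUTE_SHOW_OUTPUT = """
NETWORK COMMENT TUNNEL ID TUNNEL NAME CREATED DELETED
192.168.88.0/24 72d62d91-7879-479b-a38e-ab4dafd33dcc farewell-vm 2021-03-22T22:02:28Z -
"""

# Constructed Split Tunnel exclude lists: the state described mid-thread
# (default 192.168.0.0/16 plus the entry the poster added) and the state after
# removing everything that overlaps the home subnet (only 192.168.0.0/24 left).
EXCLUDES_BEFORE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.168.88.0/24"]
EXCLUDES_AFTER = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/24"]

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def parse_route_show(text):
    """Parse `cloudflared tunnel route ip show` output into (network, tunnel_id, tunnel_name).

    The COMMENT column may be blank, so the tunnel id is located by its UUID shape
    rather than by column position; the header and blank lines are skipped.
    """
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        try:
            net = ipaddress.ip_network(tokens[0], strict=False)
        except ValueError:
            continue  # header line, not a route row
        ids = [i for i, t in enumerate(tokens) if UUID_RE.match(t)]
        if not ids or ids[0] + 1 >= len(tokens):
            continue  # malformed row: no tunnel id or no tunnel name after it
        routes.append((net, tokens[ids[0]], tokens[ids[0] + 1]))
    return routes


def tunnel_for(host, routes):
    """Most specific tunnel route covering host (what `tunnel route ip get` answers), else None."""
    addr = ipaddress.ip_address(host)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def excluded_by(target, exclude_list):
    """Split Tunnel exclude entries that overlap target (a host or a CIDR).

    Any overlap means some or all of that traffic leaves the device directly and
    never reaches Cloudflare, so the tunnel route cannot help for it. A /16 that
    contains the subnet and a /24 that is only part of it are both caught.
    """
    wanted = ipaddress.ip_network(target, strict=False)
    return [e for e in exclude_list if ipaddress.ip_network(e, strict=False).overlaps(wanted)]


def diagnose(host, route_output, exclude_list):
    """Return (reachable, findings) for a private host behind WARP plus Tunnel.

    Reachable only if a tunnel route covers the host AND no exclude entry does.
    """
    findings = []
    route = tunnel_for(host, parse_route_show(route_output))
    if route is None:
        findings.append(f"no tunnel route covers {host}; add one with `cloudflared tunnel route ip add`")
    else:
        findings.append(f"{host} is routed via tunnel {route[2]} ({route[1]}) as {route[0]}")
    blocking = excluded_by(host, exclude_list)
    for entry in blocking:
        findings.append(f"Split Tunnel exclude {entry} covers {host}; WARP will not carry this traffic")
    return route is not None and not blocking, findings


if __name__ == "__main__":
    for label, excludes in (("before", EXCLUDES_BEFORE), ("after", EXCLUDES_AFTER)):
        ok, notes = diagnose("192.168.88.111", ROUTE_SHOW_OUTPUT, excludes)
        print(f"[{label}] reachable={ok}")
        for note in notes:
            print("  -", note)
```

Running it prints the "before" state as unreachable with two offending exclude entries (the default /16 and the poster's own /24), and the "after" state as reachable, with 192.168.0.0/24 correctly not flagged because it does not overlap 192.168.88.0/24. The same `excluded_by` call with the full CIDR instead of a single host tells you whether any part of the subnet is still being kept off WARP.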

Oh, I see, it was the other way around. That’s why I was thinking “why is it called something wrong”. :slight_smile:

Now, I removed all the entries from Split Tunnel config that include 192.168.88.0/24 - my entry “192.168.88.0/24” and the default entry “192.168.0.0/16”, re-logged in, and I don’t see anything else in the “excluded IPs” in the warp client related to my subnet (only 192.168.0.0/24, but apparently it covers the 192.168.0.0-192.168.0.255 range, and can’t affect my subnet).
But 192.168.88.111 is still inaccessible, and there’s no entry in netstat.txt that specifically routes the 192.168.88.0 subnet.

Can you confirm that you have Layer 7 filtering enabled?

Cloudflare for Teams dash → Gateway → Policies → Settings → Proxy Settings, enabled

For any of these changes, note that it can take a couple minutes for them to propagate and become active.

1 Like

No, Layer 7 filtering was inactive. When I try to toggle it to “enable”, a couple of seconds after toggling it the red message “Error enabling HTTP traffic filtering.” appears at the bottom, and the switch returns to the disabled state.

I suspect you may be lacking something in your account to allow you to do that. I’m sure that @SamRhea can point you in the right direction.

Hi @vvzvlad - that shouldn’t be happening in the UI. What Cloudflare for Teams plan do you have?

Free plan Cloudflare For Teams and minimal plan for Argo

Thanks for the report, I’ve asked our team to take a look.

1 Like

Is the issue related to this bug that was fixed a couple of days ago?