Best practices for cloudflare warp tunnel

goal: using CF to tunnel in YNH but limit the devices that can get in

i think this is obvious but maybe i am missing something that is obvious

1 cloudflared Debian should be installed for the tunnel
2 enroll devices for the tunnel with warp app
3 set the 0trust config to allow connection of the devices from point 2 and block the rest

i am missing something?

edit:

here list of links per points if anyone want to do it later

• point 1

Downloads · Cloudflare Zero Trust docs or
https://pkg.cloudflare.com/index.html

• point 2

if u are dealing with android devices the 1.1.1.1 warp app is well build and u can add variables
if u have a mdm u can do this automatically so the user dont need to do a lot of stuff

image885×756 25.4 KB

• point3

u need to add to the warp application check for warp and gateway

u need to add ynh like a self hosted app

then u get to do the filtering, make sure u dont enable everything and get the email code
just add warp and user groups on included then gateway on required

• bonus

make sure u use Split Tunnels → Include IPs and domains and send only the needed traffic via warp

• bonus 2
  if u want to send some traffic from other devices via warp, OpenWRT have the package luci-app-wireguard to fill all the warp details and then u can use Policy-Based Routing to list domain (separate domains with space) that get sent via warp

After login I just get a black screen. I suspect something is wrong with the cloudglared config. Any idea?

can u share more details

Well here is my config

cat /etc/cloudflared/default.yml 

tunnel: default
credentials-file: /root/.cloudflared//xxxxxxxxxxxxx.json
ingress:
  - hostname: yuno.example.dev
    originRequest:
      connectTimeout: 10s
      disableChunkedEncoding: true
    service: https://localhost:443
  - hostname: jf.example.dev
    originRequest:
      connectTimeout: 10s
      disableChunkedEncoding: true
    service: https://localhost:443
  - hostname: jf2.example.dev
    originRequest:
      connectTimeout: 10s
      disableChunkedEncoding: true
    service: https://localhost:8095
  - service: hello_world


logfile: /var/log/cloudflared_default.log
no-tls-verify: True
loglevel: warn

I remove logfile and restart the service

Jul 16 11:12:39 yuno.home systemd[1]: Stopping cloudflared tunnel for default...
Jul 16 11:12:39 yuno.home cloudflared[662336]: 2023-07-16T10:12:39Z ERR Failed to serve quic connection error="context canceled" connIndex=1 event=0 ip=x.x.x.27
Jul 16 11:12:39 yuno.home cloudflared[662336]: 2023-07-16T10:12:39Z ERR Failed to serve quic connection error="context canceled" connIndex=3 event=0 ip=x.x.x.63
Jul 16 11:12:39 yuno.home cloudflared[662336]: 2023-07-16T10:12:39Z ERR Failed to serve quic connection error="context canceled" connIndex=2 event=0 ip=x.x.x.7
Jul 16 11:12:39 yuno.home cloudflared[662336]: 2023-07-16T10:12:39Z ERR Failed to serve quic connection error="context canceled" connIndex=0 event=0 ip=x.x.x.43
Jul 16 11:12:39 yuno.home cloudflared[662336]: 2023-07-16T10:12:39Z ERR no more connections active and exiting
Jul 16 11:12:39 yuno.home cloudflared[662336]: 2023-07-16T10:12:39Z ERR icmp router terminated error="context canceled"
Jul 16 11:12:39 yuno.home systemd[1]: cloudflared@default.service: Succeeded.
Jul 16 11:12:39 yuno.home systemd[1]: Stopped cloudflared tunnel for default.
Jul 16 11:12:39 yuno.home systemd[1]: Started cloudflared tunnel for default.

While using https for service I get

{"level":"error","event":0,"ip":"x.x.x.57","connIndex":1,"error":"context canceled","time":"2023-07-16T10:18:31Z","message":"Failed to serve quic connection"}
{"level":"error","event":0,"ip":"x.x.x.27","connIndex":2,"error":"Application error 0x0 (remote)","time":"2023-07-16T10:18:31Z","message":"Failed to serve quic connection"}
{"level":"error","event":0,"ip":"x.x.x.27","connIndex":2,"error":"Application error 0x0 (remote)","time":"2023-07-16T10:18:31Z","message":"Serve tunnel error"}
{"level":"error","time":"2023-07-16T10:18:31Z","message":"writing finish: Application error 0x0 (remote)"}
{"level":"error","event":0,"ip":"x.x.x.53","connIndex":3,"error":"Application error 0x0 (remote)","time":"2023-07-16T10:18:31Z","message":"Failed to serve quic connection"}
{"level":"error","event":0,"ip":"x.x.x.53","connIndex":3,"error":"Application error 0x0 (remote)","time":"2023-07-16T10:18:31Z","message":"Serve tunnel error"}
{"level":"error","event":0,"ip":"x.x.x.33","connIndex":0,"error":"context canceled","time":"2023-07-16T10:18:31Z","message":"Failed to serve quic connection"}
{"level":"error","time":"2023-07-16T10:18:31Z","message":"no more connections active and exiting"}
{"level":"error","error":"context canceled","time":"2023-07-16T10:18:31Z","message":"icmp router terminated

While using http, the log file is empty.

the config needs to be on CF account settings not on the file

tunnel:  xxxxx
credentials-file: xxxxx.json
warp-routing:
enabled: true
protocol: quic

I’ve updated my config

cat /etc/cloudflared/default.yml 

tunnel: default
credentials-file: /root/.cloudflared//9a172a4b-bf82-4f18-9ff0-ab46fe6493b6.json
ingress:
  .....


no-tls-verify: False
loglevel: warn
protocol: quic
warp-routing:
  enabled: true

Tunnel starts w/o errors, but there is still nothing happening. I can see in the browser

GET
https://yuno.example.dev/
[HTTP/2 404 Not Found 109ms]

Same result if I just enable hello_world

...
    ingress:
      - service: hello_world
...

Back to the original config, I checked the config

> cloudflared tunnel  --config /etc/cloudflared/default.yml  ingress validate
Validating rules from /etc/cloudflared/default.yml
OK

> cloudflared tunnel  --config /etc/cloudflared/default.yml  ingress rule https://yuno.example.dev
Using rules from /etc/cloudflared/default.yml
Matched rule #1
	hostname: yuno.example.dev
	service: https://localhost

did you set any self hosted or private net?

u can have a something like test.lan pointing to 192.168.1.123

under access > applications >

image1012×603 32.7 KB

I did setup a selfhost as I want to map the app to a specific domain.