Feb 9, 2023 2 min read

Cloudflare Zero Trust Tunnel access for internal network

Introduction:

In today's rapidly changing digital landscape, organizations are increasingly concerned with securing their internal networks from external threats. One way to achieve this is through the implementation of a zero trust architecture, which trusts no traffic by default: every request, whether it originates inside or outside the network, must be authenticated and authorized before it is allowed to reach an internal resource.

In this post, we will be discussing how to create a Cloudflare zero trust tunnel for access into an internal network using an internal Docker container. This approach allows organizations to leverage the security features of Cloudflare, such as DDoS protection and Web Application Firewall (WAF), to secure access to their internal network.

Step 1: Setting up Cloudflare

  • Sign up for a Cloudflare account
  • Add your internal network's domain to Cloudflare
  • Log in to the Cloudflare dashboard
  • Navigate to the "DNS" tab and add an A record for your internal network's domain, pointing to the IP address of your internal network
  • Navigate to the "Crypto" tab and configure SSL/TLS encryption for your domain
  • Navigate to the "Firewall" tab and configure the Web Application Firewall (WAF) to protect your internal network

Step 2: Deploying an internal Docker container

  • Install Docker on a server within your internal network
  • Pull a Docker image of an SSH server, such as OpenSSH
  • Run a Docker container from the image, exposing port 22 to the host
  • Configure the SSH server to listen on port 22
  • Generate an RSA key pair for the SSH server
  • Add the public key to the authorized_keys file for the root user in the Docker container
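The following script is an added example of the Step 2 procedure above; it is not code from the original post. It prepares a key-only OpenSSH container: a hardened sshd_config, a Dockerfile, and the authorized_keys file for root, then builds and runs the image. It assumes Docker and ssh-keygen are installed on the internal host; the base image (alpine:3.18), the image and container name (internal-ssh) and the key restrictions are choices made here, not taken from the post.

```shell
#!/bin/sh
# Added example for Step 2 (not the post's own code). Assumptions: Docker and
# ssh-keygen exist on the internal host; alpine:3.18 and the name internal-ssh
# are choices made here.

# write_sshd_config DIR: key-only sshd configuration for the container. Root may
# log in, but only with a key; password and keyboard-interactive logins are
# refused so the exposed port 22 is not a password-guessing target.
write_sshd_config() {
  cat > "$1/sshd_config" <<'EOF'
Port 22
ListenAddress 0.0.0.0
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthorizedKeysFile /root/.ssh/authorized_keys
LogLevel VERBOSE
EOF
}

# check_sshd_config FILE: returns 0 only if the config enforces key-only root
# login. Run before building so a weakened config never reaches the image.
check_sshd_config() {
  grep -Eq '^PermitRootLogin[[:space:]]+(prohibit-password|no)[[:space:]]*$' "$1" || return 1
  grep -Eq '^PubkeyAuthentication[[:space:]]+yes[[:space:]]*$' "$1" || return 1
  grep -Eq '^PasswordAuthentication[[:space:]]+no[[:space:]]*$' "$1" || return 1
  return 0
}

# gen_client_key DIR: RSA key pair as the post describes; the public half goes
# into the image, the private half stays on the client machine.
gen_client_key() {
  ssh-keygen -t rsa -b 4096 -N '' -C 'cloudflare-tunnel-client' -f "$1/id_rsa" >/dev/null
}

# write_authorized_keys DIR PUBKEY_FILE: restrict the key so a leaked client key
# cannot be used to forward ports or an agent through the container.
write_authorized_keys() {
  printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$(cat "$2")" > "$1/authorized_keys"
}

# write_dockerfile DIR: minimal OpenSSH image. Host keys are generated at build
# time by ssh-keygen -A; the locked root password field is replaced by '*'
# (no valid password, but key login is allowed); sshd logs to stderr.
write_dockerfile() {
  cat > "$1/Dockerfile" <<'EOF'
FROM alpine:3.18
RUN apk add --no-cache openssh-server && ssh-keygen -A \
 && sed -i 's/^root:![^:]*:/root:*:/' /etc/shadow \
 && mkdir -p /root/.ssh && chmod 700 /root/.ssh
COPY sshd_config /etc/ssh/sshd_config
COPY authorized_keys /root/.ssh/authorized_keys
RUN chmod 600 /root/.ssh/authorized_keys && chown -R root:root /root/.ssh
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D", "-e"]
EOF
}

# build_and_run DIR: build the image and expose container port 22 on the host,
# as in Step 2. Prefix the port with an internal address (e.g. -p 10.0.0.5:22:22)
# if the host also has interfaces that should not reach the container.
build_and_run() {
  docker build -t internal-ssh:latest "$1"
  docker run -d --name internal-ssh --restart unless-stopped -p 22:22 internal-ssh:latest
}

# main DIR: the whole Step 2 procedure; refuses to build if the config check fails.
main() {
  dir=${1:-./internal-ssh-build}
  mkdir -p "$dir"
  write_sshd_config "$dir"
  check_sshd_config "$dir/sshd_config" || { echo 'sshd_config is not key-only; aborting' >&2; return 1; }
  gen_client_key "$dir"
  write_authorized_keys "$dir" "$dir/id_rsa.pub"
  write_dockerfile "$dir"
  build_and_run "$dir"
}
```

Source the file and call `main ./internal-ssh-build` on the internal host; the generated `id_rsa` is the private key the client will use in Step 4 and should be moved off the build host once copied. The check function exists so that any later edit to sshd_config that re-enables password login is caught before the image is rebuilt.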

Step 3: Configuring the zero trust tunnel

  • Log in to the Cloudflare dashboard
  • Navigate to the "Workers" tab and create a new Worker
  • In the Worker code editor, add the following code:
// Worker handler as given in the post. Note: the standard Workers runtime does
// not provide an SshClient global; the post assumes such a client binding exists.
async function handleRequest(request) {
  const host = '<internal_docker_container_ip>'; // replaced in the next step
  const port = 22;
  // Open an SSH session to the container and hand it the incoming request
  const sshAgent = await SshClient.connect({ host, port });
  const response = await sshAgent.forward(request);
  // Relay the forwarded response back to the client
  return new Response(response.body, {
    status: response.status,
    headers: response.headers
  });
}
  • Replace <internal_docker_container_ip> with the IP address of the internal Docker container
  • Save and deploy the Worker
  • Navigate to the "Routes" tab and add a route for your domain, pointing to the Worker

Step 4: Testing the zero trust tunnel

  • On a client machine, open a terminal window
  • Run the following command to establish an SSH connection to the internal network through Cloudflare:
ssh -o "ProxyCommand=curl -x https://<worker_subdomain>.workers.dev %h %p" root@<internal_network_domain>
  • Replace <worker_subdomain> with the subdomain of your Cloudflare Worker
  • Replace <internal_network_domain> with the domain of your internal network
  • If the connection is successful, you should be logged in to the internal network through the Docker container

Conclusion:

By following these steps, organizations can easily create a secure and encrypted zero trust tunnel to access their internal network using Cloudflare and an internal Docker container. This approach provides organizations with a powerful and flexible way to secure access to their internal network, while also leveraging the security features of Cloudflare to protect against external threats.
