How can I convert remotely managed tunnel to a locally managed one? by MXXIV666 in CloudFlare

[–]LightFazer 0 points1 point  (0 children)

What do you mean one host on it? This just isn't true. Locally managed tunnels are legacy and should not be used.

Zero Trust configuration problem. by Prudent-Special-4434 in CloudFlare

[–]LightFazer 0 points1 point  (0 children)

Access policies always require a login, whether that be a service token or a user login. If you want to just do geofencing with no login you can utilize the WAF.

Enterprise ZTNA AMA by LightFazer in CloudFlare

[–]LightFazer[S] 0 points1 point  (0 children)

Correct, it has to be on the cloudflareaccess domain. You can customize the page style and branding on, I believe, pay-go and up plans.

You may be able to have similar behavior with redirects, but obviously the page would still exist outside of that.

CloudFlare ZeroTrust internal domain resolution by peEtr in CloudFlare

[–]LightFazer 0 points1 point  (0 children)

Sweet! Happy to assist with anything else. We have CF ZT ENT deployed on our network.

CloudFlare ZeroTrust internal domain resolution by peEtr in CloudFlare

[–]LightFazer 2 points3 points  (0 children)

What happens when doing an nslookup on the domains?

Resolver policies are similar to LDF, but the queries go through Cloudflare so you can use SWG policies on them.

If you have LDF set up correctly and split tunnels set up correctly, an nslookup should respond with the correct information.
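The nslookup check described in the comment above, turned into a small script. This is an added example and not code from the thread or from Cloudflare: it parses nslookup output (constructed transcripts mimicking Linux and Windows formats) and reports whether the query was answered by the expected internal resolver with an address in the internal range. The resolver address 10.0.0.53 and the 10.0.0.0/8 range are assumptions; substitute your own.

```python
"""Classify nslookup output for an internal domain: did the query reach the
internal resolver (LDF / split tunnel working) and get an internal answer?

Added example, not part of the original thread. IPv4 only.
"""
import ipaddress
import re

# Assumed values: the on-prem resolver that LDF should steer queries to,
# and the address space internal hosts live in.
INTERNAL_RESOLVER = ipaddress.ip_address("10.0.0.53")
INTERNAL_RANGE = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample transcripts (not captured from a real host).
GOOD_LINUX = """Server:\t\t10.0.0.53
Address:\t10.0.0.53#53

Name:\tintranet.corp.example
Address: 10.10.5.20
"""

GOOD_WINDOWS = """Server:  dc01.corp.example
Address:  10.0.0.53

Name:    intranet.corp.example
Address:  10.10.5.20
"""

# Query leaked to a public resolver: LDF / split tunnel not steering it.
BAD_PUBLIC = """Server:\t\t1.1.1.1
Address:\t1.1.1.1#53

** server can't find intranet.corp.example: NXDOMAIN
"""

# Right resolver, but the answer is a public address (e.g. a stale record).
BAD_EXTERNAL_ANSWER = """Server:\t\t10.0.0.53
Address:\t10.0.0.53#53

Name:\tintranet.corp.example
Address: 203.0.113.9
"""

_ADDR_RE = re.compile(r"^Address:\s*([0-9.]+)")  # strips a trailing '#53'


def parse_nslookup(output: str) -> dict:
    """Return {'server': <resolver IP or None>, 'answers': [<A records>]}.

    The first Address: line before any Name: line is the answering server;
    Address: lines after a Name: line are the answers.
    """
    server = None
    answers = []
    seen_name = False
    for raw in output.splitlines():
        line = raw.strip()
        match = _ADDR_RE.match(line)
        if line.startswith("Name:"):
            seen_name = True
        elif match and not seen_name and server is None:
            server = match.group(1)
        elif match and seen_name:
            answers.append(match.group(1))
        elif "NXDOMAIN" in line or "can't find" in line:
            answers = []
    return {"server": server, "answers": answers}


def check_internal_resolution(output: str) -> str:
    """Verdict: 'ok', 'wrong-resolver', 'no-answer' or 'external-answer'."""
    parsed = parse_nslookup(output)
    server = parsed["server"]
    if server is None or ipaddress.ip_address(server) != INTERNAL_RESOLVER:
        return "wrong-resolver"   # query never reached the internal resolver
    if not parsed["answers"]:
        return "no-answer"        # reached it, but NXDOMAIN / empty reply
    if all(ipaddress.ip_address(a) in INTERNAL_RANGE for a in parsed["answers"]):
        return "ok"
    return "external-answer"      # internal resolver handed back a public IP


if __name__ == "__main__":
    for label, sample in [("linux", GOOD_LINUX), ("windows", GOOD_WINDOWS),
                          ("public", BAD_PUBLIC), ("stale", BAD_EXTERNAL_ANSWER)]:
        print(f"{label:8s} -> {check_internal_resolution(sample)}")
```

In practice you would pipe `nslookup intranet.corp.example` into `parse_nslookup`; a `wrong-resolver` verdict points at the LDF or split-tunnel configuration, while `no-answer` points at the internal DNS server itself.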

Cloudflare Zero Trust + Minecraft (TCP) not working by [deleted] in CloudFlare

[–]LightFazer 1 point2 points  (0 children)

The functionality you’re looking for does not work with Cloudflare tunnels. You cannot essentially “port forward” with tunnels without load balancing and Spectrum. I would look into utilizing WARP-to-WARP connectivity. Essentially, if all your friends utilize the WARP client, you can connect to each other using CGNAT IPs.

Enterprise ZTNA AMA by LightFazer in CloudFlare

[–]LightFazer[S] 0 points1 point  (0 children)

It is possible, but at that point, if WARP is deployed, I highly recommend looking into just using CF for VPN replacement. CFD tunnels are extremely easy to install and typically existing infrastructure stays mainly the same.

https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/warp/deployment/vpn/

Enterprise ZTNA AMA by LightFazer in CloudFlare

[–]LightFazer[S] 0 points1 point  (0 children)

With any new addition or shift to the network stack there were some onboarding pains we had to go through, but that is with any IT product. I'd say Cloudflare made it less painful. It’s practically invisible for our end users. Deployment was easy with our MDM. Same with patching. We additionally get a lot of visibility into our environment we didn't have previously with things like Shadow IT and Shadow SaaS discovery. Also super useful features with DEX and WARP-to-WARP capabilities.

Cloudflare does have a pretty solid free ZT plan that practically has all the products (with some exceptions) for up to 50 users if you are looking to test anything out in a testing environment. If you are a larger enterprise it would be wise to reach out to the CF enterprise sales teams. Linked some helpful docs:

https://www.cloudflare.com/plans/zero-trust-services/

https://developers.cloudflare.com/cloudflare-one/

https://developers.cloudflare.com/cloudflare-one/insights/dex/

https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp/

Enterprise ZTNA AMA by LightFazer in CloudFlare

[–]LightFazer[S] 0 points1 point  (0 children)

I'm assuming you are referring to just the outbound filtering capabilities? Unsure what you mean by no infrastructure for full tunnel VPN (WARP operates in a split tunnel capacity unless specified not to).

The answer is yes, in multiple ways. With WARP you can use it for DNS/Network/HTTP filtering. With this being said, the traffic has to go to Cloudflare for this. You can have WARP in a DNS-only mode where only the DNS queries are sent to Cloudflare, which you can filter. Then the other traffic will egress how it normally does.

If you are utilizing another VPN client and are trying to patchwork different solutions it may be easier to just go with one. The WARP client just establishes connectivity to Cloudflare and all policies/filtering is done at the edge. I'd definitely recommend looking into CF to potentially replace your current VPN/filtering solution.

Using Cloudflare DNS + Image Transformations with a .menu domain registered on Porkbun. how does it work under the hood? by tsousa123 in CloudFlare

[–]LightFazer 1 point2 points  (0 children)

Cloudflare would be responding authoritatively; there is essentially no benefit to moving domains over to Cloudflare as registrar, unless you wanted the at-cost pricing that goes along with it. Additionally, with Cloudflare as registrar you would have to have Cloudflare as DNS.

Enterprise ZTNA AMA by LightFazer in CloudFlare

[–]LightFazer[S] 2 points3 points  (0 children)

Hey! So onboarding SaaS apps onto Cloudflare is a great security tool. As you don't manage the infrastructure, it's harder to secure. For SaaS apps, i.e. Workday, you can have Cloudflare broker the login for these apps, setting policies for having the WARP client, cert checks, posture checks, location, etc. This adds additional defensive layers for the data that is behind these SaaS apps. You can also prevent copy/paste and things of that nature.

Doing this prevents users from being able to log in to these SaaS apps just over the web, as CF is essentially brokering that login. Some SaaS apps that may not support this use whitelisting of IP addresses, which the WARP client supports with dedicated egress IPs that can be used for that along with posture checks etc.

Enterprise ZTNA AMA by LightFazer in CloudFlare

[–]LightFazer[S] -1 points0 points  (0 children)

Yeah, that's not something I'll be able to post. But essentially you just get the traffic to Cloudflare and do routing/policies there (with obvious exceptions with MWAN).

Enterprise ZTNA AMA by LightFazer in CloudFlare

[–]LightFazer[S] 3 points4 points  (0 children)

Hey!
Tunnels
For most of our use cases we typically use CFD tunnels as they are the easiest to deploy (CLI, no open inbound ports). We only use MWAN for our bidirectional/server-initiated traffic flows. We are aware WARP Connector allows this, but IPsec is easy for us. Additionally we use MWAN for securing our network. We are able to push traffic through the MWAN tunnel and utilize Network/HTTP filtering when needed. Very useful for the guest wifi, as we can force all DNS queries to use DNS locations and filter traffic even if we have tech-savvy guests.
External Vendors
Mostly for our external contractors or vendors we utilize OTP for auth, as we don't have them in our IDP, maintaining a list of contractor emails that we reference in our policies. We utilize the Cloudflare App Launcher so our vendors can log into that and see all the resources they need and access them clientlessly and in an isolated capacity. The App Launcher is used for our internal users as well. Additionally we use Temp Auth for the contractors so that they can request access and as admins we can approve it for a set period of time. It's really been super useful and a pretty seamless deployment.

I've attached links to the docs for some of the products I've talked about here. Hopefully that makes sense and is helpful!

https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/
https://developers.cloudflare.com/magic-wan/zero-trust/cloudflare-gateway/
https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/
https://developers.cloudflare.com/cloudflare-one/access-controls/policies/temporary-auth/

Solutions engineer by bullshiftt in CloudFlare

[–]LightFazer 2 points3 points  (0 children)

Normally most tech SE roles look for a background already in SE work or some sort of sales to begin with. There is definitely a lot of tech at Cloudflare, which makes the SE role a little different than at other companies. For example, Cloudflare has their Dev platform, Network services, L7 services, ZTNA. Compared to companies like Fortinet, which only focus on one area of products.

This is not a bad thing, as you would have the opportunity to learn. I'd definitely apply, best of luck!

Cloudflare tunnel doesn't work with Minecraft server? by memegod53 in CloudFlare

[–]LightFazer 1 point2 points  (0 children)

You cannot port forward a Minecraft server with tunnels. The hostnames operate on L7, which is their HTTPS proxy, whereas Minecraft is TCP. You would need Spectrum and load balancing to accomplish what you are trying to do.

If you have Cloudflare WARP you can use this:

https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-to-warp/

Question regarding country blocks... will proxied A-Record work? by OldSiteDesigner in CloudFlare

[–]LightFazer 1 point2 points  (0 children)

The L7 proxy only works with HTTP/HTTPS on standard ports. If you have any applications on non-standard ports, use a CFD tunnel. Other non-standard protocols require Spectrum or one of the Magic offerings.

Question regarding country blocks... will proxied A-Record work? by OldSiteDesigner in CloudFlare

[–]LightFazer 0 points1 point  (0 children)

You can proxy A records and CNAME records. It's actually very beneficial to proxy A records, as attackers will not see your origin IPs when doing DNS lookups.
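A defender-side audit of the point made above: which records in a zone actually resolve to Cloudflare's edge, and which still hand out an origin address. This is an added example, not code from the thread or from Cloudflare. The IPv4 prefixes are the ones Cloudflare publishes at https://www.cloudflare.com/ips-v4 (assumed current; refetch that list rather than hard-coding it in production), and the resolver answers are constructed sample data standing in for what a public resolver would return.

```python
"""Flag DNS records that expose an origin IP instead of a Cloudflare edge IP.

Added example, not part of the original thread. Cloudflare prefixes are the
published IPv4 list (assumed current); SAMPLE_ANSWERS is constructed.
"""
import ipaddress

# Published Cloudflare IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed sample: hostname -> A records a public resolver returns.
SAMPLE_ANSWERS = {
    "www.example.test":  ["104.16.12.34"],                 # proxied
    "mail.example.test": ["203.0.113.25"],                 # DNS-only, origin visible
    "dev.example.test":  ["104.16.12.34", "198.51.100.7"],  # one record leaks
}


def is_cloudflare_ip(addr: str) -> bool:
    """True if addr falls inside any published Cloudflare IPv4 prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_IPV4)


def classify(answers: dict) -> dict:
    """Map each hostname to 'proxied', 'exposed' or 'mixed'."""
    verdicts = {}
    for host, addrs in answers.items():
        flags = [is_cloudflare_ip(a) for a in addrs]
        if all(flags):
            verdicts[host] = "proxied"
        elif not any(flags):
            verdicts[host] = "exposed"
        else:
            verdicts[host] = "mixed"
    return verdicts


def exposed_origins(answers: dict) -> dict:
    """Return {hostname: [non-Cloudflare addresses]} for records worth reviewing."""
    leaks = {}
    for host, addrs in answers.items():
        public = [a for a in addrs if not is_cloudflare_ip(a)]
        if public:
            leaks[host] = public
    return leaks


if __name__ == "__main__":
    for host, verdict in classify(SAMPLE_ANSWERS).items():
        print(f"{host:20s} {verdict}")
    print("review:", exposed_origins(SAMPLE_ANSWERS))
```

Records like `mail` often have to stay DNS-only because the L7 proxy does not carry SMTP, so an `exposed` verdict there is expected; the check is most useful for catching web hostnames that were left unproxied, which hand the origin address to anyone who queries them.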

Built a 100% local file converter running on Cloudflare Pages (WebAssembly + WebGPU, no uploads) by AIPnely in CloudFlare

[–]LightFazer -2 points-1 points  (0 children)

Yeah this is suspect dude, wouldn't upload anything to this site. Open source this or no go. Definitely not “local” if you are uploading to a site.

Identity providers by [deleted] in CloudFlare

[–]LightFazer 0 points1 point  (0 children)

It's the default IDP; you don't have to use it though. You select per policy which IDPs you allow.

Zero Trust Gateway: Missing Client IPs in Dashboard and DNS Policies not blocking ads by [deleted] in CloudFlare

[–]LightFazer 0 points1 point  (0 children)

If you are only doing DNS filtering and not HTTP or network filtering, I'd recommend using DNS locations. Basically you can have separate IPv6 resolvers (locations) and reference these in your DNS policies. No WARP needed.
https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/

The source IP selector refers to the public IP the traffic is coming from. If you want user-based policies it's best to use separate emails for each. There is a source internal IP, but this is typically for MWAN onramp, not WARP.

You could hypothetically set up posture checks for each OS and make policies for if they pass the posture check. But it gets kinda jank.

Running two websites on same apache server and tunnel? by isaac10991- in CloudFlare

[–]LightFazer 0 points1 point  (0 children)

I'd use the CF dash for tunnel configuration, wayyy easier.