How to create secure remote access with zero trust policy

This short how-to should give you some ideas on how to create secure web access to your web services without VPN.

First of all: You can stop reading (and probably using Internet after all) if you don’t trust any content providers. I will use Cloudflare, OPNsense, Solokeys and Github for this Demo. You need a fixed IP-address or just use Cloudflare’s DynDNS service as well.

This is not a complete step-by-step guide! You should know what you’re doing before exposing confidential/private services on the internet.

Register your TLD with Cloudflare’s NS servers

First you need to transfer one TLD (NS servers to be precise) to Cloudflare. It’s pretty straight forward and there are plenty of how-tos, so I’ll just skip it. Cloudflare DNS

Set up the Web Application Firewall

Once you moved your domain, you can set up a WAF. This should block many scanners and internet noise, unless you chose to allow common hosting providers. Cloudflare Web Application Firewall

Create a Zero Trust App Access

Next go to Zero Trust -> Access -> Add new Application Give it a name and select a subdomain

Zero Trust Application

Add an identity provider (Github, TOTP, Facebook, …)

You need to add at least one identity provider. I like Github because it offers FIDO2 2FA, so I can use my Solokeys as second factor. ID providers Add the email addresses or IDs you want to use for authentication.

Create a proxied A record

Go back to your domain manager and create a proxied A record from the subdomain you choose before.

Set up your host or firewall for dedicated remote access

At last, you need to configure your firewall to block any access except Cloudflare traffic. This can be done easily using FreeBSD pf tables or OPNsense aliases. Login to your OPNsense (or create a file on your FreeBSD host) and add all (Cloudflare IP addresses)[]. OPNsense Host Aliases (for FreeBSD hosts it’s just normal pf tables persist <conf/cloudflare> + pass in from table <cloudflare>

Add a rule to forward traffic to your web server, and you’re done doing the basic configuration. OPNsense Host Aliases

To add more security you should use client certificates (mTLS). See you next time…