Ditch VPNs, Use Cloudflare Access to Secure Internal Apps: Fast, Secure, and Effortless

Security tutorial - IT technology blog

Quick Start (Done in 5 Minutes)

Instead of diving into theory, let’s expose an app running on localhost (e.g., port 8080) to the internet right away. We’ll do this safely, without touching NAT configs or opening ports on your router.

Step 1: Install cloudflared on your server or personal machine.

# For Ubuntu/Debian
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o cloudflared.deb
sudo dpkg -i cloudflared.deb

Step 2: Authenticate with Cloudflare.

cloudflared tunnel login

This command returns a link. Just click it and select the domain you want to authorize.

Step 3: Create a Tunnel and map the service.

# Create a named tunnel called 'itfromzero-demo' (you attach your own hostname to it later)
cloudflared tunnel create itfromzero-demo

# Quick test: expose port 8080 through a temporary "quick tunnel" on a random trycloudflare.com subdomain
cloudflared tunnel --url http://localhost:8080

At this point, your app is online via a random subdomain. However, anyone with the link can access it. In the next sections, I’ll show you how to block uninvited guests using Zero Trust.

Why I Switched from VPN to Zero Trust

After performing security audits for over 10 startup projects, I’ve seen a familiar pattern. Teams often leave SSH ports (22) public or expose Jenkins and Grafana dashboards for remote work convenience. Some use VPNs, but teaching a new designer how to install the client and configure a .ovpn file usually takes all morning.

3 Major Pain Points of Traditional VPNs

  • Excessive Permissions: Once connected to a VPN, employees can usually see the entire internal IP range. If a personal machine gets infected with malware, it can spread to the entire server system within minutes.
  • Frustrating Speeds: All traffic must pass through an intermediate VPN server. This increases latency, especially when working from cafes or using 4G.
  • Management Fatigue: Issuing or revoking certificates every time someone leaves is a repetitive, time-consuming task.

How Does Zero Trust Work in Practice?

Instead of trusting a device just because it has a VPN “key,” Zero Trust operates on the principle: Always re-verify. Every time you click an app link, Cloudflare verifies identity via Google/GitHub and checks the device and location. If everything matches, you’re in. The entire experience happens right in the browser, no complex client needed.

Detailed Implementation Guide for Real-World Apps

Step 1: Set Up Identity Provider

Go to Cloudflare Dashboard > Zero Trust > Settings > Authentication. Here, I recommend connecting GitHub or Google.

For internal teams, I usually use Google Workspace. For personal projects, GitHub is the cleanest option. Just create an OAuth App on GitHub, copy the Client ID and Secret, and paste them into Cloudflare. From then on, users just click “Login with GitHub.”

Step 2: Create a Protected Application

Navigate to Access > Applications > Add an application. Select Self-hosted.

  • Application Name: Internal Dashboard (Or any name you prefer).
  • Domain: admin.itfromzero.com.

Step 3: Set Up Access Policies

This is the heart of the system. You can restrict access to only company email addresses:

Selector: Emails ending in
Value: @itfromzero.com

A hard-learned tip: add a Country condition for “Vietnam”. This blocks 95% of automated scans from random foreign IP ranges at the first layer of defense.
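To make the policy logic concrete, here is a small evaluator I wrote for this post (added example, not Cloudflare’s code or API). It models how an Access Allow policy combines its rules: at least one Include rule must match, every Require rule must match, and no Exclude rule may match. The selector names, the Identity fields and the sample users are this example’s own simplified representation; it goes slightly beyond the post by adding an Exclude rule for an offboarded address and a check that a Country rule on its own never grants access.

```python
"""Toy evaluator for Cloudflare Access-style Allow policies (added example, not Cloudflare code)."""
from dataclasses import dataclass, field


@dataclass
class Identity:
    """What Access learns about one login attempt (constructed sample data)."""
    email: str
    country: str   # ISO 3166-1 alpha-2 code of the source IP; "VN" is Vietnam
    idp: str       # which identity provider authenticated the user


@dataclass
class Policy:
    """Rules are (selector, value) pairs; selector names are this example's own."""
    include: list = field(default_factory=list)
    require: list = field(default_factory=list)
    exclude: list = field(default_factory=list)


def rule_matches(rule: tuple, ident: Identity) -> bool:
    selector, value = rule
    if selector == "emails_ending_in":
        return ident.email.lower().endswith(value.lower())
    if selector == "email":
        return ident.email.lower() == value.lower()
    if selector == "country":
        return ident.country.upper() == value.upper()
    if selector == "login_method":
        return ident.idp == value
    raise ValueError(f"unknown selector {selector!r}")


def evaluate(policy: Policy, ident: Identity) -> tuple:
    """Return (allowed, reason) using Include / Require / Exclude semantics."""
    if any(rule_matches(r, ident) for r in policy.exclude):
        return False, "matched an Exclude rule"
    # A policy with only Require rules grants nothing: some Include rule must match first.
    if not any(rule_matches(r, ident) for r in policy.include):
        return False, "no Include rule matched"
    missing = [r for r in policy.require if not rule_matches(r, ident)]
    if missing:
        return False, f"Require rule not satisfied: {missing[0]}"
    return True, "allowed"


# The policy from the post: company e-mail domain as Include, Country as Require,
# plus a constructed Exclude for an address that has already been offboarded.
INTERNAL_DASHBOARD = Policy(
    include=[("emails_ending_in", "@itfromzero.com")],
    require=[("country", "VN")],
    exclude=[("email", "offboarded@itfromzero.com")],
)

if __name__ == "__main__":
    samples = [
        Identity("dev@itfromzero.com", "VN", "github"),
        Identity("dev@itfromzero.com", "US", "github"),   # right user, but travelling
        Identity("outsider@gmail.com", "VN", "github"),
        Identity("offboarded@itfromzero.com", "VN", "github"),
    ]
    for s in samples:
        print(f"{s.email:32} {s.country}  ->  {evaluate(INTERNAL_DASHBOARD, s)}")
```

The travelling-user case is the one that bites in practice: a Require rule on Country denies your own staff the moment they work from abroad, so keep it only where the team really is geographically fixed, or pair it with the OTP fallback described later in the post.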

Pro Tip: Secure SSH Without Opening Port 22

This is my favorite feature. Because cloudflared only makes outbound connections to Cloudflare, you can completely close port 22 on your firewall (ufw/iptables). Anyone scanning your server’s IP will see nothing but a solid wall.

On your computer, add a few lines to your ~/.ssh/config file:

Host internal-server.itfromzero.com
    ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h

When you run ssh <user>@internal-server.itfromzero.com (the Host entry above), your browser will automatically pop up for login. Once authenticated, the SSH tunnel is established. It’s secure and eliminates worries about SSH password brute-forcing.

A Few Lessons from Personal Experience

  1. Always have a backup plan: Enable one-time PINs (OTP) via Email. If GitHub or Google goes down, you won’t be “locked out” of your own system.
  2. Leverage Audit Logs: Cloudflare logs everything: who entered, when, and from which IP. I spend 5 minutes every Monday morning checking these logs to spot unusual access early.
  3. Handle offboarding quickly: Don’t just delete the email. Go to the Application section and click “Revoke all sessions” to immediately kick any old sessions out of the system.
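For lesson 2, here is the kind of Monday-morning check I run over an export of the Access login events (added example, not Cloudflare’s tooling). The records are constructed to resemble Access audit-log entries (user_email, ip_address, country, app_domain, allowed, created_at); the field names are this example’s assumption about the export shape, so adapt them to what you actually pull. It flags three things: allowed logins from outside the expected country, IPs with many denied attempts, and users logging in from an IP never seen before.

```python
"""Weekly review of Cloudflare Access login events (added example, not Cloudflare's tooling)."""
import json
from collections import Counter

EXPECTED_COUNTRIES = {"VN"}   # where the team actually works (the post's Country condition)
DENIED_THRESHOLD = 5          # denied attempts from one IP in the period before we flag it

# Constructed sample export: newline-delimited JSON, one week of events for the app from the post
_ALLOWED = [
    {"created_at": "2024-05-06T08:01:00Z", "user_email": "dev@itfromzero.com",
     "ip_address": "203.0.113.10", "country": "VN", "app_domain": "admin.itfromzero.com", "allowed": True},
    {"created_at": "2024-05-07T09:12:00Z", "user_email": "dev@itfromzero.com",
     "ip_address": "203.0.113.10", "country": "VN", "app_domain": "admin.itfromzero.com", "allowed": True},
    {"created_at": "2024-05-09T21:40:00Z", "user_email": "dev@itfromzero.com",
     "ip_address": "198.51.100.7", "country": "DE", "app_domain": "admin.itfromzero.com", "allowed": True},
    {"created_at": "2024-05-10T10:05:00Z", "user_email": "ops@itfromzero.com",
     "ip_address": "203.0.113.22", "country": "VN", "app_domain": "admin.itfromzero.com", "allowed": True},
]
_DENIED = [  # six policy denials from one address within a few minutes
    {"created_at": f"2024-05-07T02:{m:02d}:00Z", "user_email": "unknown@example.net",
     "ip_address": "192.0.2.44", "country": "US", "app_domain": "admin.itfromzero.com", "allowed": False}
    for m in range(6)
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _ALLOWED + _DENIED)

# Baseline of IPs each user was seen from in earlier weeks (constructed)
KNOWN_IPS = {"dev@itfromzero.com": {"203.0.113.10"}}


def parse_events(text: str) -> list:
    """Parse a newline-delimited JSON export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review(events: list, known_ips: dict) -> dict:
    """Return the findings worth a human look; all lists are sorted for stable output."""
    foreign, new_ips = [], []
    denied = Counter()
    for e in events:
        if not e["allowed"]:
            denied[e["ip_address"]] += 1
            continue
        if e["country"] not in EXPECTED_COUNTRIES:
            foreign.append((e["user_email"], e["country"], e["ip_address"]))
        if e["ip_address"] not in known_ips.get(e["user_email"], set()):
            new_ips.append((e["user_email"], e["ip_address"]))
    return {
        "foreign_logins": sorted(set(foreign)),
        "noisy_ips": sorted((ip, n) for ip, n in denied.items() if n >= DENIED_THRESHOLD),
        "new_ips": sorted(set(new_ips)),
    }


if __name__ == "__main__":
    findings = review(parse_events(SAMPLE_LOG), KNOWN_IPS)
    for kind, items in findings.items():
        print(f"{kind}:")
        for item in items:
            print("   ", item)
```

A "new IP" for a user is usually just a new coffee shop, but a new IP that is also outside the expected country is worth a quick message to the person before Monday is over; a noisy IP with only denials is exactly the automated scanning the Country condition exists to absorb.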

Moving from VPN to Zero Trust might feel a bit strange at first. However, once you’re used to not managing config files, you’ll see it’s the smartest choice for DevOps. Happy deploying!
