/ the future I want to see

In 2018, is there any need in complicated workplace VPNs for services?

Software Engineers are often working on services that may have features they want to deliver under close wraps, have security implications due to ISO xxxxx or are services that offer privileged information.

You generally want to hide the dev/UAT/staging from the general public just in case it is indexed or even offers development logging printed out to the browser.

Workplace VPN has been a thing for 20+ years and they are a good way to hide hidden services or offer some form of additional encryption when using HTTPS or SSHing into a box.

In all fairness, Microsoft Server 2018 has a really slick VPN solution however most IT Pros would rather have their VPN on a purpose-made hardware solution or router.

Problems with workplace VPNs:

  • Generally, they offer a very thin layer of security because it means you may be able to access other network devices and have privileged IP access to all the companies hidden services. (e.g. you could see the site of client B when working on client A)
  • Latency/speed hops
  • Internet data could be routed through your companies internet connection and surveillance could be installed.
  • Generally restricting services on the IP of the VPN box is just a bit basic.
  • Without installing the VPN on your mobile, it is not possible to use your phone to visit internal links etc.

When you connect a computer to the server by using the Connect My Computer to the Server Wizard, a VPN network connection is automatically generated on the client computer and can be used to access server resources while working at home or on the road.

VPNs require some CPU computational power to run and generally add another number of hops and/or latency to your connection.

However, generally for this to all work you need to change your DNS settings to those of your employer and sometimes all internet traffic goes through this connection meaning you signing over any personal use of your machine.

Sometimes this works nicely but a lot of internal services are generally on self-signed certificated rather than a public internet domain. Huge companies generally have their own wildcard certificate for internal services which is good.

VPNs are sometimes set up well and use domain credentials from a Windows Server domain or Apple Open Directory etc, but these generally don't support 2FA, SSO (single sign-on) or even third party authentication such as Gmail for business, Github, Facebook/Twitter/blah.

What is the alternative?

Cloudflare Access is probably the best contender in the market for ditching the VPN. It's only ~$3/user and supports all sorts of identity providers. Okta is $1-3/user per month offering a bargain solution at $4/user which has to be a million times cheaper than rolling your own solution.

This offers Email 2FA, SMS 2FA, voice 2FA, Google/MS Authenticator rotating tokens and even hardware tokens such as RSA tokens and Yubikey.

You can roll your own login domain and with Okta you can connect to your AD domain and syncronise authentication.


How is this more secure though just using firewall rules and some form of authentication?

  • 2FA as standard
  • Access rules at the edge make configuration easy and reduces latency
  • No VPN configuration on BYOD devices or even just personal mobiles
  • The WAF provides intrusion protection and rate limiting even on the hidden services where you think the traffic is trusted (an employee for example).

Introducing Cloudflare Warp/Argo Tunnel/whatever it is called.

Cloudflare Warp is a security-conscious tool for exposing web applications without needing to expose the server they run on. With Cloudflare Warp, traffic to your application is run over a private, encrypted, virtual tunnel from the Cloudflare edge and traffic is only able to find and access your server if it routes through Cloudflare.
Only Cloudflare knows how to dial back to the application through the virtual tunnel created between the application and Cloudflare. Traffic can never hit your origin directly because it can never find it, your origin isn’t on the internet, it’s only there if you go through Cloudflare, via Warp. Instead, the client connects to the nearest Cloudflare data center, never directly to the application itself.

Warp is arguably even better, it replaces opening ports on the server by exposing services via a secure tunnel. (Sure, this sounds like a VPN in reverse!) but it is a lot more efficient.

You can fine tune what services to expose to Argo by port/protocol etc.

Things to note:

  • You essentially hide the origin IP of the box as you are not exposing services.
  • You can spin up Cloudflare nodes adding more to your load balancing cluster. Argo will redirect traffic to the closest origin. It is limited to 6 connections for non-Enterprise customers.
  • You can create a docker instance for exposing other Docker services easily, an example is here on Github (older way of doing things, I might fork this!).
  • There is lack of support in Terraform for Cloudflare Warp (boo) but Kubernetes support is there.
  • 10ç per GB of data seems high but its 8ç/GB for AWS data out.
  • No support for Websockets for now which is essential for some kind of web apps.
  • cloudflared can set up using DNS-over-HTTPS for outbound server calls reducing t requests to third party service
  • Cloudflare offers a free Certificate Authority for generating origin certificates that are only trusted by Cloudflare.