Technology partners! Thank you for all your advice and guidance on options in the network/firewall space. I am new to this journey, so I am taking some time to learn first and working to try things out.
I wanted to share the use case and see if this is the correct way to go about it.
Problem: I want to connect to critical resources when outside my network, even from unknown networks, through an appropriate security posture. I do not have access to a static IP from my ISP; those are only available through business accounts.
My Background Understanding
OpenVPN, WireGuard and Tailscale will allow me to create a tunnel to my internal network and leverage rules in pfSense.
It is my understanding that Tailscale leverages coordination of my network by making use of a pointed circuit to my network. For Tailscale to work properly I should use a static IP from my ISP to mitigate issues.
Cloudflare provides a similar solution with a coordination client on my network, and then leverages specific configurations for which services/systems I wish to expose.
Bringing in OpenVPN and WireGuard, I make use of a specific connection pair leveraging either named users (OVPN) or keys (WG).
All these options have me thinking through how I get access to critical resources as needed while leveraging good security practices. Do all of these (Cloudflare Tunnel, Tailscale, OpenVPN and WireGuard) share the same servicing space? Or are they separate?
Use Case: My thought is, would it be right to leverage OpenVPN (I control what has access to this user/password) to reach the exposed services through Cloudflare Tunnel? Can this be done?
If you are connecting to your home network, just set up dynamic DNS and combine this with OpenVPN. It's pretty secure, and you can up the level of security (whole range of cryptographic ciphers to choose from, which may slow the connection), use 2FA, use certificates (lose your device, and it's easy to revoke the cert without affecting anything else), etc.
When you get stuck, there is quite a lot of info out there to get you out of the hole.
OpenVPN and WireGuard are sort of base layer VPN or tunneling technologies: You configure each end or peer manually, including certificates/accounts/keys and endpoint addresses. Tailscale and Cloudflare Tunnel build on top of that layer by abstracting away the configuration. Tailscale uses WireGuard under the hood. CF Tunnel uses some proprietary technology, as far as I can tell.
The elegant thing about Tailscale is that it incorporates some neat firewall and NAT traversal techniques. It also handles roaming peers. With regard to your question, that means that peers do not need static IP addresses. In many cases, you don't even need to configure the firewall and NAT to allow inbound connections.
In all of these cases, users that want to access your network need the respective application on their devices or on their router.
Cloudflare Tunnel is somewhat different. It always works as long as outbound connections are allowed, because Cloudflare controls the other end of the tunnel. So you don't need to configure anything there either. Users can access private resources by using the Cloudflare Argo app on their devices. However, CF also offers an authorization layer that they can put in front of resources. This allows restricting access to e.g. web sites to users who have previously authenticated against an ID provider or by using one-time passwords.
As far as leveraging rules or configuration, I don’t know what you mean by that. Regardless of which option you choose, you should put appropriate access control into effect. That is especially true for CF Tunnel, since you’ll be running an application inside your network that you don’t control. On the other hand, if you’re looking at it from a privacy perspective, someone sniffing your traffic will only see that you connect to CF’s network. If you self-host a VPN, you’ll leak your network’s address.
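To make the two points above concrete (the reply recommending dynamic DNS plus a self-hosted VPN with per-device credentials you can revoke, and the explanation that WireGuard is configured peer by peer with keys and endpoints), here is an added example that is not part of this thread or of any of the projects mentioned. It renders the two halves of a WireGuard tunnel: the home side behind pfSense, which listens on a port and lists each roaming device by public key, and the laptop side, which only needs a dynamic-DNS hostname to find home. The tunnel subnet `10.44.0.0/24`, the LAN `192.168.1.0/24`, the hostname `home.example.net` and all key strings are constructed placeholders for the example; real keys come from `wg genkey` and `wg pubkey`.

```python
import base64
import ipaddress
from dataclasses import dataclass
from typing import List

# Assumed addressing for the example: a /24 for the tunnel itself and the
# LAN behind pfSense that the roaming client should reach through it.
TUNNEL_NET = ipaddress.ip_network("10.44.0.0/24")
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")
LISTEN_PORT = 51820


@dataclass
class Peer:
    name: str
    public_key: str
    tunnel_ip: str  # one address inside TUNNEL_NET, e.g. "10.44.0.10"


def placeholder_key(fill: int) -> str:
    """Constructed stand-in with the shape of a WireGuard key (32 bytes, base64).
    Not a real key: generate real ones with `wg genkey` and `wg pubkey`."""
    return base64.b64encode(bytes([fill]) * 32).decode()


def valid_key(key: str) -> bool:
    """Shape check before writing a config: 44 base64 chars decoding to 32 bytes."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False


def server_config(private_key: str, server_ip: str, peers: List[Peer]) -> str:
    """Home-side wg0.conf. Roaming peers get no Endpoint: the server learns a
    peer's current address from its latest authenticated handshake, so the
    laptop's ISP address may change freely. AllowedIPs pins each peer to one
    tunnel address (cryptokey routing), so two peers must never share one."""
    if not valid_key(private_key):
        raise ValueError("server private key has the wrong shape")
    srv = ipaddress.ip_address(server_ip)
    lines = ["[Interface]", f"Address = {srv}/{TUNNEL_NET.prefixlen}",
             f"ListenPort = {LISTEN_PORT}", f"PrivateKey = {private_key}"]
    seen = {srv}
    for p in peers:
        ip = ipaddress.ip_address(p.tunnel_ip)
        if not valid_key(p.public_key):
            raise ValueError(f"{p.name}: public key has the wrong shape")
        if ip not in TUNNEL_NET or ip in seen:
            raise ValueError(f"{p.name}: {ip} is not a free address in {TUNNEL_NET}")
        seen.add(ip)
        # Removing a device's [Peer] block and reloading is its revocation.
        lines += ["", f"# {p.name}", "[Peer]", f"PublicKey = {p.public_key}",
                  f"AllowedIPs = {ip}/32"]
    return "\n".join(lines) + "\n"


def client_config(private_key: str, tunnel_ip: str, server_public_key: str,
                  ddns_host: str, keepalive: int = 25) -> str:
    """Roaming-side wg0.conf. The only fixed name in the setup is the dynamic-DNS
    hostname of the home connection. AllowedIPs is a split tunnel: only the
    tunnel subnet and the home LAN go through wg0. PersistentKeepalive keeps the
    NAT mapping open so the home side can still reach this peer."""
    if not (valid_key(private_key) and valid_key(server_public_key)):
        raise ValueError("key has the wrong shape")
    ip = ipaddress.ip_address(tunnel_ip)
    if ip not in TUNNEL_NET:
        raise ValueError(f"{ip} is outside {TUNNEL_NET}")
    return "\n".join([
        "[Interface]", f"Address = {ip}/32", f"PrivateKey = {private_key}", "",
        "[Peer]", f"PublicKey = {server_public_key}",
        f"Endpoint = {ddns_host}:{LISTEN_PORT}",
        f"AllowedIPs = {TUNNEL_NET}, {HOME_LAN}",
        f"PersistentKeepalive = {keepalive}",
    ]) + "\n"


def build_pair(ddns_host: str = "home.example.net"):
    """Both sides for one laptop. Returns (server_conf, client_conf).
    Placeholder keys 0x11/0x44 stand for the server's private/public pair and
    0x33/0x22 for the laptop's; real pairs come from `wg genkey | tee priv | wg pubkey`."""
    laptop = Peer("laptop", placeholder_key(0x22), "10.44.0.10")
    server = server_config(placeholder_key(0x11), "10.44.0.1", [laptop])
    client = client_config(placeholder_key(0x33), laptop.tunnel_ip,
                           placeholder_key(0x44), ddns_host)
    return server, client


if __name__ == "__main__":
    s, c = build_pair()
    print("# --- home side (pfSense / server) ---\n" + s)
    print("# --- roaming laptop ---\n" + c)
```

The asymmetry is the whole point: the home side needs a reachable name (the dynamic-DNS hostname, plus UDP 51820 allowed on the WAN), while the laptop side never needs a fixed address, which is why a residential connection without a static IP is enough for a self-hosted tunnel. Revoking a lost laptop means deleting its `[Peer]` block and reloading (on Linux, `wg syncconf wg0 <(wg-quick strip wg0)`; on pfSense the WireGuard package manages peers in its own UI), which touches no other device, the same property the earlier reply describes for OpenVPN certificates. The tunnel only authenticates the device; what `10.44.0.10` may reach on the LAN is still decided by the firewall rules on the WireGuard interface in pfSense.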
Can you really pass OpenVPN traffic through Cloudflare? I recall in their TOS/EULA it's only available for web traffic (but I might be mistaken in reading it).
Since Tailscale was already mentioned, check the Route48 project. You can have your own public IPv6 space over a GRE/WireGuard tunnel; it might be something you want to use along with your OpenVPN setup.