Accessing Your Home Server Anywhere with Cloudflare Zero Trust

Have you ever wanted to access your home server or local services while on the go, but didn't want to deal with the security risks of port forwarding? Cloudflare Zero Trust is the perfect solution. This guide will walk you through setting up a secure tunnel and using a loopback adapter for seamless access.

Prerequisites

Before we begin, make sure you have the following ready:

  1. Cloudflare WARP: Installed on your client device (phone, laptop, etc.).
  2. Cloudflared Agent: Installed on the server you want to access.
  3. Zero Trust Dashboard: A configured team name and access policy. If you're new to this, check out the official setup instructions.

How to Do It

1. Create a Cloudflare Tunnel

First, head over to the Cloudflare One Dashboard and navigate to Network > Connectors > Cloudflared. Create a new tunnel, copy the provided command, and run it on your server. This establishes the secure link between your server and Cloudflare's edge.

2. Configure CIDR Routes

Now, you need to tell the tunnel which IP addresses it should handle. Go to Network > Routes and create a route. I recommend using a CIDR from a private IP range, such as 10.0.1.33/32 (a single host address), and assigning it to your new tunnel.

3. Set Up Loopback Adapter (Windows)

Depending on your OS, you might need a network loopback device. On Windows, this allows the system to route traffic to the tunnel correctly. I've created a PowerShell script below to automate this.

You will need DevCon installed to use the script. You can find an installer here. Run the following command as Administrator:

.\script.ps1 add ssh 10.0.1.33 255.255.255.255

Here is how the resulting adapter should look in your network settings:

[Screenshot: Windows Loopback Adapter]

4. Adjust Split Tunnel Settings

Go to Team & Resources > Devices > Device profiles and edit your default profile. Under Split Tunnels, ensure your configuration allows the traffic. I recommend using Exclude mode and making sure your CIDR (from step 2) is NOT in the exclude list. This is a critical step!
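The check from step 4, as an added example that is not part of the original post: it reports which Exclude-list entries still cover the tunnel route from step 2, and rewrites them so that everything except the route stays excluded. The sample exclude list and the function names are constructed for illustration; substitute the entries from your own device profile.

```python
import ipaddress

# Constructed sample exclude list (assumption): replace it with the entries
# shown under Split Tunnels in your own device profile.
SAMPLE_EXCLUDES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]


def covering_excludes(route, excludes):
    """Return the exclude entries that overlap the tunnel route."""
    route_net = ipaddress.ip_network(route)
    hits = []
    for entry in excludes:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == route_net.version and net.overlaps(route_net):
            hits.append(str(net))
    return hits


def carve_out(route, excludes):
    """Rewrite the exclude list so the route is sent through the tunnel.

    An entry that contains the route is replaced by the smallest set of
    CIDRs covering everything in it except the route; an entry that lies
    inside the route is dropped; unrelated entries are kept unchanged.
    """
    route_net = ipaddress.ip_network(route)
    result = []
    for entry in excludes:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != route_net.version or not net.overlaps(route_net):
            result.append(str(net))
        elif net != route_net and route_net.subnet_of(net):
            result.extend(str(p) for p in sorted(net.address_exclude(route_net)))
    return result


if __name__ == "__main__":
    route = "10.0.1.33/32"  # the route created in step 2
    print("Entries still excluding the route:", covering_excludes(route, SAMPLE_EXCLUDES))
    for cidr in carve_out(route, SAMPLE_EXCLUDES):
        print(cidr)
```

An empty result from `covering_excludes` means the route already goes through WARP; otherwise replace the reported entries with the output of `carve_out`.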

5. Configure Client Device

On your client device (I'm using iOS, but Android is similar), install the Cloudflare One app. Open it and enter your Team Name in the settings.

6. Connect and Access

Flip the switch in the WARP app, and you're good to go! You can now access your server using the private IP address you assigned to the tunnel (in this case, 10.0.1.33).


PowerShell

Use this script to manage your loopback adapters. Remember to run it as an Administrator.

param(
    [Parameter(Mandatory=$true)]
    [string]$Action,

    [string]$Arg1,
    [string]$Arg2,
    [string]$Arg3
)

# Require Administrator privileges
$IsAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $IsAdmin) {
    Write-Error "This script must be run as Administrator"
    exit 1
}

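# devcon.exe must be on PATH (or set a full path here)
$DevconPath = "devcon.exe"
# Hardware ID of the Microsoft loopback adapter driver
$LoopbackHwId = "*msloop"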

switch ($Action.ToLower()) {
    "add" {
        if (-not $Arg1 -or -not $Arg2 -or -not $Arg3) {
            Write-Error "Usage: add <AdapterName> <IPv4Address> <SubnetMask>"
            exit 1
        }

        $AdapterName = $Arg1
        $IPv4        = $Arg2
        $SubnetMask  = $Arg3

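        # Record existing loopback adapters so the new one can be told apart
        $Existing = @(Get-NetAdapter |
            Where-Object { $_.InterfaceDescription -like "*Loopback*" } |
            Select-Object -ExpandProperty ifIndex)

        Write-Host "Installing Microsoft Loopback Adapter..."
        & $DevconPath install "$env:windir\inf\netloop.inf" $LoopbackHwId

        Start-Sleep -Seconds 2

        # Pick the loopback adapter that did not exist before the install,
        # so a failed install never renames an adapter that was already there
        $Adapter = Get-NetAdapter |
            Where-Object { $_.InterfaceDescription -like "*Loopback*" -and
                           $Existing -notcontains $_.ifIndex } |
            Sort-Object ifIndex -Descending |
            Select-Object -First 1

        if (-not $Adapter) {
            Write-Error "Loopback adapter not found"
            exit 1
        }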

        Rename-NetAdapter -Name $Adapter.Name -NewName $AdapterName -Confirm:$false

        Write-Host "Assigning IPv4 address..."
        netsh interface ipv4 set address `
            name="$AdapterName" static $IPv4 $SubnetMask

        Write-Host "Loopback adapter created successfully:"
        Write-Host "  Name: $AdapterName"
        Write-Host "  IP:   $IPv4"
        Write-Host "  Mask: $SubnetMask"
    }

    "remove" {
        if (-not $Arg1) {
            Write-Error "Usage: remove <AdapterName>"
            exit 1
        }

        $AdapterName = $Arg1

        $Adapter = Get-NetAdapter -Name $AdapterName -ErrorAction SilentlyContinue
        if (-not $Adapter) {
            Write-Error "Adapter not found: $AdapterName"
            exit 1
        }

        Write-Host "Removing loopback adapter: $AdapterName"
        & $DevconPath remove "@$($Adapter.PnpDeviceID)"

        Write-Host "Loopback adapter removed successfully"
    }

    default {
        Write-Error "Invalid action. Use: add or remove"
        exit 1
    }
}