Cloudflare tunnel as VPN to access resources
This topic is outside Railway, so I'm happy if anyone is willing to help me with it.
Before we start, I'm pretty new to Cloudflare Tunnel, so if there's something wrong in my statements, please let me know.
So I'm trying to configure Cloudflare Tunnel to allow me to access a database on the Railway private network without having to use public networking. Why? Of course, security. With CF Zero Trust, I see that I can limit who can access specified resources and so on.
So I've been reading the CF Tunnel docs and this article https://community.hetzner.com/tutorials/connect-over-pvt-net-with-cloudflare-access, however it turns out that in the end I need to configure the public hostname on the CF tunnel to access specific resources.
So my question is, how can I connect to a specific resource (e.g. PostgreSQL) without needing to use public networking/hostname, perhaps by connecting directly via IP or maybe a private network URL like postgres.railway.internal from my computer? Is that possible, or am I missing something?
Please let me know, any help is appreciated. Thank you!
templates used: https://railway.app/new/template/cf-tunnel
Additional notes: I've configured WARP on my desktop (Windows) and have been authenticated with Zero Trust. I've also already enabled the proxy option on the CF Zero Trust dashboard.
I haven't tried this specifically on Railway, but have used the Cloudflare WARP private network to an IP subnet:
My guess is: because Railway only exposes the private hostname, you would need to set up the tunnel to use a "public" hostname and point it to your private hostname on Railway.
Then you would use cloudflare access to place that public hostname behind
Note... when you're pointing to Railway's private hostname, I had to use just the subdomain part and leave out the railway.internal part of the domain.
I have set up Cloudflared on Railway before and it uses the Private Networking domain to connect to Cloudflare ZT.
Just be prepared to be billed a little more on egress, since there is always idling network egress to ZT in the daemon.