Zero Trust Samba with Cloudflare Private Routing

? I have a few goals for this project:

  • Deploy a Samba file server on an Ubuntu machine
  • Make that machine inaccessible to the Internet
  • Connect to that file server without adding back hauls that degrade performance
  • Control who can reach the server using my identity provider of choise, instead of relying entirely on simple password auth in Samba

?️ This walkthrough covers how to:

  • Deploy a Samba file server on an Ubuntu machine
  • Use Cloudflare Tunnel to create a private network and connect that server to Cloudflare’s network
  • Connect to that server through Cloudflare’s network using the WARP agent

Samba

The Server Messaging Block (SMB) protocol provides connectivity from client device to file shares, printers, and other destinations. The vast majority of SMB use cases depend on Microsoft Windows.

What about the rest of the operating systems out there? 30 years ago, Andrew Trigdell first built Samba to provide for SMB connectivity from UNIX-like and BSD systems, like macOS. Samba is free, GNU-licensed, software and I’m going to run it on my Ubuntu machine and use the native Samba client on my Mac to connect.

I have an Ubuntu VM, running in Digital Ocean, where I’m going to run a Samba file server. You could repeat this process with other operating systems.

First, I’ll install Samba using apt. I followed the directions available from Ubuntu here with a couple of modifications beginning on step 3, which I’ll call out here.

I have poor user hygiene and am running as root, so I created the Samba directory with this command.

mkdir /root/sambashare/

Next, I can edit the configuration of the Samba service.

sudo vim /etc/samba/smb.conf

I’ll add the following five lines to the end of the configuration file.

[sambashare]
        comment = Samba on Ubuntu
        path = /root/sambashare
        read only = no
        browsable = yes

I can now add a user and set a password. I’ll be relying on my identity provider login, but this password gives me an additional second factor if I want to think of it that way. Again, I’m running as root and Samba requires the user to also be a user on the machine, so I need to run the following command.

sudo smbpasswd -a root

Alright, I can now restart the service, update the firewall, and check its status.

sudo service smbd restart
sudo ufw allow samba
sudo service smbd status
Samba Service

Now that my Samba server is up and running, I need to connect to it. I do not want this service exposed to the public Internet, so I want to reach it through a private network. However, most private networks trust all users inside of them. I want to only let certain users in this private network reach this service (and no other services). To do that, I’m going to use Cloudflare Tunnel and Zero Trust network rules in Cloudflare Gateway.

Cloudflare Tunnel

Cloudflare Tunnel connects applications, resources, and networks to Cloudflare’s global network without requiring me to open up holes in my own firewall. The Cloudflare Tunnel daemon, cloudflared, will create outbound-only connections to Cloudflare. The daemon is open-sourced and releases are available for several different operating systems.

Cloudflare Tunnel can be used for public-facing applications, internal resources that need Zero Trust rules, or in a deployment similar to a private network, like what I’m doing in this tutorial.

Install and Authenticate

First, I’m going to install cloudflared.

sudo wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb
sudo dpkg -i ./cloudflared-stable-linux-amd64.deb

Next, I’ll authenticate cloudflared into my Cloudflare account.

cloudflared login
cloudflared login

I’ll follow that link in a browser, login to my Cloudflare account, and choose a site in my account. This part is a little clunky (and we’re going to fix this) but I can pick any site listed for this private networking use case. The certificate downloaded will be account-wide.

cloudflared name

Once selected, I can return to my terminal and confirm that the instance of cloudflared has received the certificate.

cert received

Configure and Connect

Now that I have authenticated cloudflared, I can create my Tunnel. The following command will create a Cloudflare Tunnel – but it won’t run it just yet, we’ll do that after we configure it.

cloudflared tunnel create smb-machine
create tunnel

The command above created a Tunnel in my account and issued credentials for that Tunnel to this instance of cloudflared. The Tunnel I created is not ephemeral or dependent on cloudflared to be running. For example, when cloudflared restarts, I do not need to recreate this Tunnel.

Next, I am going to configure the private network functionality of Cloudflare Tunnel. The command below will tell Cloudflare to send traffic inside of my private network, bound for the specified IP CIDR, to the Tunnel I just created.

cloudflared tunnel route ip add 10.0.0.4/32 smb-machine
create route

I can now finish configuring the Tunnel itself. I’m going to create a configuration file and edit it (in Vim) with the following command.

vim /root/.cloudflared/config.yaml
vim

Inside of that file, I’ll add the following lines. The tunnel: value is the ID of the Tunnel I created earlier and the credentials-file: value is the location of the credentials file for that Tunnel.

tunnel: 3c152f92-62d0-4195-b4e9-213e5b93fb5b
credentials-file: /root/.cloudflared/3c152f92-62d0-4195-b4e9-213e5b93fb5b.json
warp-routing:
  enabled: true

I’m going to knock out one final step. You might notice that the Samba server is not listening on the IP address that I just configured. To handle that, I’m going to run the following command to configure my network interface to receive traffic for that IP. You might not need this step if your service is available at the IP you configured.

ifconfig lo:0 10.0.0.4 up

ifconfig commands do not survive a restart, so I’ll go back later and make sure to add this to my etc/network/interfaces file, but for now this allows me to test.

Run

Alright, I’m ready to run the Tunnel. I could run this Tunnel in a one-off way, to test the functionality, with the command below:

cloudflared tunnel run smb-machine

However, I want access to this file server even if cloudflared or the Ubuntu machine restarts, so I’m going to run cloudflared as a service.

sudo cloudflared service install
sudo systemctl enable cloudflared
service

With that, cloudflared is now connected to Cloudflare’s network, ready to receive traffic bound for 10.0.0.4/32, and able to survive a restart.

Building Zero Trust rules

The only users able to connect to that private IP will have to first enroll in my account. I can control who can enroll in my account (more on that later), but imagine I am part of a large organization. I don’t want just anyone in that organization to be able to reach this resource.

I’m going to build a rule that only allows me to connect. I could modify this to allow users in a specific Okta group or a list of users, but in this case it’s just me.

To create that rule, I’ll navigate to the Cloudflare for Teams dashboard. In the dashboard, I’m going to open the Gateway page and find the Network tab.

network panel

First, I’ll create a rule to allow my user identity to reach the IP specified.

allow

Next, I’m going to create a second rule to block everyone else.

block

These rules are enforced in top-to-bottom order, so I need to make sure the Allow rule is listed first.

list

Connecting from WARP

I can now enroll my client machine into this private network and connect to the Samba server.

Configuring enrollment

First, I need to define who can enroll into my private network using the WARP agent. To do that, I’m going to stay in the Cloudflare for Teams dashboard and open the Settings page.

settings page

I’ll select Device settings.

device settings

I’ll configure the enrollment rules by clicking Manage. I already have configured a handful of identity providers, but if you haven’t yet then this guide will help you get started.

I’m going to only allow myself to enroll, but I could add rules to allow my entire team, identity provider groups, or even users from multiple identity providers.

device settings

Once saved, I can leave this page and configure my account’s network settings.

device settings

Configuring my network

Second, I need to configure the settings that will be applied when users enroll. I’ll stay in the Settings page, but navigate over to the Network section. In this case, I need to make sure that TLS inspection and the Proxy mode settings are both enabled.

network settings

One last thing here – the WARP agent, which is going to be my on-ramp to connect to this resource, excludes a list of private IP ranges by default. I need to delete any ranges that include the IP I configured previously.

split tunnel

Enrolling my device

I’ll begin the third step by adding a certificate to my device. I’ll navigate to the Certificates card of the Devices page in the Settings section to download the certificate, then I’ll follow these instructions to add the certificate to my machine.

The WARP agent, and this private routing use case, can work alongside Cloudflare’s Secure Web Gateway, which performs traffic inspection using the certificate installed above. We’re going to make this easier and remove this requirement for purely private routing use cases.

I can now download the WARP agent (links are available in the same Device settings page).

warp mode

Once installed, I need to enroll the agent into my Cloudflare account.

warp mode

To do so, I’ll click the gear icon and navigate to the Account view.

account

I’m going to input my Cloudflare for Teams name; if you don’t remember this value, you can find it in the General page of the Settings section. Once entered, I’ll be prompted to authenticate with my identity provider.

org name

Finally, I need to make sure the agent is running in “WARP” mode – the proxy version – rather than just DNS mode.

split tunnel

For large organizations, these steps can be completed via an MDM deployment to avoid requiring users to manually complete them.

Connecting to the Server

With WARP enabled, I can now connect to the Samba share for my device. I’ll input the IP of the resource.

input IP

I’ll authenticate with the credentials created earlier.

smb login

And I’m connected! Behind the scenes, Cloudflare checked that my user identity (stored in WARP) is allowed to reach this IP and connected me through.

smb view

What’s next?

I like this. I now have a private file storage that doesn’t rely on any one consumer-focused service. I can also keep my device safe by adding Secure Web Gateway or DNS filtering rules with just a few clicks. I can access it from any location (and even see logs).

logs

Reference: Original Post from https://blog.samrhea.com/posts/2021/zero-trust-samba

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The reCAPTCHA verification period has expired. Please reload the page.