Access an SMB drive through Cloudflare Tunnel
The Server Message Block (SMB) protocol allows users to read, write, and access shared resources on a network. Due to security risks, firewalls and ISPs usually block public connections to an SMB file share. With Cloudflare Tunnel, you can provide secure and simple SMB access to users outside of your network.
Cloudflare Zero Trust offers two solutions for connecting to SMB servers:
- Private subnet routing with Cloudflare WARP to Tunnel
- Public hostname routing with
cloudflared access
Set up an SMB server on Linux
While SMB was developed for Microsoft Windows, Samba provides SMB connectivity from UNIX-like and BSD systems. A Samba server can be set up using this guide on an Ubuntu machine.
Connect to SMB server with WARP to Tunnel
You can use Cloudflare Tunnel to create a secure, outbound-only connection from your server to Cloudflare’s edge. This requires running thecloudflared
daemon on the server. Users reach the service by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect as if they were on your private network. By default, all devices enrolled in your organization can access the service unless you build policies to allow or block specific users. 1. Connect the server to Cloudflare
Create a Cloudflare Tunnel for your server by following our dashboard setup guide. You can skip the connect an application step and go straight to connecting a network.
In the Private Networks tab for the tunnel, enter the private IP address of your server (or a range that includes the server IP).
(Optional) Set up Zero Trust policies to fine-tune access to your server.
2. Set up the client
In order for devices to connect to your Zero Trust organization, you will need to:
To connect your devices to Cloudflare:
- Deploy the WARP client on your devices in Gateway with WARP mode. The Cloudflare certificate is only required if you want to display a custom block page or filter HTTPS traffic.
- Create device enrollment rules to determine which devices can enroll to your Zero Trust organization.
3. Route private network IPs through WARP
By default, WARP excludes traffic bound for RFC 1918 space as part of its Split Tunnel feature. For example, WARP automatically excludes 10.0.0.0/8
, which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your private network, the IP/CIDR that you specified for your tunnel must be included in your Split Tunnel configuration.
To configure Split Tunnels for private network access:
- First, check whether your Split Tunnels mode is set to Exclude or Include mode.
- If you are using Include mode, add your network’s IP/CIDR range to the list.
- If you are using Exclude mode:
- Delete your network’s IP/CIDR range from the list. For example, if your network uses the default AWS range of
172.31.0.0/16
, delete172.16.0.0/12
. - Re-add IP/CDIR ranges that are not explicitly used by your private network. For the AWS example above, you would add new entries for
172.16.0.0/13
,172.24.0.0/14
,172.28.0.0/15
, and172.30.0.0/16
. This ensures that that only traffic to172.31.0.0/16
routes through WARP.
- Delete your network’s IP/CIDR range from the list. For example, if your network uses the default AWS range of
By tightening the private IP range included in WARP, you reduce the risk of breaking a user’s access to local resources.
4. Connect as a user
macOS
In the Finder menu, select Go > Connect to Server.
Enter
smb://<smb-server-ip-address>/sambashare
.Sign in with the username and password created while setting up the server.
Windows
- Open File Explorer and right-click Network > Map Network Drive.
- For Folder, enter
\\<server-private-ip>\sambashare
. - Select Connect using different credentials.
- Select Finish.
- Sign in with the username and password created while setting up the server.
Connect to SMB server with cloudflared access
Cloudflare Tunnel can also route applications through a public hostname, which allows users to connect to the application without the WARP client. This method requires having cloudflared
installed on both the server machine and on the client machine, as well as an active zone on Cloudflare. The traffic is proxied over this connection, and the user logs in to the server with their Cloudflare Access credentials.
The public hostname method can be implemented in conjunction with routing over WARP so that there are multiple ways to connect to the server. You can reuse the same tunnel for both the private network and public hostname routes.
1. Connect the server to Cloudflare
Create a Cloudflare Tunnel by following our dashboard setup guide.
In the Public Hostnames tab, choose a domain from the drop-down menu and specify any subdomain (for example,
smb.example.com
).For Service, select TCP and enter the SMB listening port (for example,
localhost:445
). SMB drives listen on port139
or445
by default.Select Save hostname.
(Recommended) Add a self-hosted application to Cloudflare Access in order to manage access to your server.
2. Connect as a user
Install
cloudflared
on the client machine.Run the following command to open an SMB listening port. You can specify any available port on the client machine.
$ cloudflared access tcp --hostname smb.example.com --url localhost:8445This command can be wrapped as a desktop shortcut so that end users do not need to use the command line.
Open your SMB client and configure the client to point to
smb://localhost:8445/sambashare
. Do not input the hostname.Sign in with the username and password created while setting up the server.
Windows-specific requirements
If you are using a Windows machine and cannot specify the port for SMB, you might need to disable the local server. The local server on a client machine uses the same default port 445
for CIFS/SMB. By listening on that port, the local server can block the cloudflare access
connection.
To disable the local server on a Windows machine:
- Select Win+R to open the Run window.
- Type
services.msc
and select Enter. - Locate the local server process, likely called
Server
. - Stop the service and set Startup type to Disabled.
- Repeat steps 3 and 4 for
TCP/IP NetBIOS Helper
.