Overview:

The Cloudflare Zero Trust solution is used as the VPN provider for connecting to GCP. It relies on an application called the WARP client, which routes traffic destined for the private address space in GCP over the tunnel.

Installation:

Installation steps (Desktop):

  1. Follow the getting started guide https://developers.cloudflare.com/warp-client/get-started/; you will find the necessary files and steps there. You can skip the certificate installation, since we are not using that.
    Enroll into the team. This can be done either through the GUI (Windows/Mac) or the CLI (Linux), which will point you to https://safibank.cloudflareaccess.com/warp . Our team/organization name is safibank. (A more specific how-to can be found here.)
    The command you need to use is: warp-cli teams-enroll safibank

  2. You will be asked for your Okta credentials; fill them in, and you should see this screen.

  3. After enrollment, traffic will be routed through the WARP client. The enrollment status can be checked at https://help.teams.cloudflare.com/ ; a correct connection will look like this:

Installation steps (Mobile):

  1. Find the 1.1.1.1 Faster and Safer Internet app in your app store and install it.

  2. Accept the privacy information, go to the settings (the icon in the right corner) and select Account.

  3. Under Account, select Login to Cloudflare Zero Trust.

  4. Accept the privacy notification and enter the Organization Name: safibank

  5. You will be moved to a browser and shown a login prompt.

  6. Select the Okta login option.

  7. Log in with your account; after a successful login you should see this screen.

  8. Go back to the starting screen and move the toggle to the right.
    You will be asked to install the VPN.

  9. After the VPN installation you should see this on the main screen of the 1.1.1.1 app.

  10. You can check that everything worked at https://help.teams.cloudflare.com/ ; a successful connection looks like this:

Known issues:

  • On Linux, when trying to reach the resources, you might get this error: curl: (35) error:0A000126:SSL routines::unexpected eof while reading. This is a problem with OpenSSL; you need to update to a newer version of the library.

    The following version works (output of openssl version):
    openssl version
    OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)

    The steps I took:

    1. sudo rm /usr/lib/x86_64-linux-gnu/libssl.so.3 -> openssl should stop working, since you deleted the library

    2. install this package http://us.archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl3_3.0.5-2ubuntu1_amd64.deb

    3. sudo ldconfig

What also worked was following this answer on Stack Overflow: https://stackoverflow.com/questions/54124906/openssl-error-while-loading-shared-libraries-libssl-so-3/66049182#66049182

  • Sometimes Cloudflare does not offer the re-authentication window, so you lose access to all resources. In that case you need to re-authenticate manually at https://safibank.cloudflareaccess.com/cdn-cgi/access/refresh-identity or via the CLI with warp-cli access-reauth

  • If the WARP service (daemon) is not running, either restart your device or start the service manually with sudo systemctl start warp-svc.service

  • On Mac you might have a problem with WARP connecting and disconnecting all the time. There is a bug report for it, which you can find here. The solution is to move to an older version; the one confirmed to work is 2022.4.114.0 (20220407.11)

  • If warp-cli teams-enroll does not download the settings, the problem might be that you have other VPN software installed; please uninstall it and try again.

  • Docker uses the network 172.17.0.0/16 as its bridge network, but we use that range as our network in the Staging environment, so it is sent over the VPN. If you want to use Docker while on the VPN you have to change the bridge network; a how-to can be found here

  • On Arch-based Linux distributions there was an issue with version 2022.8.936 not enrolling into our team successfully; version 2022.7.472 works.
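The Docker bridge collision described in the known issues above is easy to hit silently, because Docker claims 172.17.0.0/16 before WARP ever connects. The script below is an added example (not part of this page or of Cloudflare's or Docker's tooling): it checks a bridge subnet against the ranges routed over the VPN and prints a daemon.json that moves the bridge out of the way. The routed ranges other than 172.17.0.0/16, and the 10.250.x/10.251.x replacement ranges, are constructed placeholders; pick a range that is not routed over WARP in your environment.

```bash
#!/usr/bin/env bash
# Added example: detect overlap between Docker's bridge subnet and ranges that
# WARP routes into GCP, then print the daemon.json change that avoids it.
# Assumes bash 4+. Routed ranges other than 172.17.0.0/16 are constructed samples.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 (true) when two CIDRs share at least one address, 1 otherwise.
cidr_overlap() {
  local a_ip=${1%/*} a_len=${1#*/} b_ip=${2%/*} b_len=${2#*/}
  local len=$(( a_len < b_len ? a_len : b_len ))   # the shorter prefix decides
  local mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$a_ip") & mask )) -eq $(( $(ip_to_int "$b_ip") & mask )) ]
}

# Print each routed range the bridge collides with; return 0 if any collision.
check_bridge() {
  local bridge=$1 range status=1
  shift
  for range in "$@"; do
    if cidr_overlap "$bridge" "$range"; then
      echo "conflict: docker bridge $bridge overlaps VPN route $range"
      status=0
    fi
  done
  return $status
}

# Suggested /etc/docker/daemon.json. 10.250.0.0/24 (docker0) and 10.251.0.0/16
# (pool for user-defined networks) are placeholders not routed over WARP.
print_daemon_json() {
  cat <<'EOF'
{
  "bip": "10.250.0.1/24",
  "default-address-pools": [ { "base": "10.251.0.0/16", "size": 24 } ]
}
EOF
}

# Constructed sample of routed ranges; Staging is 172.17.0.0/16 as the page states.
VPN_ROUTES="172.17.0.0/16 10.128.0.0/20"
if check_bridge "172.17.0.0/16" $VPN_ROUTES; then
  echo "Write this to /etc/docker/daemon.json and restart the docker service:"
  print_daemon_json
fi
```

Replace the sample VPN_ROUTES with the ranges actually pushed by your WARP profile (warp-cli settings shows the split-tunnel configuration) before relying on the result.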