That’s an ambitious and smart plan! Since ZTNA is more of a methodology enforced by a third-party service than a single server component, the setup is a hybrid of Hetzner Cloud resources and a ZTNA vendor platform.
I will provide a step-by-step guide using Cloudflare Zero Trust (Cloudflare Access/Tunnel), as it’s one of the most popular and straightforward solutions for a lab environment.
Zero Trust Lab Setup (ZTNA Connector on Hetzner Cloud)
This lab setup will hide your server from the public internet entirely, making it accessible only through the Zero Trust platform after a user authenticates.
Phase 1: Hetzner Cloud Setup (The “Protected Resources”)
Step 1: Create the Server and Initial Security
- Create Server: In the Hetzner Cloud Console, create a new server (e.g., Ubuntu LTS) that will host your “protected application” and the ZTNA connector.
- Install Application (Optional): Install a simple application you want to protect, like an internal dashboard or a basic web server (e.g., Nginx on Port 80) to test access later.

```bash
sudo apt update && sudo apt install nginx -y
sudo systemctl enable nginx
sudo systemctl start nginx
```

- Hetzner Firewall Setup:
- Go to Firewalls in the Hetzner console and create a new firewall.
- Crucially, block all incoming traffic except SSH (Port 22/TCP) from your own static IP address (your home/office IP). This immediately hardens the server.
- Do NOT open Port 80 or 443. The ZTNA connector will open a private tunnel, not a public port.
Step 2: Install UFW (OS-Level Firewall)
- Install UFW on the Server:

```bash
sudo apt install ufw -y
```

- Configure UFW for Initial Access:
- Deny all incoming traffic by default.
- Allow only your SSH port (22/TCP).

```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
```

- Enable UFW:

```bash
sudo ufw enable
```

(Confirm the warning to proceed: y)
Your server is now secure and ready to be “connected” to the ZTNA platform.
Phase 2: Cloudflare Zero Trust Setup (The “Policy Engine”)
Step 3: Cloudflare Zero Trust Account Setup
- Create a Cloudflare Account: Sign up for a free Cloudflare account (if you don’t have one).
- Access Zero Trust: Log in and navigate to the Zero Trust dashboard (often under the “Zero Trust” icon on the left-hand side).
- Setup Organization: Follow the prompts to create your Zero Trust organization and choose a team name (e.g., my-hetzner-lab.cloudflareaccess.com).
Step 4: Configure the ZTNA Connector (Cloudflare Tunnel)
The Cloudflare Tunnel (cloudflared) will be the ZTNA connector that runs on your Hetzner server and reaches out to the Cloudflare edge network, allowing access in without opening any public ports.
- Create a Tunnel:
- In the Cloudflare Zero Trust dashboard, go to Access > Tunnels and click Create a Tunnel.
- Give it a name (e.g., Hetzner-Lab-Connector).
- Install the Connector:
- Select the OS and architecture of your Hetzner server (e.g., Debian/Ubuntu 64-bit).
- Cloudflare will provide a specific command to download, install, and run the connector on your server. It will look something like this:

```bash
# Example installation command from Cloudflare
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb
# Example login/run command - THIS IS THE CRITICAL STEP
cloudflared tunnel run --token <YOUR_UNIQUE_TOKEN>
```

- Run the command on your Hetzner Server (SSH session). The command will install the agent and start the tunnel service, which will connect back to Cloudflare.
- Define Routing:
- Back in the Cloudflare dashboard, the tunnel status will turn Healthy.
- Click Next and define the Public Hostnames (the routes):
- Subdomain: lab-nginx.yourdomain.com (use a domain you own and connect to Cloudflare, or just use a dummy one if you only plan on using the WARP client).
- Type: HTTP
- URL: localhost:80 (This points to the Nginx server you set up in Step 1).
- Save the Tunnel.
Phase 3: Enforce Zero Trust Policy (The “Access Control”)
Step 5: Configure an Application Access Policy
- Create an Application:
- In the Cloudflare Zero Trust dashboard, go to Access > Applications.
- Click Add an Application > Self-hosted.
- Application Domain: Enter the Public Hostname you defined in Step 4 (e.g., lab-nginx.yourdomain.com).
- Create the Policy (The ZTNA Core):
- Under the Policy section, click Configure.
- Policy Name: Allow-Lab-Admins
- Action: Allow
- Include: Define who is allowed access. The simplest way is:
- Selector: Emails
- Value: [email protected]
- Save Policy.
Now, when you try to visit lab-nginx.yourdomain.com, Cloudflare will intercept the request and force you to authenticate via email (or whatever IdP you set up) before passing the traffic through the secure tunnel to your hidden Hetzner server.
Note: If you are looking to access the server by its private IP (like an SSH session or RDP), you would use the Cloudflare WARP Client instead of the Public Hostname configuration, and set up a “Split Tunnel” rule to route traffic for your server’s private network range (e.g., 10.0.0.0/8) through the ZTNA fabric.
Which one do I have to select? Cloudflare or WARP?
That’s a great question, and it gets right to the heart of Cloudflare’s ZTNA architecture.
The short answer is: You need to use both, but for different parts of the overall solution.
Here is the breakdown of what each one does for your lab:
1. Cloudflare Tunnel (The Connector on Hetzner)
| Feature | Cloudflare Tunnel |
|---|---|
| What It Is | The cloudflared service you install on your Hetzner Server (the “protected resource”). |
| Purpose in ZTNA | Creates a secure, outbound-only connection from your Hetzner Server to the Cloudflare network. It never opens a public port (like 80 or 22) on your server. |
| What It Protects | The Application itself (your Nginx, SSH, or other service). |
| How You Use It | You install it once, authenticate it with a token, and it runs as a service in the background on your Hetzner VM. |
| Access Type | Clientless Access: Allows users to access a web application directly through a browser after a successful login to a web portal (e.g., lab-nginx.yourdomain.com). |
2. Cloudflare WARP (The Client on Your Laptop/PC)
| Feature | Cloudflare WARP |
|---|---|
| What It Is | The lightweight agent/app you install on your personal device (your laptop, phone, etc.). |
| Purpose in ZTNA | Creates a secure tunnel from your device to the Cloudflare network. It is the “on-ramp” for the user. |
| What It Protects | The User/Device and their entire network connection (if enabled). |
| How You Use It | You log in with your Zero Trust Team Name, and it runs like a secure, identity-aware VPN client. |
| Access Type | Network-Level Access: Allows you to access the Hetzner Server by its private IP address or hostname, which is necessary for things like SSH and RDP. |