mishraJi

Part 0: Cloudflare One Client (Warp Client) Initial Setup

Introduction

If you have been working in IT or security for a while, you have probably heard the term Zero Trust thrown around a lot. But what does it actually mean in practice?

Traditional network security worked on a simple assumption — if you are inside the network, you are trusted. VPNs were the go-to solution. You connect to the VPN, and suddenly you are “on the network” with access to everything. The problem? Once an attacker gets in — through a compromised credential, a phishing attack, or a misconfigured endpoint — they can move laterally across the entire network with very little resistance. Trust was implicit, and that was the fundamental flaw.

Zero Trust Network Access (ZTNA) flips this model on its head. The core principle is simple — never trust, always verify. It does not matter if you are sitting in the office or connecting from a coffee shop. Every access request is evaluated based on identity, device posture, and context before granting access to any resource.

Cloudflare Zero Trust brings all of this together under one roof. In this blog (Part 0 of a 4-part series), I will walk you through setting up the Cloudflare One Client from scratch, wiring it to an OIDC identity provider, and testing that the client connects successfully.


Prerequisites

Before we dive in, let me set some context. Everything in this blog has been tested on a Mac. If you are on Linux, most of it should translate directly. Windows users — you might hit a few rough edges, but the concepts remain the same.

Here is what you should be comfortable with before following along —

  • ZTNA concepts — You do not need to be an expert, but a basic understanding of how Zero Trust Network Access works will help you follow the why behind each step.
  • OpenID Connect (OIDC) — We will be configuring AWS Cognito as the Identity Provider (IdP). In a typical corporate environment this would be something like Okta or Microsoft Entra ID, but for this lab we are using Cognito to mimic that setup. Familiarity with OIDC fundamentals and a bit of AWS will help you follow along.
  • Terraform — A bit of Terraform knowledge goes a long way. We will be provisioning all the resources using it.

Cloudflare Account

Sign up for a Cloudflare Zero Trust free plan at cloudflare.com. One thing worth noting — Cloudflare does ask for a payment method during signup even for the free tier. Your card will not be charged as long as you stay within the free plan limits, but it is a mandatory step to complete the registration.

Cloudflare Dashboard

Once your account is set up, create a Cloudflare API token (Left Pane -> Zero Trust -> Manage Account -> Account API tokens). Terraform will use this token to provision the Cloudflare resources, so it needs the following permissions:

  Scope                                                   Permission
  Access: Apps and Policies                               Edit
  Access: Organizations, Identity Providers and Groups    Edit
  Access: Service Tokens                                  Edit
  Account Filter Lists                                    Edit
  Account Firewall Access Rules                           Edit
  Account Rulesets                                        Edit
  Cloudflare Tunnel                                       Edit
  Zero Trust                                              Edit

Once you have the token, store it as an environment variable. Hardcoding credentials in Terraform files is never a good idea, and the Cloudflare Terraform provider reads CLOUDFLARE_API_TOKEN from the environment automatically. Treat this token like a password: with the permissions above it can create tunnels and rewrite your Access policies. When creating it, limit Account Resources to this one account, give it a TTL so it expires once the lab is done, and add Client IP Address Filtering if you work from a fixed address.

export CLOUDFLARE_API_TOKEN="your_token_here"

AWS Account

For this setup, I am using AWS Cognito as the Identity Provider (IdP) to authenticate users into Cloudflare Zero Trust. To follow along, you will need an AWS account with an IAM user that has the following permissions:

  • SignInLocalDevelopmentAccess — to use the aws login command for temporary credentials
  • AmazonCognitoPowerUser — to create and manage Cognito User Pools and OAuth clients

Instead of generating permanent IAM access keys (a bad practice and a security risk waiting to happen), I am using AWS’s temporary credentials via the aws login command.

I won’t go deep into either setup here — the official AWS docs cover both perfectly:

📖 Creating an IAM user and attaching policies — follow this to create your IAM user and attach the two policies mentioned above.

📖 Simplified developer access to AWS with ‘aws login’ — follow this to configure temporary credentials once your IAM user is ready.

Once your IAM user and temporary credentials are set up, export them into the current shell for Terraform to consume. The env output format already prefixes every line with export, so evaluate it rather than wrapping it in a second export:

eval "$(aws configure export-credentials --profile <your-profile> --format env)"

Before moving ahead, verify that the credentials landed in the environment. Printing only the variable names keeps the secret key and session token off your terminal (and out of any screen recording):

env | grep '^AWS_' | cut -d= -f1

This should list AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN (plus AWS_CREDENTIAL_EXPIRATION when the profile exposes an expiry). The presence of AWS_SESSION_TOKEN is what tells you these are temporary credentials; the access key ID itself will start with ASIA (temporary, STS-issued) rather than AKIA (a long-lived IAM user key). Finally, confirm that they actually work and belong to the user you expect:

aws sts get-caller-identity
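Because everything that follows assumes both sets of credentials are sitting in the shell, here is a small pre-flight script that refuses to let you run terraform apply with a missing token, the placeholder value, the all-powerful Global API Key, or long-lived AKIA keys instead of temporary ones. This is an added example written for this post, not code from its Terraform repository; the 40-character shape of a Cloudflare API token is a heuristic, and the AKIA/ASIA prefixes are AWS's own convention for long-lived versus temporary access keys.

```python
"""Pre-flight check to run before `terraform apply`: refuse to continue unless a
scoped Cloudflare API token and *temporary* AWS credentials are in the shell.
Added example for this post, not code from its Terraform repository."""
import os
import re
import sys

# The placeholder from the export line earlier in this post.
PLACEHOLDER = "your_token_here"


def check_credentials(env):
    """Return a list of problems found in the environment mapping `env`
    (pass os.environ in practice). An empty list means you are good to go."""
    problems = []

    # Cloudflare: a scoped API token, not the placeholder, not the Global API Key.
    token = env.get("CLOUDFLARE_API_TOKEN", "")
    if not token:
        problems.append("CLOUDFLARE_API_TOKEN is not set")
    elif token == PLACEHOLDER:
        problems.append("CLOUDFLARE_API_TOKEN still holds the placeholder value")
    elif not re.fullmatch(r"[A-Za-z0-9_-]{40}", token):
        # Heuristic (assumption): Cloudflare API tokens are 40 URL-safe characters.
        problems.append("CLOUDFLARE_API_TOKEN does not look like an API token")
    if env.get("CLOUDFLARE_API_KEY"):
        problems.append("CLOUDFLARE_API_KEY is set: the Global API Key has full account "
                        "access, unset it and let the provider use the scoped token")

    # AWS: the key pair must be present, and it must be a temporary one.
    for var in ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"):
        if not env.get(var):
            problems.append(f"{var} is not set")
    key = env.get("AWS_ACCESS_KEY_ID", "")
    if key.startswith("AKIA"):
        # AKIA = long-lived IAM user access key; ASIA = temporary (STS) key.
        problems.append("AWS_ACCESS_KEY_ID is a long-lived IAM user key (AKIA...); "
                        "use the temporary credentials from `aws login` instead")
    elif key and not env.get("AWS_SESSION_TOKEN"):
        problems.append("AWS_SESSION_TOKEN is missing, so these are not temporary credentials")
    return problems


def main():
    problems = check_credentials(os.environ)
    for p in problems:
        print("FAIL:", p)
    if problems:
        sys.exit(1)
    print("OK: scoped Cloudflare token and temporary AWS credentials are present")


if __name__ == "__main__":
    main()
```

Run it in the same shell right before terraform init; a non-zero exit means fix the environment first. The check is deliberately offline so it never sends either secret anywhere; the aws sts get-caller-identity call above is the online half of the verification.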


Other Tools

  • HashiCorp Terraform — The project pins a Terraform version constraint, so make sure you download a matching release. I am using version 1.14.6. 📖 Download Terraform

  • Cloudflare One Client — This is what we will use to test the Zero Trust connectivity at the end of this blog. 📖 Download Cloudflare One Client


Setup

Before we jump into commands, let me quickly explain what we are building here.

We are using AWS Cognito as our Identity Provider (IdP) and wiring it into Cloudflare Zero Trust as a generic OIDC (OpenID Connect) provider. When a user tries to connect via the Cloudflare One Client, Cloudflare Access redirects the browser to Cognito's hosted login page. Once Cognito validates the credentials, it redirects the browser back to Cloudflare's callback URL with an authorization code; Cloudflare exchanges that code for an ID token at Cognito's token endpoint, checks the token's signature against Cognito's published keys, and then decides whether to allow access. Clean, standards-based, and the user's password never touches Cloudflare. Here is the high-level flow —

Cloudflare One Client → browser → Cloudflare Zero Trust (Access) → OIDC redirect → AWS Cognito hosted login → authorization code back to Cloudflare → ID token → Authenticated ✅

(Architecture diagram will be updated)
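To make the flow above concrete, the following added example (written for this post; it is not code from the post's Terraform repository) derives the values a generic OIDC identity provider in Cloudflare needs from a Cognito user pool, the callback URL the Cognito app client must allow, and the claim checks any OIDC relying party performs on the ID token it receives. The region, pool ID, hosted-UI domain prefix, team name and client ID are made up, and the sample token is a constructed, unsigned JWT used only so the checks can run offline; a real Cognito token is RS256-signed and must be verified against the JWKS first.

```python
"""How the OIDC wiring between Cloudflare Zero Trust and a Cognito user pool
fits together: the endpoints to enter in Cloudflare's generic OIDC identity
provider, the callback URL Cognito must allow, and the claim checks a relying
party runs on the ID token it gets back. Added example for this post, not code
from its Terraform repository; the region, pool ID, domain prefix, team name
and client ID used below are made up."""
import base64
import json
import time


def cognito_oidc_endpoints(region, user_pool_id, hosted_ui_prefix):
    """Endpoints of a Cognito user pool whose hosted UI uses an Amazon-provided
    domain prefix (https://<prefix>.auth.<region>.amazoncognito.com)."""
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    hosted = f"https://{hosted_ui_prefix}.auth.{region}.amazoncognito.com"
    return {
        "issuer": issuer,                                  # `iss` claim in every token
        "auth_url": f"{hosted}/oauth2/authorize",          # Cloudflare: Auth URL
        "token_url": f"{hosted}/oauth2/token",             # Cloudflare: Token URL
        "certs_url": f"{issuer}/.well-known/jwks.json",    # Cloudflare: Certificate URL
        "scopes": ["openid", "email", "profile"],          # Cloudflare needs openid + email
    }


def cloudflare_callback_url(team_name):
    """Redirect URI Cloudflare Access sends to the IdP. It must appear in the
    Cognito app client's allowed callback URLs or Cognito rejects the login."""
    return f"https://{team_name}.cloudflareaccess.com/cdn-cgi/access/callback"


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_jwt_unverified(token):
    """Split a compact JWT into (header, claims, signature) WITHOUT checking the
    signature. Good for inspecting a token, never for trusting it."""
    header, payload, signature = token.split(".")
    return (json.loads(_b64url_decode(header)),
            json.loads(_b64url_decode(payload)),
            _b64url_decode(signature))


def validate_id_token_claims(claims, issuer, client_id, now=None):
    """Claim checks from OIDC Core 3.1.3.7 plus Cognito's token_use claim.
    Run these only after the RS256 signature has been verified against the
    keys at certs_url; returns a list of problems (empty means the claims pass)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain our client_id")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("token_use") != "id":
        problems.append("not an ID token (token_use)")
    if not claims.get("email"):
        problems.append("no email claim; Cloudflare Access identifies users by email")
    return problems


def build_unsigned_sample_token(claims):
    """Constructed sample only: an alg=none JWT carrying `claims`, so the decode
    and claim checks can run offline. A real Cognito ID token is RS256-signed."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    ep = cognito_oidc_endpoints("us-east-1", "us-east-1_EXAMPLE1", "mishraji-lab")
    print(json.dumps(ep, indent=2))
    print("callback URL to allow in Cognito:", cloudflare_callback_url("example-team"))
    sample = build_unsigned_sample_token({
        "iss": ep["issuer"], "aud": "1example2clientid", "token_use": "id",
        "email": "user1@example.com", "exp": int(time.time()) + 3600,
    })
    _, claims, _ = decode_jwt_unverified(sample)
    print("claim problems:", validate_id_token_claims(claims, ep["issuer"], "1example2clientid"))
```

The three URLs and the scopes are what you type (or let Terraform set) in the Cloudflare identity provider; the callback URL is the one line most often missing from the Cognito app client, and its absence shows up as a redirect_mismatch error on Cognito's login page rather than anything in Cloudflare. The decode helper is for debugging a token you copied out of a browser session, which is why the signature is returned but not checked.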

Cloning the Project

I have put together a Terraform project that automates the entire setup. Clone it and get into the directory —

git clone (repo name to be updated later)
cd <repo-name>

Terraform Init, Plan and Apply

Make sure your Cloudflare API token and temporary AWS credentials are exported in the current shell session (covered in the Prerequisites section). Then run —

terraform init
terraform plan
terraform apply

The apply will take a minute or two. Once it completes, Terraform will provision everything needed on both AWS and Cloudflare.


What Gets Created

On the Cloudflare side —

  • A Cloudflare One Client application — the Zero Trust application that the Cloudflare One Client authenticates against when you enroll a device
  • An Identity Provider — a generic OIDC provider pointing at the Cognito user pool (its authorize, token and JWKS URLs, plus the app client's ID and secret)

Cloudflare One Client App

On the AWS side —

  • A Cognito User Pool with an OAuth 2.0 App Client
  • 3 Cognito users — all pre-created with the same password for testing purposes

AWS Cognito

To get the password for these users, run —

terraform output password

⚠️ Hold onto this — you will need it in the next step. Keep in mind that the password is stored in plaintext in your Terraform state, so protect the state file the way you would any other secret, and do not carry this shared-password pattern beyond a lab.


Testing the Connection

Open the Cloudflare One Client on your machine. Go to Account and enter your Zero Trust team name. You can find this in the Cloudflare Zero Trust dashboard under Settings.

Hit Connect — this will open a browser window and redirect you to AWS Cognito (your configured Identity Provider). Enter one of the pre-created usernames and the password you grabbed from terraform output.

Hit login. Cognito validates the credentials and redirects the browser back to Cloudflare with an authorization code; Cloudflare exchanges the code for an ID token, evaluates its Access policy, and then redirects the browser back to the locally installed Cloudflare One Client. Just like that, your traffic is now flowing through the Cloudflare network.

Cloudflare Zero Trust Connectivity Test

Important Note

You can also connect with the Cloudflare One Client without any of the steps above (an unregistered, consumer-style WARP connection), but then you cannot configure anything like web filtering or TLS inspection, which we are going to look into in another post.

Unregistered Cloudflare One Client


Verifying the Connection

To confirm everything worked, head over to the Cloudflare Zero Trust dashboard → Team & Resources → Users. You should see the user you just authenticated listed there.

If you see them — you are done. ZTNA is up, the IdP is working, and the Cloudflare One Client is connected successfully. ✅

Cloudflare Users Dashboard


Known Issues and Troubleshooting

Edge Browser DNS Interception — CF_DNS_PROXY_FAILURE

If after connecting you see this staring back at you —

Status:       Unable to Connect
Error reason: DNS proxy failure
Error code:   CF_DNS_PROXY_FAILURE
Error description: A third-party process is performing DNS resolution on
this device: Microsoft\x20Edge\x20Hel…. Remove the process's DNS
interception or contact your administrator to update WARP modes.
Learn more:   https://cfl.re/CF_DNS_PROXY_FAILURE

— you are not alone. This one caught me off guard too.

In its default Gateway with WARP mode, the Cloudflare One Client runs a local DNS proxy and needs to be the only thing resolving DNS on your device. When it detects another process intercepting DNS queries, it refuses to connect (the error text points at the alternative: an administrator can switch the device to a WARP mode that does not proxy DNS). In this case, the culprit is Microsoft Edge's helper process running in the background, even when you have already turned off the Secure DNS setting in Edge's browser settings.

Yes, even with Secure DNS disabled, Edge's helper process can still be sitting in the background doing its thing. Annoying, but here is the fix that worked for me —

  1. Go to Edge settings → Privacy, search, and services → scroll down to Security → turn off “Use secure DNS”
  2. Fully quit Microsoft Edge — not just close the window; actually quit the application (Cmd+Q, or Quit from the Dock icon on a Mac)
  3. Restart your machine

A system restart is what finally did it for me. After that, the Cloudflare One Client connected without any issues. Any other local resolver or VPN client that hooks DNS will trip the same error; the process name in the error description tells you which one to stop.