...
In simple terms: it’s a combination of
You can achieve roughly the same with SSH reverse shells and tunnels. But you won’t because you want someone else to simplify this for you. At scale.
...
Drawio sketch
...
access on the Service Edge (perimeter)
DNS (probably)
tunnel termination (cloudflared uses QUIC or Wireguard)
channels get opened, HTTP ↔ TCP (for SSH or RDP) ↔ trusted request (identified)
HTTP ↔ request (reverse tunneled via the Service Edge, CDN-accelerated)
...
Login policies etc. are applied. This is a useless host. When people hear fuzzing, they associate it with Zero Days. I assure you, if I had many Zero Days, I’d be somewhere in the Bahamas. And I wouldn’t host them this way.
A request comes in:
DNS resolution of fuzzing.osroadwarrior.info to Service Edge
Request gets forwarded to the public hostname of that tunnel service (HTTP)
Request gets translated here (RDP), and routed to the cloudflared daemon
The daemon takes the request and forwards it to our KVM guest (192.168/24)
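The flow above, written out as a cloudflared ingress configuration. This is an added example, not the author's own config. It assumes a locally managed tunnel with a config file (the public hostname can also be set in the Zero Trust dashboard); `<TUNNEL-UUID>`, the guest address `192.168.X.Y` and the local port 13389 are placeholders or constructed values.

```yaml
# Constructed example config for the cloudflared daemon on the KVM host.
# <TUNNEL-UUID> and 192.168.X.Y are placeholders: the page only states 192.168/24.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # The public hostname resolves to the Service Edge. Traffic for it arrives
  # over the outbound tunnel and is handed to the guest as RDP.
  # The guest needs no inbound port open to the internet.
  - hostname: fuzzing.osroadwarrior.info
    service: rdp://192.168.X.Y:3389

  # The last rule must be a catch-all. Answering 404 means a hostname that is
  # not listed above never reaches anything on the private network.
  - service: http_status:404

# Client side, on a laptop that is not on WARP. This opens a local listener
# that carries RDP over HTTPS to the Service Edge, after the Access login
# policy has been satisfied:
#
#   cloudflared access rdp --hostname fuzzing.osroadwarrior.info --url rdp://localhost:13389
#
# The RDP client then connects to localhost:13389.
```

The catch-all rule and the Access policy on the hostname are the two places to review first: the first limits what the tunnel can reach, the second limits who can reach it.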
...
Essentially, this is application-level NATing. Or Zero Trust RDP.
On my local laptop here, I may not be on the WARP+ network. WARP is the WireGuard-based VPN service, which is linked to the Zero Trust / Secure Gateway architecture. Essentially, you can use Cloudflare tools to interconnect various systems. With or without VPN:
...