Cloudflare Access for my Homelab

I decided to use Cloudflare to set up a Secure Web Gateway and establish some Zero Trust access for my homelab services. Cloudflare offers a great service called “Cloudflare Access”. Basically it leverages Cloudflare’s edge network to create secure web routing. Setting up this service is just a matter of running a simple daemon. Once configured, you set up Cloudflare DNS to route traffic. Let’s discuss how I set up Cloudflare Access.

Create an SSH Bastion with Cloudflared

Set up a Raspberry Pi with Raspberry Pi OS or Ubuntu
  1. Install Cloudflared
    • Ubuntu/Debian install
    wget -q https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb
    sudo dpkg -i cloudflared-stable-linux-amd64.deb
    
    • Raspberry Pi
    wget -q https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
    tar -xvzf cloudflared-stable-linux-arm.tgz
    sudo cp ./cloudflared /usr/local/bin
    sudo chmod +x /usr/local/bin/cloudflared
    cloudflared -v
    
  2. Create a tunnel with Cloudflared

    cloudflared tunnel login

    A browser window will open asking for authentication from Cloudflare.

  3. Set up a “Self-hosted App” on Cloudflare Teams.
  4. Configure tunnel on Raspberry Pi (or jump host)
    1. Find tunnel Id

      cloudflared tunnel list

    2. Create/Edit Cloudflared Configurations
      • location: /home/pi/.cloudflared/config.yml
      tunnel: TUNNEL_ID_GOES_HERE
      credentials-file: /home/pi/.cloudflared/TUNNEL_ID.json
      
      ingress:
        - hostname: term.yourdomain.com
          service: ssh://localhost:22
        - service: http_status:404
      
    3. Execute the tunnel

      cloudflared tunnel run TUNNEL_NAME

    4. Route DNS for tunnel

      cloudflared tunnel route dns TUNNEL_ID term.yourdomain.com

  5. Access Raspberry Pi (or jump host)
  6. Connect from a client machine
    • Install Cloudflared
    • Configure SSH Config
    Host term.yourdomain.com
      ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
    
  7. Adding another service
    • Add settings to config.yml file
      • Delete old config file /etc/cloudflared/config.yml
        • Install service again

     

 

Accessing All of my Services

If you followed along, you can see that in the last step we can add multiple ingress rules. For each service you want to route traffic to, simply add it to your configuration. In the example above I set up SSH access to my Raspberry Pi. Cloudflare can even render the SSH session in the browser for you.

rendering an SSH session in the browser

You can set up another machine with SSH to proxy your connection. But adding multiple ingress points allows you to access any and all of your services. Since you are using a Secure Web Gateway, your services are not automatically open on the internet.
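With more than one ingress rule, order matters: cloudflared evaluates the list top to bottom and the final rule must match everything. The sketch below is an added example, not part of the original setup or of cloudflared itself; it models hostname matching only (no path rules) and lints a rule list for ordering mistakes. The `ha.yourdomain.com` hostname and port 8123 are assumed values for a Home Assistant service.

```python
# Constructed ingress list mirroring the `ingress:` section of config.yml above,
# extended with a hypothetical Home Assistant hostname and port.
INGRESS = [
    {"hostname": "term.yourdomain.com", "service": "ssh://localhost:22"},
    {"hostname": "ha.yourdomain.com", "service": "http://localhost:8123"},
    {"service": "http_status:404"},  # catch-all, must stay last
]


def host_matches(pattern, host):
    """Exact match, or a leading '*.' wildcard covering any subdomain."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def route(rules, host):
    """Return the service of the first rule that matches host (top to bottom)."""
    for rule in rules:
        pattern = rule.get("hostname")
        if pattern is None or host_matches(pattern, host):
            return rule["service"]
    return None


def lint(rules):
    """Return a list of ordering problems that would misroute traffic."""
    problems = []
    if not rules or "hostname" in rules[-1]:
        problems.append("last rule must be a catch-all without a hostname")
    for i, rule in enumerate(rules):
        if "hostname" not in rule:
            if i < len(rules) - 1:
                problems.append(f"rule {i}: catch-all hides every rule after it")
            continue
        # A hostname already covered by an earlier rule is never reached.
        for j, earlier in enumerate(rules[:i]):
            if "hostname" in earlier and host_matches(earlier["hostname"], rule["hostname"]):
                problems.append(f"rule {i}: shadowed by rule {j}")
    return problems
```

Running `lint` on a rule list before restarting the tunnel catches the case where a wildcard placed above `term.yourdomain.com` would send SSH traffic to the wrong service.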

I also set up a Zero Trust Policy, which allows for very locked down sites. I set up 2 Factor Authentication for my Web Gateway. In the end I feel happy with the results and recommend anyone try Cloudflare Access.

 

The Beginning

So if you hadn’t heard of the idea of a “homelab”, let me give you the quick rundown of what a “homelab” is. Basically, a homelab is a collection of technologies (hardware and software) that you install, maintain, and configure in your home. Imagine a datacenter in your home; an electronics lab can also be a homelab. At the heart of the homelab movement is the idea of tinkering and learning.

Inspired by the idea of tinkering and learning, I went down the path of building my own homelab. Luckily you don’t need a lot to get started; older hardware can be a great start for beginners. That’s where my trusty old Dell Xeon workstation comes in. I was gifted this Dell Xeon workstation by a former client and I used it as an Ubuntu workstation for many years. It is a great machine and despite its age works like a champ. Unfortunately, it’s loud and does not meet the “Wife Approval Factor”. To keep my wife and to start a new journey for this Dell, I decided to turn it into my Proxmox machine!

The Homelab

Now what is Proxmox?

Proxmox is a Type 1 Hypervisor that you can install on your own hardware. It allows you to run multiple Virtual Machines and Linux Containers (LXC). This is how I’m going to be able to run various technologies in my home. Proxmox is a great hypervisor; it’s user friendly and built on a stable Debian base. I’m quite comfortable on Debian-based distros, so going with Proxmox was a no-brainer.

The Services

In order to stay a bit organized I made a list of services/technologies I wanted to run on my homelab. Below are the services I currently have installed.

  • File server
  • Plex server
  • Syncthing
  • Git server
  • Home Assistant
  • GNS3 VM

I kept it minimal for now but I plan on adding more services in the near future. I also plan on creating blog posts on each individual service I run. But for now that’s my start into homelabbing. Another important feature of homelabbing is the network setup. I will discuss that in a future post as I’m still working on building that out. So keep an eye out for more posts in the near future.