Cloudflare Access for my Homelab

I decided to use Cloudflare to setup a Secure Web Gateway and establish some Zero Trust access for my homelab services. Cloudflare offers a great service called “Cloudflare Access”. Basically it leverages Cloudflare’s edge network to create secure web routing. Setting up this service is just a matter of running a simple daemon. Once configured you setup Cloudflare DNS to route traffic. Let’s discuss how I setup Cloudflare Access.

Create an SSH Bastion with Cloudflared

Setup a Raspberry Pi with Raspberry Pi OS or Ubuntu
  1. Install Cloudflared
    • Ubuntu/Debian install
    wget -q https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb
    dpkg -i cloudflared-stable-linux-amd64.deb
    
    • Raspberry Pi
    wget -q https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
    tar -xyzf cloudflared-stable-linux-arm.tgz
    sudo cp ./cloudflared /usr/local/bin
    sudo chmod +x /usr/local/bin/cloudflared
    cloudflared -v
    
  2. Create a tunnel with Cloudflared

    cloudflared tunnel loginย A browser window will open asking for authentication from Cloudflare.

  3. Setup a “Self-hosted App” on Cloudflare Teams.
  4. Configure tunnel on Raspberry Pi (or jump host)
    1. Find tunnel Id

      cloudflared tunnel list

    2. Create/Edit Cloudflared Configurations
      • location:ย /home/pi/.cloudflared/config.yml
      tunnel: TUNNEL_ID_GOES_HERE
      credentials-file: /home/pi/.cloudflared/TUNNEL_ID.json
      
      ingress:
        - hostname: rterm.eduardorobles.com
          service: ssh://localhost:22
        - service: http_status:404
      
    3. Execute the tunnel

      cloudflared tunnel run TUNNEL_NAME

    4. Route DNS for tunnel

      cloudflared tunnel route dns TUNNEL_ID rterm.eduardorobles.com

  5. Access Raspberry Pi (or jump host)
  6. Connect from a client machine
    • Install Cloudflared
    • Configure SSH Config
    Host rterm.eduardorobles.com
      ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
    
  7. Adding another service
    • Add settings to config.yml file
      • Delete old config fileย /etc/cloudflared/config.yml
        • Install service again

     

 

Accessing All of my Services

If you followed along you can see that in the last step we can add multiple ingress rules. For each service you want to router traffic to simply add it your configurations. In the example above I setup SSH access to my Raspberry Pi. Cloudflare can even render the SSH session in the browser for you.

rendering an SSH session in the browser

You can setup another machine with SSH to proxy your connection. But adding multiple ingress points allows you to access any and all of your services. Since you are using a Secure Web Gateway, your services are not automatically open on the internet.

I also a Zero Trust Policy was setup which allows for very locked down sites. I setup 2 Factor Authentication for my Web Gateway. In the end I feel happy with the results and recommend anyone try Cloudflare Access.

 

Leave a Reply

Your email address will not be published. Required fields are marked *