Cloudflare Access for my Homelab

I decided to use Cloudflare to set up a Secure Web Gateway and establish Zero Trust access for my homelab services. Cloudflare offers a great service called “Cloudflare Access”. Basically it leverages Cloudflare’s edge network to create secure web routing. Setting up this service is just a matter of running a simple daemon. Once it is configured, you set up Cloudflare DNS to route traffic to it. Let’s discuss how I set up Cloudflare Access.

Create an SSH Bastion with Cloudflared

Set up a Raspberry Pi with Raspberry Pi OS or Ubuntu
  1. Install Cloudflared
    • Ubuntu/Debian install
    wget -q https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb
    dpkg -i cloudflared-stable-linux-amd64.deb
    
    • Raspberry Pi
    wget -q https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
    tar -xzf cloudflared-stable-linux-arm.tgz
    sudo cp ./cloudflared /usr/local/bin
    sudo chmod +x /usr/local/bin/cloudflared
    cloudflared -v
    
  2. Create a tunnel with Cloudflared

    cloudflared tunnel login

    A browser window will open asking for authentication from Cloudflare.

  3. Set up a “Self-hosted App” on Cloudflare Teams.
  4. Configure tunnel on Raspberry Pi (or jump host)
    1. Find tunnel Id

      cloudflared tunnel list

    2. Create/Edit Cloudflared Configurations
      • location: /home/pi/.cloudflared/config.yml
      tunnel: TUNNEL_ID_GOES_HERE
      credentials-file: /home/pi/.cloudflared/TUNNEL_ID.json
      
      ingress:
        - hostname: term.yourdomain.com
          service: ssh://localhost:22
        - service: http_status:404
      
    3. Execute the tunnel

      cloudflared tunnel run TUNNEL_NAME

    4. Route DNS for tunnel

      cloudflared tunnel route dns TUNNEL_ID term.yourdomain.com

  5. Access Raspberry Pi (or jump host)
  6. Connect from a client machine
    • Install Cloudflared
    • Configure SSH Config
    Host term.yourdomain.com
      ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
    
  7. Adding another service
    • Add settings to config.yml file
    • Delete old config file /etc/cloudflared/config.yml
    • Install service again
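
A small validator for the ingress list in config.yml, added here as an example (it is not code from this post or from cloudflared): it mirrors the rules cloudflared enforces when it loads the file and also flags a hostname that an earlier rule already matched, which is the easy mistake to make when adding another service in step 7. The list below is constructed sample data in the form Python would load it from the YAML.

```python
from urllib.parse import urlparse

# Constructed sample: the post's ingress rules as Python data (what yaml.safe_load
# would return for config.yml), plus a second service and a rule that repeats an
# earlier hostname and can therefore never match.
SAMPLE_INGRESS = [
    {"hostname": "term.yourdomain.com", "service": "ssh://localhost:22"},
    {"hostname": "files.yourdomain.com", "service": "http://localhost:8080"},
    {"hostname": "term.yourdomain.com", "service": "http://localhost:9000"},
    {"service": "http_status:404"},
]
# Origin types this example accepts (those used in the post plus a few others).
KNOWN_SCHEMES = {"http", "https", "ssh", "rdp", "tcp", "unix"}


def validate_ingress(ingress):
    """Return a list of problems with an ingress list (empty list = OK).

    Mirrors what cloudflared checks when loading the file (last rule is a
    catch-all without hostname/path, every other rule has one, services are
    well formed) and also reports a hostname already handled by an earlier
    rule: cloudflared uses the first match, so the later rule is dead.
    """
    problems = []
    if not ingress:
        return ["ingress list is empty; the tunnel would route nothing"]
    seen_hosts = set()
    for i, rule in enumerate(ingress):
        last = i == len(ingress) - 1
        service = rule.get("service")
        if not service:
            problems.append(f"rule {i}: missing 'service'")
            continue
        has_match = "hostname" in rule or "path" in rule
        if last and has_match:
            problems.append(f"rule {i}: last rule must be a catch-all (no hostname/path)")
        elif not last and not has_match:
            problems.append(f"rule {i}: only the last rule may omit hostname/path")
        host = rule.get("hostname")
        if host and "path" not in rule:  # plain hostname match with no path filter
            if host in seen_hosts:
                problems.append(f"rule {i}: {host!r} already matched by an earlier rule (dead)")
            seen_hosts.add(host)
        if service.startswith("http_status:"):
            code = service.split(":", 1)[1]
            if not (code.isdigit() and 100 <= int(code) <= 599):
                problems.append(f"rule {i}: invalid http_status code {code!r}")
        elif urlparse(service).scheme not in KNOWN_SCHEMES:
            problems.append(f"rule {i}: unrecognised service {service!r}")
    return problems
```

Run `validate_ingress` on the loaded `ingress` list before `cloudflared tunnel run`; cloudflared itself only reports the structural errors, not the dead rule.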
Accessing All of my Services

If you followed along you can see that in the last step we can add multiple ingress rules. For each service you want to route traffic to, simply add it to your configuration. In the example above I set up SSH access to my Raspberry Pi. Cloudflare can even render the SSH session in the browser for you.

rendering an SSH session in the browser

You can set up another machine with SSH to proxy your connection. But adding multiple ingress points allows you to access any and all of your services. Since you are using a Secure Web Gateway, your services are not automatically open on the internet.

I also set up a Zero Trust policy, which allows for very locked-down sites. I set up two-factor authentication for my Web Gateway. In the end I feel happy with the results and recommend that anyone try Cloudflare Access.


The Beginning

So if you hadn’t heard of the idea of a “homelab”, let me give you the quick rundown of what a “homelab” is. Basically, a homelab is a collection of technologies (hardware and software) that you install, maintain, and configure in your home. Imagine a datacenter in your home; an electronics lab can also be a homelab. At the heart of the homelab movement is the idea of tinkering and learning.

Inspired by the idea of tinkering and learning, I went down the path of building my own homelab. Luckily you don’t need a lot to get started; older hardware can be a great start for beginners. That’s where my trusty old Dell Xeon workstation comes in. I was gifted this Dell Xeon workstation by a former client and I used it as an Ubuntu workstation for many years. It is a great machine and despite its age works like a champ. Unfortunately, it’s loud and does not meet the “Wife Approval Factor”. To keep my wife and to start a new journey for this Dell, I decided to turn it into my Proxmox machine!

The Homelab

Now what is Proxmox?

Proxmox is a Type 1 hypervisor that you can install on your own hardware. It allows you to run multiple Virtual Machines and Linux Containers (LXC). This is how I’m going to be able to run various technologies in my home. Proxmox is a great hypervisor: it’s user friendly and built on a stable Debian base. I’m quite comfortable on Debian-based distros, so going with Proxmox was a no-brainer.

The Services

In order to stay a bit organized I made a list of services/technologies I wanted to run on my homelab. Below are the services I currently have installed.

  • File server
  • Plex server
  • Syncthing
  • Git server
  • Home Assistant
  • GNS3 VM

I kept it minimal for now but I plan on adding more services in the near future. I also plan on creating blog posts on each individual service I run. But for now that’s my start into homelabbing. Another important feature of homelabbing is the network setup. I will discuss that in a future post as I’m still working on building that out. So keep an eye out for more posts in the near future.


Hi there!

Follow along with me in this video as I install Fog Server. To learn more about Fog Project check out their website https://fogproject.org/. The installation is done with a simple script that you download from the project website.

For this example I used CentOS, which you can get at the website here https://centos.org. You can use a Debian-based OS as well, but I chose CentOS.

Some things to keep in mind:

1. Never run as root. Create a user and elevate privileges.
2. Be sure to have a password ready, during the installation you will be prompted to create a MySQL account for the database.
3. The Fog Project login page is located at http://localhost.lan/fog/management
4. The installation can take a while so be patient.

Recently I wanted to access a Virtual Machine I had created on my desktop from my laptop. I had access to the desktop via SSH, but I wanted access to the virtual machine. To make things more interesting, I wanted to access the VM (virtual machine) via a graphical interface.

So I figured out that I could use SSH to “port forward” the VNC connection from the desktop to my laptop. It’s actually very easy and only requires a few basic SSH commands. All you have to know beforehand is the IP address and port of the application and what port you want to connect to locally.

Definitions:

pc-1: Is the computer you are connecting from, in this case the laptop.

pc-2: Is the computer you are connecting to, in this case the desktop with the VM.

I use KVM to run the VM, so to get the VNC port of the running VM do the following.

sudo virsh dumpxml NameOfVM | grep vnc

You should see an output like this one.

<graphics type='vnc' port='5901' autoport='yes' listen='127.0.0.1'>

This tells you that KVM is running VNC on port 5901 on address 127.0.0.1 (localhost) for this virtual machine. Now it’s time to connect to the virtual machine from pc-1.

On pc-1 run the following command to create an SSH tunnel that port-forwards the VNC connection.

ssh [email protected] -L 5901:127.0.0.1:5901

What is this command doing?

  1. ssh [email protected] establishes the SSH connection to pc-2 with the user “user”. In your case, the user and IP address might be different, e.g. [email protected].
  2. -L 5901:127.0.0.1:5901 tells SSH to create a tunnel using local port 5901 and bind it to the remote machine’s address 127.0.0.1 on port 5901. The address on the remote machine might be different; that’s why we ran the virsh command to find it.
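
The two steps above (read the VNC endpoint out of `virsh dumpxml`, then build the `ssh -L` command) as a script, added here as an example and not code from the original post. It uses a real XML parser instead of grep, so it also handles the newer libvirt form where the address sits on a child `<listen>` element, returns nothing for a shut-off VM (libvirt reports port -1 when autoport is set), and points out a VNC server that listens on all interfaces, which is reachable from the LAN without any tunnel. The XML below is a constructed, trimmed dump and 192.0.2.10 is a placeholder host.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `virsh dumpxml NameOfVM` output, cut down to the part
# that matters here; the real dump is much longer.
SAMPLE_DUMPXML = """<domain type='kvm'>
  <name>NameOfVM</name>
  <devices>
    <graphics type='vnc' port='5901' autoport='yes' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
  </devices>
</domain>"""


def vnc_endpoint(dumpxml):
    """Return (listen_address, port) for the VM's VNC console, or None.

    None means there is no VNC graphics device or the VM is shut off: with
    autoport libvirt only assigns a port while the VM runs and reports -1 otherwise.
    """
    graphics = ET.fromstring(dumpxml).find("./devices/graphics[@type='vnc']")
    if graphics is None:
        return None
    port = int(graphics.get("port", "-1"))
    if port < 0:
        return None
    address = graphics.get("listen")
    if address is None:  # newer XML keeps the address on a child <listen> element
        child = graphics.find("./listen[@type='address']")
        address = child.get("address") if child is not None else "127.0.0.1"
    return address, port


def ssh_forward_command(user, host, dumpxml, local_port=None):
    """Build the `ssh user@host -L local:addr:port` command from the post.

    Returns (command, warnings); a warning is added when the VNC server listens
    on every interface, since it is then already reachable without SSH.
    """
    endpoint = vnc_endpoint(dumpxml)
    if endpoint is None:
        raise ValueError("VM has no running VNC console; start it and dump again")
    address, port = endpoint
    local_port = local_port or port
    warnings = []
    target = address
    if address in ("0.0.0.0", "::"):  # wildcard listen: tunnel to loopback instead
        target = "127.0.0.1"
        warnings.append(f"VNC listens on {address}: reachable from the LAN without SSH")
    return f"ssh {user}@{host} -L {local_port}:{target}:{port}", warnings
```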

Now that the SSH tunnel is established connect to the VM via VNC. You can use any remote viewer software like Remmina, TightVNC, or even Remote Viewer (part of Virtual Machine Viewer). Simply connect with the following parameters.

vnc://localhost:5901

And the VNC connection should open up and start working. You can do everything you could locally via a remote VNC connection. Once you are done simply close the VNC connection and exit the SSH session.

In this tutorial I showed how to do this in KVM, but VirtualBox and VMware have their own methods of doing this. Simply search for “headless” virtual machine for each to find out how to accomplish the same procedure.

Congrats, you are now running a headless VM with a secure connection. SSH is a cool tool that can do a lot, and if you combine it with other tools you can accomplish even more.


New Year, New Setup

Ubuntu 19.10 Desktop

I began the new year by buying a new 500GB SSD. My laptop had 2 drives: a 32GB SSD was my /root drive and a 120GB SSD was my /home partition. This served me just fine, but obviously I would run out of space quickly if I was working with virtual machines. With a new drive I had to decide whether to start from scratch or use backups. I decided to start from scratch, mainly because I wanted a clean and fast experience.

Operating System

Though I have used Pop!_OS in the past, this time around I decided to install Ubuntu 19.10. I have Ubuntu 19.10 installed on my desktop and I really enjoyed its speed and performance. Plus it helps to know that both my laptop and desktop are running the same OS and version. Other distros I considered were Fedora and Manjaro.

Theme

I recently came across the Dracula theme for Emacs and I decided I needed this theme everywhere. Luckily you can go to https://draculatheme.com/ and see all the theme options for a lot of apps.

Apps

This is a list of my go-to apps.

  1. Emacs
  2. Spotify
  3. Evolution (Email client)
  4. Audacity
  5. Tizonia (Spotify terminal client)
  6. VLC
  7. Keybase

Other apps I install depending on the use case:

  • VPN
  • Audacity
  • Open Broadcaster
  • GNOME Tweaks
  • Syncthing
  • Chromium

Configurations

Ok, so let’s talk about how I set up my laptop the quickest way possible.

Sign into my Google account in GNOME online accounts.

This is to have Evolution setup as soon as it’s installed and launched.

Run my setup scripts

I came across this great post by software dev Victoria Drake. She wrote a great bash script that she uses to set up her Ubuntu laptop (or even a VM). So I cloned it and modified it for my use. Here are some key takeaways.

# Snap packages
sudo snap install spotify
sudo snap install chromium
sudo snap install tizonia

# GNOME ('install' is the script's own helper that wraps apt; not shown here)
install gnome-tweaks

# File Backup
install deja-dup
install git
install curl

# add more apps as needed

This is the script that is called to install my apps. This is only an example; in the real world I edited the script to add or remove the apps that I wanted installed or removed. Another part of my setup scripts is the desktop.sh script.

# Set GNOME Settings
gsettings set org.gnome.desktop.wm.preferences titlebar-font 'IBM Plex Sans Bold 11'
gsettings set org.gnome.desktop.interface monospace-font-name 'IBM Plex Mono 13'
gsettings set org.gnome.desktop.interface document-font-name 'IBM Plex Sans Medium 11'
gsettings set org.gnome.desktop.interface font-name 'IBM Plex Sans 11'

Ubuntu 19.10 Terminal Dracula Theme

I use this script to set up my fonts. It downloads the IBM Plex font and installs it on my system. I love this font and thus I use it everywhere. My setup scripts do other things depending on what I want to do, like set up some PPAs or change other GNOME settings.

One thing that I found after I set up my laptop was this great script to change the terminal theme. It’s called Gogh and you can find it here https://github.com/Mayccoll/Gogh.

GPG, Git, and Emacs setup

I do the basic GPG configuration, like downloading my GPG keys and setting up my SSH keys. I also set up Git by adding SSH login, user name and email. Then I set up Emacs by downloading my configuration from my private repo. I set Emacs to run in daemon mode because it’s faster than lightning this way :smile:. To run Emacs in daemon mode I simply run systemctl --user enable emacs.service and systemctl --user start emacs.service.

Emacs 26.3

And that’s it

The setup scripts do most of the grunt work. So I simply run them and a few minutes later all my apps are installed and my laptop is set up. After I do some post-installation tweaks I’m ready to get to work in about 15 minutes. So I hope you all found this post insightful and useful. Some things that I didn’t discuss here but did do were: I encrypted my drive on initial installation and I downloaded updates while I installed Ubuntu.


Ubuntu Desktop

I recently decided to move my Ubuntu installation from my laptop to my desktop without having to reinstall. So basically all I wanted to do was move the SSD (which had Ubuntu 19.10 installed) from my laptop to my desktop. This process is not hard at all, but in my case it was a little more complicated. I wanted to dual boot on my desktop computer with 2 different hard drives. One spinning-disk hard drive would have a Windows 10 installation while the SSD from my laptop would have Ubuntu 19.10. Again, I did not want to do any reinstall of Windows 10 or Ubuntu. So how can you accomplish this? Simple: with the command update-grub.


First I removed the SSD from the laptop and installed it in my desktop. I ensured that it was on the first SATA port so it would be the first hard drive the system recognizes. Once installed, I booted up the computer and Ubuntu booted correctly. Ok, so now I knew Ubuntu worked fine on the desktop.

Next, I had to update grub inside of Ubuntu in order to add the Windows 10 disk to my boot order. Grub is actually pretty good at adding additional operating systems to the boot order. So I turned off the computer and ensured that my drives were in the correct SATA ports. After this step I ran into a small problem: Grub was not updating inside my Ubuntu installation. So I decided to boot into a Linux LiveUSB to help troubleshoot the errors.

Inside the LiveUSB Linux environment I used a chroot environment to reach my Ubuntu 19.10 installation. To do so, simply follow these steps (replace sdaX with the partition that holds your Ubuntu root filesystem).

sudo mount /dev/sdaX /mnt
for i in /dev/ /dev/pts /proc /sys /run; do sudo mount -B $i /mnt$i; done
sudo chroot /mnt

Once in the chroot environment I ran update-grub and I still got an error. So I decided it would be best to simply reinstall grub. To do so, simply run apt install --reinstall grub-pc (if you’re on an EFI system, use grub-efi-amd64 instead). This command worked and prompted me to choose where I wanted to install grub. I chose the main disk since this is where I wanted to have grub installed. Once that process was done, I rebooted the system and was greeted with a working grub boot screen with both operating systems showing up correctly.

Tip: If you want to customize your Grub boot screen you can do so with the app Grub Customizer. Simply install it with sudo apt install grub-customizer. This allows you to add a background to the Grub boot screen, change the boot order, and much more.
