Accessing Your Raspberry Pi Remotely Using Cloudflare

mhrsntrk / December 15, 2023

If you're looking to access your Raspberry Pi securely from anywhere in the world, you've come to the right place (I recently solved this problem, so I am writing it down so I don't forget it in the future). We often need remote access to our devices, whether for monitoring a home system, managing a server, or working on various projects. This guide shows how to connect securely to your Raspberry Pi over SSH using a Cloudflare Tunnel.

Unlike traditional methods like port forwarding, which expose a listening port on your home network to the whole internet, Cloudflare offers a safer alternative: cloudflared opens an outbound, encrypted tunnel from the Pi to Cloudflare's edge, so no inbound port has to be opened on your router, which reduces the attack surface and keeps your connection private. While there are other methods like VPN, RDP and VNC, Cloudflare stands out for its ease of setup and the access policies it lets you enforce in front of the device. Let's dive into how you can set up Cloudflare for secure, remote access to your Raspberry Pi.

Installing cloudflared to Raspberry Pi

  • Make sure everything is up to date
sudo apt update
sudo apt upgrade
  • Install prerequisite packages
sudo apt install curl lsb-release
  • Download the Cloudflare repository's GPG signing key into the keyring directory
curl -L https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-archive-keyring.gpg >/dev/null
  • Add the Cloudflare apt repository, pinned to that signing key
echo "deb [signed-by=/usr/share/keyrings/cloudflare-archive-keyring.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflared.list
  • Update the package list cache
sudo apt update
  • Install cloudflared from the repository
sudo apt install cloudflared

Setting up a Cloudflare Tunnel on the Raspberry Pi

  • Initiate the login
cloudflared tunnel login
  • Copy the displayed URL into your browser to authenticate
Please open the following URL and log in with your Cloudflare account:

https://dash.cloudflare.com/-------------

Leave cloudflared running to download the cert automatically.
  • After you authenticate in the browser, cloudflared downloads the origin certificate and prints a confirmation
You have successfully logged in.
If you wish to copy your credentials to a server, they have been saved to:
/home/{USER}/.cloudflared/cert.pem
  • Create a tunnel
cloudflared tunnel create {TUNNEL-NAME}
  • The output shows the new tunnel's ID and the path of its credentials file; note the tunnel ID, you will need it for the config file
Tunnel credentials written to /home/{USER}/.cloudflared/1111111-2222-33333-44444-5555555555555.json. cloudflared chose this file based on where your origin certificate was found. Keep this file secret. To revoke these credentials, delete the tunnel.

Created tunnel {TUNNEL-NAME} with id 1111111-2222-33333-44444-5555555555555
  • Route the tunnel to a Cloudflare managed domain name
cloudflared tunnel route dns {TUNNEL-NAME} {DOMAIN-NAME}
  • Upon a successful operation, you will see a success message similar to below
Added CNAME {DOMAIN-NAME} which will route to this tunnel tunnelID=1111111-2222-33333-44444-5555555555555
  • Create a config file for cloudflared
sudo nano ~/.cloudflared/config.yml
  • Enter the following details into the config file and save (the final catch-all rule returns 404 for any hostname that does not match, and is required by cloudflared)
tunnel: {TUNNEL-NAME}
credentials-file: /home/{USER}/.cloudflared/{TUNNEL-ID}.json

ingress:
    - hostname: {DOMAIN-NAME}
      service: ssh://localhost:22
    - service: http_status:404
  • Install cloudflared as a service
sudo cloudflared --config ~/.cloudflared/config.yml service install
  • Enable starting the service on boot
sudo systemctl enable cloudflared
  • Start the service now (without waiting for a reboot)
sudo systemctl start cloudflared

Create a Cloudflare Zero Trust Application

  • Go to Zero Trust > Access > Applications on the Cloudflare dashboard
  • Click Add an Application
  • Select Self-hosted
  • Enter Application Name, Subdomain and Domain, then click next
  • Enter Policy Name, set Selector to Email and Value to your email address, then click next
  • Leave Enable automatic cloudflared authentication disabled
  • Set the browser rendering option to SSH

Configure short-lived certificate

  • The short-lived certificate carries the part of your email address before the @ as its principal, so the Linux {USER} on the Pi must match it (for example, with an email whose local part is m, user=mhrsntrk won't work but user=m will). You can either create a new user whose name matches your email identity or add the following block to the Raspberry Pi's /etc/ssh/sshd_config, which maps the existing user to the principal in the certificate
Match User mhrsntrk
  AuthorizedPrincipalsCommand /bin/echo 'm'
  AuthorizedPrincipalsCommandUser nobody
  • Generate the short-lived certificate's public key by visiting Zero Trust > Access > Service Auth > SSH on the Cloudflare dashboard and clicking the Generate certificate button
  • Copy the public key and paste it into the following file on the Raspberry Pi
sudo nano /etc/ssh/ca.pub
  • Open the sshd_config file
sudo nano /etc/ssh/sshd_config
  • Make sure PubkeyAuthentication is uncommented and set to yes
  • Add the below line and save the file
TrustedUserCAKeys /etc/ssh/ca.pub
  • Restart SSH service on Raspberry Pi
sudo systemctl restart ssh
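As an added example (not from the original post), the following POSIX shell helpers cover the two points above that are easy to get wrong: deriving the certificate principal from the email address and rendering the matching sshd_config block, and checking that an sshd_config has both required directives uncommented before you restart ssh. The sample config content, the example user mhrsntrk and the address m@example.com are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post or of cloudflared itself.
# The sample values below (mhrsntrk, m@example.com) are constructed.

# Principal embedded in the Cloudflare short-lived certificate:
# the part of the email address before '@'.
principal_for_email() {
    printf '%s\n' "$1" | cut -d@ -f1
}

# Print the sshd_config stanza that maps a Linux user ($1) to the
# certificate principal derived from the email ($2). Prints nothing when
# the user name already equals the principal, because no mapping is needed.
match_block() {
    user=$1
    principal=$(principal_for_email "$2")
    [ "$user" = "$principal" ] && return 0
    printf 'Match User %s\n' "$user"
    printf "  AuthorizedPrincipalsCommand /bin/echo '%s'\n" "$principal"
    printf '  AuthorizedPrincipalsCommandUser nobody\n'
}

# Return 0 when the sshd_config in $1 contains an uncommented
# "PubkeyAuthentication yes" and a "TrustedUserCAKeys" line pointing at
# the CA file in $2 (default /etc/ssh/ca.pub), otherwise return 1.
check_sshd_config() {
    cfg=$1
    ca=${2:-/etc/ssh/ca.pub}
    grep -Eq '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes' "$cfg" || return 1
    grep -Eq "^[[:space:]]*TrustedUserCAKeys[[:space:]]+$ca" "$cfg" || return 1
}

# Demo on a constructed sshd_config fragment written to a temp file.
demo() {
    tmp=$(mktemp)
    printf 'PubkeyAuthentication yes\nTrustedUserCAKeys /etc/ssh/ca.pub\n' > "$tmp"
    check_sshd_config "$tmp" && echo "sshd_config has both directives"
    rm -f "$tmp"
    match_block mhrsntrk 'm@example.com'
}

demo
```

Run `sudo sshd -t` after editing the real file as well; it catches syntax errors that these grep checks do not.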

Configure your client

  • Print the required client configuration and copy the output
cloudflared access ssh-config --hostname {DOMAIN-NAME} --short-lived-cert
  • Open the ~/.ssh/config file on your client machine (no sudo needed; it is your own file)
nano ~/.ssh/config
  • Paste the copied configuration into ~/.ssh/config and save

You've successfully set up a secure connection to your Raspberry Pi using Cloudflare. This approach keeps your Raspberry Pi accessible from anywhere without opening any inbound port, which is far safer than traditional methods like port forwarding. By putting a Cloudflare Access policy and short-lived SSH certificates in front of the device, you've added an extra layer of security, keeping your projects and data safe from potential online threats.

As you continue exploring the vast potential of your Raspberry Pi, remember that the way you connect to it plays a crucial role in your overall experience and security. Whether it's for home automation, personal projects, or learning purposes, your Raspberry Pi is now more accessible and secure, thanks to Cloudflare.