Accessing Your Raspberry Pi Remotely Using Cloudflare

If you're looking to access your Raspberry Pi securely from anywhere in the world, you've come to the right place (I recently solve that problem, so I am writing it down to not forget it in the future). Often, we need remote access to our devices, whether for monitoring a home system, managing a server, or working on various projects. This guide will show you how to securely connect to your Raspberry Pi using Cloudflare.

Unlike traditional methods like port forwarding, which can expose your device to security risks, Cloudflare offers a safer alternative. It provides a secure, encrypted tunnel for remote access, reducing the risk of cyber-attacks and keeping your connection private. While there are other methods like VPN, RDP and VNC, Cloudflare stands out for its ease of setup and enhanced security features. Let's dive into how you can set up Cloudflare for secure, remote access to your Raspberry Pi.

Installing cloudflared to Raspberry Pi

• Make sure everything is up-to-date

sudo apt update
sudo apt upgrade

• Install prerequisite packages

sudo apt install curl lsb-release

• Get the Cloudflare repo's GPG key

curl -L https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-archive-keyring.gpg >/dev/null

• Get the Cloudflare repo

echo "deb [signed-by=/usr/share/keyrings/cloudflare-archive-keyring.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee  /etc/apt/sources.list.d/cloudflared.list

• Update the package list cache

sudo apt update

• Get the Cloudflare repo cache

sudo apt install cloudflared

Setting up a Cloudflare Tunnel on the Raspberry Pi

• Initiate the login

cloudflared tunnel login

• Copy the displayed URL into your browser to authenticate

Please open the following URL and log in with your Cloudflare account:

https://dash.cloudflare.com/-------------

Leave cloudflared running to download the cert automatically.

• Initiate the login URL into your browser to authenticate

You have successfully logged in.
If you wish to copy your credentials to a server, they have been saved to:
/home/{USER}/.cloudflared/cert.pem

• Create a tunnel

cloudflared tunnel create {TUNNEL-NAME}

• You will see the created tunnel ID, copy the shown tunnel ID

Tunnel credentials written to /home/{USER}/.cloudflared/1111111-2222-33333-44444-5555555555555.json. cloudflared chose this file based on where your origin certificate was found. Keep this file secret. To revoke these credentials, delete the tunnel.

Created tunnel {TUNNEL-NAME} with id 1111111-2222-33333-44444-5555555555555

• Route the tunnel to a Cloudflare managed domain name

cloudflared tunnel route dns {TUNNEL-NAME} {DOMAIN-NAME}

• Upon a successful operation, you will see a success message similar to below

Added CNAME {DOMAIN-NAME} which will route to this tunnel tunnelID=1111111-2222-33333-44444-5555555555555

• Create a config file for Cloudflare

sudo nano ~/.cloudflared/config.yml

• Enter the following details into config file and save

tunnel: {TUNNEL-NAME}
credentials-file: /home/{USER}/.cloudflared/{TUNNEL-ID}.json

ingress:
    - hostname: {DOMAIN-NAME}
      service: ssh://localhost:22
    - service: http_status:404

• Install cloudflared as a service

sudo cloudflared --config ~/.cloudflared/config.yml service install

• Enable starting the service on boot

sudo systemctl enable cloudflared

• Check if the service is currently running

sudo systemctl start cloudflared

Create a Cloudflare Zero Trust Application

• Go to Zero Trust > Access > Applications on the Cloudflare dashboard
• Click Add an Application
• Select Self-hosted
• Enter Application Name, Subdomain, Domain and click next
• Enter Policy Name, Selector -> Email, Value -> Email Address and click next
• Enable Enable automatic cloudflared authentication Disabled
• Enable Enable automatic cloudflared authentication -> SSH`

Configure short-lived certificate

• Make sure the {USER} matches the email identity (for example; user=mhrsntrk and email=[email protected] won't work but user=m and email=[email protected] will). You can either create a new user with same email identity or add the following command to Raspberry Pi's /etc/ssh/sshd_config

Match user mhrsntrk
  AuthorizedPrincipalsCommand /bin/echo 'm'
  AuthorizedPrincipalsCommandUser nobody

• Generate a short-lived certificate public key by visiting Zero Trust > Access > Service Auth > SSH on the Cloudflare dashboard and clicking Generate certificate button
• Copy the public key and paste it to below file on Raspberry Pi

sudo nano /etc/ssh/ca.pub

• Open the sshd_config file

sudo nano /etc/ssh/sshd_config

• Make sure PubkeyAuthentication is uncommented and set to yes
• Add the below line and save the file

TrustedUserCAKeys /etc/ssh/ca.pub

• Restart SSH service on Raspberry Pi

sudo systemctl restart ssh

Configure your client

• Print the required configuration and copy the output

cloudflared access ssh-config --hostname {DOMAIN-NAME} --short-lived-cert

• Open ~/.ssh/config file

sudo nano ~/.ssh/config

• Enter the copied configuration into ~/.ssh/config and save

You've successfully set up a secure connection to your Raspberry Pi using Cloudflare. This approach not only keeps your Raspberry Pi accessible from anywhere but does so in a way that's far safer than traditional methods like port forwarding. By choosing Cloudflare, you've added an extra layer of security, keeping your projects and data safe from potential online threats.

As you continue exploring the vast potential of your Raspberry Pi, remember that the way you connect to it plays a crucial role in your overall experience and security. Whether it's for home automation, personal projects, or learning purposes, your Raspberry Pi is now more accessible and secure, thanks to Cloudflare.