Secure Your Home Lab in 10 Mins with Cloudflare & Zimaboard


Today, I'm going to show you a simple yet complete home lab setup, remotely accessible yet locked down with strong authentication from Cloudflare. The idea here is to demonstrate that it's really easy to use some simple tools to create a nice home lab environment that you can use as a learning platform for all kinds of different projects and technologies. We're going to use a combination of the Zimaboard platform with Cloudflare Tunnels, and you'll see just how easy it is to get this up and running.

We're going to use OpenSpeedTest as an example, so that by the time we're done here, you're going to be able to remotely run a speed test to the Zimaboard from anywhere in the world. And as an added bonus, we'll be doing all of this through T-Mobile Home Internet, which utilizes CGNAT, meaning that you can't simply open up firewall ports through this internet connection. All right. Sound like a fun project? Let's get started. Like most tech folks, I love my coffee. Recently, a good buddy of mine who had retired from the armed forces started up his own premium coffee roasting business, and he offered to send me some.

And I said, oh, yeah, that's great, man. You know, I love coffee, right? Little did I know, though, that this is some of the absolute best coffee that I've ever tasted. I absolutely love it. We've got a full lineup of single origin coffee from various countries around the world, as well as some blends that are just amazing.

My favorites are the Bali Blue medium roast, as well as the whiskey barrel aged blend. I mean, so good. The company is called Wake and Brew Premium Coffee. So if you enjoy premium coffee, do yourself a favor and check them out. You'll be helping out a personal buddy of mine as well as a veteran owned business. And beyond that, you're going to get some amazing coffee.

Link is down in the description. And now back to the video. Cloudflare Tunnels is a great way to get secure remote access to services inside your network. And it's so easy to set up, especially when paired with something like the Zimaboard, which has a one-click install for Cloudflare. The Zimaboard itself is a great home lab platform. It's super easy to get up and running with various projects and services. And these two things just marry together very, very well. Future Chris popping in here to add a little bit of context.

First and foremost, I was not compensated by either Cloudflare or Zimaboard for this video. I just think it's a really easy way to demonstrate this type of technology. And it's one of the small add-on modules that I taught during Crosstalk's Fundamentals of Networking training course in Seattle last week. Now, if you missed that training, be sure to check out events.crosstalksolutions.com for more training events coming soon. And while I'm demonstrating how this works with the Zimaboard and Cloudflare, this same type of tunneling technology that can expose services in your network isn't limited to just those devices. On the client side, the Zimaboard is great, but the Cloudflare connector can be installed on Windows, on Mac, in a Docker container, or on a Raspberry Pi.

There are many, many ways to accomplish the same thing. I'm using the Zimaboard, though, because it's dead simple, as you'll see in just a moment. On the Cloudflare side, there are also numerous companies offering similar types of connectivity, such as Tailscale and ZeroTier.

Now, I haven't personally tried out either of those options, and I know Cloudflare really well, so that's why I'm using it here. But if you have alternatives that work well for you, pop those down in the comments below. I'm sure other people would love to hear about your experiences. So let's start by taking a look at the overall infrastructure that we're dealing with here.

All right, so everything's going to center around this Zimaboard. And on the Zimaboard, there's an app store. In that app store, we're going to install the Cloudflare connector. It's called cloudflared, and we're also going to install their one-click OpenSpeedTest installation. This Zimaboard is hardwired directly into the back of this T-Mobile Home Internet gateway. Now, this T-Mobile Home Internet gateway sits behind CGNAT, meaning that there's no firewall that I can poke holes through if I wanted to open up services into the Zimaboard.

So instead, the Cloudflare connector connects out to Cloudflare and maintains that outbound connection securely, like a VPN. Then, utilizing DNS, if I'm opening up, you know, openspeedtest.whateverdomain.com, that's going to go to Cloudflare. And Cloudflare knows, hey, send that request down this tunnel, and then it will go over to the service that is hosting OpenSpeedTest. Now, this can all be done locally on the Zimaboard, but we can also open up other services in our network.

So for example, if I wanted to open up the configuration interface for this T-Mobile Home Internet router, I could create a different DNS name through Cloudflare and route outside packets into the T-Mobile interface. And then of course, we're also going to secure that down so that not just anyone can have access to our internal stuff. Okay, so the full overview of what we're going to do here: we are going to set up the Zimaboard first. We're going to install OpenSpeedTest on the Zimaboard. We're going to do a Cloudflare tunnel setup. We're going to install cloudflared, which is the service that connects out to Cloudflare, on the Zimaboard. Then we're going to open up access to those applications I talked about, and then finally, we're going to secure everything down.

Now, this Zimaboard, I don't want this to be a Zimaboard commercial, because again, they're not compensating me for this, but this is a cool little platform, right? So this is 199 bucks. This is the Zimaboard 832. It's got an Intel Celeron CPU, 8 gigs of RAM, 32 gigs of onboard storage. I also actually have an attached hard drive on here because it has two SATA ports, two gigabit Ethernet ports, two USB 3 ports, and then one really odd Mini DisplayPort to HDMI port, which I'm using actually right here plugged into this sort of temporary monitor. So the first thing we want to do is plug in the Zimaboard. It's going to connect into the network, and then we can get to that Zimaboard by browsing to casaos.local in our browser. Now, if for some reason that name casaos.local does not work for you, then there are a couple other ways that you can actually find the IP address of the Zimaboard.

First of all, you can look in your DHCP leases. Like, if you go into your firewall, your DHCP server should say, hey, here are all the devices I've handed out IP addresses to, and the Zimaboard should be in there somewhere. The other way you can do it is actually by hooking up a monitor and keyboard and mouse to the Zimaboard, and then you can go up to the network settings, and it'll show you the IP address there. Okay, so here is the CasaOS dashboard. Now, when you first boot it up, there's an initial setup. I've already gone through it here, but it's super simple. You just put in a username and then a strong password, and you're brought to this dashboard. Once you're at this dashboard, the first thing that you want to do is come up here to settings and choose update. Now, when you initially set it up, there probably will be an update waiting for you. I've already gone through that process and updated this one, so I don't have any updates actually showing.

So, the first thing we're going to do is get OpenSpeedTest installed. So, we're going to go to the App Store and take a look at all of these different applications in here. AdGuard Home, they've got Pi-hole, they've got Home Assistant, they've got Plex, you know, all of these sort of one-click installs for very common kind of home lab type stuff that you can do on the Zimaboard.

The one I want is OpenSpeedTest, so we're going to say install, and then it's going to go ahead and install it. Again, one-click install, I just clicked it. Once this is done, we'll be able to browse directly to OpenSpeedTest, which runs on port 3004 on the Zimaboard. There we go, now it's done. Let's try to open that up. So, I can just go to casaos.local:3004, and there we have OpenSpeedTest. If I hit start, it's going to run a speed test between my laptop and the Zimaboard.

So, part one done. Now, we need to go to Cloudflare, and we need to actually set up the Cloudflare side to get it ready for a connector to connect out to Cloudflare. So, I'm at the Cloudflare dashboard, and I can see all of my available domains that Cloudflare has access to. Now, in terms of domains, you can purchase a domain directly from Cloudflare, and then it'll just automatically show up in this interface, or you can add a domain if you have it registered with a different registrar. So, if I had crosstalksolutions.com registered with Namecheap or some other registrar,

I can add it to Cloudflare, and then Cloudflare will give me a set of name servers that I then need to go over to Namecheap and, for that domain, say, hey, use these name servers, right? And then once you've done that, you've got full control over the DNS for that particular domain from within the Cloudflare interface, and that's what you want to get to. In my case, though, I've just bought a couple of domains. For this video, we're going to be using the domain zimaboard.org.

So, we want to create a Cloudflare tunnel. So, I'm going to go over here to the Zero Trust interface. This is where you do all that sort of networking configuration. And then under Networks, we have Tunnels. And right now, I just have a single tunnel for my own personal Home Assistant server.

We're going to add a new tunnel, so I'm going to say Create a Tunnel. For the connector, we're going to use cloudflared. We're going to say Next.

Name your tunnel. I'm going to call this Zimaboard, and save that tunnel. Okay, so now we have the information that we need for our Cloudflare connector, and that is going to be this stuff down here. Now, right now, it's on Windows. We're going to switch it over to Red Hat, and then you see this command here, sudo cloudflared, and then it's going to have an authentication token that comes along with that string. So, we're just going to copy that whole string, and then we're going to say Next, and we're going to route a domain, a root domain, to this tunnel.

So, we're going to say zimaboard.org. We're going to say HTTP, and the URL is going to be the IP address of the Zimaboard. So, I'm basically going to say any requests to zimaboard.org are going to come through that Cloudflare tunnel, and actually go to the CasaOS dashboard of the Zimaboard.

All right, so if I ping casaos.local, I can see the IP address is 192.168.12.233. So, we're going to say type is HTTP, and the IP is 192.168.12.233, and we're going to save that tunnel. Okay, so that tunnel's saved, but notice that right now it says inactive, and it's inactive because we haven't connected out to it yet with a cloudflared connector, right? So, that can be running on the Zimaboard. That can be in a Docker container.

The one that I have personally is on my Synology NAS. I think it's in a Docker container. You can use a Raspberry Pi for this, right? There are all sorts of different ways to create that cloudflared connection out to Cloudflare.

You can even do it with Windows or Mac. So, back in the Zimaboard, I'm going to click on the App Store. We're going to find Cloudflare. There it is right there, cloudflared, and we're going to say install.

Once again, one-click install, and then once this has installed, all we have to do is paste that line in, and it's going to extract the authentication token that we need and just connect straight out to Cloudflare. Okay, installation complete. That took about a minute or so, and here we now have cloudflared on the dashboard of CasaOS. So, we're going to open that up, and it says, enter your Cloudflare connector token.

So, we're just going to click in here, and we're going to paste in that sudo command that we copied from the Cloudflare interface, and we're going to say save. Now, just to make sure that this is running successfully, we're going to say stop, and then we're going to start it again, just to make sure we're pushing that connection out to Cloudflare. And now if I go back to Cloudflare and refresh, we can see that my Zimaboard tunnel status is healthy. That's exactly what we want to see.

So, now I can click on the Zimaboard tunnel, click configure, and then if I come over here to public hostname, we can see the root domain. If I browse, over HTTPS in this case, to zimaboard.org, there we go, it pops up the CasaOS login because that's the main interface of the Zimaboard. Let's now add in OpenSpeedTest. So, back in Cloudflare, I've clicked on the tunnel. I've clicked on the public hostname tab.

I'm going to say add a public hostname. We're going to call this openspeedtest. And then I'm going to select my domain, zimaboard.org, and that's going to go over to HTTP 192.168.12.233:3004, because OpenSpeedTest is running on the IP address of the Zimaboard on port 3004. We're going to say save hostname, and there we go. Now, if I click on openspeedtest.zimaboard.org and then click to open that URL, we are directed to OpenSpeedTest. And this is going to work from anywhere in the world at this point. The only problem is we're not locked down yet, right? So, anyone can go to that URL at this moment and get to OpenSpeedTest running on this Zimaboard. Let's add one more fully qualified domain name. We're going to say add a public hostname.

We're going to call this tmobile.zimaboard.org, and we're going to go to HTTP, and then the gateway address of my T-Mobile internet, which is 192.168.12.1, and save that hostname. Click on it, open it up, and there we can see we have now also granted access to our T-Mobile Home Internet gateway. In order to lock everything down, we want to go back to the Zero Trust dashboard, and we're going to lock stuff down with an email PIN code, meaning that when I try to access the application, it's going to prompt me to enter an email address. As long as that email address is something that I have previously authorized, it will then send a six-digit code to that email address. I put the code into Cloudflare, and that's my two-factor authentication login.

So, from the Zero Trust dashboard, if we go to settings, and then we click on authentication, if I scroll down, right now, we have two different login methods. We have one-time PIN, that's the email thing I just explained, and I also have Google, right, because I've set this up separately to authenticate with my own Google domain, my Google Workspace domain. If I click add new, though, look at all these different options. You've got Azure and Facebook and GitHub, and you can do all sorts of single sign-on connections to all of these different types of services. So, whichever one works best for you, you know, if you're an Azure domain instead of a Google domain or something like that, use Azure, right, and actually get that connector going, which really just involves, like, giving Cloudflare an API key to connect into your authentication database, and then you can use that for authenticating your users. So, right now, if you don't have any of that stuff, just do one-time PIN, and then you want to come up here to access and applications, and we're going to say add an application.

Self-hosted is fine. We're going to say select. We're going to call this Zimaboard lockdown, and then I'm going to choose zimaboard.org for the domain. Now, pay special attention to the subdomain, because if we leave this blank, that means that our email PIN lockdown is only going to apply to the root domain zimaboard.org, which we have forwarding to the CasaOS dashboard. If I also want to secure down the connection over to my T-Mobile Home Internet gateway as well as the connection over to OpenSpeedTest, I can either add those in here manually and then keep adding more and more domains, or I can just use a wildcard character such as asterisk, and that way it covers any Cloudflare tunnel redirection in the zimaboard.org domain. Now, here for identity providers, for the purposes of this demonstration, I'm going to disable my Gmail logins, right? So I'm going to uncheck this, and I'm going to uncheck Google, right? So the only authentication mechanism that we're going to use for the purposes of this video is that one-time PIN. Then I'm going to say next. We're going to give it a new policy.

Now, this can be done here, or you can create policy groups if you're going to use groups across multiple different applications within Cloudflare. Since we're just doing this one thing, I'm not going to deal with the groups for now. I'm just going to set it up here.

We'll call it the same thing, zimaboard lockdown. We want to have action set to allow, and then for configure rules, we're going to include emails ending in and give it the entire domain. So we're going to say @crosstalksolutions.com. So basically, as long as you have an email in that domain, Cloudflare is going to let you get through that one-time PIN passcode. You put in your email address. It's going to send the code to you in email, and then you can use that to log in.

I'm also going to add a require here. Now, this is not necessary, but I like to lock it down just a little bit more, and I'm going to require a country of United States. So basically, if you're outside the US, even if you're trying to get in with the correct email address, it's just not going to work for you. Now, I know that you can bypass that with VPN very easily and that kind of thing, but anyways, it's just a way to lock it down a little bit more.

There are also other ways you can lock it down. For instance, you could lock it down to just specific IP address ranges. Maybe you only want to allow access from a satellite office that you have or something like that. There are a lot of options for how you can tighten your security. Okay, so we're going to say next, and then on the final screen here, we're just going to say add application, and that's it. So now, if I try to browse to any of the fully qualified domain names that I set up in Cloudflare, it's going to prompt me for my email address.

Say, hey, what's your email? If I put anything other than something @crosstalksolutions.com, it's not going to let me do anything with that. But if I put in a crosstalksolutions.com email address, it's going to send that email a PIN code. The PIN code can then be used to log in, and then I get to the interfaces of the T-Mobile gateway or OpenSpeedTest or the CasaOS dashboard, right? Whatever I've allowed through that Cloudflare tunnel, whatever services I've allowed through there. Even with me stopping to explain each step of this process, the whole thing took less than 10 minutes or so.
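The subdomain gotcha above (an Access application with the subdomain left blank protects only zimaboard.org, not openspeedtest.zimaboard.org or tmobile.zimaboard.org) is easy to verify after the fact: an unauthenticated request to a protected hostname is redirected to the team's login page on cloudflareaccess.com, while an unprotected one gets the origin's own page. The following check is an added example, not code from the video or from Cloudflare; the team name example-team and the canned responses are constructed, and the fetcher is injected so it runs offline.

```python
"""Classify tunnel hostnames as protected/unprotected by Cloudflare Access.

Added example. An unauthenticated GET to an Access-protected hostname is
answered with a redirect to <team>.cloudflareaccess.com (team name
'example-team' below is a made-up placeholder). A redirect issued by the
origin itself (e.g. CasaOS bouncing to its own /login) must NOT count as
protection, so the check inspects the redirect target, not just the status.
`fetch` is injected; a live probe would use an HTTP client that does not
follow redirects.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlparse


@dataclass
class Response:
    status: int
    headers: Dict[str, str]  # header names lower-cased


ACCESS_LOGIN_SUFFIX = ".cloudflareaccess.com"


def is_access_protected(resp: Response) -> bool:
    """True only if the request was bounced to a Cloudflare Access login page."""
    if resp.status not in (301, 302, 303, 307, 308):
        return False
    target = urlparse(resp.headers.get("location", "")).hostname or ""
    return target.endswith(ACCESS_LOGIN_SUFFIX)


def find_unprotected(hostnames: Iterable[str],
                     fetch: Callable[[str], Response]) -> List[str]:
    """Return the hostnames that served content without an Access login."""
    return [h for h in hostnames
            if not is_access_protected(fetch(f"https://{h}/"))]


# Constructed responses for the three hostnames set up in the video.
LOGIN_URL = ("https://example-team.cloudflareaccess.com/cdn-cgi/access/login/"
             "zimaboard.org?redirect_url=%2F")
ACCESS_REDIRECT = Response(302, {"location": LOGIN_URL})

# Access application with the subdomain left blank: only the root is covered.
ROOT_ONLY = {
    "zimaboard.org": ACCESS_REDIRECT,
    "openspeedtest.zimaboard.org": Response(200, {"content-type": "text/html"}),
    "tmobile.zimaboard.org": Response(302, {"location": "/login"}),  # origin's own redirect
}
# Same application with subdomain '*': every tunnel hostname is covered.
WILDCARD = {host: ACCESS_REDIRECT for host in ROOT_ONLY}


def check(table: Dict[str, Response]) -> List[str]:
    """Run the check against a table of canned responses keyed by hostname."""
    return find_unprotected(list(table), lambda url: table[urlparse(url).hostname])


if __name__ == "__main__":
    print("subdomain blank, unprotected:", check(ROOT_ONLY))  # two hostnames
    print("subdomain '*', unprotected:", check(WILDCARD))     # none
```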

I mean, it's a very, very easy way to securely expose your home lab services to the outside world, even if you're dealing with a CGNAT internet service such as T-Mobile Home Internet or Starlink. If you enjoyed this video, make sure you subscribe to crosstalksolutions here on YouTube. Check out our Twitter at crosstalksol as well as crosstalksolutions on TikTok, which is absolutely blowing up.

Almost 20,000 followers now over there on the old TikTok. All right, if you'd like to keep this party going, I have hand selected a couple of videos on the right here for you to watch next. The top video is my original Cloudflare tunnels video, where I go even more in depth on this technology. And the bottom video is my recent review of the new Gen 3 Starlink equipment.

2024-02-15 22:39
