Reusing Old Laptops As Servers Via Cloudflare Tunnel
This article documents the steps I took to give my old Netbooks a new lease of life, by turning them into little crawler servers that will fetch and post-process RSS feeds of people that I follow on the Internet.
Installing Debian 11 on my Netbooks
Nothing too special here, aside from the fact that a lot of Linux distros
have stopped supporting the ‘i386’ architecture, which limits what I can
install. Debian is still a safe, mainstream distro that hits fewer
installation and compatibility issues, so I just went with that. Also,
.deb packages are supported, which makes it easier to install
Cloudflare Tunnel (cloudflared), the crucial ingredient to allow
computers without a public-facing IP address to run as servers on the
Internet.
Installing Cloudflare Tunnel
It’s not often I find software that’s such a joy to use, and cloudflared
would be one of them. Support for the major architectures, documentation
and examples, as well as the command-line help made it an easy task to get
any machine to become a server on the Internet, without hassle and
additional costs.
ISPs usually put consumers’ devices behind a NAT, and it’s hardly possible to properly run a server when inbound traffic is blocked and there is no static IP address. Services like dynamic DNS only solve the problem part-way, by running a daemon that updates the DNS record each time DHCP changes your IP address; they don’t really solve the NAT firewall issue.
In many ways, I’m so glad Cloudflare has made its tunnelling solution freely available, which allows a few of my old devices a new lease of life.
A Small Hiccup
Most of the instructions provided were fine; the only hiccup I hit was that
the arch string of the .deb file that was packaged was labelled ‘386’ rather
than ‘i386’, which is what Debian expects.
% dpkg -i cloudflared-linux-386.deb
dpkg: error processing archive cloudflared-linux-386.deb (--install):
package architecture (386) does not match system (i386)
Errors were encountered while processing:
cloudflared-linux-386.deb
That’s no issue, we can simply force install the .deb package, and be well
on our way - the packaged contents work without any dependency problems:
% dpkg -i --force-architecture cloudflared-linux-386.deb
Server-Side: Allow SSH Access
Not too many words here, but just a sample partial configuration in
.cloudflared/config.yml:
ingress:
  - hostname: your-subdomain.your-hostname.com
    service: http://localhost:8000
  - hostname: your-subdomain-ssh.your-hostname.com
    service: ssh://localhost:22
  - service: http_status:404
Client-Side: SSH Proxying
It isn’t possible to directly SSH to the machine without having the client
install cloudflared and use it as a proxy. From the error messages, I seem
to think that how ‘Cloudflare Tunnel’ works is that it’s actually communicating
through HTTPS via WebSockets, and having cloudflared proxying the data back
and forth. So in order to allow for communications to not be mistaken as ‘http’
traffic, we need to add the following into our .ssh/config configuration:
Host netbook
    User username
    Hostname the-hostname-you-configured-with-cloudflare
    ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
This will allow your SSH to get to the endpoint machine.
Setting Up cloudflared As A Service
Pretty painless step. Refer to cloudflared’s documentation:
% cloudflared service install
% systemctl start cloudflared
Side Comments
I had been looking for similar solutions in the past, and even contemplated writing something like that, but there were a lot of corner-case behaviours in trying to get network communications to run smoothly, and it’s not a good tradeoff to work it all out for a hobbyist scenario, so I really appreciate how reliable this software has been.
Read The ‘Fine’ Manual!
The documentation is often sufficient for me to figure things out, even though I did go around in circles a few times to find the right information I needed. In any case, the reference is available here.
Setting Up My Netbooks To Be Servers
The Netbooks need to be able to boot automatically upon power up, as well as
turn on their network without any user logged in. With Debian, you get almost
everything, except that the network wouldn’t be on without a user logging in,
so let’s go fix that by adding these 2 lines to /etc/network/interfaces:
auto eth0
auto wifi0
This obviously depends on how you connect your machine to your network. In
my case, it was wifi0. You obviously also need to log in at least once
and set up your network via ‘NetworkManager’, so that it has your network
configuration and credentials - normally they’ll be in
/etc/NetworkManager/system-connections. I won’t go into details here, and
leave it as an exercise to the reader.
Stopping The Netbook From Going Into Hibernation On Lid Closure
The Netbooks are meant to be servers, so they can’t go to sleep just because
we close their lids. Make the following change to /etc/systemd/logind.conf:
#HandleLidSwitch=suspend
HandleLidSwitch=ignore
Then restart the service with systemctl restart systemd-logind.service.
Hardening SSH
The topic of which algorithm to choose for SSH keys changes with time,
and at the time of writing, a strong one to pick would be ed25519,
given that Debian 11 (bullseye) supports it:
% ssh -V
OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n 15 Mar 2022
Then, the usual step of adding an SSH key to log into the new machine instead of using passwords (even though it’s unlikely anybody will be knocking on the front door of your SSH port due to Cloudflare Tunnel):
ssh-copy-id -i <private_key> <user_and_host>
Then disable password access to the machine:
# In /etc/ssh/sshd_config
PasswordAuthentication no
And restart the service for the changes to take effect:
systemctl restart ssh
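As an added example (not part of the original post), the script below checks that the change above actually takes effect in a given config file: sshd keeps the first value it reads for each keyword, so an earlier PasswordAuthentication yes would override the line added here. The function names and the sample files are made up for this illustration.

```bash
#!/usr/bin/env bash
# Added example: check that password logins are really off in an
# sshd_config-style file. sshd keeps the FIRST value it reads for a keyword,
# so an earlier "yes" silently beats a later "no".

# Print the effective global value for a keyword (or an "a|b" list of aliases).
effective_value() {   # usage: effective_value <keyword[|alias]> <file>
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        { sub(/=/, " ") }                       # accept "Keyword=value"
        tolower($1) == "match" { exit }         # Match blocks are conditional
        tolower($1) ~ ("^(" want ")$") { print tolower($2); exit }
    ' "$2"
}

# Succeed only if both password and keyboard-interactive logins are disabled.
# Keyboard-interactive matters because, with PAM, it can still ask for a password.
# Unset keywords fall back to the OpenSSH default, which is "yes" for both.
password_login_disabled() {
    local pw kbd
    pw=$(effective_value 'PasswordAuthentication' "$1")
    # OpenSSH 8.4 calls it ChallengeResponseAuthentication; newer releases
    # prefer the alias KbdInteractiveAuthentication.
    kbd=$(effective_value 'ChallengeResponseAuthentication|KbdInteractiveAuthentication' "$1")
    [ "${pw:-yes}" = no ] && [ "${kbd:-yes}" = no ]
}

# Constructed sample files for the demonstration (not real system configs).
sample_dir=$(mktemp -d)
printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' > "$sample_dir/hardened"
printf '%s\n' 'PasswordAuthentication yes' 'ChallengeResponseAuthentication no' \
    '# In /etc/ssh/sshd_config' 'PasswordAuthentication no' > "$sample_dir/shadowed"

for f in hardened shadowed; do
    if password_login_disabled "$sample_dir/$f"; then
        echo "$f: password logins disabled"
    else
        echo "$f: password logins still possible"
    fi
done
```

The script reads a single file and does not follow Include directives. On the live machine, sshd -T prints the effective configuration and is the authoritative check.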
And voila, I now have a new Netbook Server!