| 1 | + | # Cloudflare Tunnels |
| 2 | + | |
| 3 | + | [Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/) can be used to access PiKVM over the internet securely using Cloudflare Zero Trust with the ```cloudflared``` daemon. This is a convenient and free (for private use) tool for allowing access to web services running on your internal network without port forwarding or IPv4/IPv6 compatability issues. This document is provided as an example for accessing your pikvm over the internet but you can also use zerotier/tailscale/insert xyz vpn service here. Basic support like whats shown below is provided as an example, any other setting or functionality needs to be redirected to the appropriate community. |
| 4 | + | |
| 5 | + | ## Prequisites |
| 6 | + | |
| 7 | + | 1. A domain utilizing Cloudflare for DNS |
| 8 | + | 2. A Cloudflare tunnel configured with an application created and secured by an access policy |
| 9 | + | |
| 10 | + | ## Cloudflare Tunnel Steps |
| 11 | + | |
| 12 | + | 1. Login to Cloudflare and provision a tunnel using the steps [here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/remote/). Save the tunnel token as we will need this later. In most cases the target will be https://localhost |
| 13 | + | 2. Create a self-hosted application with the url matching one created in the previous step by following the steps [here](https://developers.cloudflare.com/cloudflare-one/applications/configure-apps/self-hosted-apps/). |
| 14 | + | * You will need to check the http options to disable SSL certificate verification under Tunnels -> Configure -> Public Hostname -> yourapplication.yourdomain -> Edit -> TLS Settings -> No TLS Verify as the PiKVM uses self-signed certificates. |
| 15 | + | |
| 16 | + | * Don't skip the access policies as this important to preventing randoms from the internet from gaining access to your PiKVM. Cloudflare offers a variety of login options with the simplest being One-time PINs that are emailed to you. NOTE: This external authentication will not replace the username/password for the PiKVM but instead supplement it acting as a first line of defense from the internet. |
| 17 | + | |
| 18 | + | ## Installation |
| 19 | + | |
| 20 | + | Unfortunately Cloudflare does not provide binaries for armv7hf so we need to compile from source to generate a working build. |
| 21 | + | |
| 22 | + | ### On the PiKVM side |
| 23 | + | |
| 24 | + | 1. Use these commands: |
| 25 | + | |
| 26 | + | ``` |
| 27 | + | # rw |
| 28 | + | # pacman -Syu go |
| 29 | + | # curl -s https://api.github.com/repos/cloudflare/cloudflared/releases/latest | grep "tarball_url" | cut -d '"' -f 4 | xargs curl -LJo cloudflared-latest.tar.gz |
| 30 | + | # tar -xzvf cloudflared-latest.tar.gz --transform 's|[^/]*/|cloudflared/|' |
| 31 | + | # cd cloudflared/cmd/cloudflared/ |
| 32 | + | # go build |
| 33 | + | # mv cloudflared /usr/bin/cloudflared |
| 34 | + | # cloudflared version |
| 35 | + | ``` |
| 36 | + | |
| 37 | + | 2. Create the service configuration file |
| 38 | + | |
| 39 | + | ``` |
| 40 | + | # systemctl edit --full cloudflared.service |
| 41 | + | ``` |
| 42 | + | |
| 43 | + | 3. Insert the following configuration replacing TOKEN VALUE with your token from the Cloudflare tunnel step. |
| 44 | + | |
| 45 | + | ``` |
| 46 | + | [Unit] |
| 47 | + | Description=Cloudflare Tunnel |
| 48 | + | After=network.target |
| 49 | + | |
| 50 | + | [Service] |
| 51 | + | TimeoutStartSec=0 |
| 52 | + | Type=notify |
| 53 | + | ExecStart=/usr/bin/cloudflared --protocol quic tunnel run --token <TOKEN VALUE> |
| 54 | + | Restart=on-failure |
| 55 | + | RestartSec=5s |
| 56 | + | ``` |
| 57 | + | |
| 58 | + | 4. Afterwards verify service is started and stays running |
| 59 | + | |
| 60 | + | ``` |
| 61 | + | # systemctl enable --now cloudflared |
| 62 | + | # systemctl status cloudflared |
| 63 | + | ``` |
| 64 | + | 5. Open a web browser and attempt |
| 65 | + | |
| 66 | + | ## Updating cloudflared |
| 67 | + | |
| 68 | + | 1. Use these commands to update the ```cloudflared``` daemon: |
| 69 | + | |
| 70 | + | ``` |
| 71 | + | # rw |
| 72 | + | # rm -rf cloudflared/ |
| 73 | + | # curl -s https://api.github.com/repos/cloudflare/cloudflared/releases/latest | grep "tarball_url" | cut -d '"' -f 4 | xargs curl -LJo cloudflared-latest.tar.gz |
| 74 | + | # tar -xzvf cloudflared-latest.tar.gz --transform 's|[^/]*/|cloudflared/|' |
| 75 | + | # cd cloudflared/cmd/cloudflared/ |
| 76 | + | # go build && mv cloudflared /usr/bin/cloudflared |
| 77 | + | # systemctl restart cloudflared |
| 78 | + | ``` |
| 79 | + | |
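Review bot: the tunnel token is embedded in the unit's command line in step 3 (`ExecStart=/usr/bin/cloudflared --protocol quic tunnel run --token <TOKEN VALUE>`), so it shows up in the process list and in the `systemctl status cloudflared` output that step 4 tells the reader to check; a long-lived credential that grants a path into the KVM should not be that visible. Suggest keeping it out of the unit file: write `TUNNEL_TOKEN=<TOKEN VALUE>` to a root-only file such as `/etc/cloudflared/token.env` (`chmod 600`), add `EnvironmentFile=/etc/cloudflared/token.env` under `[Service]`, and shorten ExecStart to `/usr/bin/cloudflared --protocol quic tunnel run`, since cloudflared reads the token from the `TUNNEL_TOKEN` environment variable. Smaller points in the same hunk: "Prequisites" and "compatability" are misspelt; step 5 ("Open a web browser and attempt") is cut off and should say what the reader should expect to see (the Cloudflare Access login, then the PiKVM login, matching the note in step 2 that Access supplements rather than replaces PiKVM authentication); the "No TLS Verify" bullet would be clearer if it said this only relaxes verification on the cloudflared-to-localhost hop, which never leaves the device; and the update section's `rm -rf cloudflared/` assumes the shell is back in the directory the install commands started from, while the install steps leave it inside `cloudflared/cmd/cloudflared/`, so a `cd` to that starting directory (or an absolute path) is needed for the update to actually remove the old tree.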