Reusing Old Laptops As Servers Via Cloudflare Tunnel
This article is for documenting the steps to give my old Netbooks a new lease of life, by turning them into little crawler servers that are going to fetch and post-process RSS feeds of people that I follow on the Internet.
Installing Debian 11 on my Netbooks
Nothing too special here, aside from the fact that a lot of Linux distros
have stopped supporting the ‘i386’ architecture, which limits what I can
install. Debian is still a safe, mainstream distro that hits less of
installation and compatibility issues, so I just went with that. Also
.deb packages are supported, which makes it easier to install
Cloudflare Tunnels (
cloudflared), the crucial ingredient to allow
computers without a public facing IP address to run as servers on the
Installing Cloudflare Tunnel
It’s not often I find software that’s such a joy to use, and
would be one of them. Support for the major architectures, documentation
and examples, as well as the command-line help made it an easy task to get
any machine to become a server on the Internet, without hassle and
ISPs usually put consumer’s devices behind a NAT, and it’s hardly possible to properly run a server when inbound traffic is blocked, and without a static IP address. Services like dynamic DNS only solves the problem part-way by running a daemon that updates each time your DHCP changes your IP address, but doesn’t really solve the NAT firewall issue.
In many ways, I’m so glad Cloudflare has made its tunnelling solution freely available, which allows a few of my old devices a new lease of life.
A Small Hiccup
Most of the instructions provided were fine, the only hiccup I hit was that
arch string part of
.deb file that was packaged was label ‘386’ rather
than ‘i386’ which is what Debian expects.
% dpkg -i cloudflared-linux-386.deb dpkg: error processing archive cloudflared-linux-386.deb (--install): package architecture (386) does not match system (i386) Errors were encountered while processing: cloudflared-linux-386.deb
That’s no issue, we can simply force
.deb package, and be well on our way - the packaged contents
works without any dependency problems:
% dpkg -i cloudflared-linux-386.deb --force-architecture
Server-Side: Allow SSH Access
Not too many words here, but just a sample partial configuration in
ingress: - hostname: your-subdomain.your-hostname.com service: http://localhost:8000 - hostname: your-subdomain-ssh.your-hostname.com service: ssh://localhost:22 - service: http_status:404
Client-Side: SSH Proxying
It isn’t possible to directly SSH to the machine without having the client
cloudflared and use it as a proxy. From the error messages, I seem
to think that how ‘Cloudflare Tunnel’ works is that it’s actually communicating
through HTTPS via WebSockets, and having
cloudflared proxying the data back
and forth. So in order to allow for communications to not be mistaken as ‘http’
traffic, we need to add the following into our
Host netbook User username Hostname the-hostname-you-configured-with-cloudflare ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
This will allow your SSH to get to the endpoint machine.
cloudflared As A Service
Pretty painless step. Refer to
% cloudflared service install % systemctl start cloudflared
I had been looking for similar solutions in the past, and even contemplating writing something like that, but there were a lot of corner-case behaviours in trying to getting network communications to run smoothly, and it’s not a good tradeoff to work it all out for a hobbyist scenario, so I really appreciate how reliably this software has been.
Read The ‘Fine’ Manual!
The documentation is often sufficient enough for me to figure things out, even though I did go around in circles a few times to find the right information I need. In any case, the reference is available here.
Setting Up My Netbooks To Be Servers
The Netbooks need to be able to boot automatically upon power up, as well as
turn on its networks without any user logged in. With Debian, you get almost
everything, except that the network wouldn’t be on without a user logging in,
so let’s go fix that by adding the 2 lines into
auto eth0 auto wifi0
This obviously depends on how you connect your machine to your network. In
my case, it was
wifi0. You obviously need to also log in at least once
and go setup your network via ‘NetworkManager’, so that it has your network
configuration and credentials - normally they’ll be in
/etc/NetworkManager/system-connections. I won’t go into details here, and
leave it as an exercise to the reader.
Stopping The Netbook From Going Into Hibernation On Lid Closure
The Netbooks are meant to be servers, they can’t go to sleep just because
we close their lids, so make changes to
Then restart the service with
systemctl restart logind.service.
The topic of suitable algorithm to choose for encryption changes with time,
and at time of writing, a strong one to pick would be would be
given Debian 11 (bullseye) will support it:
% ssh -V OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n 15 Mar 2022
Then, the usual disabling of adding an SSH key instead of passwords to log into the new machine (even though it’s unlikely anybody will be knocking on the front door of your SSH port due to Cloudflare Tunnel):
ssh-copy-id -i <private_key> <user_and_host>
Then disabling password access to the machine
# In /etc/ssh/sshd_config PasswordAuthentication no
And restart the service for the changes to take effect:
systemctl restart ssh
And voila, I now have a new Netbook Server!