Reusing Old Laptops As Servers Via Cloudflare Tunnel

This article documents the steps I took to give my old Netbooks a new lease of life, by turning them into little crawler servers that are going to fetch and post-process the RSS feeds of people that I follow on the Internet.

Installing Debian 11 on my Netbooks

Nothing too special here, aside from the fact that a lot of Linux distros have stopped supporting the ‘i386’ architecture, which limits what I can install. Debian is still a safe, mainstream distro that hits fewer installation and compatibility issues, so I just went with that. Also, .deb packages are supported, which makes it easier to install Cloudflare Tunnel (cloudflared), the crucial ingredient that allows computers without a public-facing IP address to run as servers on the Internet.

Installing Cloudflare Tunnel

It’s not often I find software that’s such a joy to use, and cloudflared would be one of them. Support for the major architectures, documentation and examples, as well as the command-line help made it an easy task to get any machine to become a server on the Internet, without hassle and additional costs.

ISPs usually put consumers’ devices behind a NAT, and it’s hardly possible to properly run a server when inbound traffic is blocked and there is no static IP address. Services like dynamic DNS only solve the problem part-way, by running a daemon that updates the record each time DHCP changes your IP address; they don’t really solve the NAT firewall issue.

In many ways, I’m so glad Cloudflare has made its tunnelling solution freely available, which gives a few of my old devices a new lease of life.

A Small Hiccup

Most of the instructions provided were fine; the only hiccup I hit was that the architecture string in the packaged .deb file was labelled ‘386’ rather than ‘i386’, which is what Debian expects.

% dpkg -i cloudflared-linux-386.deb
dpkg: error processing archive cloudflared-linux-386.deb (--install):
 package architecture (386) does not match system (i386)
Errors were encountered while processing:
 cloudflared-linux-386.deb

That’s no issue: we can simply force-install the .deb package (dpkg options go before the file name) and be well on our way. The packaged contents work without any dependency problems:

% dpkg --force-architecture -i cloudflared-linux-386.deb
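One way to keep the forced install narrow, as an added example that is not part of the original post: the script forces only when the package says ‘386’ and the system says ‘i386’, and only after checking that the packaged binary has a 32-bit x86 ELF header. The function names, and the assumption that the package contains a file named cloudflared, belong to this example.

```shell
#!/bin/sh
# Added example: bypass dpkg's architecture check only when the mismatch is
# the "386" vs "i386" naming difference AND the packaged binary is i386 code.

# Succeeds when FILE starts with an ELF header for 32-bit little-endian x86:
# bytes 0-3 magic, 4 class (01 = 32-bit), 5 data (01 = LE), 18-19 e_machine (03 00).
elf_is_i386() {
    hdr=$(od -An -tx1 -N20 "$1" | tr -d ' \n')
    case $hdr in
        7f454c460101????????????????????????0300) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "plain", "force" or "refuse" for a package/system architecture pair.
arch_decision() {
    if [ "$1" = "$2" ] || [ "$1" = all ]; then
        echo plain
    elif [ "$1" = 386 ] && [ "$2" = i386 ]; then
        echo force
    else
        echo refuse
    fi
}

# Usage on the Netbook, as root: install_checked cloudflared-linux-386.deb
install_checked() {
    deb=$1 rc=0
    tmp=$(mktemp -d) || return 1
    decision=$(arch_decision "$(dpkg-deb -f "$deb" Architecture)" \
                             "$(dpkg --print-architecture)")
    dpkg-deb -x "$deb" "$tmp"
    # Assumption: the package ships one executable file named "cloudflared".
    bin=$(find "$tmp" -type f -name cloudflared | head -n 1)
    if [ "$decision" = plain ]; then
        dpkg -i "$deb" || rc=$?
    elif [ "$decision" = force ] && [ -n "$bin" ] && elf_is_i386 "$bin"; then
        dpkg --force-architecture -i "$deb" || rc=$?
    else
        echo "refusing to install $deb (package arch / binary check failed)" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Demo with the two strings from the dpkg error above; prints "force".
arch_decision 386 i386
```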

Server-Side: Allow SSH Access

Not too many words here, just a sample partial configuration in .cloudflared/config.yml:

ingress:
  - hostname: your-subdomain.your-hostname.com
    service: http://localhost:8000
  - hostname: your-subdomain-ssh.your-hostname.com
    service: ssh://localhost:22
  - service: http_status:404

Client-Side: SSH Proxying

It isn’t possible to directly SSH to the machine without having the client install cloudflared and use it as a proxy. From the error messages, I seem to think that ‘Cloudflare Tunnel’ works by actually communicating through HTTPS via WebSockets, with cloudflared proxying the data back and forth. So, in order for the communications not to be mistaken for ‘http’ traffic, we need to add the following to our .ssh/config configuration:

Host netbook
  User username
  Hostname the-hostname-you-configured-with-cloudflare
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h

This will allow your SSH to get to the endpoint machine.

Setting Up cloudflared As A Service

Pretty painless step. Refer to cloudflared’s documentation:

% cloudflared service install
% systemctl start cloudflared

Side Comments

I had been looking for similar solutions in the past, and even contemplated writing something like that, but there were a lot of corner-case behaviours in trying to get network communications to run smoothly, and it’s not a good tradeoff to work it all out for a hobbyist scenario, so I really appreciate how reliable this software has been.

Read The ‘Fine’ Manual!

The documentation is often sufficient for me to figure things out, even though I did go around in circles a few times to find the right information. In any case, the reference is available here.

Setting Up My Netbooks To Be Servers

The Netbooks need to be able to boot automatically upon power-up, as well as bring up their network interfaces without any user logged in. With Debian, you get almost everything, except that the network won’t be up without a user logging in, so let’s fix that by adding these 2 lines to /etc/network/interfaces:

auto eth0
auto wifi0

This obviously depends on how you connect your machine to your network. In my case, it was wifi0. You obviously also need to log in at least once and set up your network via ‘NetworkManager’, so that it has your network configuration and credentials - normally they’ll be in /etc/NetworkManager/system-connections. I won’t go into details here, and leave it as an exercise to the reader.

Stopping The Netbook From Going Into Hibernation On Lid Closure

The Netbooks are meant to be servers; they can’t go to sleep just because we close their lids, so make this change to /etc/systemd/logind.conf:

#HandleLidSwitch=suspend
HandleLidSwitch=ignore

Then restart the service with systemctl restart systemd-logind.service.

Hardening SSH

The choice of a suitable key algorithm changes with time; at the time of writing, a strong one to pick would be ed25519, given that Debian 11 (bullseye) supports it:

% ssh -V
OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n  15 Mar 2022

Then, the usual step of adding an SSH key to use instead of a password to log into the new machine (even though it’s unlikely anybody will be knocking on the front door of your SSH port due to Cloudflare Tunnel):

ssh-copy-id -i <private_key> <user_and_host>

Then disable password access to the machine:

# In /etc/ssh/sshd_config
PasswordAuthentication no

And restart the service for the changes to take effect:

systemctl restart ssh
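A check to run after the restart, added here as an example and not part of the original post: `sshd -T` prints the effective server configuration, so it shows whether the `PasswordAuthentication no` line actually won over any earlier or included setting. The function name and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings for leftover password logins.
# Reads `sshd -T` output ("keyword value" lines, keywords in lower case) on
# stdin, prints one line per finding, and returns 0 only when there are none.
audit_sshd_effective() {
    awk '
        $1 == "passwordauthentication" {
            seen = 1
            if ($2 != "no") { print "FAIL passwordauthentication=" $2; bad = 1 }
        }
        # Keyboard-interactive can still ask for the account password via PAM.
        # Depending on the OpenSSH release it is reported under either keyword.
        $1 ~ /^(challengeresponse|kbdinteractive)authentication$/ && $2 != "no" {
            print "FAIL " $1 "=" $2; bad = 1
        }
        # With passwords off, key login must be on or the server is unreachable.
        $1 == "pubkeyauthentication" && $2 != "yes" {
            print "FAIL pubkeyauthentication=" $2; bad = 1
        }
        END {
            if (!seen) { print "FAIL passwordauthentication not reported"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed samples (not captured from a real host), trimmed to relevant keys.
SAMPLE_OVERRIDDEN='port 22
passwordauthentication yes
challengeresponseauthentication yes
pubkeyauthentication yes'
SAMPLE_HARDENED='port 22
passwordauthentication no
challengeresponseauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd_effective || echo "not hardened yet"
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd_effective && echo "password logins are off"
```

On the server, run `sshd -T | audit_sshd_effective` as root while your current session is still open. `sshd -T` applies `Match` blocks only for a connection described with `-C`.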

And voila, I now have a new Netbook Server!