During my undergraduate studies, I relied on a gaming laptop for most of my university projects because I needed a powerful CPU and GPU. Carrying it around in my backpack was cumbersome, but at the time, I didn’t see a better option. I couldn’t understand why anyone would choose an expensive lightweight laptop with better battery life or screen quality.

Over time, my perspective has changed. If you can afford it, the ideal setup is a powerful desktop (or homelab) combined with a lightweight laptop. The desktop handles resource-intensive tasks, while the lightweight laptop provides portability for everyday use. With this setup, you can remotely access your homelab from anywhere, essentially creating your own private cloud server.

This convenience raises a critical question: how can you securely connect to your homelab via SSH from outside your local network? There are several approaches, each with its own trade-offs. In this post, we’ll focus on a solution that requires no static IP, no domain name, and is completely free. We’ll explore the available methods, weigh their pros and cons, and explain why Cloudflare Zero Trust could be the best option.

Cloudflare Remote SSH Step-by-Step Guide

This guide assumes that you have already set up an SSH server on your homelab and can successfully connect to it within your local network. The focus here is on configuring Cloudflare Zero Trust to enable secure remote access to your homelab.

Connect to Zero-Trust Network from Client

  1. Log in or Sign up:
    Go to Cloudflare and log in or create a new account.

  2. Access Zero Trust:
    From the side menu, click on the “Zero Trust” section.

  3. Set Up Team Name (First-Time Only):

    • If this is your first time setting up, Cloudflare will ask you to create a unique team name for your Zero Trust network.
    • This team name is required for connecting clients to your Zero Trust network.
    • Follow the setup process, choose the free plan, and provide the necessary information.
  4. Add an Access Group:

    • Navigate to “Access” → “Access Groups” → “Add a Group”.
    • Specify a name for the group, mark it as the default, and in the Include section, select “Emails” and enter your email.
      Note: For this tutorial, we use email-based access, but other methods are also available.
  5. Configure WARP Client Enrollment:

    • Go to “Settings” → “WARP Client”, then click on “Manage” under the Device Enrollment section.
    • Create a new rule:
      • Provide a Rule Name.
      • Set Email as the selector and enter the email you specified earlier.
  6. Download and Configure Cloudflare Client:

    • Download the Cloudflare WARP client.
    • After installation:
      1. Go to Preferences > Account.
      2. Click “Login with Cloudflare Zero Trust”.
      3. Enter your team name created earlier.
      4. Follow the authentication steps.
    • Once completed, return to the WARP client, click Connect, and verify that the Zero Trust title appears.

Connect Your Homelab to Cloudflare

  1. Create a Tunnel:
    Navigate to “Networks” → “Tunnels” → “Create a Tunnel”.

  2. Select Cloudflared:
    From the Cloudflared section, click on “Select Cloudflared”.

  3. Name the Tunnel:
    Enter a name for your tunnel and click Save Tunnel.

  4. Set Up the Tunnel:

    • Choose a method based on your operating system.
    • For this tutorial, use Docker: run the provided Docker command on the PC you want to SSH into.
  5. Verify Tunnel Status:

    • Go to the Tunnel section, and ensure the status displays “Healthy”.
  6. Configure SSH Connection:

    • Click on your SSH connection configuration and then “Configure”.
  7. Add a Private Network:

    • Navigate to “Private Network” → “Add a Private Network”.
    • Enter your server’s local IP address.
  8. Configure WARP Client for Split Tunneling:

    • Go to “Settings” → “WARP Client”.
    • Under Device Settings, select “Configure Managed Profile”.
    • In the Split Tunnels section, click “Include IPs and Domains”.
    • Add the homelab local IP address as the selector and save the configuration.

Test the Connection

  1. Enable WARP Client:

    • Turn on the WARP client on your device.
  2. SSH into Your Device:

    • Use an SSH client to connect to your homelab.
    • For Linux or Mac, run the following command:
      ssh <username>@<server-local-ip>
      
    • If everything is set up correctly, you should successfully connect to your homelab.
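To confirm that this test really exercises the tunnel, the script below (an added example, not part of the original guide) checks which route the client would use to reach the server and then prints the server's host-key fingerprint for comparison with the one seen on the LAN. It assumes a Linux client with iproute2 and OpenSSH and that the WARP interface is named CloudflareWARP; the function names and the script name are illustrative.

```shell
#!/bin/sh
# Added example. Usage: sh check_path.sh <server-local-ip> [warp-interface]

# classify_route WARP_IF
# Reads the output of `ip route get <server-ip>` on stdin and prints one of:
#   warp     - traffic leaves through the WARP interface (split tunnel active)
#   on-link  - server is on the directly attached subnet (you are on the LAN)
#   gateway  - traffic goes to the local router, so the include rule is not
#              in effect and the address may belong to some other host
#   unknown  - no usable route information
classify_route() {
    awk -v warp="$1" '
        { dev = ""; via = ""
          for (i = 1; i < NF; i++) {
              if ($i == "dev") dev = $(i + 1)
              if ($i == "via") via = $(i + 1)
          }
          if (dev == "")        print "unknown"
          else if (dev == warp) print "warp"
          else if (via != "")   print "gateway"
          else                  print "on-link"
          found = 1; exit }
        END { if (!found) print "unknown" }'
}

main() {
    server_ip=$1
    warp_if=${2:-CloudflareWARP}   # assumed interface name; override if yours differs
    path=$(ip route get "$server_ip" 2>/dev/null | classify_route "$warp_if")
    case $path in
        warp)    echo "OK: $server_ip is routed through $warp_if" ;;
        on-link) echo "NOTE: $server_ip is on the local subnet; ssh succeeding here does not exercise the tunnel"
                 return 1 ;;
        gateway) echo "WARNING: $server_ip goes to the local gateway; the split-tunnel include is not active"
                 return 1 ;;
        *)       echo "ERROR: could not determine a route to $server_ip"
                 return 1 ;;
    esac
    # Fetch the host key over the tunnel and show its fingerprint so it can be
    # compared with the fingerprint recorded when connecting inside the LAN.
    ssh-keyscan -T 5 -t ed25519 "$server_ip" 2>/dev/null | ssh-keygen -lf -
}

if [ $# -ge 1 ]; then main "$@"; fi
```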

Why Cloudflare Zero Trust?

Connecting to your homelab remotely has always been a tricky problem, and there are several methods to achieve it. Each has its own strengths and weaknesses. Let’s explore the common solutions and how Cloudflare Zero Trust fits into the picture.

Static IP Address

One of the most well-known methods is to purchase a static IP address from your ISP. With a static IP, your router becomes accessible from outside your local network. By configuring port forwarding, you can redirect traffic from specific ports (like port 22 for SSH) to the correct device on your network.

However, this approach comes with a few downsides. First, static IPs are not free, and some ISPs don’t even offer them for residential users. Second, security is a major concern. Open ports on your router make your network vulnerable to brute-force attacks from bots scanning the internet. If someone manages to crack your SSH credentials, they effectively have free rein over your local network. All security responsibilities fall squarely on you.
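What that scanning looks like from the server side, as an added example that is not part of the original post: the script below counts failed password logins per source address in sshd log lines and shows how many different usernames each source tried. The log lines are constructed samples using documentation address ranges, and the function names and log path are illustrative assumptions.

```shell
#!/bin/sh
# Added example. Usage: sh ssh_failures.sh <auth-log-file> [min-failures]
# (e.g. /var/log/auth.log on Debian/Ubuntu; the path is an assumption)

# failed_by_source MIN
# Reads sshd log lines on stdin and prints, for every source with at least MIN
# failed password logins: "<ip> <failures> <distinct usernames tried>"
failed_by_source() {
    awk -v min="$1" '
        /sshd/ && /Failed password for/ {
            ip = ""; user = ""
            for (i = 1; i < NF; i++) {
                # "for invalid user NAME from IP" or "for NAME from IP"
                if ($i == "for")  user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            if (ip == "") next
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip], users[ip] }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample lines (not real traffic)
sample_log() {
    cat <<'EOF'
Jan 10 03:14:01 homelab sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jan 10 03:14:03 homelab sshd[2101]: Failed password for invalid user test from 203.0.113.5 port 40112 ssh2
Jan 10 03:14:06 homelab sshd[2104]: Failed password for root from 203.0.113.5 port 40150 ssh2
Jan 10 03:15:10 homelab sshd[2110]: Failed password for root from 198.51.100.7 port 51822 ssh2
Jan 10 03:15:12 homelab sshd[2110]: Failed password for root from 198.51.100.7 port 51822 ssh2
Jan 10 03:15:15 homelab sshd[2110]: Failed password for root from 198.51.100.7 port 51822 ssh2
Jan 10 03:15:19 homelab sshd[2113]: Failed password for root from 198.51.100.7 port 51840 ssh2
Jan 10 08:30:44 homelab sshd[2290]: Failed password for alice from 192.168.1.23 port 50022 ssh2
Jan 10 08:30:51 homelab sshd[2290]: Accepted password for alice from 192.168.1.23 port 50022 ssh2
EOF
}

if [ $# -ge 1 ]; then
    failed_by_source "${2:-3}" < "$1"
else
    sample_log | failed_by_source 3
fi
```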

Dynamic DNS

Dynamic DNS offers an alternative for those without a static IP. With this method, you use a service to map a domain name to your router’s constantly changing public IP. A client running on your machine regularly updates the DNS record whenever your IP changes.

While this approach avoids the need for a static IP, it doesn’t solve the security issue. You’re still exposing ports to the public internet, and the responsibility for securing them remains entirely on you. Additionally, setting up dynamic DNS requires purchasing a domain, and not all DNS providers support dynamic updates.

Virtual Private Network (VPN)

A more secure option is to use a Virtual Private Network (VPN). By hosting a VPN server, you can extend its local network to remote devices running the VPN client. This effectively creates a private connection between your devices, as if they were all on the same local network.

VPNs are undoubtedly more secure than exposing ports directly. They use advanced authentication protocols to ensure the connection is encrypted and tamper-proof. However, VPNs aren’t without their challenges. Setting up a VPN server can be complex, and maintaining it requires some technical expertise. Additionally, all traffic from connected clients is routed through the VPN server, which can slow down the connection and raise privacy concerns. On top of that, VPNs tend to operate on a “moat” model—once someone is inside the network, they often have unrestricted access to everything.

To make the VPN server reachable, you’ll still need a static IP or a domain. Another option is to use third-party VPN services, which require running the VPN client on both your server and client machine. This approach is the closest alternative to the “Cloudflare Zero Trust” method.

Cloudflare Zero Trust

Cloudflare Zero Trust offers a modern alternative that combines the best aspects of reverse proxies and VPNs. The idea is simple: you install a lightweight daemon (cloudflared) on your homelab, which securely connects it to Cloudflare’s global network. On the client side, you use the Cloudflare WARP application to access your resources. This eliminates the need for static IPs, dynamic DNS, or complex VPN setups.

Diagram illustrating how Cloudflare Zero Trust connects a private network to a remote device via a reverse proxy and Warp client.


The diagram above illustrates how Cloudflare Zero Trust works:

  • PC 1 is securely connected to Cloudflare’s global network using a reverse proxy.
  • Remote devices, such as a laptop, access the private network via the Cloudflare WARP client, ensuring secure and authenticated connections.

There are several advantages to this approach:

  • Simplicity: The setup process is straightforward, requiring only the Cloudflare daemon on your homelab and the WARP client on your remote device.
  • Security: Since no ports are exposed to the public internet, the risks of brute-force attacks and scanning bots are eliminated. Access is controlled through Cloudflare’s Zero Trust policies, which can enforce rules based on identity or device status.
  • Scalability: Adding more devices or resources is seamless, making it an excellent choice for growing setups.

That said, no solution is perfect, and Cloudflare Zero Trust has its own drawbacks. Perhaps the most significant is the reliance on a third party. By using Cloudflare, you are essentially trusting them to handle the security and connectivity of your system. While Cloudflare is a reputable company, this dependency may not sit well with users who prefer full control over their infrastructure.


In the end, the right solution depends on your specific needs and trade-offs. Cloudflare Zero Trust strikes a balance between ease of use, security, and performance, but it’s essential to weigh these benefits against the reliance on an external service. If you’re comfortable trusting Cloudflare, it can be a powerful tool for securely connecting to your homelab.