This article explains my first attempt at secure remote access into my home network. It is something less than a step-by-step procedure for setting up the remote access, so feel free to hit me up on Discord (@dorian5) if you would like to discuss any of this in greater detail.
Shout-out to Network Chuck for the idea and the tutorial on how to set up the Cloudflare tunnel. I suggest you watch his video if you are looking at a similar solution: https://www.youtube.com/watch?v=ey4u7OUAF3c
What I have attempted to do is to take Chuck’s solution one step further. Instead of building a tunnel directly from my inside web server to Cloudflare, I am using a proxy server on my DMZ as an intermediate jump between the inside server and the Cloudflare tunnel service. I’ve tried to capture the high-level concept in this drawing. Please don’t hate on my Visio skills.
Firewall
Obviously, you'll need a firewall behind your ISP router for this solution. I won't go into details on the firewall configuration since there are many different brands on the market, but suffice it to say you'll need to configure the three legs of the firewall (inside, outside, DMZ), permit SSH from your HTTP server to the proxy server on the DMZ, and give the DMZ server access to the Internet.
Proxy Server
My proxy server (is there a better name for it?) in this case is an inexpensive computer running Ubuntu 22.04. I preferred a Linux computer for this role due to the ease of setting up and configuring the OpenSSH server. You will want to configure OpenSSH to start automatically on boot:
sudo systemctl enable ssh.service
I also had to edit /etc/ssh/sshd_config and set the GatewayPorts parameter to yes (GatewayPorts yes) so that the forwarded port accepts connections from hosts other than the proxy itself, not just from its loopback interface.
HTTP Server
For this proof-of-concept, I am using Python's built-in simple HTTP server (the http.server module) on a Windows computer.
Cloudflare tunnel
My tunnel is set up very similarly to Chuck's. The public hostname is the domain I have registered through Google Domains. The tunnel's origin is 10.10.10.2, the IP address of my DMZ proxy server, which is listening for connections on port 9090.
SSH tunnel
We will do a remote port forward from our HTTP server to our DMZ proxy so that the proxy forwards incoming requests on its port 9090 to port 8080 on the HTTP server, which is the port the HTTP server listens on. On Windows hosts, I like to use plink.exe for SSH tunneling. Plink is a free command-line connection tool from the creator of the PuTTY SSH client. The command for the remote port forward is:
plink -R 9090:localhost:8080 -N 10.10.10.2
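Two things decide who can actually reach the forwarded port on the proxy: the GatewayPorts value in sshd_config (the edit described above) and the bind address the client puts in front of the port in -R (both ssh and plink accept -R [listen-address:]port:host:hostport). The shell script below is an added example, not code from the original post, that models those rules as documented in sshd_config(5) and ssh(1): it reads the effective GatewayPorts value from a config text and reports where sshd will bind the listener. The two sshd_config texts are constructed for the demo; 10.10.10.2 and port 9090 are the post's own values, and the tighter variant assumes OpenSSH 7.8 or newer for PermitListen (Ubuntu 22.04 ships 8.9).

```shell
#!/bin/sh
# Added example, not from the original post: work out where an sshd remote port
# forward ("-R [bind_address:]port:host:hostport") will listen on the proxy, from
# the server's GatewayPorts setting and the address the client asked for.
# Rules follow sshd_config(5) and ssh(1); the config texts are constructed.

# Effective value of a global sshd_config keyword, read from stdin. sshd keeps the
# FIRST value it reads for a keyword, and global settings end at the first Match
# block, so a later "GatewayPorts no" under Match does not undo an earlier "yes".
# Prints $2 (the compiled-in default) when the keyword is absent. Include lines
# are not expanded here; on Ubuntu the Include comes first, so a value in
# /etc/ssh/sshd_config.d/ would win over the one in sshd_config itself.
sshd_effective() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
    /^[ \t]*#/ || NF == 0  { next }                               # comments, blank lines
    tolower($1) == "match" { exit }                               # end of global section
    tolower($1) == key     { print tolower($2); found = 1; exit } # first value wins
    END                    { if (!found) print def }
  '
}

# Where the listener binds for a GatewayPorts value ($1) and the bind address the
# client requested ($2). Omit $2 for a plain "-R 9090:localhost:8080": ssh and
# plink then send "localhost". An empty $2 or "*" asks for all interfaces.
# Prints loopback, wildcard, or the specific address sshd will bind.
remote_forward_bind() {
  gw=$1
  addr=${2-localhost}
  case $gw in
    no)  echo loopback ;;   # the client's bind address is ignored entirely
    yes) echo wildcard ;;   # every remote forward is forced onto all interfaces
    clientspecified)
      case $addr in
        ''|'*')                  echo wildcard ;;
        localhost|127.0.0.1|::1) echo loopback ;;
        *)                       echo "$addr" ;;
      esac ;;
    *)   echo "unknown GatewayPorts value: $gw" >&2; return 1 ;;
  esac
}

# Both steps together: exposure of the forward for a config text ($1) and an
# optional client bind address ($2).
forward_exposure() {
  gw=$(printf '%s\n' "$1" | sshd_effective GatewayPorts no)
  remote_forward_bind "$gw" ${2+"$2"}
}

# Constructed sshd_config in the shape the post describes: GatewayPorts set to yes.
POSTED_CFG='Include /etc/ssh/sshd_config.d/*.conf
GatewayPorts Yes
PasswordAuthentication no
Match User backup
    GatewayPorts no'

# Constructed least-privilege alternative: the HTTP server must name the bind
# address, may only listen on the DMZ address and port that cloudflared targets,
# and may not open local (-L) forwards. PermitListen needs OpenSSH 7.8 or newer.
TIGHT_CFG='GatewayPorts clientspecified
PermitListen 10.10.10.2:9090
AllowTcpForwarding remote'

echo "posted config, -R 9090:localhost:8080            -> $(forward_exposure "$POSTED_CFG")"
echo "tight config,  -R 9090:localhost:8080            -> $(forward_exposure "$TIGHT_CFG")"
echo "tight config,  -R 10.10.10.2:9090:localhost:8080 -> $(forward_exposure "$TIGHT_CFG" 10.10.10.2)"
```

With the posted config the listener lands on the wildcard address, so port 9090 is reachable on every interface of the proxy and only the firewall keeps it to cloudflared's traffic. With the tighter config the HTTP server has to ask for the DMZ address explicitly (plink -R 10.10.10.2:9090:localhost:8080 -N 10.10.10.2); the plain -R 9090:localhost:8080 form would bind loopback only, and sshd refuses any remote forward request that does not match PermitListen, so that account cannot open listeners anywhere else on the proxy.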
With all these components in place, we can access our internal web server from an Internet-connected host at our URL: http://www.********.network.
Please leave a comment or question if you found this helpful. I’ll continue to expand on this solution in the future.