Introduction #
Have you ever wanted your own server at home to run applications, host files, or experiment with new technologies? A homelab is the perfect way to do just that. But what about accessing your homelab securely from anywhere in the world? That’s where things can get complicated.
In this guide, I’ll walk you through setting up a powerful and secure homelab using a combination of Fedora Server, Teleport, and Cloudflare Tunnels. We’ll cover everything from the initial OS installation to configuring secure remote access and even integrating your favorite web applications. By the end of this tutorial, you’ll have a fully functional homelab that you can securely access from anywhere, without the need for a VPN.
We can use this homelab later to host our Kubernetes or OpenShift experiments.
Prerequisites #
Before we begin, make sure you have the following:
- A dedicated machine: This can be an old laptop, a desktop, or even a Raspberry Pi. This guide uses an x86-64 setup.
- A domain name: You can purchase one from a registrar like Namecheap or directly from Cloudflare. You can get a domain for as low as $2.
- A Cloudflare account: We’ll use it to manage our domain and create a secure tunnel.
- A GitHub account: This will be used for setting up SSO (Single Sign-On).
- Basic Linux command-line knowledge: You should be comfortable with navigating the terminal and editing files.
Architecture Overview #
Here is a high-level look at how all the pieces fit together. The user connects to your domain, which is managed by Cloudflare. Cloudflare Tunnel securely forwards the traffic to the Teleport Proxy service running in your homelab, which then authenticates the user and grants access to internal applications like Cockpit.
Part 1: Fedora Server & Teleport Installation #
First, we need to set up the base operating system and install Teleport.
- Install Fedora Server: Start by installing a fresh copy of Fedora Server (this guide used version 42) on your dedicated machine. I used this guide; I would suggest using Fedora Media Writer to flash the ISO to your USB for a smooth experience. Ventoy is also a solid choice.
- Install Teleport: Once Fedora is running, install the Teleport OSS package using the official install script.

```shell
curl https://cdn.teleport.dev/install.sh | sudo bash -s v18.1.7 oss
```

- Create Teleport Configuration: Generate the base configuration file for Teleport. The file lives under `/etc`, so write it through `sudo tee` rather than a plain shell redirect, which would run as your unprivileged user and fail.

```shell
teleport configure | sudo tee /etc/teleport.yaml > /dev/null
```

- Create and Enable Systemd Service: Set up Teleport to run as a systemd service so it starts automatically on boot.

```shell
sudo teleport install systemd -o /etc/systemd/system/teleport.service
sudo systemctl enable --now teleport
```
Part 2: Exposing Teleport with Cloudflare Tunnels #
Next, we’ll use Cloudflare Tunnels to securely expose your Teleport instance to the internet.
- Set up Your Domain: Purchase a domain through Cloudflare or a third-party registrar like Namecheap. If you use a third party, add your domain to your Cloudflare account and follow the steps to manage its DNS there.
- Create a Cloudflare Tunnel: Navigate to the Zero Trust dashboard in Cloudflare. Go to Access -> Tunnels and create a new tunnel.
- Install `cloudflared`: Follow the instructions to install the `cloudflared` service on your Fedora server. This service creates a secure, outbound-only connection to Cloudflare’s network.
- Route Traffic to Teleport: We need to configure the tunnel to route traffic to your Teleport web console, which runs on `https://localhost:3080` by default. Create a public hostname for your tunnel that points to this local service.
- Update Teleport’s Public Address: Edit `/etc/teleport.yaml` and set the `public_addr` to your domain. This tells Teleport what its public-facing address is.

```yaml
proxy_service:
  enabled: "yes"
  public_addr: your-domain.xyz:443
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme: {}
```

- Restart Teleport: Apply the changes by restarting the Teleport service.

```shell
sudo systemctl restart teleport
```
At this point, your Teleport instance should be accessible at the domain you configured.
Part 3: Securing Access with GitHub SSO #
Now, let’s configure Single Sign-On (SSO) with GitHub to secure access to Teleport.
- Create a GitHub OAuth App: Go to your GitHub developer settings (https://github.com/settings/developers) and create a new OAuth application.
- Create GitHub Connector Configuration: Create a new file named `github-auth.yaml` with the following content. Replace the `client_id`, `client_secret`, and other values with your own.

```yaml
kind: github
metadata:
  name: github
spec:
  client_id: <YOUR_GITHUB_CLIENT_ID>
  client_secret: <YOUR_GITHUB_CLIENT_SECRET>
  display: GitHub
  redirect_url: https://<YOUR_TELEPORT_DOMAIN>/v1/webapi/github/callback
  teams_to_roles:
    - organization: Aditya-Homelab
      team: admin
      roles:
        - access
        - editor
version: v3
```

- Apply the Connector: Use `tctl` to create the new authentication connector.

```shell
sudo tctl create -f github-auth.yaml
```

- Add User to Teleport Role: Add your Linux user (e.g., `fedora`) to the `access` role in Teleport. This allows the user to log in to the server via Teleport.
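One concrete way to carry out that last step, as an added example that is not from the original post: instead of editing the preset `access` role in place, define a dedicated role that permits the `fedora` login on every node and access to every registered app, then hand it out through the GitHub team mapping. The role name `homelab-access`, the `v7` role version and the wildcard labels are assumptions.

```yaml
# Added example (not from the original post): a dedicated Teleport role that
# grants the "fedora" login. Role name, version and labels are assumptions.
kind: role
version: v7
metadata:
  name: homelab-access
spec:
  allow:
    # OS users this role may log in as over Teleport SSH; keep it to the
    # account you actually administer with, not root.
    logins:
      - fedora
    # Which registered nodes and apps the role may reach. '*': '*' matches
    # everything in this single-machine lab; narrow it if more hosts join.
    node_labels:
      '*': '*'
    app_labels:
      '*': '*'
```

Save it as `homelab-access.yaml`, create it with `sudo tctl create -f homelab-access.yaml`, add `homelab-access` to the `roles:` list under `teams_to_roles` in `github-auth.yaml`, and re-apply the connector with `sudo tctl create -f github-auth.yaml` (`-f` overwrites the existing resource). Because the login is tied to a GitHub team rather than to an individual user, removing someone from the team revokes their shell access on the next login.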
Part 4: Accessing Internal Web Apps via Teleport #
One of the biggest advantages of Teleport is its ability to provide secure access to internal web applications. This creates a single, authenticated entry point for all your services without needing a VPN.
As an example, we’ll add Cockpit, a web-based server management interface that is installed by default on Fedora Server and accessible at http://localhost:9090.
- Add the Application to Teleport: Edit `/etc/teleport.yaml` and add the application to the `app_service` section.

```yaml
app_service:
  enabled: "yes"
  apps:
    - name: "cockpit"
      uri: "http://127.0.0.1:9090"
```

- Configure Wildcard DNS: Teleport makes apps available at subdomains (e.g., `cockpit.your-domain.xyz`). For this to work, we need a wildcard DNS record.
  - In your Cloudflare Tunnel, add another public hostname with a wildcard subdomain (`*.your-domain.xyz`) pointing to your Teleport service (`https://localhost:3080`).
  - This does not automatically create the DNS record. Go to your domain’s DNS settings in Cloudflare and create a CNAME record with `*` as the name, pointing to your tunnel’s domain (`your-domain.xyz`).
- Update Cockpit’s Configuration: By default, Cockpit only allows access from the local machine. We need to allow access from our domain. Edit `/etc/cockpit/cockpit.conf` and add the following:

```ini
[WebService]
Origins = https://*.your-domain.xyz
```

- Restart Cockpit:

```shell
sudo systemctl restart cockpit.service
```
You should now be able to access Cockpit through the Teleport dashboard.
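The two public hostnames created in the dashboard in Parts 2 and 4 (the apex for the Teleport web console and the wildcard for the apps it publishes), written out as a locally managed `cloudflared` configuration file. This is an added example, not part of the original post or of Cloudflare’s own documentation, for anyone who prefers a file under version control to the Zero Trust dashboard; a dashboard-managed tunnel needs no such file. The tunnel ID and credentials path are placeholders. `noTLSVerify` is assumed because Teleport, with `https_keypairs: []` as configured above, serves its own self-signed certificate on port 3080; that hop is loopback only, so skipping verification does not put traffic on the network.

```yaml
# Added example (not from the original post): locally managed cloudflared
# config (/etc/cloudflared/config.yml). Tunnel ID and credentials path are
# placeholders; a dashboard-managed tunnel does not use this file.
tunnel: <YOUR_TUNNEL_ID>
credentials-file: /etc/cloudflared/<YOUR_TUNNEL_ID>.json

ingress:
  # Apex hostname: the Teleport web console and the GitHub SSO callback.
  - hostname: your-domain.xyz
    service: https://localhost:3080
    originRequest:
      # Teleport serves a self-signed certificate on 3080 (https_keypairs is
      # empty in the config above); the hop is loopback, so skipping
      # verification does not expose traffic to the LAN or the internet.
      noTLSVerify: true
  # Wildcard hostname: every app Teleport publishes (cockpit.your-domain.xyz, ...).
  # cloudflared forwards the original Host header, which is how Teleport
  # tells the apps apart.
  - hostname: "*.your-domain.xyz"
    service: https://localhost:3080
    originRequest:
      noTLSVerify: true
  # Required catch-all: any other hostname gets a 404 instead of reaching Teleport.
  - service: http_status:404
```

Check the file with `cloudflared tunnel ingress validate` before restarting the service, and confirm a given URL lands on the rule you expect with `cloudflared tunnel ingress rule https://cockpit.your-domain.xyz`. The wildcard CNAME from the step above is still required; the ingress rule only decides where matching requests go once they arrive.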
Part 5: Authenticating to Web Apps #
Teleport can even handle authentication for the web apps it protects. Here’s a simple example of how to automatically log in to Cockpit as the `fedora` user.
- Generate Basic Auth Header: We’ll use basic authentication. First, create a base64-encoded string of `username:password`.

```shell
echo -n "fedora:yourpassword" | base64
```

- Update Teleport App Configuration: Modify the app configuration in `/etc/teleport.yaml` to add the `Authorization` header to every request.

```yaml
app_service:
  enabled: "yes"
  apps:
    - name: "cockpit"
      uri: "http://127.0.0.1:9090"
      rewrite:
        headers:
          - "Authorization: Basic <YOUR_BASE64_STRING>"
```

- Restart Teleport:

```shell
sudo systemctl restart teleport
```

Now, Teleport will automatically authenticate you as the `fedora` user when you access Cockpit. This was a simple example, but Teleport also supports passing JWT tokens for more advanced OIDC-based authentication.
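For cross-checking your own file, here is the complete `/etc/teleport.yaml` as it looks once the fragments from Parts 2, 4 and 5 are merged into the file that `teleport configure` generated. This is an added example, not the original post’s file: `nodename`, `cluster_name`, the `ssh_service` label and the listen addresses are assumptions, and the `proxy_service` and `app_service` sections mirror the fragments above. Keep whatever `cluster_name` your generated file already has; it cannot be changed once the auth service has started.

```yaml
# Added example (not from the original post): full /etc/teleport.yaml after
# Parts 2, 4 and 5. nodename, cluster_name, the ssh_service label and the
# listen addresses are assumptions; the rest mirrors the fragments above.
version: v3
teleport:
  nodename: homelab
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  # Do not change this after the first start; it is baked into the cluster CA.
  cluster_name: your-domain.xyz
  proxy_listener_mode: multiplex
ssh_service:
  enabled: "yes"
  labels:
    role: homelab
proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:3080
  # Must match the public hostname routed by the Cloudflare Tunnel.
  public_addr: your-domain.xyz:443
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme: {}
app_service:
  enabled: "yes"
  apps:
    - name: "cockpit"
      # Cockpit listens on loopback only; Teleport is the sole path to it.
      uri: "http://127.0.0.1:9090"
      rewrite:
        headers:
          # Static credential: every Teleport user allowed to open this app
          # becomes "fedora" in Cockpit, so limit who gets the app via roles.
          - "Authorization: Basic <YOUR_BASE64_STRING>"
```

Because the file now carries the Cockpit password (base64 is encoding, not encryption), tighten its permissions with `sudo chmod 600 /etc/teleport.yaml` before restarting, and watch `sudo journalctl -u teleport -f` during the restart to catch any parse error.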
Part 6: Optional Configurations & Tips #
Here are a few extra tips to improve your homelab experience, especially if you are using a laptop or need more control over your setup.
1. Control Service Startup Order #
If you find that Teleport starts before Cockpit or the Cloudflare Tunnel is ready, you can force it to wait. This ensures that your web apps are accessible immediately after a reboot.
- Open the systemd override file for the Teleport service.

```shell
sudo systemctl edit teleport.service
```

- Add the following lines to make Teleport start after the other required services.

```ini
[Unit]
After=cockpit.service cloudflared.service network-online.target
Wants=cockpit.service cloudflared.service network-online.target
```

`After=` ensures Teleport waits for the listed services to start first. `Wants=` will attempt to start these services if they aren’t already running.
2. Prevent Laptop from Sleeping #
If you’re using a laptop as your server, you’ll likely want it to stay on even when the lid is closed.
- Run the following command to create a systemd configuration file that tells the system to ignore the lid switch.

```shell
sudo tee /etc/systemd/logind.conf << EOF > /dev/null
[Login]
HandleLidSwitch=ignore
EOF
```

- Then, apply the new configuration.

```shell
sudo restorecon -F -R /etc/systemd
sudo systemctl restart systemd-logind.service
```
3. Enable Automatic Login #
To ensure your services start immediately on boot without requiring you to log in first, you can enable autologin for your user.
- Edit the `getty` service configuration.

```shell
sudo systemctl edit getty@tty1
```

- Add the following lines, replacing `your_user` with your actual username.

```ini
[Service]
ExecStart=
ExecStart=-/usr/sbin/agetty --autologin your_user --noclear %I $TERM
```

- Reload the systemd daemon and restart the service.

```shell
sudo systemctl daemon-reexec
sudo systemctl restart getty@tty1
```
4. Install a Desktop Environment (Optional) #
While not typical for a server, you might want a desktop environment if your homelab machine doubles as a workstation.
- Install the GNOME desktop environment.

```shell
sudo dnf group install gnome-desktop
```

- Set the default boot target.
  - To boot into the command line (headless) by default:

```shell
sudo systemctl set-default multi-user.target
```

  - To boot into the graphical desktop by default:

```shell
sudo systemctl set-default graphical.target
```

- To make switching easy, you can add aliases to your `~/.bashrc` file.

```shell
echo "alias gnome='sudo systemctl isolate graphical.target'" >> ~/.bashrc
echo "alias headless='sudo systemctl isolate multi-user.target'" >> ~/.bashrc
source ~/.bashrc
```

Now you can simply type `gnome` to start the desktop or `headless` to return to the command line.
Conclusion #
Congratulations! You’ve successfully set up a secure and remotely accessible homelab with Fedora, Teleport, and Cloudflare. You now have a single, secure entry point to all your self-hosted applications, complete with SSO authentication.
From here, the possibilities are endless. You can add more applications to Teleport, explore its other features like SSH access and Kubernetes integration, or set up monitoring for your new homelab. Happy labbing!