Setting Up a Secure Fedora Homelab with Teleport & Cloudflare

Aditya Hebballe, OSCP Certified Penetration Tester
Fedora Homelab - This article is part of a series.

Introduction

Have you ever wanted your own server at home to run applications, host files, or experiment with new technologies? A homelab is the perfect way to do just that. But what about accessing your homelab securely from anywhere in the world? That’s where things can get complicated.

In this guide, I’ll walk you through setting up a powerful and secure homelab using a combination of Fedora Server, Teleport, and Cloudflare Tunnels. We’ll cover everything from the initial OS installation to configuring secure remote access and even integrating your favorite web applications. By the end of this tutorial, you’ll have a fully functional homelab that you can securely access from anywhere, without the need for a VPN.

We can use this homelab later to host our Kubernetes or OpenShift experiments.

Prerequisites

Before we begin, make sure you have the following:

  • A dedicated machine: This can be an old laptop, a desktop, or even a Raspberry Pi. This guide uses an x86-64 setup.
  • A domain name: You can purchase one from a registrar like Namecheap or directly from Cloudflare. You can get a domain for as low as $2.
  • A Cloudflare account: We’ll use it to manage our domain and create a secure tunnel.
  • A GitHub account: This will be used for setting up SSO (Single Sign-On).
  • Basic Linux command-line knowledge: You should be comfortable with navigating the terminal and editing files.

Architecture Overview

Here is a high-level look at how all the pieces fit together. The user connects to your domain, which is managed by Cloudflare. Cloudflare Tunnel securely forwards the traffic to the Teleport Proxy service running in your homelab, which then authenticates the user and grants access to internal applications like Cockpit.

[Figure: architecture flowchart]

Part 1: Fedora Server & Teleport Installation

First, we need to set up the base operating system and install Teleport.

  1. Install Fedora Server: Start by installing a fresh copy of Fedora Server (this guide used version 42) on your dedicated machine. I followed this guide; I would suggest using Fedora Media Writer to flash the ISO to your USB for a smooth experience. Ventoy is also a solid choice.

  2. Install Teleport: Once Fedora is running, install the Teleport OSS package using the official install script.

    curl https://cdn.teleport.dev/install.sh | sudo bash -s v18.1.7 oss
    
  3. Create Teleport Configuration: Generate the base configuration file for Teleport.

    teleport configure > /etc/teleport.yaml
    
  4. Create and Enable Systemd Service: Set up Teleport to run as a systemd service so it starts automatically on boot.

    sudo teleport install systemd -o /etc/systemd/system/teleport.service
    sudo systemctl enable --now teleport
    

Part 2: Exposing Teleport with Cloudflare Tunnels

Next, we’ll use Cloudflare Tunnels to securely expose your Teleport instance to the internet.

  1. Set up Your Domain: Purchase a domain through Cloudflare or a third-party registrar like Namecheap. If you use a third party, add your domain to your Cloudflare account and follow the steps to manage its DNS there.

  2. Create a Cloudflare Tunnel: Navigate to the Zero Trust dashboard in Cloudflare. Go to Access -> Tunnels and create a new tunnel.

    [Screenshot: Cloudflare Tunnel Creation]

  3. Install cloudflared: Follow the instructions to install the cloudflared service on your Fedora server. This service creates a secure, outbound-only connection to Cloudflare’s network.

  4. Route Traffic to Teleport: We need to configure the tunnel to route traffic to your Teleport web console, which runs on https://localhost:3080 by default. Create a public hostname for your tunnel that points to this local service.

    [Screenshot: Cloudflare Public Hostname]

  5. Update Teleport’s Public Address: Edit /etc/teleport.yaml and set the public_addr to your domain. This tells Teleport what its public-facing address is.

    proxy_service:
      enabled: "yes"
      public_addr: your-domain.xyz:443
      https_keypairs: []
      https_keypairs_reload_interval: 0s
      acme: {}
    
  6. Restart Teleport: Apply the changes by restarting the Teleport service.

    sudo systemctl restart teleport
    

At this point, your Teleport instance should be accessible at the domain you configured.

Part 3: Securing Access with GitHub SSO

Now, let’s configure Single Sign-On (SSO) with GitHub to secure access to Teleport.

  1. Create a GitHub OAuth App: Go to your GitHub developer settings (https://github.com/settings/developers) and create a new OAuth application.

    [Screenshot: GitHub OAuth App]
    Optionally, create a GitHub organization and a team within it for managing access. This guide uses an organization called “Aditya-Homelab” and a team called “admin”.

  2. Create GitHub Connector Configuration: Create a new file named github-auth.yaml with the following content. Replace the client_id, client_secret, and other values with your own.

    kind: github
    metadata:
      name: github
    spec:
      client_id: <YOUR_GITHUB_CLIENT_ID>
      client_secret: <YOUR_GITHUB_CLIENT_SECRET>
      display: GitHub
      redirect_url: https://<YOUR_TELEPORT_DOMAIN>/v1/webapi/github/callback
      teams_to_roles:
        - organization: Aditya-Homelab
          team: admin
          roles:
            - access
            - editor
    version: v3
    
  3. Apply the Connector: Use tctl to create the new authentication connector.

    sudo tctl create -f github-auth.yaml
    
  4. Add User to Teleport Role: Add your Linux user (e.g., fedora) to the access role in Teleport. This allows the user to log in to the server via Teleport.

    [Screenshot: Teleport Access Role]

Part 4: Accessing Internal Web Apps via Teleport

One of the biggest advantages of Teleport is its ability to provide secure access to internal web applications. This creates a single, authenticated entry point for all your services without needing a VPN.

As an example, we’ll add Cockpit, a web-based server management interface that is installed by default on Fedora Server and accessible at http://localhost:9090.

  1. Add the Application to Teleport: Edit /etc/teleport.yaml and add the application to the app_service section.

    app_service:
      enabled: "yes"
      apps:
      - name: "cockpit"
        uri: "http://127.0.0.1:9090"
    
  2. Configure Wildcard DNS: Teleport makes apps available at subdomains (e.g., cockpit.your-domain.xyz). For this to work, we need a wildcard DNS record.

    • In your Cloudflare Tunnel, add another public hostname with a wildcard subdomain (*.your-domain.xyz) pointing to your Teleport service (https://localhost:3080).
      [Screenshot: Cloudflare Wildcard Hostname]
    • This does not automatically create the DNS record. Go to your domain’s DNS settings in Cloudflare and create a CNAME record with * as the name, pointing to your tunnel’s domain (your-domain.xyz).
      [Screenshot: Cloudflare CNAME Record]
  3. Update Cockpit’s Configuration: By default, Cockpit only allows access from the local machine. We need to allow access from our domain. Edit /etc/cockpit/cockpit.conf and add the following:

    [WebService]
    Origins = https://*.your-domain.xyz

  4. Restart Cockpit:

    sudo systemctl restart cockpit.service
    

You should now be able to access Cockpit through the Teleport dashboard.
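Before moving on, it is worth checking the three edits made so far (public_addr in Part 2, the app_service uri, and the Cockpit Origins line) with something more reliable than eyeballing the files. The script below is an added example, not part of the original post; it runs the checks against constructed copies of the two files using a made-up domain (lab.example.net), and the same functions work on the real /etc/teleport.yaml and /etc/cockpit/cockpit.conf.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: sanity checks for the
# /etc/teleport.yaml and /etc/cockpit/cockpit.conf edits described above.
# Point the functions at the real files after editing; the samples written by
# write_samples are constructed and use the made-up domain lab.example.net.

# 0 when proxy_service.public_addr no longer holds the your-domain.xyz
# placeholder and ends in :443 (the port Cloudflare Tunnel forwards).
public_addr_ok() {
    addr=$(sed -n 's/^[[:space:]]*public_addr:[[:space:]]*//p' "$1" | head -n 1)
    case "$addr" in
        '' | *your-domain.xyz*) return 1 ;;
        *:443) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when every app_service uri points at loopback. Cockpit should be reachable
# only through Teleport; a LAN or 0.0.0.0 address here would let a client on the
# local network reach the app without passing the SSO step.
apps_bind_loopback() {
    for uri in $(sed -n 's/^[[:space:]]*uri:[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$1"); do
        host=$(printf '%s' "$uri" | sed 's#^[a-z]*://##; s#[:/].*$##')
        case "$host" in
            127.0.0.1 | localhost) ;;
            *) echo "app uri is not loopback: $uri" >&2; return 1 ;;
        esac
    done
    return 0
}

# 0 when cockpit.conf lists https://*.DOMAIN in Origins. Cockpit rejects
# cross-origin WebSocket connections otherwise, and the scheme must be https
# because the browser reaches Cockpit through Teleport over TLS.
origins_ok() {
    dom=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*Origins[[:space:]]*=.*https://\*\.$dom([[:space:]]|\$)" "$1"
}

# Constructed sample files mirroring the snippets in the post.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/teleport.yaml" <<'EOF'
proxy_service:
  enabled: "yes"
  public_addr: lab.example.net:443
app_service:
  enabled: "yes"
  apps:
  - name: "cockpit"
    uri: "http://127.0.0.1:9090"
EOF
    cat > "$dir/cockpit.conf" <<'EOF'
[WebService]
Origins = https://*.lab.example.net
EOF
    echo "$dir"
}

# Demo run on the constructed samples.
d=$(write_samples)
if public_addr_ok "$d/teleport.yaml" && apps_bind_loopback "$d/teleport.yaml" \
   && origins_ok "$d/cockpit.conf" lab.example.net; then
    echo "config checks passed"
fi
rm -rf "$d"
```

On the homelab itself, run `public_addr_ok /etc/teleport.yaml`, `apps_bind_loopback /etc/teleport.yaml` and `origins_ok /etc/cockpit/cockpit.conf your-domain.xyz` after each edit; a non-zero exit from any of them means the matching step above still needs attention.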

Part 5: Authenticating to Web Apps

Teleport can even handle authentication for the web apps it protects. Here’s a simple example of how to automatically log in to Cockpit as the fedora user.

  1. Generate Basic Auth Header: We’ll use basic authentication. First, create a base64-encoded string of username:password.

    echo -n "fedora:yourpassword" | base64
    
  2. Update Teleport App Configuration: Modify the app configuration in /etc/teleport.yaml to add the Authorization header to every request.

    app_service:
      enabled: "yes"
      apps:
      - name: "cockpit"
        uri: "http://127.0.0.1:9090"
        rewrite:
          headers:
          - "Authorization: Basic <YOUR_BASE64_STRING>"
    
  3. Restart Teleport:

    sudo systemctl restart teleport
    

Now, Teleport will automatically authenticate you as the fedora user when you access Cockpit. This was a simple example, but Teleport also supports passing JWT tokens for more advanced OIDC-based authentication.
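Two small details are easy to get wrong in the step above: `echo -n` is not portable across /bin/sh implementations (printf is), and once the header is in place /etc/teleport.yaml holds a reusable password in clear text, so its permissions matter. The script below is an added example, not code from the post or from Teleport: it builds the header, decodes it back as a sanity check, and verifies that the config file is root-owned with no group or other permission bits. The credential values are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: build the header Teleport will inject
# for Cockpit, check it decodes back to what you typed, and verify the permissions
# of the file that stores it. Credential values below are constructed.

# Produce "Authorization: Basic <base64 of user:password>". printf replaces
# `echo -n`, which is not portable across /bin/sh implementations, and tr strips
# the newline that base64 wraps long output with.
basic_auth_header() {
    printf 'Authorization: Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Decode a header produced above back to "user:password" (GNU base64 -d).
basic_auth_decode() {
    printf '%s' "$1" | sed 's/^Authorization: Basic //' | base64 -d
}

# /etc/teleport.yaml now holds a reusable password in clear text, so it should be
# owned by root (or by OWNER, the optional 2nd argument) with no group/other bits.
# GNU stat (Fedora): %U = owner name, %a = octal mode without leading zero.
config_perms_ok() {
    want=${2:-root}
    owner=$(stat -c '%U' "$1") || return 1
    mode=$(stat -c '%a' "$1") || return 1
    [ "$owner" = "$want" ] && [ $((mode % 100)) -eq 0 ]
}

# Demo: header for the constructed credential, then check the live config if present.
basic_auth_header fedora 'yourpassword'
echo
if [ -f /etc/teleport.yaml ] && ! config_perms_ok /etc/teleport.yaml; then
    echo "tighten it: sudo chown root:root /etc/teleport.yaml && sudo chmod 600 /etc/teleport.yaml" >&2
fi
```

Paste the printed header into the rewrite.headers list, then run `config_perms_ok /etc/teleport.yaml` (as root) before restarting Teleport; anyone who can read that file can log in to Cockpit as the fedora user without going through GitHub SSO.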

Part 6: Optional Configurations & Tips

Here are a few extra tips to improve your homelab experience, especially if you are using a laptop or need more control over your setup.

1. Control Service Startup Order

If you find that Teleport starts before Cockpit or the Cloudflare Tunnel is ready, you can force it to wait. This ensures that your web apps are accessible immediately after a reboot.

  1. Open the systemd override file for the Teleport service.

    sudo systemctl edit teleport.service
    
  2. Add the following lines to make Teleport start after the other required services.

    [Unit]
    After=cockpit.service cloudflared.service network-online.target
    Wants=cockpit.service cloudflared.service network-online.target

  • After= ensures Teleport waits for the listed services to start first.
  • Wants= will attempt to start these services if they aren’t already running.
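`systemctl edit` is interactive, which is awkward when you rebuild the homelab from a script. The functions below are an added example, not from the post: they write the same drop-in file that `systemctl edit` creates (`/etc/systemd/system/teleport.service.d/override.conf`), and first check that each unit named in After=/Wants= actually exists, since a typo there is silently ignored by systemd. SYSTEMD_ROOT is an assumed variable used only so the functions can be exercised on a scratch directory.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: non-interactive equivalent of the
# `systemctl edit teleport.service` step above. SYSTEMD_ROOT (assumed, for dry
# runs) overrides the /etc/systemd/system directory the drop-in is written to.

# 0 when every unit named on the command line has a unit file in the admin or
# vendor directory. A misspelled unit in After=/Wants= does not fail the boot;
# it is simply ignored, so check before writing the drop-in.
deps_exist() {
    for u in "$@"; do
        if [ ! -e "${SYSTEMD_ROOT:-/etc/systemd/system}/$u" ] \
           && [ ! -e "/usr/lib/systemd/system/$u" ]; then
            echo "unit file not found: $u" >&2
            return 1
        fi
    done
    return 0
}

# Write (or overwrite) the ordering drop-in for UNIT, listing the remaining
# arguments as both After= and Wants=, exactly as the snippet above does.
write_order_dropin() {
    unit=$1; shift
    deps=$*
    dir="${SYSTEMD_ROOT:-/etc/systemd/system}/$unit.d"
    mkdir -p "$dir"
    printf '[Unit]\nAfter=%s\nWants=%s\n' "$deps" "$deps" > "$dir/override.conf"
}

# Print the After= value currently set in UNIT's drop-in (non-zero if absent).
dropin_after() {
    f="${SYSTEMD_ROOT:-/etc/systemd/system}/$1.d/override.conf"
    [ -f "$f" ] && sed -n 's/^After=//p' "$f"
}

# Usage (dry run on a scratch directory; drop SYSTEMD_ROOT and run as root to apply,
# then `sudo systemctl daemon-reload`):
#   SYSTEMD_ROOT=$(mktemp -d) bash this-script.sh
if [ -n "${SYSTEMD_ROOT:-}" ]; then
    deps_exist cockpit.service cloudflared.service || echo "fix the unit names before applying" >&2
    write_order_dropin teleport.service cockpit.service cloudflared.service network-online.target
    echo "After=$(dropin_after teleport.service)"
fi
```

After writing the drop-in for real, run `sudo systemctl daemon-reload` and confirm the result with `systemctl show teleport.service -p After`; the listed units should appear in that output.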

2. Prevent Laptop from Sleeping

If you’re using a laptop as your server, you’ll likely want it to stay on even when the lid is closed.

  1. Run the following command to create a systemd configuration file that tells the system to ignore the lid switch.

    sudo tee /etc/systemd/logind.conf << EOF > /dev/null
    [Login]
    HandleLidSwitch=ignore
    EOF

  2. Then, apply the new configuration.

    sudo restorecon -F -R /etc/systemd
    sudo systemctl restart systemd-logind.service
    

3. Enable Automatic Login

To ensure your services start immediately on boot without requiring you to log in first, you can enable autologin for your user.

  1. Edit the getty service configuration.

    sudo systemctl edit getty@tty1
    
  2. Add the following lines, replacing your_user with your actual username.

    [Service]
    ExecStart=
    ExecStart=-/usr/sbin/agetty --autologin your_user --noclear %I $TERM
  3. Reload the systemd daemon and restart the service.

    sudo systemctl daemon-reexec
    sudo systemctl restart getty@tty1
    

4. Install a Desktop Environment (Optional)

While not typical for a server, you might want a desktop environment if your homelab machine doubles as a workstation.

  1. Install the GNOME desktop environment.

    sudo dnf group install gnome-desktop
    
  2. Set the default boot target.

    • To boot into the command line (headless) by default:
      sudo systemctl set-default multi-user.target
      
    • To boot into the graphical desktop by default:
      sudo systemctl set-default graphical.target
      
  3. To make switching easy, you can add aliases to your ~/.bashrc file.

    echo "alias gnome='sudo systemctl isolate graphical.target'" >> ~/.bashrc
    echo "alias headless='sudo systemctl isolate multi-user.target'" >> ~/.bashrc
    source ~/.bashrc
    

Now you can simply type gnome to start the desktop or headless to return to the command line.

Conclusion

Congratulations! You’ve successfully set up a secure and remotely accessible homelab with Fedora, Teleport, and Cloudflare. You now have a single, secure entry point to all your self-hosted applications, complete with SSO authentication.

From here, the possibilities are endless. You can add more applications to Teleport, explore its other features like SSH access and Kubernetes integration, or set up monitoring for your new homelab. Happy labbing!

