
Have multiple PiKVMs in your environment? Is your network behind carrier-grade NAT? Don't want to open a port on your firewall? You can use Cloudflare Tunnel to reach your PiKVM from anywhere, whatever the limitations of the network it sits on: cloudflared makes an outbound connection to Cloudflare's edge, so nothing inbound has to be allowed through the firewall.

Setup

  1. Log into the PiKVM shell over SSH
  2. Switch to root: su -
  3. Make the root filesystem writable: rw
  4. Refresh the package database: pacman -Syy
  5. Install Go, which is needed to build cloudflared: pacman -S go


  6. Create a private key and a certificate signing request (CSR) for Cloudflare's Origin CA to sign (see the Arch wiki, OpenSSL#Generate_an_RSA_private_key)
     openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.key
     openssl req -new -sha256 -key private.key -out crt.req
     Use the tunnel's public hostname as the Common Name when prompted. Note that Origin CA certificates are trusted by Cloudflare's edge and by cloudflared, not by browsers, so opening the PiKVM directly on the LAN will still show a certificate warning.

  7. In the Cloudflare dashboard go to SSL/TLS -> Origin Server and click Create Certificate
  8. Choose "Use my private key and CSR" and paste the full contents of crt.req
  9. Click Create and save the returned certificate on the PiKVM as public.crt

  10. Update the PiKVM certificates (see the Let's Encrypt and PiKVM documentation)
    • Copy the two files to /etc/kvmd/nginx/ssl/ (either rename the old server.crt/server.key or use the new names)
    • Update ownership and permissions so only root and the nginx worker group can read the key
        cd /etc/kvmd/nginx/ssl/
        chown root:kvmd-nginx *
        chmod 440 private.key
        chmod 444 public.crt
    • If you kept the new file names, point /etc/kvmd/nginx/ssl.conf at them; the third sed also drops the legacy TLS 1.0 and 1.1 protocols from the ssl_protocols line
        sed -i 's/server.crt/public.crt/' /etc/kvmd/nginx/ssl.conf
        sed -i 's/server.key/private.key/' /etc/kvmd/nginx/ssl.conf
        sed -i 's/TLSv1.1 TLSv1//' /etc/kvmd/nginx/ssl.conf
    • Restart nginx
      systemctl restart kvmd-nginx
    • Reload the PiKVM web page; the certificate should now be issued by Cloudflare's Origin CA

  11. Switch back to the standard user, since makepkg refuses to run as root: exit
  12. Build cloudflared from the AUR; this takes a few minutes on a Pi
    git clone https://aur.archlinux.org/cloudflared.git
    cd cloudflared/
    makepkg
  13. Switch back to root (su -) and install the package makepkg produced; the exact file name is printed at the end of the build (cloudflared's version numbers are dates)
    pacman -U cloudflared-<version>-armv7h.pkg.tar.xz

  14. Set up the tunnel (Cloudflare Tunnel Guide)
    cloudflared tunnel login
    cloudflared tunnel create <name of tunnel to create>
    cloudflared tunnel route dns <tunnel id> <hostname>
    • login prints a URL to open in a browser; after you pick the zone it stores an account certificate in /root/.cloudflared/cert.pem
    • create writes the tunnel credentials to /root/.cloudflared/<tunnel id>.json; treat that file like a private key, since anyone holding it can run the tunnel
    • route dns adds a CNAME for <hostname> pointing at the tunnel; you can see the record in the zone's DNS settings

  15. Create the config file at /root/.cloudflared/config.yml
    url: https://localhost:443
    tunnel: <tunnel id>
    credentials-file: /root/.cloudflared/<tunnel id>.json
    origin-server-name: <hostname>
    • origin-server-name makes cloudflared verify the origin's certificate (the one installed in step 10) against <hostname> rather than "localhost"; do not work around certificate errors with no-tls-verify, fix the certificate instead

  16. Test the tunnel
    cloudflared tunnel run <tunnel id>
    • In any browser, go to the hostname you routed; the PiKVM login page should now load
    • Press Ctrl-C to stop the test

  17. Once the test is successful, move the config into place for the service, keeping the file the package installed as a backup
    mv /etc/cloudflared/config.yml /etc/cloudflared/config.yml.original
    mv /root/.cloudflared/config.yml /etc/cloudflared/config.yml

  18. Enable the tunnel at boot; the service runs as root, so it can still read the credentials file in /root/.cloudflared
    cloudflared service install
    systemctl enable cloudflared
  19. Set the PiKVM filesystem back to read-only: ro
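The script below is an added example for steps 6, 10 and 15, not code from the original post, from PiKVM or from cloudflared. It assumes openssl is on PATH; the function names and argument order, the kvm.example.com hostname and the all-zero tunnel id are made up for the demo. It generates the key and CSR non-interactively, checks before kvmd-nginx is restarted that the certificate Cloudflare returned actually belongs to private.key, is unexpired and covers the hostname cloudflared will verify, and writes the step 15 config in cloudflared's ingress form (which current releases document and which works for a single service too), refusing a config that turns origin TLS verification off.

```shell
#!/bin/sh
# Added pre-flight checks for the procedure above (example code, not PiKVM's or
# cloudflared's). Assumes openssl on PATH. Run "sh preflight.sh demo" to see it
# exercise itself against a constructed key, CSR and stand-in certificate.

# Step 6, non-interactively. Hypothetical argument order: KEY_OUT CSR_OUT HOSTNAME;
# the CSR's CN is the public hostname the tunnel will serve.
make_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  openssl req -new -sha256 -key "$1" -subj "/CN=$3" -out "$2"
}

# Before restarting kvmd-nginx (step 10): CERT KEY HOSTNAME. Returns 0 only if
#  1. the certificate Cloudflare returned was issued for this private key,
#  2. it has not expired, and
#  3. it covers HOSTNAME, the name cloudflared checks via origin-server-name.
check_origin_cert() {
  cert=$1; key=$2; host=$3
  openssl x509 -in "$cert" -noout 2>/dev/null || { echo "unreadable certificate $cert" >&2; return 1; }
  openssl pkey -in "$key" -noout 2>/dev/null || { echo "unreadable key $key" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "public.crt does not match private.key" >&2; return 1; }
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "certificate has expired" >&2; return 1; }
  # Accept the name either as a SAN entry or, for CSRs without extensions, as the subject CN.
  openssl x509 -in "$cert" -noout -text | grep -qE "DNS:$host(,|$)" \
    || openssl x509 -in "$cert" -noout -subject | grep -qE "CN *= *$host(,|/|$)" \
    || { echo "certificate does not cover $host" >&2; return 1; }
}

# Step 15 in cloudflared's ingress form: OUT TUNNEL_ID CREDENTIALS_FILE HOSTNAME.
# Only the routed hostname reaches the PiKVM; the mandatory catch-all rule answers
# anything else with 404.
write_tunnel_config() {
  cat >"$1" <<EOF
tunnel: $2
credentials-file: $3
ingress:
  - hostname: $4
    service: https://localhost:443
    originRequest:
      # Verify the origin certificate against the public name, not "localhost".
      originServerName: $4
  - service: http_status:404
EOF
}

# Refuse a config that disables origin TLS verification or lacks the catch-all rule.
check_tunnel_config() {
  if grep -qiE '^[[:space:]]*(noTLSVerify|no-tls-verify):[[:space:]]*true' "$1"; then
    echo "origin TLS verification is disabled in $1" >&2; return 1
  fi
  grep -q 'service: http_status:404' "$1" || { echo "missing catch-all ingress rule in $1" >&2; return 1; }
}

demo() {
  d=$(mktemp -d)
  host=kvm.example.com                       # constructed hostname
  tid=00000000-0000-0000-0000-000000000000   # constructed tunnel id
  make_key_and_csr "$d/private.key" "$d/crt.req" "$host"
  # Stand-in for the certificate Cloudflare's Origin CA returns in step 9: self-sign the CSR.
  openssl x509 -req -in "$d/crt.req" -signkey "$d/private.key" -days 1 -out "$d/public.crt" 2>/dev/null
  check_origin_cert "$d/public.crt" "$d/private.key" "$host" && echo "origin certificate OK"
  write_tunnel_config "$d/config.yml" "$tid" "/root/.cloudflared/$tid.json" "$host"
  check_tunnel_config "$d/config.yml" && echo "tunnel config OK" && cat "$d/config.yml"
  rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On a real PiKVM, run check_origin_cert against the files in /etc/kvmd/nginx/ssl/ before the systemctl restart in step 10, and after copying the generated config to /etc/cloudflared/config.yml run cloudflared tunnel ingress validate, which parses the ingress rules without starting the tunnel.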

At this point anyone on the internet who knows the hostname reaches the PiKVM login page, with only PiKVM's own credentials in the way. To put an identity check in front of it, set up Cloudflare Access:

  1. Sign in or create an account for Cloudflare for Teams (now Cloudflare Zero Trust) and create a new team. Cloudflare provides 50 users free per team.
  2. Select Access -> Application and click Add an application
    1. Select Self-hosted
    2. Enter an application name
    3. Under Application domain select the base domain and enter the chosen subdomain in the first field
    4. Select the configured identity providers. One-time PIN is the easiest to set up, but any configured provider can be used. Enable Instant Auth if only one provider is used
    5. On the next page, create the access policy
      • If you do not have a group yet, create one in the My Team section and add yourself as a member by email address
    6. On the last setup page click Add application
    7. Browse to the hostname; you should now get a Cloudflare Access prompt before the PiKVM login page. Keep PiKVM's own login enabled as a second layer: Access is enforced at Cloudflare's edge, not on the PiKVM itself
