Introduction
I’ve always been fascinated by technology, and the idea of building my own personal lab at home has been on my mind for a while. The thought of having a personal server to experiment with, learn new technology, and host my own projects was incredibly exciting. However, the initial investment for a dedicated server can be quite steep. So I did some research to choose a device on a very minimal budget, and I found a few options: a Mini PC, a Raspberry Pi, or an old STB.
So I decided to reuse an old ZTE B860H V2 STB. I bought it through a marketplace along with its accessories (AC adapter, LAN cable); it also came with Armbian installed and an SSH server configured.
My Initial Setup
I started by configuring the basic network settings, ensuring the STB was connected to the router and had a stable internet connection. Next, I scanned my network using nmap to find the IP address of the STB.
$ sudo nmap -p 22 -O 192.168.1.1/24
After I found the IP address of my STB, I connected to it using SSH and changed the networking to use a wireless connection with nmtui, then restarted the network manager service to apply the configuration.
Connect my Homelab to Cloudflare
To enhance security and remote access to my homelab, I implemented Cloudflare Zero Trust. This service allows me to access my homelab securely over the internet while minimizing my exposure to potential threats. Here’s how I set it up:
Log in to Zero Trust and go to Networks > Tunnels.
Select Add a tunnel, or Create a tunnel if you already created a tunnel earlier.
Select Cloudflared as tunnel type.
Enter a tunnel name and click Save tunnel.
Install and run the connector. I chose Debian with the arm64 architecture because my homelab runs Armbian on arm64. All I had to do was copy the commands that install and start the cloudflared service and paste them into my homelab terminal.
When it connects successfully, the page shows the connector status as Connected. Click Next to configure the tunnel route.
Select Private Networks, enter the IP address of homelab server (or a range that includes the server IP). Typically this would be a private IP, but public IPs are also allowed.
Configure the traffic route. I use public hostnames for access: select the SSH service type and fill in the URL with localhost:22 (22 is the default SSH port). Click Save Tunnel to save the configuration.
Connect to my Homelab over the internet
Install WARP on client device
Configure the WARP client. In Zero Trust, go to Settings > WARP Client
Select Manage on device enrollment permissions.
Configure Device Enrollments rules.
Login to Cloudflare Zero Trust
Using GUI
Select the Cloudflare logo in the menu bar.
Click the gear icon (⚙).
Select Preferences
Go to Account and select Login with Cloudflare Zero Trust.
Enter team name.
Complete the authentication steps required by your organization.
Once authenticated, we’ll see a Success page and a dialog prompting you to open WARP.
Select Open Cloudflare WARP.app to complete the registration.
Using CLI
Enroll into Cloudflare Zero Trust using your organization's team name:
warp-cli registration new <your-team-name>
It will open a browser window, and we have to complete the authentication steps. Once authenticated, we will see a success page and a dialog prompting you to open a link.
Select Open Link
Verify the registration
warp-cli registration show
Enable the Gateway proxy for TCP.
In Zero Trust, go to Settings > Network
In Firewall section, turn on Proxy.
Route server IPs through WARP
First, check whether your Split Tunnels mode is set to Exclude or Include mode.
Select Include mode, add your SSH server's IP/CIDR range to the list.
Add a target
In Zero Trust go to Networks > Targets.
Select Add a target.
In Target hostname, enter a user-friendly name for the target resource.
In IP addresses, enter the IPv4 and/or IPv6 address of the target resource. The dropdown menu will not populate until you type in the full IP address.
Select Add Target.
Configure SSH Server
Generate a Cloudflare SSH CA
Create an API token with the following permissions:
| Type | Item | Permission |
| --- | --- | --- |
| Account | Access: SSH Auditing | Edit |
If you have not yet generated a Cloudflare SSH CA, make a POST request to the Cloudflare API:
curl --request POST \
  "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \
  --header "Authorization: Bearer <API_TOKEN>"
If you have already created a Cloudflare SSH CA or receive the error message access.api.error.gateway_ca_already_exists, make a GET request instead:
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca \
  --header "Authorization: Bearer <API_TOKEN>"
Copy the public_key value returned in the response.
Save the public key on the homelab server, in the /etc/ssh/ directory.
Enable PubkeyAuthentication and set TrustedUserCAKeys to the saved public key in the SSH server configuration (sshd_config):
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/<your_pub_key>.pub
Restart SSH server
sudo systemctl restart ssh
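The two sshd_config directives above only take effect if they are read before any conflicting line, so this added example (not part of the original post) scripts that edit and checks the result. The function names, the `#replaced:` marker and the sample key and files are constructed for illustration, and the script assumes the plain `Keyword value` spelling.

```shell
#!/bin/sh
# Added example: trust an SSH user CA in an sshd_config-style file.
# Paths and the key below are constructed placeholders, not values from the post.

# Succeeds only if FILE holds exactly one line shaped like an OpenSSH public key.
looks_like_pubkey() {
    [ -f "$1" ] && [ "$(grep -c . "$1")" -eq 1 ] &&
        grep -Eq '^(ssh|ecdsa|sk)-[a-z0-9@.-]+ [A-Za-z0-9+/]+=*( .*)?$' "$1"
}

# Rewrites CONF so both directives sit at the top of the global section.
# sshd keeps the first value it reads for a keyword, and lines after a
# "Match" line apply only inside that block, so appending is not reliable.
trust_user_ca() {
    conf=$1 ca=$2
    looks_like_pubkey "$ca" || { echo "bad CA key file: $ca" >&2; return 1; }
    tmp=$(mktemp) || return 1
    {
        printf 'PubkeyAuthentication yes\nTrustedUserCAKeys %s\n' "$ca"
        awk '
            tolower($1) == "match" { in_match = 1 }
            !in_match && tolower($1) ~ /^(pubkeyauthentication|trustedusercakeys)$/ {
                print "#replaced: " $0; next
            }
            { print }' "$conf"
    } > "$tmp" && cat "$tmp" > "$conf"   # cat keeps the file's owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Prints the first active global value of KEYWORD, the one sshd would use.
effective_value() {
    awk -v k="$2" 'tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Demo on constructed files (no root needed, the real /etc/ssh is untouched).
demo_dir=$(mktemp -d)
printf '%s\n' 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY= constructed-ca' > "$demo_dir/ca.pub"
printf '%s\n' 'Port 22' 'PubkeyAuthentication no' 'Match User backup' \
    '    PubkeyAuthentication no' > "$demo_dir/sshd_config"
trust_user_ca "$demo_dir/sshd_config" "$demo_dir/ca.pub" && cat "$demo_dir/sshd_config"
```

On the real server, run `sudo sshd -t` after editing so a syntax error is caught before the restart drops your only way in.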
Add an infrastructure application
In Zero Trust, go to Access > Applications.
Select Add an application.
Select Infrastructure.
Configure application
In Target criteria, select the target hostname(s) that will represent the application, and enter the Protocol and Port that will be used to connect to the server. The application definition will apply to all targets that share the selected hostname, including any targets added in the future.
Select Next.
Add Application policies, and configure rules.
Select Next
Test connection
ssh <username>@<homelab_private_ip>
Conclusion
Building a homelab on a minimal budget is entirely possible. Repurposing an old STB like the ZTE B860H V2 has proven to be a rewarding experience. It’s a fantastic platform for learning and experimenting. I encourage anyone interested in technology to consider building their own homelab, even if it starts with a modest setup like mine.