In Parts 1 through 4, we built a complete intelligence gathering system. We have Ziggy nodes sniffing Bluetooth traffic, a Raspberry Pi 5 crunching the data, and a beautiful Grafana dashboard visualizing the “Pattern of Life” on my street.
But there was one problem: It was trapped.
The dashboard lived at http://192.168.1.50:3000. To see it, I had to be home. But the whole point of a surveillance node is to check it when you aren’t home. I wanted to check the “Traffic Density” from my desk at work or pull up the “Who is Here” list on my phone while parked down the street.
I needed to expose my local Pi to the public internet.
The Old Way: Port Forwarding (The Trap)
In the old days, you would log into your router and forward Port 3000 to your Raspberry Pi. Do not do this.
Opening a port on your home router is like drilling a hole in your front door and hoping only your friends walk through it. Within minutes, bots from Shodan and script kiddies will be hammering that port, looking for vulnerabilities. If my Pi gets compromised, they are inside my home network.
The New Way: The Invisible Tunnel
The solution is Cloudflare Tunnel (formerly Argo Tunnel).
Instead of poking holes in my firewall to let traffic in, I run a small daemon (cloudflared) on the Raspberry Pi. This daemon creates an encrypted, outbound-only connection to Cloudflare’s global network.
Think of it like a secure pipe.
- The World: Connects to
ble.technoshed.co.uk(hosted by Cloudflare). - Cloudflare: Authenticates the request and shoots it down the pipe.
- My Pi: Receives the request through the existing pipe, asks Grafana for the data, and sends it back up.
My router sees nothing but standard outbound web traffic. No ports open. No public IP revealed. To the internet, my house is a fortress with the drawbridge up.
The Setup: Zero Trust Security
Setting this up was surprisingly easy because Cloudflare offers a Docker container for the tunnel agent. I added it to my existing docker-compose.yml stack:
YAML
cloudflared:
image: cloudflare/cloudflared:latest
command: tunnel run --token ${TUNNEL_TOKEN}
restart: always
network_mode: host
Once the tunnel was running, I routed the public domain ble.technoshed.co.uk directly to http://localhost:3000.
But I didn’t stop there. Just because the connection is secure doesn’t mean I want the public seeing my data. I added a layer of Cloudflare Access (Zero Trust).
Now, when you visit the URL, you don’t see Grafana. You see a Cloudflare login screen.
- It asks for an email address.
- If you aren’t me (specifically
karl@...), you get a 403 Forbidden. - If you are me, it sends a magic link to my email.
I now have a military-grade authentication layer sitting in front of my DIY Raspberry Pi project, and it cost me absolutely nothing.
The Conclusion: The Technoshed SIGINT Stack
We started this journey with a soldering iron and a £5 microcontroller. We ended it with a distributed, self-healing, cloud-secured Intelligence Platform.
The Technoshed BLE Scanner now runs 24/7/365.
- Ziggy (Pico W) sniffs the airwaves and survives network outages.
- The Backend (Pi 5) scrubs the data and fixes time-travel bugs.
- Grafana turns the noise into patterns.
- Cloudflare delivers those patterns to my pocket, anywhere in the world.
This project proved that you don’t need enterprise hardware to build enterprise capabilities. You just need a bit of curiosity, a willingness to debug “Loops of Death,” and a desire to see the invisible world moving past your window.
