Hi everyone, welcome back
So today we're going to try
something a little bit different.
We're gonna start a new video series
about all the different ways to
expose or access our homelab
from the internet.
The reason is mainly because
there's tons of options out there,
and I feel like it's not talked about
enough on YouTube.
Especially the security part
which is most important.
Almost everyone just assumes it's secure,
which isn't always the case,
so make sure to hit the Like button
Subscribe and Share
and let's get started.
Okay so how to do it,
to expose our homelab
there are five main ways
1. Secure Tunnels like Cloudflare
2. Reverse proxies like Nginx
3. Traditional VPNs like WireGuard
or OpenVPN protocols
4. Mesh VPNs like ZeroTier and Tailscale
and lastly 5. the old classic
port forwarding or NAT
So let's break down each one of them
quickly to understand the differences.
First secure tunnels like Cloudflare.
This is often defined as secure tunnels to
access your app without exposing your IP
making remote access easy.
It's also fairly easy to set up,
however, by default it's
not secured enough
and solely [relies] on your app security
but this can be improved.
We'll cover this later in another video.
Next, reverse proxies
like nginx.
It's a server that sits in the middle
and forwards requests to your homelab
helping you manage multiple
services under one domain.
While adding another layer of protection,
you will have more control over
your services and how to
contr-
manage them.
However, it exposes your IP and you must
open a port on your router to access it.
Next, traditional VPNs like WireGuard
or OpenVPN.
It creates an encrypted tunnel between
your device and your homelab
making it feel like you are on
the same local network.
It's good for privacy and security
but only useful when you are
the only user because
it's impossible to share access
without sharing your private key
to other users.
Next, mesh VPNs
like ZeroTier or Tailscale.
This is similar to normal VPNs except it
connects devices between each other
instead of connecting them
to a central server.
It has more control than normal VPNs in
the way that you can choose which
devices to share
but you must manually join the network
each time for each device
you want to give access to.
Finally NAT this is a classic way of
opening specific ports on your router
to expose your homelab.
It's simple but it also carries high
security risk if you rely on it alone.
Keep in mind NAT often gets used with
other methods as previously shown,
but going purely [on its own] port
forwarding is a no-go for secure setups.
Now, you may be wondering,
what's the most secure setup
to expose your home lab?
Actually, [it] depends on your apps
and what you want to do.
In my opinion, it's not about
which method you use
but more about how you combine
between them.
The best setup is to mix them
and make them work all together
to have the perfect setup.
Okay so first let's go to cloudflare.com
Go to "Sign Up"
and free at the website.
And let's create a new account now.
After that if you already have [a]
domain [previously purchased]
enter it here or for me I'm just
going to create a new domain.
For some reason I got an error
when trying to pay
So I'm just going to import an existing
domain. Just going to type it here.
Okay, so then go down
and choose the free package.
Next click on continue to activation.
Confirm. Next we need to
do some modifications
We need to modify,
the current name servers
with Cloudflare nameservers
to allow Cloudflare to control the domain.
To do that,
we go to the domain provider
in my case it's NameCheap.
So in my case I'm gonna do
custom DNS and then I copy....
the nameservers
and then I save.
It tells you that it can take
up to 48 hours
But it's not true it [can take] just a
few seconds or a few minutes max
But, just in case
If it takes a long time to update
Uh, this is normal so
just wait
There is no other choice
Okay, so after a while,
We get this page this means
everything is good
Now we go to access page
and then Launch Zero Trust.
We choose our account
Next you go to access
Next we choose team name
Just anything
Then we choose the free package of course
There is zero payment
Next we go to Networks
Tunnels
And we add a tunnel
We choose this one Cloudflared
We name our Tunnel
Homelab uh test
Next it will ask you to choose
your environment
In this case you just uh
You just choose docker
and then we just copy the command
because we just need the token.
We don't need to run anything docker
Then we go back to TrueNAS
and we install
the Cloudflared app.
This one
And here we['ve] got [to just]
paste what we had
and we just keep.
Remove everything, we just keep the token.
So anything before this goes.
That's it.
We don't need to set up anything else.
Even storage, it's not necessary.
And we install.
Okay now it's up and running.
Let's go back to Cloudflared profile.
Now we need to wait until we get uh
something here in connectors.
It will automatically search.
Alright here we go
It's connected.
So now we can continue.
Next
Now we're ready to add our first service.
Let's start by adding TrueNAS itself.
So let's just copy the IP
Then we choose the subdomain
TrueNAS
and choose the domain
then we choose HTTP
and then the IP
There is nothing specific to add there.
Let's save.
To test this I'm going to disconnect
from the VPN
Because I'm not at home I'm
connected to my home VPN.
So I'm just going to deactivate it
and try this.
To show that likely if I try to go
to the same IP
It's not going to work,
because I disconnected from the VPN.
And if I try
a domain,
new domain.
It works.
So now
TrueNAS is accessible
from the outside.
But this is not recommended of course.
If you want to expose something
just expose the apps individually
don't expose the whole thing.
so
So now I'm just going to delete it
and then I'm gonna add something else.
Okay now I want to add another service.
Maybe, Proxmox
Let's go to add the public hostname
Proxmox
same thing
here we're going to choose HTTPS
instead of HTTP
and then the IP
as well as the port which is 8...
8006
and then we go to
Additional Settings > TLS
and we enable No TLS verify.
It will not check certificates.
Okay, now let's save.
Let's try again now.
Nice! Now it works.
And we'll disconnect the VPN
and refresh
and it still works.
Okay now before we finish the video
let's do one last service
which is Paperless.
Since we already covered this
in a previous video,
we're going to see how to expose this
Why did I choose Paperless because
it's a bit tricky to set up
it's not as simple as
adding the hostname.
So, let's see first we just add the
hostname of course
same thing as always,
HTTPS, and then we take the URL
which is IP and Port
It chooses HTTP not HTTPS
Service name
So first it's gonna work normally
If I try to access.
Alright
Uh, but the problem is when you
try to login
You get this error.
CSRF verification failed.
Why?
We need to change some settings
to make it accessible.
According to the documentation,
we need to set this environment
variable (PAPERLESS_URL)
uh and uh, set it to the domain name
we used in Cloudflare.
So let's do that
go to Paperless > Edit
and let's just add it as an
environment variable here
PAPERLESS_URL
set it to paperless.yourdomain
make sure to add HTTPS to the beginning
and that's it.
Update.
In case you got stuck in deploying
which was the case for me
I'm not sure why but the
container Paperless
just stuck like this for a long time
So what I did is stop this instance
and create another instance
using the already created datasets.
So you're not going to lose anything
of your files.
So let's start another instance
Let's call it paperless-cloudflare.
We can change password if you want.
By the way you can choose any secret
key you want. Just want some random stuff
You don't need to remember it.
Okay, add an email
just a fake email.
Password.
Now we add again environment variable
PAPERLESS_URL
HTTPS
paperless…
dot
your domain
and then we add the other host path
Paperless this is the data.
let's copy this
And now Media
and then Consume
and Trash
this is PostScript
Make sure to check
"Automatic Permissions".
Then we hit install.
Let's wait [a] little bit.
It works but it takes some time.
Okay now it's running.
Let's start it.
First let's get the IP
I mean let's get the port--
IP is the same.
Go back to cloudflare
Hit it
Going to put the new port
Save
Let's try now
Okay, now new password
And now it works. We don't get
the error, the previous error.
And as you can see we still have the [same] documents as
before we didn't lose anything.
We still got all our documents.
Open them
And uh, everything works fine
That's it
Basically this is how to
expose your services on the cloud
To recap:
When you want to expose your app,
this is how it works.
We don't access the app directly
but rather you access the cloud server
cloudflare server. Cloudflare will
make exchanges
with your LAN network through Cloudflare
and then
It will give access to your app.
This way you don't access your app
directly which means you don't expose your
IP and you don't go through the NAT
you don't need to open a port
but be careful if your app is insecure
and you get hacked.
You directly expose all of your homelab
It doesn't matter if you use
Cloudflare or not
Like and Share if you made it this far.
See you in the next video