0:00:00.521,0:00:02.082 Hi everyone, welcome back
0:00:02.162,0:00:05.092 So today we're going to try something a little bit different.
0:00:05.142,0:00:08.126 We're gonna start a new video series
0:00:09.247,0:00:12.621 about all the different ways to expose or access our homelab
0:00:12.621,0:00:14.059 from the internet.
0:00:14.779,0:00:18.289 The reason is mainly because there's tons of options out there,
0:00:18.411,0:00:21.131 and I feel like it's not talked enough about on YouTube.
0:00:21.393,0:00:24.735 Especially the security part which is most important.
0:00:24.799,0:00:28.675 Almost everyone just assumes it's secure, which isn't always the case,
0:00:28.885,0:00:31.748 so make sure to hit the Like button, Subscribe and Share
0:00:31.929,0:00:33.450 and let's get started.
0:00:33.738,0:00:35.256 Okay so how to do it,
0:00:35.527,0:00:38.719 to expose our homelab there are five main ways
0:00:39.126,0:00:41.689 1. Secure Tunnels like Cloudflare
0:00:42.058,0:00:44.000 2. Reverse proxies like Nginx
0:00:44.289,0:00:48.129 3. Traditional VPNs like WireGuard or OpenVPN protocols
0:00:48.493,0:00:51.204 4. Mesh VPNs like ZeroTier and Tailscale
0:00:51.531,0:00:55.349 and lastly 5. the old classic port forwarding or NAT
0:00:55.349,0:00:59.146 So let's break down each one of them quickly to understand the differences.
0:00:59.441,0:01:02.330 First secure tunnels like Cloudflare.
0:01:02.330,0:01:06.722 This is often defined as secure tunnels to access your app without exposing your IP
0:01:06.722,0:01:08.856 making remote access easy.
0:01:08.856,0:01:10.949 It's also fairly easy to set up,
0:01:11.129,0:01:14.169 however, by default it's not secured enough
0:01:14.240,0:01:16.916 and solely [relies] on your app security
0:01:16.916,0:01:18.520 but this can be improved.
0:01:18.520,0:01:21.599 We'll cover this later in another video.
0:01:21.599,0:01:24.154 Next, reverse proxies like nginx.
0:01:24.226,0:01:28.198 It's a server that sits in the middle and forwards requests to your homelab
0:01:28.416,0:01:31.520 helping you manage multiple services under one domain.
0:01:31.662,0:01:33.758 While adding another layer of protection,
0:01:33.758,0:01:38.660 you will have more control over your services and how to
0:01:38.983,0:01:40.668 contr- manage them.
0:01:41.032,0:01:46.288 However, it exposes your IP and you must open a port on your router to access it.
0:01:47.000,0:01:51.006 Next, traditional VPNs like WireGuard or OpenVPN.
0:01:51.006,0:01:54.938 It creates an encrypted tunnel between your device and your homelab
0:01:55.076,0:01:57.854 making it feel like you are on the same local network.
0:01:57.854,0:02:00.634 It's good for privacy and security
0:02:00.634,0:02:03.318 but only useful when you are the only user because
0:02:03.318,0:02:07.198 it's impossible to share access without sharing your private key
0:02:07.198,0:02:09.530 to other users.
0:02:09.530,0:02:14.306 Next, mesh VPNs like ZeroTier or Tailscale.
0:02:14.306,0:02:18.984 This is similar to normal VPNs except it connects devices between each other
0:02:18.984,0:02:21.702 instead of connecting them to a central server.
0:02:21.702,0:02:25.476 It has more control over normal VPNs in the way that you can choose which
0:02:25.476,0:02:29.067 devices to share but you must manually join the network
0:02:29.067,0:02:31.606 each time for each device you want to give access to.
0:02:31.606,0:02:36.176 Finally NAT this is a classic way of opening specific ports on your router
0:02:36.176,0:02:37.667 to expose your homelab.
0:02:37.667,0:02:42.200 It's simple but it also carries high security risk if you rely on it alone.
0:02:42.200,0:02:46.623 Keep in mind NAT often gets used with other methods like previously showed,
0:02:46.750,0:02:50.843 but going purely [on its own] port forwarding is a no-go for secure setups.
0:02:51.402,0:02:52.773 Now, you may be wondering,
0:02:53.137,0:02:56.117 what's the most secure setup to expose your home lab?
0:02:56.236,0:02:59.759 Actually, [it] depends on your apps and what you want to do?
0:02:59.759,0:03:02.555 In my opinion, it's not about which method you use
0:03:02.555,0:03:05.529 but more about how you combine between them.
0:03:05.529,0:03:09.779 The best setup is to mix them and make them work all together
0:03:09.779,0:03:11.731 to have the perfect setup.
0:03:13.593,0:03:16.780 Okay so first let's go to cloudflare.com
0:03:16.780,0:03:18.320 Go to "Sign Up"
0:03:18.767,0:03:21.625 and free at the website.
0:03:23.020,0:03:25.981 And let's create a new account now.
0:03:29.304,0:03:32.378 After that if you already have [a] domain [previously purchased]
0:03:32.379,0:03:36.447 enter it here or for me I'm just going to create a new domain.
0:03:39.574,0:03:42.307 For some reason I got an error when trying to pay
0:03:42.506,0:03:47.308 So I'm just going to import an existing domain. Just going to type it here.
0:03:51.347,0:03:53.683 Okay, so then go down
0:03:54.517,0:03:56.227 and choose the free package.
0:03:59.963,0:04:02.678 Next click on continue to activation.
0:04:03.224,0:04:07.187 Confirm. Next we need to do some modifications
0:04:07.467,0:04:10.949 We need to modify the current name servers
0:04:11.124,0:04:12.859 with Cloudflare nameservers
0:04:13.243,0:04:16.360 to allow Cloudflare to control the domain.
0:04:16.750,0:04:17.631 To do that,
0:04:17.957,0:04:22.157 we go to the domain provider in my case it's Namecheap.
0:04:25.978,0:04:30.843 So in my case I'm gonna do custom DNS and then I copy....
0:04:35.710,0:04:37.504 the nameservers
0:04:38.754,0:04:39.796 and then I save.
0:04:42.779,0:04:46.192 It tells you that it can take up to 48 hours
0:04:46.192,0:04:49.761 But it's not true it [can take] just a few seconds or a few minutes max
0:04:50.361,0:04:52.118 But, just in case
0:04:53.139,0:04:55.176 If it takes a long time to update
0:04:55.426,0:04:58.024 Uh, this is normal so just wait
0:04:58.254,0:05:00.183 There is no other choice
0:05:00.725,0:05:02.085 Okay, so after a while,
0:05:02.085,0:05:04.453 We get this page this means everything is good
0:05:04.603,0:05:07.324 Now we go to access page
0:05:07.524,0:05:09.709 and then Launch Zero Trust.
0:05:10.446,0:05:11.865 We choose our account
0:05:12.218,0:05:14.409 Next you go to access
0:05:15.202,0:05:17.558 Next we choose team name
0:05:17.599,0:05:18.783 Just anything
0:05:23.051,0:05:26.135 Then we choose the free package of course
0:05:27.473,0:05:29.562 There is zero payment
0:05:33.126,0:05:34.940 Next we go to Networks
0:05:35.299,0:05:36.254 Tunnels
0:05:37.337,0:05:39.403 And we add a tunnel
0:05:39.595,0:05:41.237 We choose this one Cloudflared
0:05:41.581,0:05:45.112 We name our Tunnel Homelab uh test
0:05:47.279,0:05:50.189 Next it will ask you to choose your environment
0:05:50.339,0:05:53.319 In this case you just uh You just choose Docker
0:05:53.404,0:05:55.267 and then we just copy the command
0:05:55.267,0:06:00.015 because we just need the token. We don't need to run anything Docker
0:06:00.104,0:06:01.747 Then we go back to TrueNAS
0:06:02.278,0:06:03.742 and we install
0:06:03.942,0:06:05.846 the Cloudflared app.
0:06:07.320,0:06:08.621 This one
0:06:10.581,0:06:13.442 And here we['ve] got [to just] paste what we had
0:06:13.442,0:06:14.577 and we just keep.
0:06:15.957,0:06:19.195 Remove everything, we just keep the token.
0:06:24.636,0:06:27.117 So anything before this goes.
0:06:29.145,0:06:30.366 That's it.
0:06:31.599,0:06:34.373 We don't need to set up anything else.
0:06:35.159,0:06:37.754 Even storage, it's not necessary.
0:06:39.630,0:06:40.859 And we install.
0:06:43.528,0:06:45.364 Okay now it's up and running.
0:06:45.791,0:06:47.918 Let's go back to Cloudflared profile.
0:06:48.858,0:06:52.825 Now we need to wait until we get uh something here in connectors.
0:06:53.067,0:06:54.585 It will automatically search.
0:06:54.585,0:06:56.029 Alright here we go
0:06:56.029,0:06:58.749 It's connected. So now we can continue.
0:06:58.922,0:07:00.107 Next
0:07:01.852,0:07:05.704 Now we're ready to add our first service.
0:07:06.627,0:07:09.269 Let's start by adding TrueNAS itself.
0:07:09.529,0:07:11.873 So let's just copy the IP
0:07:15.334,0:07:17.046 Then we choose the subdomain
0:07:17.280,0:07:18.047 TrueNAS
0:07:18.485,0:07:19.548 and choose the domain
0:07:20.894,0:07:22.920 then we choose HTTP
0:07:24.338,0:07:25.860 and then the IP
0:07:26.715,0:07:30.052 There is nothing specific to add there.
0:07:30.228,0:07:31.116 That's save.
0:07:33.201,0:07:35.850 To test this I'm going to disconnect from the VPN
0:07:36.267,0:07:40.501 Because I'm not at home I'm connected to my home VPN.
0:07:40.811,0:07:43.639 So I'm just going to deactivate it and try this.
0:07:44.952,0:07:50.706 To show that likely if I try to go to the same IP
0:07:52.710,0:07:56.366 It's not going to work, because I disconnected from the VPN.
0:07:56.870,0:07:58.017 And if I try
0:07:58.642,0:07:59.685 a domain,
0:08:00.206,0:08:01.164 new domain.
0:08:04.502,0:08:05.315 It works.
0:08:05.608,0:08:06.356 So now
0:08:09.027,0:08:10.915 TrueNAS is accessible
0:08:11.201,0:08:12.140 from the outside.
0:08:12.518,0:08:15.155 But this is not recommended of course.
0:08:15.155,0:08:18.913 If you want to expose something just expose the apps individually
0:08:19.238,0:08:21.253 don't expose the whole thing.
0:08:21.709,0:08:22.773 so
0:08:23.500,0:08:25.358 So now I'm just going to delete it
0:08:25.714,0:08:28.507 and then I'm gonna add something else.
0:08:33.865,0:08:36.145 Okay now I want to add another service.
0:08:36.285,0:08:37.975 Maybe, Proxmox
0:08:40.194,0:08:42.314 Let's go to add the public hostname
0:08:42.945,0:08:43.866 Proxmox
0:08:44.482,0:08:45.442 same thing
0:08:47.818,0:08:50.174 here we're going to choose HTTPS instead of HTTP
0:08:50.821,0:08:52.843 and then the IP
0:08:54.429,0:08:58.099 as well as the port which is 8...
0:08:58.515,0:09:00.068 8006
0:09:03.950,0:09:07.454 and then we go to Additional Settings > TLS
0:09:08.017,0:09:10.750 and we enable No TLS verify.
0:09:10.873,0:09:12.354 It will not check certificates.
0:09:12.823,0:09:13.899 Okay, now let's save.
0:09:15.920,0:09:18.130 Let's try again now.
0:09:25.117,0:09:26.389 Nice! Now it works.
0:09:32.916,0:09:34.980 And we'll disconnect the VPN
0:09:35.607,0:09:36.399 and refresh
0:09:36.921,0:09:38.129 and it still works.
0:09:39.255,0:09:41.490 Okay now before we're finishing the video
0:09:41.816,0:09:45.990 let's do one last service which is Paperless.
0:09:46.365,0:09:49.885 Since we already covered this in a previous video,
0:09:50.260,0:09:52.158 we're going to see how to expose this
0:09:52.469,0:09:56.158 Why did I choose Paperless because it's a bit tricky to set up
0:09:56.620,0:09:58.458 it's not as simple as
0:09:58.785,0:10:00.415 adding the hostname.
0:10:01.103,0:10:04.293 So, let's see first we just add the hostname of course
0:10:06.756,0:10:08.402 same thing as always,
0:10:09.528,0:10:13.338 HTTPS, and then we take the URL
0:10:16.860,0:10:19.056 which is IP and Port
0:10:24.856,0:10:27.568 It chooses HTTP not HTTPS
0:10:29.048,0:10:30.175 Service name
0:10:31.196,0:10:34.324 So first it's gonna work normally
0:10:34.930,0:10:36.578 If I try to access.
0:10:39.852,0:10:40.893 Alright
0:10:41.580,0:10:45.423 Uh, but the problem is when you try to log in
0:10:49.212,0:10:52.591 You get this error. CSRF verification failed.
0:10:52.949,0:10:53.775 Why?
0:10:54.058,0:10:57.801 We need to change some settings to make it accessible.
0:10:58.332,0:11:01.545 According to the documentation,
0:11:02.192,0:11:05.923 we need to set this environment variable (PAPERLESS_URL)
0:11:06.488,0:11:10.574 uh and uh, set it to the domain name
0:11:10.907,0:11:12.410 we used in Cloudflare.
0:11:12.680,0:11:14.308 So let's do that
0:11:15.322,0:11:18.329 go to Paperless > Edit
0:11:20.053,0:11:24.999 and let's just add it as an environment variable here
0:11:25.912,0:11:28.350 PAPERLESS_URL
0:11:28.682,0:11:32.021 set it to paperless.yourdomain
0:11:36.024,0:11:40.028 make sure to add HTTPS to the beginning
0:11:42.450,0:11:44.294 and that's it. Update.
0:11:48.088,0:11:51.235 In case you got stuck in deploying
0:11:51.485,0:11:53.301 which was the case for me
0:11:53.717,0:11:56.262 I'm not sure why but the container Paperless
0:11:56.824,0:11:59.640 just stuck like this for a long time
0:12:00.035,0:12:03.664 So what I did is stop this instance
0:12:04.103,0:12:05.936 and create another instance
0:12:06.480,0:12:10.631 using the already created datasets.
0:12:11.171,0:12:14.329 So you're not going to lose anything of your files.
0:12:16.831,0:12:18.917 So let's start another instance
0:12:20.502,0:12:23.046 Let's call it paperless-cloudflare.
0:12:26.132,0:12:29.177 We can change password if you want.
0:12:32.283,0:12:36.075 By the way you can choose any secret key you want. Just want some random stuff
0:12:36.245,0:12:38.172 You don't need to remember it.
0:12:42.545,0:12:44.903 Okay, add an email
0:12:45.422,0:12:47.278 just a fake email.
0:12:50.804,0:12:51.806 Password.
0:13:02.233,0:13:05.715 Now we add again environment variable
0:13:06.340,0:13:08.196 PAPERLESS_URL
0:13:09.049,0:13:10.343 HTTPS
0:13:10.844,0:13:11.637 paperless…
0:13:12.410,0:13:13.355 dot
0:13:14.681,0:13:16.079 your domain
0:13:20.937,0:13:24.024 and then we add the other host path
0:13:27.737,0:13:30.052 Paperless this is the data.
0:13:30.740,0:13:31.678 let's copy this
0:13:33.452,0:13:35.307 And now Media
0:13:39.687,0:13:41.584 and then Consume
0:13:50.411,0:13:51.516 and Trash
0:13:57.752,0:13:59.400 this is PostScript
0:14:06.113,0:14:09.076 Make sure to check "Automatic Permissions".
0:14:12.954,0:14:14.309 Then we hit install.
0:14:18.405,0:14:22.606 Let's wait [a] little bit. It works but it takes some time.
0:14:24.816,0:14:26.359 Okay now it's running.
0:14:27.339,0:14:28.362 Let's start it.
0:14:31.179,0:14:32.970 First let's get the IP
0:14:33.409,0:14:36.037 I mean let's get the port-- IP is the same.
0:14:36.952,0:14:38.204 Go back to Cloudflare
0:14:38.977,0:14:39.810 Hit it
0:14:41.499,0:14:44.189 Going to put the new port
0:14:45.338,0:14:46.317 Save
0:14:49.821,0:14:51.177 Let's try now
0:14:55.431,0:14:57.703 Okay, now new password
0:15:03.418,0:15:06.757 And now it works. We don't got the error, the previous error.
0:15:07.837,0:15:11.706 And as you can see we still have the [same] documents as
0:15:11.706,0:15:14.435 before we didn't lose anything.
0:15:15.291,0:15:17.458 We still got all our documents.
0:15:22.402,0:15:23.645 Open them
0:15:26.510,0:15:28.448 And uh, everything works fine
0:15:32.620,0:15:33.411 That's it
0:15:33.580,0:15:35.331 Basically this is how to
0:15:35.600,0:15:39.064 expose your services on the cloud
0:15:42.796,0:15:43.570 To recap:
0:15:43.825,0:15:47.446 When you want to expose your app, this is how it works.
0:15:47.446,0:15:53.217 We don't access the app directly but rather you access the cloud server
0:15:53.564,0:15:56.666 Cloudflare server. Cloudflare will make exchanges
0:15:56.862,0:16:00.140 with your LAN network through Cloudflare
0:16:00.424,0:16:01.231 and then
0:16:01.541,0:16:04.168 It will give access to your app.
0:16:04.529,0:16:08.764 This way you don't access your app directly which means you don't expose your
0:16:08.851,0:16:11.230 IP and you don't go through the NAT
0:16:11.391,0:16:12.875 you don't need to open a port
0:16:13.225,0:16:16.787 but be careful if your app is insecure and you get hacked.
0:16:16.927,0:16:19.752 You directly expose all of your homelab
0:16:19.752,0:16:22.692 It doesn't matter if you use Cloudflare or not
0:16:22.854,0:16:26.393 Like and Share if you made it this far. See you in the next video