1 00:00:00,521 --> 00:00:02,082 Hi everyone, welcome back 2 00:00:02,162 --> 00:00:05,092 So today we're going to try something a little bit different. 3 00:00:05,142 --> 00:00:08,126 We're gonna start a new video series 4 00:00:09,247 --> 00:00:12,621 about all the different ways to expose or access our homelab 5 00:00:12,621 --> 00:00:14,059 from the internet. 6 00:00:14,779 --> 00:00:18,289 The reason is mainly because there's tons of options out there, 7 00:00:18,411 --> 00:00:21,131 and I feel like it's not talked enough about on YouTube. 8 00:00:21,393 --> 00:00:24,735 Especially the security part which is most important. 9 00:00:24,799 --> 00:00:28,675 Almost everyone just assumes it's secure, which isn't always the case, 10 00:00:28,885 --> 00:00:31,748 so make sure to hit the Like button, Subscribe and Share 11 00:00:31,929 --> 00:00:33,450 and let's get started. 12 00:00:33,738 --> 00:00:35,256 Okay so how to do it, 13 00:00:35,527 --> 00:00:38,719 to expose our homelab there are five main ways 14 00:00:39,126 --> 00:00:41,689 1. Secure Tunnels like Cloudflare 15 00:00:42,058 --> 00:00:44,000 2. Reverse proxies like Nginx 16 00:00:44,289 --> 00:00:48,129 3. Traditional VPNs like WireGuard or OpenVPN protocols 17 00:00:48,493 --> 00:00:51,204 4. Mesh VPNs like ZeroTier and Tailscale 18 00:00:51,531 --> 00:00:55,349 and lastly 5. the old classic port forwarding or NAT 19 00:00:55,349 --> 00:00:59,146 So let's break down each one of them quickly to understand the differences. 20 00:00:59,441 --> 00:01:02,330 First secure tunnels like Cloudflare. 21 00:01:02,330 --> 00:01:06,722 This is often defined as secure tunnels to access your app without exposing your IP 22 00:01:06,722 --> 00:01:08,856 making remote access easy. 
23 00:01:08,856 --> 00:01:10,949 It's also fairly easy to set up, 24 00:01:11,129 --> 00:01:14,169 however, by default it's not secured enough 25 00:01:14,240 --> 00:01:16,916 and solely [relies] on your app security 26 00:01:16,916 --> 00:01:18,520 but this can be improved. 27 00:01:18,520 --> 00:01:21,599 We'll cover this later in another video. 28 00:01:21,599 --> 00:01:24,154 Next, reverse proxies like nginx. 29 00:01:24,226 --> 00:01:28,198 It's a server that sits in the middle and forwards requests to your homelab 30 00:01:28,416 --> 00:01:31,520 helping you manage multiple services under one domain. 31 00:01:31,662 --> 00:01:33,758 While adding another layer of protection, 32 00:01:33,758 --> 00:01:38,660 you will have more control over your services and how to 33 00:01:38,983 --> 00:01:40,668 contr- manage them. 34 00:01:41,032 --> 00:01:46,288 However, it exposes your IP and you must open a port on your router to access it. 35 00:01:47,000 --> 00:01:51,006 Next, traditional VPNs like WireGuard or OpenVPN. 36 00:01:51,006 --> 00:01:54,938 It creates an encrypted tunnel between your device and your homelab 37 00:01:55,076 --> 00:01:57,854 making it feel like you are on the same local network. 38 00:01:57,854 --> 00:02:00,634 It's good for privacy and security 39 00:02:00,634 --> 00:02:03,318 but only useful when you are the only user because 40 00:02:03,318 --> 00:02:07,198 it's impossible to share access without sharing your private key 41 00:02:07,198 --> 00:02:09,530 to other users. 42 00:02:09,530 --> 00:02:14,306 Next, mesh VPNs like ZeroTier or Tailscale. 43 00:02:14,306 --> 00:02:18,984 This is similar to normal VPNs except it connects devices between each other 44 00:02:18,984 --> 00:02:21,702 instead of connecting them to a central server. 
45 00:02:21,702 --> 00:02:25,476 It has more control over normal VPNs in the way that you can choose which 46 00:02:25,476 --> 00:02:29,067 devices to share but you must manually join the network 47 00:02:29,067 --> 00:02:31,606 each time for each device you want to give access to. 48 00:02:31,606 --> 00:02:36,176 Finally NAT this is a classic way of opening specific ports on your router 49 00:02:36,176 --> 00:02:37,667 to expose your homelab. 50 00:02:37,667 --> 00:02:42,200 It's simple but it also carries high security risk if you rely on it alone. 51 00:02:42,200 --> 00:02:46,623 Keep in mind NAT often gets used with other methods like previously shown, 52 00:02:46,750 --> 00:02:50,843 but going purely [on its own] port forwarding is a no-go for secure setups. 53 00:02:51,402 --> 00:02:52,773 Now, you may be wondering, 54 00:02:53,137 --> 00:02:56,117 what's the most secure setup to expose your home lab? 55 00:02:56,236 --> 00:02:59,759 Actually, [it] depends on your apps and what you want to do. 56 00:02:59,759 --> 00:03:02,555 In my opinion, it's not about which method you use 57 00:03:02,555 --> 00:03:05,529 but more about how you combine between them. 58 00:03:05,529 --> 00:03:09,779 The best setup is to mix them and make them work all together 59 00:03:09,779 --> 00:03:11,731 to have the perfect setup. 60 00:03:13,593 --> 00:03:16,780 Okay so first let's go to cloudflare.com 61 00:03:16,780 --> 00:03:18,320 Go to "Sign Up" 62 00:03:18,767 --> 00:03:21,625 and free at the website. 63 00:03:23,020 --> 00:03:25,981 And let's create a new account now. 64 00:03:29,304 --> 00:03:32,378 After that if you already have [a] domain [previously purchased] 65 00:03:32,379 --> 00:03:36,447 enter it here or for me I'm just going to create a new domain. 66 00:03:39,574 --> 00:03:42,307 For some reason I got an error when trying to pay 67 00:03:42,506 --> 00:03:47,308 So I'm just going to import an existing domain. Just going to type it here. 
68 00:03:51,347 --> 00:03:53,683 Okay, so then go down 69 00:03:54,517 --> 00:03:56,227 and choose the free package. 70 00:03:59,963 --> 00:04:02,678 Next click on continue to activation. 71 00:04:03,224 --> 00:04:07,187 Confirm. Next we need to do some modifications 72 00:04:07,467 --> 00:04:10,949 We need to modify the current name servers 73 00:04:11,124 --> 00:04:12,859 with Cloudflare nameservers 74 00:04:13,243 --> 00:04:16,360 to allow Cloudflare to control the domain. 75 00:04:16,750 --> 00:04:17,631 To do that, 76 00:04:17,957 --> 00:04:22,157 we go to the domain provider in my case it's Namecheap. 77 00:04:25,978 --> 00:04:30,843 So in my case I'm gonna do custom DNS and then I copy.... 78 00:04:35,710 --> 00:04:37,504 the nameservers 79 00:04:38,754 --> 00:04:39,796 and then I save. 80 00:04:42,779 --> 00:04:46,192 It tells you that it can take up to 48 hours 81 00:04:46,192 --> 00:04:49,761 But it's not true it [can take] just a few seconds or a few minutes max 82 00:04:50,361 --> 00:04:52,118 But, just in case 83 00:04:53,139 --> 00:04:55,176 If it takes a long time to update 84 00:04:55,426 --> 00:04:58,024 Uh, this is normal so just wait 85 00:04:58,254 --> 00:05:00,183 There is no other choice 86 00:05:00,725 --> 00:05:02,085 Okay, so after a while, 87 00:05:02,085 --> 00:05:04,453 We get this page this means everything is good 88 00:05:04,603 --> 00:05:07,324 Now we go to access page 89 00:05:07,524 --> 00:05:09,709 and then Launch Zero Trust. 
90 00:05:10,446 --> 00:05:11,865 We choose our account 91 00:05:12,218 --> 00:05:14,409 Next you go to access 92 00:05:15,202 --> 00:05:17,558 Next we choose teamname 93 00:05:17,599 --> 00:05:18,783 Just anything 94 00:05:23,051 --> 00:05:26,135 Then we choose the free package of course 95 00:05:27,473 --> 00:05:29,562 There is zero payment 96 00:05:33,126 --> 00:05:34,940 Next we go to Networks 97 00:05:35,299 --> 00:05:36,254 Tunnels 98 00:05:37,337 --> 00:05:39,403 And we add a tunnel 99 00:05:39,595 --> 00:05:41,237 We choose this one Cloudflared 100 00:05:41,581 --> 00:05:45,112 We name our Tunnel Homelab uh test 101 00:05:47,279 --> 00:05:50,189 Next it will ask you to choose your environment 102 00:05:50,339 --> 00:05:53,319 In this case you just uh You just choose docker 103 00:05:53,404 --> 00:05:55,267 and then we just copy the command 104 00:05:55,267 --> 00:06:00,015 because we just need the token. We don't need to run anything docker 105 00:06:00,104 --> 00:06:01,747 Then we go back to TrueNAS 106 00:06:02,278 --> 00:06:03,742 and we install 107 00:06:03,942 --> 00:06:05,846 the Cloudflared app. 108 00:06:07,320 --> 00:06:08,621 This one 109 00:06:10,581 --> 00:06:13,442 And here we['ve] got [to just] paste what we had 110 00:06:13,442 --> 00:06:14,577 and we just keep. 111 00:06:15,957 --> 00:06:19,195 Remove everything, we just keep the token. 112 00:06:24,636 --> 00:06:27,117 So anything before this goes. 113 00:06:29,145 --> 00:06:30,366 That's it. 114 00:06:31,599 --> 00:06:34,373 We don't need to set up anything else. 115 00:06:35,159 --> 00:06:37,754 Even storage, it's not necessary. 116 00:06:39,630 --> 00:06:40,859 And we install. 117 00:06:43,528 --> 00:06:45,364 Okay now it's up and running. 118 00:06:45,791 --> 00:06:47,918 Let's go back to Cloudflared profile. 119 00:06:48,858 --> 00:06:52,825 Now we need to wait until we get uh something here in connectors. 120 00:06:53,067 --> 00:06:54,585 It will automatically search. 
121 00:06:54,585 --> 00:06:56,029 Alright here we go 122 00:06:56,029 --> 00:06:58,749 It's connected. So now we can continue. 123 00:06:58,922 --> 00:07:00,107 Next 124 00:07:01,852 --> 00:07:05,704 Now we're ready to add our first service. 125 00:07:06,627 --> 00:07:09,269 Let's start by adding TrueNAS itself. 126 00:07:09,529 --> 00:07:11,873 So let's just copy the IP 127 00:07:15,334 --> 00:07:17,046 Then we choose the subdomain 128 00:07:17,280 --> 00:07:18,047 TrueNAS 129 00:07:18,485 --> 00:07:19,548 and choose the domain 130 00:07:20,894 --> 00:07:22,920 then we choose HTTP 131 00:07:24,338 --> 00:07:25,860 and then the IP 132 00:07:26,715 --> 00:07:30,052 There is nothing specific to add there. 133 00:07:30,228 --> 00:07:31,116 That's save. 134 00:07:33,201 --> 00:07:35,850 To test this I'm going to disconnect from the VPN 135 00:07:36,267 --> 00:07:40,501 Because I'm not at home I'm connected to my home VPN. 136 00:07:40,811 --> 00:07:43,639 So I'm just going to deactivate it and try this. 137 00:07:44,952 --> 00:07:50,706 To show that likely if I try to go to the same IP 138 00:07:52,710 --> 00:07:56,366 It's not going to work, because I disconnected from the VPN. 139 00:07:56,870 --> 00:07:58,017 And if I try 140 00:07:58,642 --> 00:07:59,685 a domain, 141 00:08:00,206 --> 00:08:01,164 new domain. 142 00:08:04,502 --> 00:08:05,315 It works. 143 00:08:05,608 --> 00:08:06,356 So now 144 00:08:09,027 --> 00:08:10,915 TrueNAS is accessible 145 00:08:11,201 --> 00:08:12,140 from the outside. 146 00:08:12,518 --> 00:08:15,155 But this is not recommended of course. 147 00:08:15,155 --> 00:08:18,913 If you want to expose something just expose the apps individually 148 00:08:19,238 --> 00:08:21,253 don't expose the whole thing. 149 00:08:21,709 --> 00:08:22,773 so 150 00:08:23,500 --> 00:08:25,358 So now I'm just going to delete it 151 00:08:25,714 --> 00:08:28,507 and then I'm gonna add something else. 
152 00:08:33,865 --> 00:08:36,145 Okay now I want to add another service. 153 00:08:36,285 --> 00:08:37,975 Maybe, Proxmox 154 00:08:40,194 --> 00:08:42,314 Let's go to add the public hostname 155 00:08:42,945 --> 00:08:43,866 Proxmox 156 00:08:44,482 --> 00:08:45,442 same thing 157 00:08:47,818 --> 00:08:50,174 here we're going to choose HTTPS instead of HTTP 158 00:08:50,821 --> 00:08:52,843 and then the IP 159 00:08:54,429 --> 00:08:58,099 as well as the port which is 8... 160 00:08:58,515 --> 00:09:00,068 8006 161 00:09:03,950 --> 00:09:07,454 and then we go to Additional Settings > TLS 162 00:09:08,017 --> 00:09:10,750 and we enable No TLS verify. 163 00:09:10,873 --> 00:09:12,354 It will not check certificates. 164 00:09:12,823 --> 00:09:13,899 Okay, now let's save. 165 00:09:15,920 --> 00:09:18,130 Let's try again now. 166 00:09:25,117 --> 00:09:26,389 Nice! Now it works. 167 00:09:32,916 --> 00:09:34,980 And we'll disconnect the VPN 168 00:09:35,607 --> 00:09:36,399 and refresh 169 00:09:36,921 --> 00:09:38,129 and it still works. 170 00:09:39,255 --> 00:09:41,490 Okay now before we're finishing the video 171 00:09:41,816 --> 00:09:45,990 let's do one last service which is Paperless. 172 00:09:46,365 --> 00:09:49,885 Since we already covered this in a previous video, 173 00:09:50,260 --> 00:09:52,158 we're going to see how to expose this 174 00:09:52,469 --> 00:09:56,158 Why did I choose Paperless because it's a bit tricky to set up 175 00:09:56,620 --> 00:09:58,458 it's not as simple as 176 00:09:58,785 --> 00:10:00,415 adding the hostname. 
177 00:10:01,103 --> 00:10:04,293 So, let's see first we just add the hostname of course 178 00:10:06,756 --> 00:10:08,402 same thing as always, 179 00:10:09,528 --> 00:10:13,338 HTTPS, and then we take the URL 180 00:10:16,860 --> 00:10:19,056 which is IP and Port 181 00:10:24,856 --> 00:10:27,568 It chooses HTTP not HTTPS 182 00:10:29,048 --> 00:10:30,175 Service name 183 00:10:31,196 --> 00:10:34,324 So first it's gonna work normally 184 00:10:34,930 --> 00:10:36,578 If I try to access. 185 00:10:39,852 --> 00:10:40,893 Alright 186 00:10:41,580 --> 00:10:45,423 Uh, but the problem is when you try to login 187 00:10:49,212 --> 00:10:52,591 You get this error. CSRF verification failed. 188 00:10:52,949 --> 00:10:53,775 Why? 189 00:10:54,058 --> 00:10:57,801 We need to change some settings to make it accessible. 190 00:10:58,332 --> 00:11:01,545 According to the documentation, 191 00:11:02,192 --> 00:11:05,923 we need to set this environment variable (PAPERLESS_URL) 192 00:11:06,488 --> 00:11:10,574 uh and uh, set it to the domain name 193 00:11:10,907 --> 00:11:12,410 we used in Cloudflare. 194 00:11:12,680 --> 00:11:14,308 So let's do that 195 00:11:15,322 --> 00:11:18,329 go to Paperless > Edit 196 00:11:20,053 --> 00:11:24,999 and let's just add it as an environment variable here 197 00:11:25,912 --> 00:11:28,350 PAPERLESS_URL 198 00:11:28,682 --> 00:11:32,021 set it to paperless.yourdomain 199 00:11:36,024 --> 00:11:40,028 make sure to add HTTPS to the beginning 200 00:11:42,450 --> 00:11:44,294 and that's it. Update. 
201 00:11:48,088 --> 00:11:51,235 In case you got stuck in deploying 202 00:11:51,485 --> 00:11:53,301 which was the case for me 203 00:11:53,717 --> 00:11:56,262 I'm not sure why but the container Paperless 204 00:11:56,824 --> 00:11:59,640 just stuck like this for a long time 205 00:12:00,035 --> 00:12:03,664 So what I did is stop this instance 206 00:12:04,103 --> 00:12:05,936 and create another instance 207 00:12:06,480 --> 00:12:10,631 using the already created datasets. 208 00:12:11,171 --> 00:12:14,329 So you're not going to lose anything of your files. 209 00:12:16,831 --> 00:12:18,917 So let's start another instance 210 00:12:20,502 --> 00:12:23,046 Let's call it paperless-cloudflare. 211 00:12:26,132 --> 00:12:29,177 We can change password if you want. 212 00:12:32,283 --> 00:12:36,075 By the way you can choose any secret key you want. Just want some random stuff 213 00:12:36,245 --> 00:12:38,172 You don't need to remember it. 214 00:12:42,545 --> 00:12:44,903 Okay, add an email 215 00:12:45,422 --> 00:12:47,278 just a fake email. 216 00:12:50,804 --> 00:12:51,806 Password. 217 00:13:02,233 --> 00:13:05,715 Now we add again environment variable 218 00:13:06,340 --> 00:13:08,196 PAPERLESS_URL 219 00:13:09,049 --> 00:13:10,343 HTTPS 220 00:13:10,844 --> 00:13:11,637 paperless… 221 00:13:12,410 --> 00:13:13,355 dot 222 00:13:14,681 --> 00:13:16,079 your domain 223 00:13:20,937 --> 00:13:24,024 and then we add the other host path 224 00:13:27,737 --> 00:13:30,052 Paperless this is the data. 225 00:13:30,740 --> 00:13:31,678 let's copy this 226 00:13:33,452 --> 00:13:35,307 And now Media 227 00:13:39,687 --> 00:13:41,584 and then Consume 228 00:13:50,411 --> 00:13:51,516 and Trash 229 00:13:57,752 --> 00:13:59,400 this is PostScript 230 00:14:06,113 --> 00:14:09,076 Make sure to check "Automatic Permissions". 231 00:14:12,954 --> 00:14:14,309 Then we hit install. 232 00:14:18,405 --> 00:14:22,606 Let's wait [a] little bit. It works but it takes some time. 
233 00:14:24,816 --> 00:14:26,359 Okay now it's running. 234 00:14:27,339 --> 00:14:28,362 Let's start it. 235 00:14:31,179 --> 00:14:32,970 First let's get the IP 236 00:14:33,409 --> 00:14:36,037 I mean let's get the port-- IP is the same. 237 00:14:36,952 --> 00:14:38,204 Go back to cloudflare 238 00:14:38,977 --> 00:14:39,810 Hit it 239 00:14:41,499 --> 00:14:44,189 Going to put the new port 240 00:14:45,338 --> 00:14:46,317 Save 241 00:14:49,821 --> 00:14:51,177 Let's try now 242 00:14:55,431 --> 00:14:57,703 Okay, now new password 243 00:15:03,418 --> 00:15:06,757 And now it works. We don't got the error, the previous error. 244 00:15:07,837 --> 00:15:11,706 And as you can see we still have the [same] documents as 245 00:15:11,706 --> 00:15:14,435 before we didn't lose anything. 246 00:15:15,291 --> 00:15:17,458 We still got all our documents. 247 00:15:22,402 --> 00:15:23,645 Open them 248 00:15:26,510 --> 00:15:28,448 And uh, everything works fine 249 00:15:32,620 --> 00:15:33,411 That's it 250 00:15:33,580 --> 00:15:35,331 Basically this is how to 251 00:15:35,600 --> 00:15:39,064 expose your services on the cloud 252 00:15:42,796 --> 00:15:43,570 To recap: 253 00:15:43,825 --> 00:15:47,446 When you want to expose your app, this is how it works. 254 00:15:47,446 --> 00:15:53,217 We don't access the app directly but rather you access the cloud server 255 00:15:53,564 --> 00:15:56,666 cloudflare server. Cloudflare will make exchanges 256 00:15:56,862 --> 00:16:00,140 with your LAN network through Cloudflare 257 00:16:00,424 --> 00:16:01,231 and then 258 00:16:01,541 --> 00:16:04,168 It will give access to your app. 259 00:16:04,529 --> 00:16:08,764 This way you don't access your app directly which means you don't expose your 260 00:16:08,851 --> 00:16:11,230 IP and you don't go through the NAT 261 00:16:11,391 --> 00:16:12,875 you don't need to open a port 262 00:16:13,225 --> 00:16:16,787 but be careful if your app is insecure and you get hacked. 
263 00:16:16,927 --> 00:16:19,752 You directly expose all of your homelab 264 00:16:19,752 --> 00:16:22,692 It doesn't matter if you use Cloudflare or not 265 00:16:22,854 --> 00:16:26,393 Like and Share if you made it this far. See you in the next video