Hi everyone, welcome back. So today we're going to try something a little bit different. We're gonna start a new video series about all the different ways to expose or access our homelab from the internet. The reason is mainly because there's tons of options out there, and I feel like it's not talked enough about on YouTube, especially the security part, which is most important. Almost everyone just assumes it's secure, which isn't always the case. So make sure to hit the Like button, Subscribe and Share, and let's get started.

Okay, so how to do it. To expose our homelab there are five main ways:

1. Secure tunnels like Cloudflare
2. Reverse proxies like Nginx
3. Traditional VPNs like Wireguard or OpenVPN protocols
4. Mesh VPNs like ZeroTier and Tailscale
5. And lastly, the old classic port forwarding or NAT

So let's break down each one of them quickly to understand the differences.

First, secure tunnels like Cloudflare. This is often defined as secure tunnels to access your app without exposing your IP, making remote access easy. It's also fairly easy to set up. However, by default it's not secured enough and solely [relies] on your app security, but this can be improved. We'll cover this later in another video.

Next, reverse proxies like nginx. It's a server that sits in the middle and forwards requests to your homelab, helping you manage multiple services under one domain. While adding another layer of protection, you will have more control over your services and how to contr- manage them. However, it exposes your IP and you must open a port on your router to access it.

Next, traditional VPNs like Wireguard or OpenVPN. It creates an encrypted tunnel between your device and your homelab, making it feel like you are on the same local network. It's good for privacy and security but only useful when you are the only user, because it's impossible to share access without sharing your private key to other users.

Next, mesh VPNs like ZeroTier or Tailscale.
This is similar to normal VPNs except it connects devices between each other instead of connecting them to a central server. It has more control over normal VPNs in the way that you can choose which devices to share, but you must manually join the network each time for each device you want to give access to.

Finally, NAT. This is a classic way of opening specific ports on your router to expose your homelab. It's simple but it also carries high security risk if you rely on it alone. Keep in mind NAT often gets used with other methods like previously shown, but going purely [on its own], port forwarding is a no-go for secure setups.

Now, you may be wondering, what's the most secure setup to expose your home lab? Actually, [it] depends on your apps and what you want to do. In my opinion, it's not about which method you use but more about how you combine between them. The best setup is to mix them and make them work all together to have the perfect setup.

Okay, so first let's go to cloudflare.com. Go to "Sign Up" and free at the website. And let's create a new account now. After that, if you already have [a] domain [previously purchased], enter it here, or for me, I'm just going to create a new domain. For some reason I got an error when trying to pay, so I'm just going to import an existing domain. Just going to type it here. Okay, so then go down and choose the free package. Next, click on continue to activation. Confirm.

Next we need to do some modifications. We need to modify the current name servers with Cloudflare nameservers to allow Cloudflare to control the domain. To do that, we go to the domain provider, in my case it's NameCheap. So in my case I'm gonna do custom DNS and then I copy... the nameservers and then I save.
It tells you that it can take up to 48 hours. But it's not true, it [can take] just a few seconds or a few minutes max. But, just in case, if it takes a long time to update, uh, this is normal, so just wait. There is no other choice.

Okay, so after a while, we get this page. This means everything is good. Now we go to access page and then Launch Zero Trust. We choose our account. Next you go to access. Next we choose teamname. Just anything. Then we choose the free package of course. There is zero payment.

Next we go to Networks, Tunnels, and we add a tunnel. We choose this one, Cloudflared. We name our Tunnel Homelab uh test. Next it will ask you to choose your environment. In this case you just uh, you just choose docker and then we just copy the command because we just need the token. We don't need to run anything docker.

Then we go back to TrueNAS and we install the Cloudflared app. This one. And here we['ve] got [to just] paste what we had and we just keep. Remove everything, we just keep the token. So anything before this goes. That's it. We don't need to set up anything else. Even storage, it's not necessary. And we install. Okay, now it's up and running.

Let's go back to Cloudflared profile. Now we need to wait until we get uh something here in connectors. It will automatically search. Alright, here we go. It's connected. So now we can continue. Next.

Now we're ready to add our first service. Let's start by adding TrueNAS itself. So let's just copy the IP. Then we choose the subdomain TrueNAS and choose the domain, then we choose HTTP and then the IP. There is nothing specific to add there. That's save.

To test this I'm going to disconnect from the VPN. Because I'm not at home, I'm connected to my home VPN. So I'm just going to deactivate it and try this. To show that likely if I try to go to the same IP, it's not going to work, because I disconnected from the VPN. And if I try a domain, new domain, it works. So now TrueNAS is accessible from the outside. But this is not recommended of course.
If you want to expose something, just expose the apps individually, don't expose the whole thing. So now I'm just going to delete it and then I'm gonna add something else.

Okay, now I want to add another service. Maybe Proxmox. Let's go to add the public hostname. Proxmox, same thing. Here we're going to choose HTTPS instead of HTTP and then the IP as well as the port, which is 8... 8006, and then we go to Additional Settings > TLS and we enable No TLS verify. It will not check certificates. Okay, now let's save. Let's try again now. Nice! Now it works. And we'll disconnect the VPN and refresh, and it still works.

Okay, now before we're finishing the video, let's do one last service, which is Paperless. Since we already covered this in a previous video, we're going to see how to expose this. Why did I choose Paperless? Because it's a bit tricky to set up, it's not as simple as adding the hostname. So, let's see. First we just add the hostname of course, same thing as always, HTTPS, and then we take the URL, which is IP and Port. It chooses HTTP, not HTTPS. Service name.

So first it's gonna work normally if I try to access. Alright. Uh, but the problem is when you try to login, you get this error: CSRF verification failed. Why? We need to change some settings to make it accessible. According to the documentation, we need to set this environment variable (PAPERLESS_URL) uh and uh, set it to the domain name we used in Cloudflare. So let's do that. Go to Paperless > Edit and let's just add it as an environment variable here. PAPERLESS_URL, set it to paperless.yourdomain. Make sure to add HTTPS to the beginning and that's it. Update.

In case you got stuck in deploying, which was the case for me, I'm not sure why, but the container Paperless just stuck like this for a long time. So what I did is stop this instance and create another instance using the already created datasets. So you're not going to lose anything of your files. So let's start another instance. Let's call it paperless-cloudflare.
We can change password if you want. By the way, you can choose any secret key you want. Just want some random stuff. You don't need to remember it. Okay, add an email, just a fake email. Password. Now we add again environment variable PAPERLESS_URL, HTTPS, paperless… dot your domain, and then we add the other host path. Paperless, this is the data. Let's copy this. And now Media and then Consume and Trash, this is PostScript. Make sure to check "Automatic Permissions". Then we hit install. Let's wait [a] little bit. It works but it takes some time.

Okay, now it's running. Let's start it. First let's get the IP, I mean let's get the port-- IP is the same. Go back to Cloudflare. Hit it. Going to put the new port. Save. Let's try now. Okay, now new password. And now it works. We don't got the error, the previous error. And as you can see, we still have the [same] documents as before, we didn't lose anything. We still got all our documents. Open them. And uh, everything works fine. That's it. Basically this is how to expose your services on the cloud.

To recap: when you want to expose your app, this is how it works. We don't access the app directly, but rather you access the cloud server, Cloudflare server. Cloudflare will make exchanges with your LAN network through Cloudflare and then it will give access to your app. This way you don't access your app directly, which means you don't expose your IP and you don't go through the NAT, you don't need to open a port. But be careful: if your app is insecure and you get hacked, you directly expose all of your homelab. It doesn't matter if you use Cloudflare or not.

Like and Share if you made it this far. See you in the next video.
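
Added example, not part of the video or of Paperless: a simplified Python model of the Origin check done by Django's CSRF middleware (Paperless is a Django app), showing why the login fails through the tunnel and why `PAPERLESS_URL` needs the `https://` prefix. It assumes the tunnel forwards the public hostname as the Host header over plain HTTP and that `PAPERLESS_URL` is used as a CSRF trusted origin; the hostname, IP, port and login path are constructed.

```python
from urllib.parse import urlsplit

def origin_verified(origin, host, is_secure, trusted_origins=()):
    """Simplified model of the Origin check in Django's CSRF middleware."""
    # The origin the app believes it is served from, built from what it sees:
    # the Host header and whether the hop that reached it used TLS.
    good_origin = ("https" if is_secure else "http") + "://" + host
    if origin == good_origin or origin in trusted_origins:
        return True
    req = urlsplit(origin)
    for entry in trusted_origins:
        t = urlsplit(entry)
        # Wildcard entries such as "https://*.example.com"; scheme must match.
        if t.netloc.startswith("*.") and req.scheme == t.scheme:
            suffix = t.netloc[1:]  # ".example.com"
            if req.netloc.endswith(suffix) or req.netloc == suffix[1:]:
                return True
    return False

def login_post_allowed(browser_url, origin_is_https, paperless_url=None):
    """Model a login POST. browser_url is the address in the browser;
    origin_is_https says whether the last hop to the app used HTTPS."""
    u = urlsplit(browser_url)
    origin = f"{u.scheme}://{u.netloc}"  # what the browser sends as Origin
    # Assumption: PAPERLESS_URL ends up as the single trusted CSRF origin.
    trusted = (paperless_url.rstrip("/"),) if paperless_url else ()
    return origin_verified(origin, u.netloc, origin_is_https, trusted)

# Constructed sample values (not from the video).
PUBLIC = "https://paperless.example.com/accounts/login/"
LAN = "http://192.168.1.50:30070/accounts/login/"

if __name__ == "__main__":
    cases = [
        ("LAN, no PAPERLESS_URL", LAN, None),
        ("tunnel, no PAPERLESS_URL", PUBLIC, None),
        ("tunnel, PAPERLESS_URL without https", PUBLIC,
         "http://paperless.example.com"),
        ("tunnel, PAPERLESS_URL with https", PUBLIC,
         "https://paperless.example.com"),
    ]
    for label, url, setting in cases:
        verdict = "accepted" if login_post_allowed(url, False, setting) else "CSRF verification failed"
        print(f"{label}: {verdict}")
```

The browser talks HTTPS to Cloudflare while the app is reached over HTTP, so the origin the app computes for itself never matches the browser's `Origin` header unless the public `https://` URL is explicitly trusted.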