WEBVTT

00:00:00.521 --> 00:00:02.082
Hi everyone, welcome back

00:00:02.162 --> 00:00:05.092
So today we're going to try something a little bit different.

00:00:05.142 --> 00:00:08.126
We're gonna start a new video series

00:00:09.247 --> 00:00:12.621
about all the different ways to expose or access our homelab

00:00:12.621 --> 00:00:14.059
from the internet.

00:00:14.779 --> 00:00:18.289
The reason is mainly because there's tons of options out there,

00:00:18.411 --> 00:00:21.131
and I feel like it's not talked enough about on YouTube.

00:00:21.393 --> 00:00:24.735
Especially the security part which is most important.

NOTE Paragraph

00:00:24.799 --> 00:00:28.675
Almost everyone just assumes it's secure, which isn't always the case,

00:00:28.885 --> 00:00:31.748
so make sure to hit the Like button, Subscribe and Share

00:00:31.929 --> 00:00:33.450
and let's get started.

00:00:33.738 --> 00:00:35.256
Okay so how to do it,

00:00:35.527 --> 00:00:38.719
to expose our homelab there are five main ways

00:00:39.126 --> 00:00:41.689
1. Secure Tunnels like Cloudflare

00:00:42.058 --> 00:00:44.000
2. Reverse proxies like Nginx

00:00:44.289 --> 00:00:48.129
3. Traditional VPNs like WireGuard or OpenVPN protocols

00:00:48.493 --> 00:00:51.204
4. Mesh VPNs like ZeroTier and Tailscale

00:00:51.531 --> 00:00:55.349
and lastly 5. the old classic port forwarding or NAT

00:00:55.349 --> 00:00:59.146
So let's break down each one of them quickly to understand the differences.

00:00:59.441 --> 00:01:02.330
First secure tunnels like Cloudflare.

00:01:02.330 --> 00:01:06.722
This is often defined as secure tunnels to access your app without exposing your IP

00:01:06.722 --> 00:01:08.856
making remote access easy.

00:01:08.856 --> 00:01:10.949
It's also fairly easy to set up,

00:01:11.129 --> 00:01:14.169
however, by default it's not secured enough

00:01:14.240 --> 00:01:16.916
and solely [relies] on your app security

00:01:16.916 --> 00:01:18.520
but this can be improved.

00:01:18.520 --> 00:01:21.599
We'll cover this later in another video.

00:01:21.599 --> 00:01:24.154
Next, reverse proxies like nginx.

00:01:24.226 --> 00:01:28.198
It's a server that sits in the middle and forwards requests to your homelab

00:01:28.416 --> 00:01:31.520
helping you manage multiple services under one domain.

00:01:31.662 --> 00:01:33.758
While adding another layer of protection,

00:01:33.758 --> 00:01:38.660
you will have more control over your services and how to

00:01:38.983 --> 00:01:40.668
contr- manage them.

00:01:41.032 --> 00:01:46.288
However, it exposes your IP and you must open a port on your router to access it.

00:01:47.000 --> 00:01:51.006
Next, traditional VPNs like WireGuard or OpenVPN.

00:01:51.006 --> 00:01:54.938
It creates an encrypted tunnel between your device and your homelab

00:01:55.076 --> 00:01:57.854
making it feel like you are on the same local network.

00:01:57.854 --> 00:02:00.634
It's good for privacy and security

00:02:00.634 --> 00:02:03.318
but only useful when you are the only user because

00:02:03.318 --> 00:02:07.198
it's impossible to share access without sharing your private key

00:02:07.198 --> 00:02:09.530
to other users.

00:02:09.530 --> 00:02:14.306
Next, mesh VPNs like ZeroTier or Tailscale.

00:02:14.306 --> 00:02:18.984
This is similar to normal VPNs except it connects devices between each other

00:02:18.984 --> 00:02:21.702
instead of connecting them to a central server.

00:02:21.702 --> 00:02:25.476
It has more control over normal VPNs in the way that you can choose which

00:02:25.476 --> 00:02:29.067
devices to share but you must manually join the network

00:02:29.067 --> 00:02:31.606
each time for each device you want to give access to.

00:02:31.606 --> 00:02:36.176
Finally, NAT: this is a classic way of opening specific ports on your router

00:02:36.176 --> 00:02:37.667
to expose your homelab.

00:02:37.667 --> 00:02:42.200
It's simple but it also carries high security risk if you rely on it alone.

00:02:42.200 --> 00:02:46.623
Keep in mind NAT often gets used with other methods like previously shown,

00:02:46.750 --> 00:02:50.843
but going purely [on its own] port forwarding is a no-go for secure setups.

00:02:51.402 --> 00:02:52.773
Now, you may be wondering,

00:02:53.137 --> 00:02:56.117
what's the most secure setup to expose your home lab?

NOTE Paragraph

00:02:56.236 --> 00:02:59.759
Actually, [it] depends on your apps and what you want to do.

00:02:59.759 --> 00:03:02.555
In my opinion, it's not about which method you use

00:03:02.555 --> 00:03:05.529
but more about how you combine between them.

00:03:05.529 --> 00:03:09.779
The best setup is to mix them and make them work all together

00:03:09.779 --> 00:03:11.731
to have the perfect setup.

00:03:13.593 --> 00:03:16.780
Okay so first let's go to cloudflare.com

00:03:16.780 --> 00:03:18.320
Go to "Sign Up"

00:03:18.767 --> 00:03:21.625
and free at the website.

00:03:23.020 --> 00:03:25.981
And let's create a new account now.

00:03:29.304 --> 00:03:32.378
After that if you already have [a] domain [previously purchased]

00:03:32.379 --> 00:03:36.447
enter it here or for me I'm just going to create a new domain.

00:03:39.574 --> 00:03:42.307
For some reason I got an error when trying to pay

00:03:42.506 --> 00:03:47.308
So I'm just going to import an existing domain. Just going to type it here.

00:03:51.347 --> 00:03:53.683
Okay, so then go down

00:03:54.517 --> 00:03:56.227
and choose the free package.

00:03:59.963 --> 00:04:02.678
Next click on continue to activation.

00:04:03.224 --> 00:04:07.187
Confirm. Next we need to do some modifications

00:04:07.467 --> 00:04:10.949
We need to modify the current name servers

00:04:11.124 --> 00:04:12.859
with Cloudflare nameservers

00:04:13.243 --> 00:04:16.360
to allow Cloudflare to control the domain.

00:04:16.750 --> 00:04:17.631
To do that,

00:04:17.957 --> 00:04:22.157
we go to the domain provider in my case it's Namecheap.

00:04:25.978 --> 00:04:30.843
So in my case I'm gonna do custom DNS and then I copy....

00:04:35.710 --> 00:04:37.504
the nameservers

00:04:38.754 --> 00:04:39.796
and then I save.

00:04:42.779 --> 00:04:46.192
It tells you that it can take up to 48 hours

00:04:46.192 --> 00:04:49.761
But it's not true it [can take] just a few seconds or a few minutes max

00:04:50.361 --> 00:04:52.118
But, just in case

00:04:53.139 --> 00:04:55.176
If it takes a long time to update

00:04:55.426 --> 00:04:58.024
Uh, this is normal so just wait

00:04:58.254 --> 00:05:00.183
There is no other choice

00:05:00.725 --> 00:05:02.085
Okay, so after a while,

00:05:02.085 --> 00:05:04.453
We get this page this means everything is good

00:05:04.603 --> 00:05:07.324
Now we go to access page

00:05:07.524 --> 00:05:09.709
and then Launch Zero Trust.

00:05:10.446 --> 00:05:11.865
We choose our account

00:05:12.218 --> 00:05:14.409
Next you go to access

00:05:15.202 --> 00:05:17.558
Next we choose teamname

00:05:17.599 --> 00:05:18.783
Just anything

00:05:23.051 --> 00:05:26.135
Then we choose the free package of course

00:05:27.473 --> 00:05:29.562
There is zero payment

00:05:33.126 --> 00:05:34.940
Next we go to Networks

00:05:35.299 --> 00:05:36.254
Tunnels

00:05:37.337 --> 00:05:39.403
And we add a tunnel

00:05:39.595 --> 00:05:41.237
We choose this one Cloudflared

00:05:41.581 --> 00:05:45.112
We name our Tunnel Homelab uh test

00:05:47.279 --> 00:05:50.189
Next it will ask you to choose your environment

00:05:50.339 --> 00:05:53.319
In this case you just uh You just choose Docker

00:05:53.404 --> 00:05:55.267
and then we just copy the command

00:05:55.267 --> 00:06:00.015
because we just need the token. We don't need to run anything docker

00:06:00.104 --> 00:06:01.747
Then we go back to TrueNAS

00:06:02.278 --> 00:06:03.742
and we install

00:06:03.942 --> 00:06:05.846
the Cloudflared app.

00:06:07.320 --> 00:06:08.621
This one

00:06:10.581 --> 00:06:13.442
And here we['ve] got [to just] paste what we had

00:06:13.442 --> 00:06:14.577
and we just keep.

00:06:15.957 --> 00:06:19.195
Remove everything, we just keep the token.

00:06:24.636 --> 00:06:27.117
So anything before this goes.

00:06:29.145 --> 00:06:30.366
That's it.

00:06:31.599 --> 00:06:34.373
We don't need to set up anything else.

00:06:35.159 --> 00:06:37.754
Even storage, it's not necessary.

00:06:39.630 --> 00:06:40.859
And we install.

00:06:43.528 --> 00:06:45.364
Okay now it's up and running.

00:06:45.791 --> 00:06:47.918
Let's go back to Cloudflared profile.

00:06:48.858 --> 00:06:52.825
Now we need to wait until we get uh something here in connectors.

00:06:53.067 --> 00:06:54.585
It will automatically search.

00:06:54.585 --> 00:06:56.029
Alright here we go

00:06:56.029 --> 00:06:58.749
It's connected. So now we can continue.

00:06:58.922 --> 00:07:00.107
Next

00:07:01.852 --> 00:07:05.704
Now we're ready to add our first service.

00:07:06.627 --> 00:07:09.269
Let's start by adding TrueNAS itself.

00:07:09.529 --> 00:07:11.873
So let's just copy the IP

00:07:15.334 --> 00:07:17.046
Then we choose the subdomain

00:07:17.280 --> 00:07:18.047
TrueNAS

00:07:18.485 --> 00:07:19.548
and choose the domain

00:07:20.894 --> 00:07:22.920
then we choose HTTP

00:07:24.338 --> 00:07:25.860
and then the IP

00:07:26.715 --> 00:07:30.052
There is nothing specific to add there.

00:07:30.228 --> 00:07:31.116
That's save.

00:07:33.201 --> 00:07:35.850
To test this I'm going to disconnect from the VPN

00:07:36.267 --> 00:07:40.501
Because I'm not at home I'm connected to my home VPN.

00:07:40.811 --> 00:07:43.639
So I'm just going to deactivate it and try this.

00:07:44.952 --> 00:07:50.706
To show that likely if I try to go to the same IP

00:07:52.710 --> 00:07:56.366
It's not going to work, because I disconnected from the VPN.

00:07:56.870 --> 00:07:58.017
And if I try

00:07:58.642 --> 00:07:59.685
a domain,

00:08:00.206 --> 00:08:01.164
new domain.

00:08:04.502 --> 00:08:05.315
It works.

00:08:05.608 --> 00:08:06.356
So now

00:08:09.027 --> 00:08:10.915
TrueNAS is accessible

00:08:11.201 --> 00:08:12.140
from the outside.

00:08:12.518 --> 00:08:15.155
But this is not recommended of course.

00:08:15.155 --> 00:08:18.913
If you want to expose something just expose the apps individually

00:08:19.238 --> 00:08:21.253
don't expose the whole thing.

00:08:21.709 --> 00:08:22.773
so

00:08:23.500 --> 00:08:25.358
So now I'm just going to delete it

00:08:25.714 --> 00:08:28.507
and then I'm gonna add something else.

00:08:33.865 --> 00:08:36.145
Okay now I want to add another service.

00:08:36.285 --> 00:08:37.975
Maybe, Proxmox

00:08:40.194 --> 00:08:42.314
Let's go to add the public hostname

00:08:42.945 --> 00:08:43.866
Proxmox

00:08:44.482 --> 00:08:45.442
same thing

00:08:47.818 --> 00:08:50.174
here we're going to choose HTTPS instead of HTTP

00:08:50.821 --> 00:08:52.843
and then the IP

00:08:54.429 --> 00:08:58.099
as well as the port which is 8...

00:08:58.515 --> 00:09:00.068
8006

00:09:03.950 --> 00:09:07.454
and then we go to Additional Settings > TLS

00:09:08.017 --> 00:09:10.750
and we enable No TLS verify.

00:09:10.873 --> 00:09:12.354
It will not check certificates.

00:09:12.823 --> 00:09:13.899
Okay, now let's save.

00:09:15.920 --> 00:09:18.130
Let's try again now.

00:09:25.117 --> 00:09:26.389
Nice! Now it works.

00:09:32.916 --> 00:09:34.980
And we'll disconnect the VPN

00:09:35.607 --> 00:09:36.399
and refresh

00:09:36.921 --> 00:09:38.129
and it still works.

00:09:39.255 --> 00:09:41.490
Okay now before we're finishing the video

00:09:41.816 --> 00:09:45.990
let's do one last service which is Paperless.

00:09:46.365 --> 00:09:49.885
Since we already covered this in a previous video,

00:09:50.260 --> 00:09:52.158
we're going to see how to expose this

00:09:52.469 --> 00:09:56.158
Why did I choose Paperless? Because it's a bit tricky to set up

00:09:56.620 --> 00:09:58.458
it's not as simple as

00:09:58.785 --> 00:10:00.415
adding the hostname.

00:10:01.103 --> 00:10:04.293
So, let's see first we just add the hostname of course

00:10:06.756 --> 00:10:08.402
same thing as always,

00:10:09.528 --> 00:10:13.338
HTTPS, and then we take the URL

00:10:16.860 --> 00:10:19.056
which is IP and Port

00:10:24.856 --> 00:10:27.568
It chooses HTTP not HTTPS

00:10:29.048 --> 00:10:30.175
Service name

00:10:31.196 --> 00:10:34.324
So first it's gonna work normally

00:10:34.930 --> 00:10:36.578
If I try to access.

00:10:39.852 --> 00:10:40.893
Alright

00:10:41.580 --> 00:10:45.423
Uh, but the problem is when you try to log in

00:10:49.212 --> 00:10:52.591
You get this error. CSRF verification failed.

00:10:52.949 --> 00:10:53.775
Why?

00:10:54.058 --> 00:10:57.801
We need to change some settings to make it accessible.

00:10:58.332 --> 00:11:01.545
According to the documentation,

00:11:02.192 --> 00:11:05.923
we need to set this environment variable (PAPERLESS_URL)

00:11:06.488 --> 00:11:10.574
uh and uh, set it to the domain name

00:11:10.907 --> 00:11:12.410
we used in Cloudflare.

00:11:12.680 --> 00:11:14.308
So let's do that

00:11:15.322 --> 00:11:18.329
go to Paperless > Edit

00:11:20.053 --> 00:11:24.999
and let's just add it as an environment variable here

00:11:25.912 --> 00:11:28.350
PAPERLESS_URL

00:11:28.682 --> 00:11:32.021
set it to paperless.yourdomain

00:11:36.024 --> 00:11:40.028
make sure to add HTTPS to the beginning

00:11:42.450 --> 00:11:44.294
and that's it. Update.

00:11:48.088 --> 00:11:51.235
In case you got stuck in deploying

00:11:51.485 --> 00:11:53.301
which was the case for me

00:11:53.717 --> 00:11:56.262
I'm not sure why but the container Paperless

00:11:56.824 --> 00:11:59.640
just stuck like this for a long time

00:12:00.035 --> 00:12:03.664
So what I did is stop this instance

00:12:04.103 --> 00:12:05.936
and create another instance

00:12:06.480 --> 00:12:10.631
using the already created datasets.

00:12:11.171 --> 00:12:14.329
So you're not going to lose anything of your files.

00:12:16.831 --> 00:12:18.917
So let's start another instance

00:12:20.502 --> 00:12:23.046
Let's call it paperless-cloudflare.

00:12:26.132 --> 00:12:29.177
We can change password if you want.

00:12:32.283 --> 00:12:36.075
By the way you can choose any secret key you want. Just want some random stuff

00:12:36.245 --> 00:12:38.172
You don't need to remember it.

00:12:42.545 --> 00:12:44.903
Okay, add an email

00:12:45.422 --> 00:12:47.278
just a fake email.

00:12:50.804 --> 00:12:51.806
Password.

00:13:02.233 --> 00:13:05.715
Now we add again environment variable

00:13:06.340 --> 00:13:08.196
PAPERLESS_URL

00:13:09.049 --> 00:13:10.343
HTTPS

00:13:10.844 --> 00:13:11.637
paperless…

00:13:12.410 --> 00:13:13.355
dot

00:13:14.681 --> 00:13:16.079
your domain

00:13:20.937 --> 00:13:24.024
and then we add the other host path

00:13:27.737 --> 00:13:30.052
Paperless this is the data.

00:13:30.740 --> 00:13:31.678
let's copy this

00:13:33.452 --> 00:13:35.307
And now Media

00:13:39.687 --> 00:13:41.584
and then Consume

00:13:50.411 --> 00:13:51.516
and Trash

00:13:57.752 --> 00:13:59.400
this is PostScript

00:14:06.113 --> 00:14:09.076
Make sure to check "Automatic Permissions".

00:14:12.954 --> 00:14:14.309
Then we hit install.

00:14:18.405 --> 00:14:22.606
Let's wait [a] little bit. It works but it takes some time.

00:14:24.816 --> 00:14:26.359
Okay now it's running.

00:14:27.339 --> 00:14:28.362
Let's start it.

00:14:31.179 --> 00:14:32.970
First let's get the IP

00:14:33.409 --> 00:14:36.037
I mean let's get the port-- IP is the same.

00:14:36.952 --> 00:14:38.204
Go back to Cloudflare

00:14:38.977 --> 00:14:39.810
Hit it

00:14:41.499 --> 00:14:44.189
Going to put the new port

00:14:45.338 --> 00:14:46.317
Save

00:14:49.821 --> 00:14:51.177
Let's try now

00:14:55.431 --> 00:14:57.703
Okay, now new password

00:15:03.418 --> 00:15:06.757
And now it works. We don't got the error, the previous error.

00:15:07.837 --> 00:15:11.706
And as you can see we still have the [same] documents as

00:15:11.706 --> 00:15:14.435
before, we didn't lose anything.

00:15:15.291 --> 00:15:17.458
We still got all our documents.

00:15:22.402 --> 00:15:23.645
Open them

00:15:26.510 --> 00:15:28.448
And uh, everything works fine

00:15:32.620 --> 00:15:33.411
That's it

00:15:33.580 --> 00:15:35.331
Basically this is how to

00:15:35.600 --> 00:15:39.064
expose your services on the cloud

00:15:42.796 --> 00:15:43.570
To recap:

00:15:43.825 --> 00:15:47.446
When you want to expose your app, this is how it works.

00:15:47.446 --> 00:15:53.217
We don't access the app directly but rather you access the cloud server

00:15:53.564 --> 00:15:56.666
Cloudflare server. Cloudflare will make exchanges

00:15:56.862 --> 00:16:00.140
with your LAN network through Cloudflare

00:16:00.424 --> 00:16:01.231
and then

00:16:01.541 --> 00:16:04.168
It will give access to your app.

00:16:04.529 --> 00:16:08.764
This way you don't access your app directly which means you don't expose your

00:16:08.851 --> 00:16:11.230
IP and you don't go through the NAT

00:16:11.391 --> 00:16:12.875
you don't need to open a port

00:16:13.225 --> 00:16:16.787
but be careful if your app is insecure and you get hacked.

00:16:16.927 --> 00:16:19.752
You directly expose all of your homelab

00:16:19.752 --> 00:16:22.692
It doesn't matter if you use Cloudflare or not

00:16:22.854 --> 00:16:26.393
Like and Share if you made it this far.
See you in the next video