Hi everyone, welcome back
So today we're going to try
something a little bit different.
We're gonna start a new video series
about all the different ways to
expose or access our homelab
from the internet.
The reason is mainly because
there's tons of options out there,
and I feel like it's not talked enough about on YouTube.
Especially the security part
which is most important.
Almost everyone just assumes it's secure, which isn't always the case,
so make sure to hit the Like button
Subscribe and Share
and let's get started.
Okay so how to do it,
to expose our homelab
there are five main ways
1. Secure Tunnels like Cloudflare
2. Reverse proxies like Nginx
3. Traditional VPNs like Wireguard
or OpenVPN protocols
4. Mesh VPNs like ZeroTier and Tailscale
and lastly 5. the old classic
port forwarding or NAT
So let's break down each one of them
quickly to understand the differences.
First secure tunnels like Cloudflare.
This is often defined as secure tunnels to
access your app without exposing your IP
making remote access easy.
It's also fairly easy to setup,
however, by default it's not secured enough
and solely [relies] on your app security
but this can be improved.
We'll cover this later in another video.
Next, reverse proxies
like nginx.
It's a server that sits in the middle and forwards requests to your homelab
helping you manage multiple services under one domain.
While adding another layer of protection,
you will have more control over your services
and how to contr-
manage them.
However, it exposes your IP and you must open a port on your router to access it.
Next, traditional VPNs like Wireguard or OpenVPN.
It creates an encrypted tunnel between your device and
your homelab
making it feel like you are on the same local network.
It's good for privacy and security
but only useful when you are the only user because
it's impossible to share access without sharing your private key
to other users.
Next, mesh VPNs
like ZeroTier or Tailscale
this is similar to normal VPNs except it connects devices between each other
instead of connecting them to a central server.
It has more control over normal VPNs in the way that you can choose which devices to share
but you must manually join the network
each time for each device you want to give access to.
Finally NAT this is a classic way of opening specific ports on your router
to expose your homelab.
It's simple but it also carries high security risk if you rely on it alone.
Keep in mind NAT often gets used with other
methods like previously shown,
but going purely [on its own] port forwarding is a no-go for secure setups.
Now, you may be wondering,
what's the most secure setup
to expose your home lab?
Actually, [it] depends on your apps and what you want to do.
In my opinion, it's not about which method you use
but more about how you combine between them.
The best setup is to mix them
and make them work all together
to have the perfect setup.
Okay so first let's go to cloudflare.com
Go to "Sign Up"
and free at the website
And let's create a new account now
After that if you already have [a] domain [previously purchased]
enter it here
or for me I'm just going to create a new domain.
For some reason I got an error
when trying to pay
So I'm just going to import an existing domain
Just going to type it here
Okay, so then go down
and choose the free package
Next click on continue to activation
confirm
Next we need to do some modifications
We need to modify the current name servers
with Cloudflare nameservers
To allow cloudflare to control the domain
to do that
We go to the domain provider
in my case it's NameCheap
So in my case
I'm gonna do custom DNS
and then I copy....
the nameservers
and then I save
It tells you that it can take
up to 48 hours
But it's not true it [can take] just a few seconds
or a few minutes max
But, just in case
If it takes a long time to update
Uh, this is normal so
just wait
There is no other choice
Okay, so after a while,
We get this page this means everything is good
Now we go to access page
and then Zero Trust
We choose our account
Next you go to access
Next we choose teamname
Just anything
Then we choose the free package of course
There is zero payment
Next we go to Networks
Tunnels
And we add a tunnel
We choose this one Cloudflared
We name our Tunnel
Homelab uh test
Next it will ask you to choose your home environment
In this case you just uh
You just choose docker
and then we just copy the command
because we just need the token
we don't need to run anything docker
Then we go back to TrueNAS
and we install
the cloudflared app
This one
and here we got
paste what we had
and we just keep
remove everything we just keep the token
So anything before this goes
That's it
We don't need to setup anything else
even storage, it's not necessary
and we install
Okay, now it's up and running
let's go back to cloudflared profile
now we need to wait until we get uh
Something here in connectors
It will automatically serve
Alright here we go
It's connected
So now we can continue
next
Now we're ready to add our first service
Let's start by adding TrueNAS itself
So let's just copy the IP
Then we choose the subdomain
TrueNAS
and choose the domain
then we choose HTTP
and then the IP
There is nothing specific to add there
Let's save
To test this I'm going to disconnect from the VPN
Because I'm not at home I'm connected to my home VPN
So I'm just going to deactivate it
and try this
To show that likely if I try to go to the same IP
it's not going to work
because I disconnected from the VPN
and if I try
a domain
from the new domain
it works
so now
TrueNAS is accessible
from the outside
But this is not recommended of course
If you want to expose something
just expose the apps individually
don't expose the whole thing
so
So now I'm just going to delete it
and then I'm gonna add something else
Okay now I want to add another service
Maybe, ProxMox
Let's go to add the public [sub] domain
ProxMox
same thing
here we're going to choose HTTPS instead of HTTP
and then the IP
as well as the port which is 8...
8006
and then we go to additional settings > TLS
and we enable no TLS verify
it will not check certificates
now let's save
let's try again now
Nice! Now it works
and we'll disconnect the VPN
and refresh
and it still works
Okay now before we're finishing the video
let's do
one last service which is
paperless
Since we already covered this in a previous video
We're going to see how to expose this
Why did I choose paperless because
it's a bit tricky to setup
it's not as simple as
adding the host name
So, let's see first we just add the host name of course
same thing as always
HTTPS, and then we take the URL
which is IP and Port
It chooses HTTP node to HTTPS
Service name
So first it's gonna work normally
If I try to access
Alright
Uh, but the problem is when you
try to login
You get this
error. CSRF verification failed.
Why?
We need to change some settings
to make it accessible
According to the documentation
we need to set this environment variable (PAPERLESS_URL)
Uh and uh, set it to the domain name
We used in the closer
So let's do that
go to paperless > Edit
and let's just add it as an environment variable there
PAPERLESS_URL
set it to paperless.yourdomainname
make sure to add HTTPS to the beginning
and that's it
update
In case you got stuck in deploying
which was the case for me
I'm not sure why but the container paperless
just stuck like this for a long time
So what I did is stop this instance
and create another instance
using the already created datasets
So you're not going to lose anything
of your files
So let's start another instance
Let's call it paperless-cloudflare
We can change password if you want
By the way you can choose any secret key
you want. Just want some random stuff
You don't need to remember it.
Okay, add an email
just a fake email.
Password.
Now we add again environment variable
PAPERLESS_URL
HTTPS
paperless…
dot
your domain
and then we add the other host path
paperless this is the data
let's copy this
And now Media
and then Consume
and Trash
this is postscript
Make sure to check "Automatic Permissions"
Then we hit install
Let's wait [a] little bit
It works but it takes some time
Okay now it's running
Let's start it
First let's get the IP
I mean let's get the part-- IP is the same
Go back to cloudflare
Hit it
Going to put the new port
Save
Let's try now
Okay, now new password
And now it works. We don't get the error
the previous error.
And as you can see we still have the documents
as before, we didn't lose anything
We still got all our documents
Open them
And uh, everything works fine
That's it
Basically this is how to
expose your services on the cloud
To recap
when you want to expose your app
this is how it works
we don't access the app directly
but rather you access the cloudserver
cloudflare server. Cloudflare will make exchanges
with your
LAN network through Cloudflare
and then
It will give access to your app
This way you don't
access your app directly
which means you don't expose your
IP and you don't go through the NAT
you don't need to open a port
but be careful if your app is insecure
and you get hacked. You directly expose
all of your homelab
It doesn't matter if you use Cloudflare
or not
Like and Share if you made it this far
See you in the next video