1 99:59:59,999 --> 99:59:59,999 Hi everyone, welcome back 2 99:59:59,999 --> 99:59:59,999 So today we're going to try something a little bit different. 3 99:59:59,999 --> 99:59:59,999 We're gonna start a new video series 4 99:59:59,999 --> 99:59:59,999 about all the different ways to expose or access our homelab 5 99:59:59,999 --> 99:59:59,999 from the internet. 6 99:59:59,999 --> 99:59:59,999 The reason is mainly because there's tons of options out there, 7 99:59:59,999 --> 99:59:59,999 and I feel like it's not talked enough about on YouTube. 8 99:59:59,999 --> 99:59:59,999 Especially the security part 9 99:59:59,999 --> 99:59:59,999 which is most important. 10 99:59:59,999 --> 99:59:59,999 Almost everyone just assumes it's secure, which isn't always the case, 11 99:59:59,999 --> 99:59:59,999 so make sure to hit the Like button 12 99:59:59,999 --> 99:59:59,999 Subscribe and Share 13 99:59:59,999 --> 99:59:59,999 and let's get started. 14 99:59:59,999 --> 99:59:59,999 Okay so how to do it, 15 99:59:59,999 --> 99:59:59,999 to expose our homelab there are five main ways 16 99:59:59,999 --> 99:59:59,999 1. Secure Tunnels like Cloudflare 17 99:59:59,999 --> 99:59:59,999 2. Reverse proxies like Nginx 18 99:59:59,999 --> 99:59:59,999 3. Traditional VPNs like Wireguard or OpenVPN protocols 19 99:59:59,999 --> 99:59:59,999 4. Mesh VPNs like ZeroTier and Tailscale 20 99:59:59,999 --> 99:59:59,999 and lastly 5. the old classic port forwarding or NAT 21 99:59:59,999 --> 99:59:59,999 So let's break down each one of them quickly to understand the differences. 22 99:59:59,999 --> 99:59:59,999 First secure tunnels like Cloudflare. 23 99:59:59,999 --> 99:59:59,999 This is often defined as secure tunnels to access your app without exposing your IP 24 99:59:59,999 --> 99:59:59,999 making remote access easy. 
25 99:59:59,999 --> 99:59:59,999 It's also fairly easy to set up, 26 99:59:59,999 --> 99:59:59,999 however, by default it's not secured enough 27 99:59:59,999 --> 99:59:59,999 and solely [relies] on your app security 28 99:59:59,999 --> 99:59:59,999 but this can be improved. 29 99:59:59,999 --> 99:59:59,999 We'll cover this later in another video. 30 99:59:59,999 --> 99:59:59,999 Next, reverse proxies 31 99:59:59,999 --> 99:59:59,999 like nginx. 32 99:59:59,999 --> 99:59:59,999 It's a server that sits in the middle and forwards requests to your homelab 33 99:59:59,999 --> 99:59:59,999 helping you manage multiple services under one domain. 34 99:59:59,999 --> 99:59:59,999 While adding another layer of protection, 35 99:59:59,999 --> 99:59:59,999 you will have more control over your services 36 99:59:59,999 --> 99:59:59,999 and how to contr- manage them. 37 99:59:59,999 --> 99:59:59,999 However, it exposes your IP and you must open a port on your router to access it. 38 99:59:59,999 --> 99:59:59,999 Next, traditional VPNs like Wireguard or OpenVPN. 39 99:59:59,999 --> 99:59:59,999 It creates an encrypted tunnel between your device and 40 99:59:59,999 --> 99:59:59,999 your homelab 41 99:59:59,999 --> 99:59:59,999 making it feel like you are on the same local network. 42 99:59:59,999 --> 99:59:59,999 It's good for privacy and security 43 99:59:59,999 --> 99:59:59,999 but only useful when you are the only user because 44 99:59:59,999 --> 99:59:59,999 it's impossible to share access without sharing your private key 45 99:59:59,999 --> 99:59:59,999 to other users. 46 99:59:59,999 --> 99:59:59,999 Next, mesh VPNs 47 99:59:59,999 --> 99:59:59,999 like ZeroTier or Tailscale 48 99:59:59,999 --> 99:59:59,999 this is similar to normal VPNs except it connects devices between each other 49 99:59:59,999 --> 99:59:59,999 instead of connecting them to a central server. 
50 99:59:59,999 --> 99:59:59,999 It has more control over normal VPNs in the way that you can choose which devices to share 51 99:59:59,999 --> 99:59:59,999 but you must manually join the network 52 99:59:59,999 --> 99:59:59,999 each time for each device you want to give access to. 53 99:59:59,999 --> 99:59:59,999 Finally NAT this is a classic way of opening specific ports on your router 54 99:59:59,999 --> 99:59:59,999 to expose your homelab. 55 99:59:59,999 --> 99:59:59,999 It's simple but it also carries high security risk if you rely on it alone. 56 99:59:59,999 --> 99:59:59,999 Keep in mind NAT often gets used with other 57 99:59:59,999 --> 99:59:59,999 methods like previously shown, 58 99:59:59,999 --> 99:59:59,999 but going purely [on its own] port forwarding is a no-go for secure setups. 59 99:59:59,999 --> 99:59:59,999 Now, you may be wondering, 60 99:59:59,999 --> 99:59:59,999 what's the most secure setup 61 99:59:59,999 --> 99:59:59,999 to expose your home lab? 62 99:59:59,999 --> 99:59:59,999 Actually, [it] depends on your apps and what you want to do. 63 99:59:59,999 --> 99:59:59,999 In my opinion, it's not about which method you use 64 99:59:59,999 --> 99:59:59,999 but more about how you combine between them. 65 99:59:59,999 --> 99:59:59,999 The best setup is to mix them and make them work all together 66 99:59:59,999 --> 99:59:59,999 67 99:59:59,999 --> 99:59:59,999 to have the perfect setup. 68 99:59:59,999 --> 99:59:59,999 Okay so first let's go to cloudflare.com 69 99:59:59,999 --> 99:59:59,999 Go to "Sign Up" 70 99:59:59,999 --> 99:59:59,999 and free at the website 71 99:59:59,999 --> 99:59:59,999 And let's create a new account now 72 99:59:59,999 --> 99:59:59,999 After that if you already have [a] domain [previously purchased] 73 99:59:59,999 --> 99:59:59,999 enter it here 74 99:59:59,999 --> 99:59:59,999 or for me I'm just going to create a new domain. 
75 99:59:59,999 --> 99:59:59,999 For some reason I got an error 76 99:59:59,999 --> 99:59:59,999 when trying to pay 77 99:59:59,999 --> 99:59:59,999 So I'm just going to import an existing domain 78 99:59:59,999 --> 99:59:59,999 Just going to type it here 79 99:59:59,999 --> 99:59:59,999 Okay, so then go down 80 99:59:59,999 --> 99:59:59,999 and choose the free package 81 99:59:59,999 --> 99:59:59,999 Next click on continue to activation 82 99:59:59,999 --> 99:59:59,999 confirm 83 99:59:59,999 --> 99:59:59,999 Next we need to do some modifications 84 99:59:59,999 --> 99:59:59,999 We need to modify, the current name servers 85 99:59:59,999 --> 99:59:59,999 with Cloudflare nameservers 86 99:59:59,999 --> 99:59:59,999 To allow cloudflare to control the domain 87 99:59:59,999 --> 99:59:59,999 to do that 88 99:59:59,999 --> 99:59:59,999 We go to the domain provider 89 99:59:59,999 --> 99:59:59,999 in my case it's NameCheap 90 99:59:59,999 --> 99:59:59,999 So in my case 91 99:59:59,999 --> 99:59:59,999 I'm gonna do custom DNS 92 99:59:59,999 --> 99:59:59,999 and then I copy.... 
93 99:59:59,999 --> 99:59:59,999 the nameservers 94 99:59:59,999 --> 99:59:59,999 and then I save 95 99:59:59,999 --> 99:59:59,999 It tells you that it can take up to 48 hours 96 99:59:59,999 --> 99:59:59,999 But it's not true it [can take] just a few seconds 97 99:59:59,999 --> 99:59:59,999 or a few minutes max 98 99:59:59,999 --> 99:59:59,999 But, just in case 99 99:59:59,999 --> 99:59:59,999 If it takes a long time to update 100 99:59:59,999 --> 99:59:59,999 Uh, this is normal so 101 99:59:59,999 --> 99:59:59,999 just wait 102 99:59:59,999 --> 99:59:59,999 There is no other choice 103 99:59:59,999 --> 99:59:59,999 Okay, so after a while, 104 99:59:59,999 --> 99:59:59,999 We get this page this means everything is good 105 99:59:59,999 --> 99:59:59,999 Now we go to access page 106 99:59:59,999 --> 99:59:59,999 and then Zero Trust 107 99:59:59,999 --> 99:59:59,999 We choose our account 108 99:59:59,999 --> 99:59:59,999 Next you go to access 109 99:59:59,999 --> 99:59:59,999 Next we choose teamname 110 99:59:59,999 --> 99:59:59,999 Just anything 111 99:59:59,999 --> 99:59:59,999 Then we choose the free package of course 112 99:59:59,999 --> 99:59:59,999 There is zero payment 113 99:59:59,999 --> 99:59:59,999 Next we go to Networks 114 99:59:59,999 --> 99:59:59,999 Tunnels 115 99:59:59,999 --> 99:59:59,999 And we add a tunnel 116 99:59:59,999 --> 99:59:59,999 We choose this one Cloudflared 117 99:59:59,999 --> 99:59:59,999 We name our Tunnel 118 99:59:59,999 --> 99:59:59,999 Homelab uh test 119 99:59:59,999 --> 99:59:59,999 Next it will ask you to choose your home environment 120 99:59:59,999 --> 99:59:59,999 In this case you just uh 121 99:59:59,999 --> 99:59:59,999 You just choose docker 122 99:59:59,999 --> 99:59:59,999 and then we just copy the command 123 99:59:59,999 --> 99:59:59,999 because we just need the token 124 99:59:59,999 --> 99:59:59,999 we don't need to run anything docker 125 99:59:59,999 --> 99:59:59,999 Then we go back to TrueNAS 126 
99:59:59,999 --> 99:59:59,999 and we install 127 99:59:59,999 --> 99:59:59,999 the cloudflared app 128 99:59:59,999 --> 99:59:59,999 This one 129 99:59:59,999 --> 99:59:59,999 and here we got 130 99:59:59,999 --> 99:59:59,999 best what we had 131 99:59:59,999 --> 99:59:59,999 and we just keep 132 99:59:59,999 --> 99:59:59,999 remove everything we just keep the token 133 99:59:59,999 --> 99:59:59,999 So anything before this goes 134 99:59:59,999 --> 99:59:59,999 That's it 135 99:59:59,999 --> 99:59:59,999 We don't need to setup anything else 136 99:59:59,999 --> 99:59:59,999 even storage, it's not necessary 137 99:59:59,999 --> 99:59:59,999 and we install 138 99:59:59,999 --> 99:59:59,999 okay now it's up and running 139 99:59:59,999 --> 99:59:59,999 let's go back to cloudflared profile 140 99:59:59,999 --> 99:59:59,999 now we need to wait until we get uh 141 99:59:59,999 --> 99:59:59,999 Something here in connectors 142 99:59:59,999 --> 99:59:59,999 It will automatically serve 143 99:59:59,999 --> 99:59:59,999 Alright here we go 144 99:59:59,999 --> 99:59:59,999 It's connected 145 99:59:59,999 --> 99:59:59,999 So now we can continue 146 99:59:59,999 --> 99:59:59,999 next 147 99:59:59,999 --> 99:59:59,999 Now we're ready to add our first service 148 99:59:59,999 --> 99:59:59,999 Let's start by adding TrueNAS itself 149 99:59:59,999 --> 99:59:59,999 So let's just copy the IP 150 99:59:59,999 --> 99:59:59,999 Then we choose the subdomain 151 99:59:59,999 --> 99:59:59,999 TrueNAS 152 99:59:59,999 --> 99:59:59,999 and choose the domain 153 99:59:59,999 --> 99:59:59,999 then we choose HTTP 154 99:59:59,999 --> 99:59:59,999 and then the IP 155 99:59:59,999 --> 99:59:59,999 There is nothing specific to add there 156 99:59:59,999 --> 99:59:59,999 That's save 157 99:59:59,999 --> 99:59:59,999 To test this I'm going to disconnect from the VPN 158 99:59:59,999 --> 99:59:59,999 Because I'm not at home I'm connected to my home VPN 159 99:59:59,999 --> 99:59:59,999 So I'm just 
going to deactivate it 160 99:59:59,999 --> 99:59:59,999 and try this 161 99:59:59,999 --> 99:59:59,999 To show that likely if I try to go to the same IP 162 99:59:59,999 --> 99:59:59,999 it's 163 99:59:59,999 --> 99:59:59,999 not going to work 164 99:59:59,999 --> 99:59:59,999 because I disconnected from the VPN 165 99:59:59,999 --> 99:59:59,999 and if I try 166 99:59:59,999 --> 99:59:59,999 a domain 167 99:59:59,999 --> 99:59:59,999 from the new domain 168 99:59:59,999 --> 99:59:59,999 it works 169 99:59:59,999 --> 99:59:59,999 so now 170 99:59:59,999 --> 99:59:59,999 TrueNAS is accessible 171 99:59:59,999 --> 99:59:59,999 from the outside 172 99:59:59,999 --> 99:59:59,999 But this is not recommended of course 173 99:59:59,999 --> 99:59:59,999 If you want to expose something 174 99:59:59,999 --> 99:59:59,999 just expose the apps individually 175 99:59:59,999 --> 99:59:59,999 don't expose the whole thing 176 99:59:59,999 --> 99:59:59,999 so 177 99:59:59,999 --> 99:59:59,999 So now I'm just going to delete it 178 99:59:59,999 --> 99:59:59,999 and then I'm gonna add something else 179 99:59:59,999 --> 99:59:59,999 Okay now I want to add another service 180 99:59:59,999 --> 99:59:59,999 Maybe, Proxmox 181 99:59:59,999 --> 99:59:59,999 Let's go to add the public [sub] domain 182 99:59:59,999 --> 99:59:59,999 Proxmox 183 99:59:59,999 --> 99:59:59,999 same thing 184 99:59:59,999 --> 99:59:59,999 here we're going to choose HTTPS instead of HTTP 185 99:59:59,999 --> 99:59:59,999 and then the IP 186 99:59:59,999 --> 99:59:59,999 as well as the port which is 8... 187 99:59:59,999 --> 99:59:59,999 8006 188 99:59:59,999 --> 99:59:59,999 and then we go to additional settings > TLS 189 99:59:59,999 --> 99:59:59,999 and we enable no TLS verify 190 99:59:59,999 --> 99:59:59,999 it will not check certificates 191 99:59:59,999 --> 99:59:59,999 now let's save 192 99:59:59,999 --> 99:59:59,999 let's try again now 193 99:59:59,999 --> 99:59:59,999 Nice! 
Now it works 194 99:59:59,999 --> 99:59:59,999 and we'll disconnect the VPN 195 99:59:59,999 --> 99:59:59,999 and refresh 196 99:59:59,999 --> 99:59:59,999 and it still works 197 99:59:59,999 --> 99:59:59,999 Okay now before we're finishing the video 198 99:59:59,999 --> 99:59:59,999 let's do 199 99:59:59,999 --> 99:59:59,999 one last service which is 200 99:59:59,999 --> 99:59:59,999 paperless 201 99:59:59,999 --> 99:59:59,999 Since we already covered this in a previous video 202 99:59:59,999 --> 99:59:59,999 We're going to see how to expose this 203 99:59:59,999 --> 99:59:59,999 Why did I choose paperless because 204 99:59:59,999 --> 99:59:59,999 it's a bit tricky to setup 205 99:59:59,999 --> 99:59:59,999 it's not as simple as 206 99:59:59,999 --> 99:59:59,999 adding the host name 207 99:59:59,999 --> 99:59:59,999 So, let's see first we just add the host name of course 208 99:59:59,999 --> 99:59:59,999 same thing as always 209 99:59:59,999 --> 99:59:59,999 HTTPS, and then we take the URL 210 99:59:59,999 --> 99:59:59,999 which is IP and Port 211 99:59:59,999 --> 99:59:59,999 It chooses HTTP node to HTTPS 212 99:59:59,999 --> 99:59:59,999 Service name 213 99:59:59,999 --> 99:59:59,999 So first it's gonna work normally 214 99:59:59,999 --> 99:59:59,999 If I try to access 215 99:59:59,999 --> 99:59:59,999 Alright 216 99:59:59,999 --> 99:59:59,999 Uh, but the problem is when you 217 99:59:59,999 --> 99:59:59,999 try to login 218 99:59:59,999 --> 99:59:59,999 You get this 219 99:59:59,999 --> 99:59:59,999 error. CSRF verification failed. 220 99:59:59,999 --> 99:59:59,999 Why? 
221 99:59:59,999 --> 99:59:59,999 We need to change some settings 222 99:59:59,999 --> 99:59:59,999 to make it accessible 223 99:59:59,999 --> 99:59:59,999 According to the documentation 224 99:59:59,999 --> 99:59:59,999 we need to set this environment variable (PAPERLESS_URL) 225 99:59:59,999 --> 99:59:59,999 Uh and uh, set it to the domain name 226 99:59:59,999 --> 99:59:59,999 We used in the closer 227 99:59:59,999 --> 99:59:59,999 So let's do that 228 99:59:59,999 --> 99:59:59,999 go to paperless > Edit 229 99:59:59,999 --> 99:59:59,999 and let's just add it as an environment variable there 230 99:59:59,999 --> 99:59:59,999 PAPERLESS_URL 231 99:59:59,999 --> 99:59:59,999 set it to paperless.yourdomainname 232 99:59:59,999 --> 99:59:59,999 make sure to add HTTPS to the beginning 233 99:59:59,999 --> 99:59:59,999 and that's it 234 99:59:59,999 --> 99:59:59,999 update 235 99:59:59,999 --> 99:59:59,999 In case you got stuck in deploying 236 99:59:59,999 --> 99:59:59,999 which was the case for me 237 99:59:59,999 --> 99:59:59,999 I'm not sure why but the container paperless 238 99:59:59,999 --> 99:59:59,999 just stuck like this for a long time 239 99:59:59,999 --> 99:59:59,999 So what I did is stop this instance 240 99:59:59,999 --> 99:59:59,999 and create another instance 241 99:59:59,999 --> 99:59:59,999 using the already created datasets 242 99:59:59,999 --> 99:59:59,999 So you're not going to lose anything 243 99:59:59,999 --> 99:59:59,999 of your files 244 99:59:59,999 --> 99:59:59,999 So let's start another instance 245 99:59:59,999 --> 99:59:59,999 Let's call it paperless-cloudflare 246 99:59:59,999 --> 99:59:59,999 We can change password if you want 247 99:59:59,999 --> 99:59:59,999 By the way you can choose any secret key 248 99:59:59,999 --> 99:59:59,999 you want. Just want some random stuff 249 99:59:59,999 --> 99:59:59,999 You don't need to remember it. 
250 99:59:59,999 --> 99:59:59,999 Okay, add an email 251 99:59:59,999 --> 99:59:59,999 just a fake email. 252 99:59:59,999 --> 99:59:59,999 Password. 253 99:59:59,999 --> 99:59:59,999 Now we add again environment variable 254 99:59:59,999 --> 99:59:59,999 PAPERLESS_URL 255 99:59:59,999 --> 99:59:59,999 HTTPS 256 99:59:59,999 --> 99:59:59,999 paperless… 257 99:59:59,999 --> 99:59:59,999 dot 258 99:59:59,999 --> 99:59:59,999 your domain 259 99:59:59,999 --> 99:59:59,999 and then we add the other host path 260 99:59:59,999 --> 99:59:59,999 paperless this is the data 261 99:59:59,999 --> 99:59:59,999 let's copy this 262 99:59:59,999 --> 99:59:59,999 And now Media 263 99:59:59,999 --> 99:59:59,999 and then Consume 264 99:59:59,999 --> 99:59:59,999 and Trash 265 99:59:59,999 --> 99:59:59,999 this is postscript 266 99:59:59,999 --> 99:59:59,999 Make sure to check "Automatic Permissions" 267 99:59:59,999 --> 99:59:59,999 Then we hit install 268 99:59:59,999 --> 99:59:59,999 Let's wait [a] little bit 269 99:59:59,999 --> 99:59:59,999 It works but it takes some time 270 99:59:59,999 --> 99:59:59,999 Okay now it's running 271 99:59:59,999 --> 99:59:59,999 Let's start it 272 99:59:59,999 --> 99:59:59,999 First let's get the IP 273 99:59:59,999 --> 99:59:59,999 I mean let's get the part-- IP is the same 274 99:59:59,999 --> 99:59:59,999 Go back to cloudflare 275 99:59:59,999 --> 99:59:59,999 Hit it 276 99:59:59,999 --> 99:59:59,999 Going to put the new port 277 99:59:59,999 --> 99:59:59,999 Save 278 99:59:59,999 --> 99:59:59,999 Let's try now 279 99:59:59,999 --> 99:59:59,999 Okay, now new password 280 99:59:59,999 --> 99:59:59,999 And now it works. We don't got the error 281 99:59:59,999 --> 99:59:59,999 the previous error. 
282 99:59:59,999 --> 99:59:59,999 And as you can see we still have the documents 283 99:59:59,999 --> 99:59:59,999 as before, we didn't lose anything 284 99:59:59,999 --> 99:59:59,999 We still got all our documents 285 99:59:59,999 --> 99:59:59,999 Open them 286 99:59:59,999 --> 99:59:59,999 And uh, everything works fine 287 99:59:59,999 --> 99:59:59,999 That's it 288 99:59:59,999 --> 99:59:59,999 Basically this is how to 289 99:59:59,999 --> 99:59:59,999 expose your services on the cloud 290 99:59:59,999 --> 99:59:59,999 To recap 291 99:59:59,999 --> 99:59:59,999 when you want to expose your app 292 99:59:59,999 --> 99:59:59,999 this is how it works 293 99:59:59,999 --> 99:59:59,999 we don't access the app directly 294 99:59:59,999 --> 99:59:59,999 but rather you access the cloudserver 295 99:59:59,999 --> 99:59:59,999 cloudflare server. Cloudflare will make exchanges 296 99:59:59,999 --> 99:59:59,999 with your 297 99:59:59,999 --> 99:59:59,999 LAN network through Cloudflare 298 99:59:59,999 --> 99:59:59,999 and then 299 99:59:59,999 --> 99:59:59,999 It will give access to your app 300 99:59:59,999 --> 99:59:59,999 This way you don't 301 99:59:59,999 --> 99:59:59,999 access your app directly 302 99:59:59,999 --> 99:59:59,999 which means you don't expose your 303 99:59:59,999 --> 99:59:59,999 IP and you don't go through the NAT 304 99:59:59,999 --> 99:59:59,999 you don't need to open a port 305 99:59:59,999 --> 99:59:59,999 but be careful if your app is insecure 306 99:59:59,999 --> 99:59:59,999 and you get hacked. You directly expose 307 99:59:59,999 --> 99:59:59,999 all of your homelab 308 99:59:59,999 --> 99:59:59,999 It doesn't matter if you use Cloudflare 309 99:59:59,999 --> 99:59:59,999 or not 310 99:59:59,999 --> 99:59:59,999 Like and Share if you made it this far 311 99:59:59,999 --> 99:59:59,999 See you in the next video