WEBVTT

99:59:59.999 --> 99:59:59.999
Hi everyone, welcome back

99:59:59.999 --> 99:59:59.999
So today we're going to try something a little bit different.

99:59:59.999 --> 99:59:59.999
We're gonna start a new video series

99:59:59.999 --> 99:59:59.999
about all the different ways to expose or access our homelab

99:59:59.999 --> 99:59:59.999
from the internet.

99:59:59.999 --> 99:59:59.999
The reason is mainly because there's tons of options out there,

99:59:59.999 --> 99:59:59.999
and I feel like it's not talked enough about on YouTube.

99:59:59.999 --> 99:59:59.999
Especially the security part

99:59:59.999 --> 99:59:59.999
which is most important.

99:59:59.999 --> 99:59:59.999
Almost everyone just assumes it's secure, which isn't always the case,

99:59:59.999 --> 99:59:59.999
so make sure to hit the Like button

99:59:59.999 --> 99:59:59.999
Subscribe and Share

99:59:59.999 --> 99:59:59.999
and let's get started.

99:59:59.999 --> 99:59:59.999
Okay so how to do it,

99:59:59.999 --> 99:59:59.999
to expose our homelab there are five main ways

99:59:59.999 --> 99:59:59.999
1. Secure Tunnels like Cloudflare

99:59:59.999 --> 99:59:59.999
2. Reverse proxies like Nginx

99:59:59.999 --> 99:59:59.999
3. Traditional VPNs like WireGuard or OpenVPN protocols

99:59:59.999 --> 99:59:59.999
4. Mesh VPNs like ZeroTier and Tailscale

99:59:59.999 --> 99:59:59.999
and lastly 5. the old classic port forwarding or NAT

99:59:59.999 --> 99:59:59.999
So let's break down each one of them quickly to understand the differences.

99:59:59.999 --> 99:59:59.999
First secure tunnels like Cloudflare.

99:59:59.999 --> 99:59:59.999
This is often defined as secure tunnels to access your app without exposing your IP

99:59:59.999 --> 99:59:59.999
making remote access easy.

99:59:59.999 --> 99:59:59.999
It's also fairly easy to set up,

99:59:59.999 --> 99:59:59.999
however, by default it's not secured enough

99:59:59.999 --> 99:59:59.999
and solely [relies] on your app security

99:59:59.999 --> 99:59:59.999
but this can be improved.

99:59:59.999 --> 99:59:59.999
We'll cover this later in another video.

99:59:59.999 --> 99:59:59.999
Next, reverse proxies

99:59:59.999 --> 99:59:59.999
like nginx.

99:59:59.999 --> 99:59:59.999
It's a server that sits in the middle and forwards requests to your homelab

99:59:59.999 --> 99:59:59.999
helping you manage multiple services under one domain.

99:59:59.999 --> 99:59:59.999
While adding another layer of protection,

99:59:59.999 --> 99:59:59.999
you will have more control over your services

99:59:59.999 --> 99:59:59.999
and how to contr- manage them.

99:59:59.999 --> 99:59:59.999
However, it exposes your IP and you must open a port on your router to access it.

99:59:59.999 --> 99:59:59.999
Next, traditional VPNs like WireGuard or OpenVPN.

99:59:59.999 --> 99:59:59.999
It creates an encrypted tunnel between your device and

99:59:59.999 --> 99:59:59.999
your homelab

99:59:59.999 --> 99:59:59.999
making it feel like you are on the same local network.

99:59:59.999 --> 99:59:59.999
It's good for privacy and security

99:59:59.999 --> 99:59:59.999
but only useful when you are the only user because

99:59:59.999 --> 99:59:59.999
it's impossible to share access without sharing your private key

99:59:59.999 --> 99:59:59.999
to other users.

99:59:59.999 --> 99:59:59.999
Next, mesh VPNs

99:59:59.999 --> 99:59:59.999
like ZeroTier or Tailscale

99:59:59.999 --> 99:59:59.999
this is similar to normal VPNs except it connects devices between each other

99:59:59.999 --> 99:59:59.999
instead of connecting them to a central server.

99:59:59.999 --> 99:59:59.999
It has more control over normal VPNs in the way that you can choose which devices to share

99:59:59.999 --> 99:59:59.999
but you must manually join the network

99:59:59.999 --> 99:59:59.999
each time for each device you want to give access to.

99:59:59.999 --> 99:59:59.999
Finally NAT this is a classic way of opening specific ports on your router

99:59:59.999 --> 99:59:59.999
to expose your homelab.

99:59:59.999 --> 99:59:59.999
It's simple but it also carries high security risk if you rely on it alone.

99:59:59.999 --> 99:59:59.999
Keep in mind NAT often gets used with other

99:59:59.999 --> 99:59:59.999
methods like previously shown,

99:59:59.999 --> 99:59:59.999
but going purely [on its own] port forwarding is a no-go for secure setups.

99:59:59.999 --> 99:59:59.999
Now, you may be wondering,

99:59:59.999 --> 99:59:59.999
what's the most secure setup

NOTE Paragraph

99:59:59.999 --> 99:59:59.999
to expose your home lab?

99:59:59.999 --> 99:59:59.999
Actually, [it] depends on your apps and what you want to do.

99:59:59.999 --> 99:59:59.999
In my opinion, it's not about which method you use

99:59:59.999 --> 99:59:59.999
but more about how you combine between them.

99:59:59.999 --> 99:59:59.999
The best setup is to mix them and make them work all together

99:59:59.999 --> 99:59:59.999
to have the perfect setup.

99:59:59.999 --> 99:59:59.999
Okay so first let's go to cloudflare.com

99:59:59.999 --> 99:59:59.999
Go to "Sign Up"

99:59:59.999 --> 99:59:59.999
and free at the website

99:59:59.999 --> 99:59:59.999
And let's create a new account now

99:59:59.999 --> 99:59:59.999
After that if you already have [a] domain [previously purchased]

99:59:59.999 --> 99:59:59.999
enter it here

99:59:59.999 --> 99:59:59.999
or for me I'm just going to create a new domain.

99:59:59.999 --> 99:59:59.999
For some reason I got an error

99:59:59.999 --> 99:59:59.999
when trying to pay

99:59:59.999 --> 99:59:59.999
So I'm just going to import an existing domain

99:59:59.999 --> 99:59:59.999
Just going to type it here

99:59:59.999 --> 99:59:59.999
Okay, so then go down

99:59:59.999 --> 99:59:59.999
and choose the free package

99:59:59.999 --> 99:59:59.999
Next click on continue to activation

99:59:59.999 --> 99:59:59.999
confirm

99:59:59.999 --> 99:59:59.999
Next we need to do some modifications

99:59:59.999 --> 99:59:59.999
We need to modify the current name servers

99:59:59.999 --> 99:59:59.999
with Cloudflare nameservers

99:59:59.999 --> 99:59:59.999
To allow Cloudflare to control the domain

99:59:59.999 --> 99:59:59.999
to do that

99:59:59.999 --> 99:59:59.999
We go to the domain provider

99:59:59.999 --> 99:59:59.999
in my case it's Namecheap

99:59:59.999 --> 99:59:59.999
So in my case

99:59:59.999 --> 99:59:59.999
I'm gonna do custom DNS

99:59:59.999 --> 99:59:59.999
and then I copy....

99:59:59.999 --> 99:59:59.999
the nameservers

99:59:59.999 --> 99:59:59.999
and then I save

99:59:59.999 --> 99:59:59.999
It tells you that it can take up to 48 hours

99:59:59.999 --> 99:59:59.999
But it's not true it [can take] just a few seconds

99:59:59.999 --> 99:59:59.999
or a few minutes max

99:59:59.999 --> 99:59:59.999
But, just in case

99:59:59.999 --> 99:59:59.999
If it takes a long time to update

99:59:59.999 --> 99:59:59.999
Uh, this is normal so

99:59:59.999 --> 99:59:59.999
just wait

99:59:59.999 --> 99:59:59.999
There is no other choice

99:59:59.999 --> 99:59:59.999
Okay, so after a while,

99:59:59.999 --> 99:59:59.999
We get this page this means everything is good

99:59:59.999 --> 99:59:59.999
Now we go to access page

99:59:59.999 --> 99:59:59.999
and then NetZero™ Trust

99:59:59.999 --> 99:59:59.999
We choose our account

99:59:59.999 --> 99:59:59.999
Next you go to access

99:59:59.999 --> 99:59:59.999
Next we choose teamname

99:59:59.999 --> 99:59:59.999
Just anything

99:59:59.999 --> 99:59:59.999
Then we choose the free package of course

99:59:59.999 --> 99:59:59.999
There is zero payment

99:59:59.999 --> 99:59:59.999
Next we go to Networks

99:59:59.999 --> 99:59:59.999
Tunnels

99:59:59.999 --> 99:59:59.999
And we add a tunnel

99:59:59.999 --> 99:59:59.999
We choose this one Cloudflared

99:59:59.999 --> 99:59:59.999
We name our Tunnel

99:59:59.999 --> 99:59:59.999
Homelab uh test

99:59:59.999 --> 99:59:59.999
Next it will ask you to choose your home environment

99:59:59.999 --> 99:59:59.999
In this case you just uh

99:59:59.999 --> 99:59:59.999
You just choose Docker

99:59:59.999 --> 99:59:59.999
and then we just copy the comment

99:59:59.999 --> 99:59:59.999
because we just need the token

99:59:59.999 --> 99:59:59.999
we don't need to run anything Docker

99:59:59.999 --> 99:59:59.999
Then we go back to TrueNAS

99:59:59.999 --> 99:59:59.999
and we install

99:59:59.999 --> 99:59:59.999
the cloudflared app

99:59:59.999 --> 99:59:59.999
This one

99:59:59.999 --> 99:59:59.999
and here we got

99:59:59.999 --> 99:59:59.999
best what we had

99:59:59.999 --> 99:59:59.999
and we just keep

99:59:59.999 --> 99:59:59.999
remove everything we just keep the token

99:59:59.999 --> 99:59:59.999
So anything before this goes

99:59:59.999 --> 99:59:59.999
That's it

99:59:59.999 --> 99:59:59.999
We don't need to set up anything else

99:59:59.999 --> 99:59:59.999
even storage, it's not necessary

99:59:59.999 --> 99:59:59.999
and we install

99:59:59.999 --> 99:59:59.999
okay now it's up and running

99:59:59.999 --> 99:59:59.999
let's go back to cloudflared profile

99:59:59.999 --> 99:59:59.999
now we need to wait until we get uh

99:59:59.999 --> 99:59:59.999
Something here in connectors

99:59:59.999 --> 99:59:59.999
It will automatically serve

99:59:59.999 --> 99:59:59.999
Alright here we go

99:59:59.999 --> 99:59:59.999
It's connected

99:59:59.999 --> 99:59:59.999
So now we can continue

99:59:59.999 --> 99:59:59.999
next

99:59:59.999 --> 99:59:59.999
Now we're ready to add our first service

99:59:59.999 --> 99:59:59.999
Let's start by adding TrueNAS itself

99:59:59.999 --> 99:59:59.999
So let's just copy the IP

99:59:59.999 --> 99:59:59.999
Then we choose the subdomain

99:59:59.999 --> 99:59:59.999
TrueNAS

99:59:59.999 --> 99:59:59.999
and choose the domain

99:59:59.999 --> 99:59:59.999
then we choose HTTP

99:59:59.999 --> 99:59:59.999
and then the IP

99:59:59.999 --> 99:59:59.999
There is nothing specific to add there

99:59:59.999 --> 99:59:59.999
That's save

99:59:59.999 --> 99:59:59.999
To test this I'm going to disconnect from the VPN

99:59:59.999 --> 99:59:59.999
Because I'm not at home I'm connected to my home VPN

99:59:59.999 --> 99:59:59.999
So I'm just going to deactivate it

99:59:59.999 --> 99:59:59.999
and try this

99:59:59.999 --> 99:59:59.999
To show that likely if I try to go to the same IP

99:59:59.999 --> 99:59:59.999
it

99:59:59.999 --> 99:59:59.999
's not going to work

99:59:59.999 --> 99:59:59.999
because
I disconnected from the VPN

99:59:59.999 --> 99:59:59.999
and if I try

99:59:59.999 --> 99:59:59.999
a domain

99:59:59.999 --> 99:59:59.999
from the new domain

99:59:59.999 --> 99:59:59.999
it works

99:59:59.999 --> 99:59:59.999
so now

99:59:59.999 --> 99:59:59.999
TrueNAS is accessible

99:59:59.999 --> 99:59:59.999
from the outside

99:59:59.999 --> 99:59:59.999
But this is not recommended of course

99:59:59.999 --> 99:59:59.999
If you want to expose something

99:59:59.999 --> 99:59:59.999
just expose the apps individually

99:59:59.999 --> 99:59:59.999
don't expose the whole thing

99:59:59.999 --> 99:59:59.999
so

99:59:59.999 --> 99:59:59.999
So now I'm just going to delete it

99:59:59.999 --> 99:59:59.999
and then I'm gonna add something else

99:59:59.999 --> 99:59:59.999
Okay now I want to add another service

99:59:59.999 --> 99:59:59.999
Maybe, Proxmox

99:59:59.999 --> 99:59:59.999
Let's go to add the public [sub] domain

99:59:59.999 --> 99:59:59.999
Proxmox

99:59:59.999 --> 99:59:59.999
same thing

99:59:59.999 --> 99:59:59.999
here we're going to choose HTTPS instead of HTTP

99:59:59.999 --> 99:59:59.999
and then the IP

99:59:59.999 --> 99:59:59.999
as well as the port which is 8...

99:59:59.999 --> 99:59:59.999
8006

99:59:59.999 --> 99:59:59.999
and then we go to additional settings > TLS

99:59:59.999 --> 99:59:59.999
and we enable no TLS verify

99:59:59.999 --> 99:59:59.999
it will not check certificates

99:59:59.999 --> 99:59:59.999
now let's save

99:59:59.999 --> 99:59:59.999
let's try again now

99:59:59.999 --> 99:59:59.999
Nice!
Now it works

99:59:59.999 --> 99:59:59.999
and we'll disconnect the VPN

99:59:59.999 --> 99:59:59.999
and refresh

99:59:59.999 --> 99:59:59.999
and it still works

99:59:59.999 --> 99:59:59.999
Okay now before we're finishing the video

99:59:59.999 --> 99:59:59.999
let's do

99:59:59.999 --> 99:59:59.999
one last service which is

99:59:59.999 --> 99:59:59.999
paperless

99:59:59.999 --> 99:59:59.999
Since we already covered this in a previous video

99:59:59.999 --> 99:59:59.999
We're going to see how to expose this

99:59:59.999 --> 99:59:59.999
Why did I choose paperless because

99:59:59.999 --> 99:59:59.999
it's a bit tricky to set up

99:59:59.999 --> 99:59:59.999
it's not as simple as

99:59:59.999 --> 99:59:59.999
adding the host name

99:59:59.999 --> 99:59:59.999
So, let's see first we just add the host name of course

99:59:59.999 --> 99:59:59.999
same thing as always

99:59:59.999 --> 99:59:59.999
HTTPS, and then we take the URL

99:59:59.999 --> 99:59:59.999
which is IP and Port

99:59:59.999 --> 99:59:59.999
It chooses HTTP node to HTTPS

99:59:59.999 --> 99:59:59.999
Service name

99:59:59.999 --> 99:59:59.999
So first it's gonna work normally

99:59:59.999 --> 99:59:59.999
If I try to access

99:59:59.999 --> 99:59:59.999
Alright

99:59:59.999 --> 99:59:59.999
Uh, but the problem is when you

99:59:59.999 --> 99:59:59.999
try to log in

99:59:59.999 --> 99:59:59.999
You get this

99:59:59.999 --> 99:59:59.999
error. CSRF verification failed.

99:59:59.999 --> 99:59:59.999
Why?

99:59:59.999 --> 99:59:59.999
We need to change some settings

99:59:59.999 --> 99:59:59.999
to make it accessible

99:59:59.999 --> 99:59:59.999
According to the documentation

99:59:59.999 --> 99:59:59.999
we need to set this environment variable (PAPERLESS_URL)

99:59:59.999 --> 99:59:59.999
Uh and uh, set it to the domain name

99:59:59.999 --> 99:59:59.999
We used in the closer

99:59:59.999 --> 99:59:59.999
So let's do that

99:59:59.999 --> 99:59:59.999
go to paperless > Edit

99:59:59.999 --> 99:59:59.999
and let's just add it as an environment variable there

99:59:59.999 --> 99:59:59.999
PAPERLESS_URL

99:59:59.999 --> 99:59:59.999
set it to paperless.yourdomainname

99:59:59.999 --> 99:59:59.999
make sure to add HTTPS to the beginning

99:59:59.999 --> 99:59:59.999
and that's it

99:59:59.999 --> 99:59:59.999
update

99:59:59.999 --> 99:59:59.999
In case you got stuck in deploying

99:59:59.999 --> 99:59:59.999
which was the case for me

99:59:59.999 --> 99:59:59.999
I'm not sure why but the container paperless

99:59:59.999 --> 99:59:59.999
just stuck like this for a long time

99:59:59.999 --> 99:59:59.999
So what I did is stop this instance

99:59:59.999 --> 99:59:59.999
and create another instance

99:59:59.999 --> 99:59:59.999
using the already created datasets

99:59:59.999 --> 99:59:59.999
So you're not going to lose anything

99:59:59.999 --> 99:59:59.999
of your files

99:59:59.999 --> 99:59:59.999
So let's start another instance

99:59:59.999 --> 99:59:59.999
Let's call it paperless-cloudflare

99:59:59.999 --> 99:59:59.999
We can change password if you want

99:59:59.999 --> 99:59:59.999
By the way you can choose any secret key

99:59:59.999 --> 99:59:59.999
you want. Just want some random stuff

99:59:59.999 --> 99:59:59.999
You don't need to remember it.

99:59:59.999 --> 99:59:59.999
Okay, add an email

99:59:59.999 --> 99:59:59.999
just a fake email.

99:59:59.999 --> 99:59:59.999
Password.

99:59:59.999 --> 99:59:59.999
Now we add again environment variable

99:59:59.999 --> 99:59:59.999
PAPERLESS_URL

99:59:59.999 --> 99:59:59.999
HTTPS

99:59:59.999 --> 99:59:59.999
paperless…

99:59:59.999 --> 99:59:59.999
dot

99:59:59.999 --> 99:59:59.999
your domain

99:59:59.999 --> 99:59:59.999
and then we add the other host path

99:59:59.999 --> 99:59:59.999
paperless this is the data

99:59:59.999 --> 99:59:59.999
let's copy this

99:59:59.999 --> 99:59:59.999
And now Media

99:59:59.999 --> 99:59:59.999
and then Consume

99:59:59.999 --> 99:59:59.999
and Trash

99:59:59.999 --> 99:59:59.999
this is postscript

99:59:59.999 --> 99:59:59.999
Make sure to check "Automatic Permissions"

99:59:59.999 --> 99:59:59.999
Then we hit install

99:59:59.999 --> 99:59:59.999
Let's wait [a] little bit

99:59:59.999 --> 99:59:59.999
It works but it takes some time

99:59:59.999 --> 99:59:59.999
Okay now it's running

99:59:59.999 --> 99:59:59.999
Let's start it

99:59:59.999 --> 99:59:59.999
First let's get the IP

99:59:59.999 --> 99:59:59.999
I mean let's get the part-- IP is the same

99:59:59.999 --> 99:59:59.999
Go back to Cloudflare

99:59:59.999 --> 99:59:59.999
Hit it

99:59:59.999 --> 99:59:59.999
Going to put the new port

99:59:59.999 --> 99:59:59.999
Save

99:59:59.999 --> 99:59:59.999
Let's try now

99:59:59.999 --> 99:59:59.999
Okay, now new password

99:59:59.999 --> 99:59:59.999
And now it works. We don't get the error

99:59:59.999 --> 99:59:59.999
the previous error.

99:59:59.999 --> 99:59:59.999
And as you can see we still have the documents

99:59:59.999 --> 99:59:59.999
as before we didn't lose anything

99:59:59.999 --> 99:59:59.999
We still got all our documents

99:59:59.999 --> 99:59:59.999
Open them

99:59:59.999 --> 99:59:59.999
And uh, everything works fine

99:59:59.999 --> 99:59:59.999
That's it

99:59:59.999 --> 99:59:59.999
Basically this is how to

99:59:59.999 --> 99:59:59.999
expose your services on the cloud

99:59:59.999 --> 99:59:59.999
To recap

99:59:59.999 --> 99:59:59.999
when you want to expose your app

99:59:59.999 --> 99:59:59.999
this is how it works

99:59:59.999 --> 99:59:59.999
we don't access the app directly

99:59:59.999 --> 99:59:59.999
but rather you access the cloudserver

99:59:59.999 --> 99:59:59.999
Cloudflare server. Cloudflare will make exchanges

99:59:59.999 --> 99:59:59.999
with your

99:59:59.999 --> 99:59:59.999
LAN network through Cloudflare

99:59:59.999 --> 99:59:59.999
and then

99:59:59.999 --> 99:59:59.999
It will give access to your app

99:59:59.999 --> 99:59:59.999
This way you don't

99:59:59.999 --> 99:59:59.999
access your app directly

99:59:59.999 --> 99:59:59.999
which means you don't expose your

99:59:59.999 --> 99:59:59.999
IP and you don't go through the NAT

99:59:59.999 --> 99:59:59.999
you don't need to open a port

99:59:59.999 --> 99:59:59.999
but be careful if your habit is insecure

99:59:59.999 --> 99:59:59.999
and you get hacked. You directly expose

99:59:59.999 --> 99:59:59.999
all of your homelab

99:59:59.999 --> 99:59:59.999
It doesn't matter if you use Cloudflare

99:59:59.999 --> 99:59:59.999
or not

99:59:59.999 --> 99:59:59.999
Like and Share if you made it this far

99:59:59.999 --> 99:59:59.999
See you in the next video