Hi everyone, welcome back. So today we're going to try something a little bit different. We're gonna start a new video series about all the different ways to expose or access our homelab from the internet. The reason is mainly because there's tons of options out there, and I feel like it's not talked enough about on YouTube, especially the security part, which is most important. Almost everyone just assumes it's secure, which isn't always the case. So make sure to hit the Like button, Subscribe and Share, and let's get started.
Okay, so how to do it: to expose our homelab there are five main ways:
1. Secure tunnels like Cloudflare
2. Reverse proxies like Nginx
3. Traditional VPNs like WireGuard or OpenVPN protocols
4. Mesh VPNs like ZeroTier and Tailscale
5. And lastly, the old classic port forwarding or NAT
So let's break down each one of them quickly to understand the differences.
First, secure tunnels like Cloudflare. This is often defined as secure tunnels to access your app without exposing your IP, making remote access easy. It's also fairly easy to set up; however, by default it's not secured enough and solely [relies] on your app security, but this can be improved. We'll cover this later in another video.
Next, reverse proxies like Nginx. It's a server that sits in the middle and forwards requests to your homelab, helping you manage multiple services under one domain. While adding another layer of protection, you will have more control over your services and how to contr- manage them. However, it exposes your IP and you must open a port on your router to access it.
Next, traditional VPNs like WireGuard or OpenVPN. It creates an encrypted tunnel between your device and your homelab, making it feel like you are on the same local network. It's good for privacy and security but only useful when you are the only user, because it's impossible to share access without sharing your private key with other users.
Next, mesh VPNs like ZeroTier or Tailscale. This is similar to normal VPNs except it connects devices between each other instead of connecting them to a central server. It has more control over normal VPNs in the way that you can choose which devices to share, but you must manually join the network each time for each device you want to give access to.
Finally, NAT. This is a classic way of opening specific ports on your router to expose your homelab. It's simple but it also carries high security risk if you rely on it alone.
Keep in mind NAT often gets used with other methods like previously shown, but going purely [on its own] port forwarding is a no-go for secure setups.
Now, you may be wondering, what's the most secure setup to expose your homelab? Actually, [it] depends on your apps and what you want to do. In my opinion, it's not about which method you use but more about how you combine between them. The best setup is to mix them and make them work all together to have the perfect setup.
Okay, so first let's go to cloudflare.com. Go to "Sign Up" and free at the website. And let's create a new account now. After that, if you already have [a] domain [previously purchased], enter it here, or for me I'm just going to create a new domain. For some reason I got an error when trying to pay, so I'm just going to import an existing domain. Just going to type it here. Okay, so then go down and choose the free package. Next click on continue to activation. Confirm.
Next we need to do some modifications. We need to modify the current name servers with Cloudflare nameservers to allow Cloudflare to control the domain. To do that, we go to the domain provider; in my case it's Namecheap.
So in my case I'm gonna do custom DNS, and then I copy... the nameservers, and then I save. It tells you that it can take up to 48 hours, but it's not true, it [can take] just a few seconds or a few minutes max. But, just in case, if it takes a long time to update, uh, this is normal, so just wait. There is no other choice.
Okay, so after a while, we get this page; this means everything is good. Now we go to access page and then Zero Trust. We choose our account. Next you go to access. Next we choose team name, just anything. Then we choose the free package of course. There is zero payment.
Next we go to Networks, Tunnels, and we add a tunnel. We choose this one, Cloudflared. We name our tunnel, Homelab uh test. Next it will ask you to choose your environment. In this case you just uh, you just choose Docker, and then we just copy the command because we just need the token. We don't need to run anything Docker. Then we go back to TrueNAS and we install the Cloudflared app.
This one. And here we['ve] got [to just] paste what we had and we just keep. Remove everything, we just keep the token. So anything before this goes. That's it. We don't need to set up anything else. Even storage, it's not necessary. And we install.
Okay, now it's up and running. Let's go back to Cloudflared profile. Now we need to wait until we get uh something here in connectors. It will automatically search. Alright, here we go. It's connected. So now we can continue. Next.
Now we're ready to add our first service. Let's start by adding TrueNAS itself. So let's just copy the IP. Then we choose the subdomain, TrueNAS, and choose the domain, then we choose HTTP and then the IP. There is nothing specific to add there. Let's save.
To test this I'm going to disconnect from the VPN, because I'm not at home, I'm connected to my home VPN. So I'm just going to deactivate it and try this. To show that likely if I try to go to the same IP, it's not going to work, because I disconnected from the VPN. And if I try a domain, new domain.
It works. So now TrueNAS is accessible from the outside. But this is not recommended of course. If you want to expose something, just expose the apps individually, don't expose the whole thing. So now I'm just going to delete it and then I'm gonna add something else.
Okay, now I want to add another service. Maybe Proxmox. Let's go to add the public hostname, Proxmox, same thing. Here we're going to choose HTTPS instead of HTTP, and then the IP as well as the port, which is 8... 8006, and then we go to Additional Settings > TLS and we enable No TLS verify. It will not check certificates. Now let's save. Let's try again now. Nice! Now it works. And we'll disconnect the VPN and refresh, and it still works.
Okay, now before we're finishing the video let's do one last service, which is Paperless. Since we already covered this in a previous video, we're going to see how to expose this. Why did I choose Paperless? Because it's a bit tricky to set up; it's not as simple as adding the hostname.
So, let's see. First we just add the hostname of course, same thing as always, HTTPS, and then we take the URL, which is IP and port. It chooses HTTP not HTTPS. Service name. So first it's gonna work normally if I try to access. Alright. Uh, but the problem is when you try to log in, you get this error: CSRF verification failed. Why? We need to change some settings to make it accessible.
According to the documentation we need to set this environment variable (PAPERLESS_URL) uh and uh, set it to the domain name we used in Cloudflare. So let's do that: go to Paperless > Edit and let's just add it as an environment variable here, PAPERLESS_URL, set it to paperless.yourdomain, make sure to add HTTPS to the beginning, and that's it. Update.
In case you got stuck in deploying, which was the case for me, I'm not sure why but the container Paperless just stuck like this for a long time. So what I did is stop this instance and create another instance using the already created datasets. So you're not going to lose anything of your files.
So let's start another instance. Let's call it paperless-cloudflare. We can change password if you want. By the way you can choose any secret key you want. Just want some random stuff. You don't need to remember it. Okay, add an email, just a fake email. Password. Now we add again environment variable PAPERLESS_URL, HTTPS, paperless… dot your domain, and then we add the other host path. Paperless, this is the data, let's copy this. And now Media, and then Consume, and Trash, this is postscript. Make sure to check "Automatic Permissions". Then we hit install. Let's wait [a] little bit. It works but it takes some time.
Okay, now it's running. Let's start it. First let's get the IP, I mean let's get the port-- IP is the same. Go back to Cloudflare. Hit it. Going to put the new port. Save. Let's try now. Okay, now new password. And now it works. We don't got the error, the previous error.
And as you can see we still have the documents as before, we didn't lose anything. We still got all our documents. Open them. And uh, everything works fine. That's it. Basically this is how to expose your services on the cloud.
To recap, when you want to expose your app, this is how it works: we don't access the app directly, but rather you access the cloud server, Cloudflare server. Cloudflare will make exchanges with your LAN network through Cloudflare and then it will give access to your app. This way you don't access your app directly, which means you don't expose your IP and you don't go through the NAT, you don't need to open a port. But be careful: if your app is insecure and you get hacked, you directly expose all of your homelab. It doesn't matter if you use Cloudflare or not.
Like and Share if you made it this far. See you in the next video.