WEBVTT 99:59:59.999 --> 99:59:59.999 Hi everyone, welcome back 99:59:59.999 --> 99:59:59.999 So today we're going to try something a little bit different. 99:59:59.999 --> 99:59:59.999 We're gonna start a new video series 99:59:59.999 --> 99:59:59.999 about all the different ways to expose or access our homelab 99:59:59.999 --> 99:59:59.999 from the internet. 99:59:59.999 --> 99:59:59.999 The reason is mainly because there's tons of options out there, 99:59:59.999 --> 99:59:59.999 and I feel like it's not talked enough about on YouTube. 99:59:59.999 --> 99:59:59.999 Especially the security part 99:59:59.999 --> 99:59:59.999 which is most important. 99:59:59.999 --> 99:59:59.999 Almost everyone just assumes it's secure, which isn't always the case, 99:59:59.999 --> 99:59:59.999 so make sure to hit the Like button 99:59:59.999 --> 99:59:59.999 Subscribe and Share 99:59:59.999 --> 99:59:59.999 and let's get started. 99:59:59.999 --> 99:59:59.999 Okay so how to do it, 99:59:59.999 --> 99:59:59.999 to expose our homelab there are five main ways 99:59:59.999 --> 99:59:59.999 1. Secure Tunnels like Cloudflare 99:59:59.999 --> 99:59:59.999 2. Reverse proxies like Nginx 99:59:59.999 --> 99:59:59.999 3. Traditional VPNs like Wireguard or OpenVPN protocols 99:59:59.999 --> 99:59:59.999 4. Mesh VPNs like ZeroTier and Tailscale 99:59:59.999 --> 99:59:59.999 and lastly 5. the old classic port forwarding or NAT 99:59:59.999 --> 99:59:59.999 So let's break down each one of them quickly to understand the differences. 99:59:59.999 --> 99:59:59.999 First secure tunnels like Cloudflare. 99:59:59.999 --> 99:59:59.999 This is often defined as secure tunnels to access your app without exposing your IP 99:59:59.999 --> 99:59:59.999 making remote access easy. 
99:59:59.999 --> 99:59:59.999 It's also fairly easy to set up, 99:59:59.999 --> 99:59:59.999 however, by default it's not secured enough 99:59:59.999 --> 99:59:59.999 and solely [relies] on your app security 99:59:59.999 --> 99:59:59.999 but this can be improved. 99:59:59.999 --> 99:59:59.999 We'll cover this later in another video. 99:59:59.999 --> 99:59:59.999 Next, reverse proxies 99:59:59.999 --> 99:59:59.999 like nginx. 99:59:59.999 --> 99:59:59.999 It's a server that sits in the middle and forwards requests to your homelab 99:59:59.999 --> 99:59:59.999 helping you manage multiple services under one domain. 99:59:59.999 --> 99:59:59.999 While adding another layer of protection, 99:59:59.999 --> 99:59:59.999 you will have more control over your services 99:59:59.999 --> 99:59:59.999 and how to contr- manage them. 99:59:59.999 --> 99:59:59.999 However, it exposes your IP and you must open a port on your router to access it. 99:59:59.999 --> 99:59:59.999 Next, traditional VPNs like WireGuard or OpenVPN. 99:59:59.999 --> 99:59:59.999 It creates an encrypted tunnel between your device and 99:59:59.999 --> 99:59:59.999 your homelab 99:59:59.999 --> 99:59:59.999 making it feel like you are on the same local network. 99:59:59.999 --> 99:59:59.999 It's good for privacy and security 99:59:59.999 --> 99:59:59.999 but only useful when you are the only user because 99:59:59.999 --> 99:59:59.999 it's impossible to share access without sharing your private key 99:59:59.999 --> 99:59:59.999 to other users. 99:59:59.999 --> 99:59:59.999 Next, mesh VPNs 99:59:59.999 --> 99:59:59.999 like ZeroTier or Tailscale 99:59:59.999 --> 99:59:59.999 this is similar to normal VPNs except it connects devices between each other 99:59:59.999 --> 99:59:59.999 instead of connecting them to a central server.
99:59:59.999 --> 99:59:59.999 It has more control over normal VPNs in the way that you can choose which devices to share 99:59:59.999 --> 99:59:59.999 but you must manually join the network 99:59:59.999 --> 99:59:59.999 each time for each device you want to give access to. 99:59:59.999 --> 99:59:59.999 Finally NAT this is a classic way of opening specific ports on your router 99:59:59.999 --> 99:59:59.999 to expose your homelab. 99:59:59.999 --> 99:59:59.999 It's simple but it also carries high security risk if you rely on it alone. 99:59:59.999 --> 99:59:59.999 Keep in mind NAT often gets used with other 99:59:59.999 --> 99:59:59.999 methods like previously shown, 99:59:59.999 --> 99:59:59.999 but going purely [on its own] port forwarding is a no-go for secure setups. 99:59:59.999 --> 99:59:59.999 Now, you may be wondering, 99:59:59.999 --> 99:59:59.999 what's the most secure setup 99:59:59.999 --> 99:59:59.999 to expose your home lab? 99:59:59.999 --> 99:59:59.999 Actually, [it] depends on your apps and what you want to do. 99:59:59.999 --> 99:59:59.999 In my opinion, it's not about which method you use 99:59:59.999 --> 99:59:59.999 but more about how you combine between them. 99:59:59.999 --> 99:59:59.999 The best setup is to mix them and make them work all together 99:59:59.999 --> 99:59:59.999 to have the perfect setup. 99:59:59.999 --> 99:59:59.999 Okay so first let's go to cloudflare.com 99:59:59.999 --> 99:59:59.999 Go to "Sign Up" 99:59:59.999 --> 99:59:59.999 and free at the website. 99:59:59.999 --> 99:59:59.999 And let's create a new account now. 99:59:59.999 --> 99:59:59.999 After that if you already have [a] domain [previously purchased] 99:59:59.999 --> 99:59:59.999 enter it here 99:59:59.999 --> 99:59:59.999 or for me I'm just going to create a new domain.
99:59:59.999 --> 99:59:59.999 For some reason I got an error 99:59:59.999 --> 99:59:59.999 when trying to pay 99:59:59.999 --> 99:59:59.999 So I'm just going to import an existing domain 99:59:59.999 --> 99:59:59.999 Just going to type it here. 99:59:59.999 --> 99:59:59.999 Okay, so then go down 99:59:59.999 --> 99:59:59.999 and choose the free package. 99:59:59.999 --> 99:59:59.999 Next click on continue to activation. 99:59:59.999 --> 99:59:59.999 Confirm. Next we need to do some modifications 99:59:59.999 --> 99:59:59.999 We need to modify the current nameservers 99:59:59.999 --> 99:59:59.999 with Cloudflare nameservers 99:59:59.999 --> 99:59:59.999 to allow Cloudflare to control the domain. 99:59:59.999 --> 99:59:59.999 To do that, 99:59:59.999 --> 99:59:59.999 we go to the domain provider 99:59:59.999 --> 99:59:59.999 in my case it's NameCheap. 99:59:59.999 --> 99:59:59.999 So in my case 99:59:59.999 --> 99:59:59.999 I'm gonna do custom DNS 99:59:59.999 --> 99:59:59.999 and then I copy.... 99:59:59.999 --> 99:59:59.999 the nameservers 99:59:59.999 --> 99:59:59.999 and then I save. 99:59:59.999 --> 99:59:59.999 It tells you that it can take up to 48 hours 99:59:59.999 --> 99:59:59.999 But it's not true it [can take] just a few seconds 99:59:59.999 --> 99:59:59.999 or a few minutes max 99:59:59.999 --> 99:59:59.999 But, just in case 99:59:59.999 --> 99:59:59.999 If it takes a long time to update 99:59:59.999 --> 99:59:59.999 Uh, this is normal so 99:59:59.999 --> 99:59:59.999 just wait 99:59:59.999 --> 99:59:59.999 There is no other choice 99:59:59.999 --> 99:59:59.999 Okay, so after a while, 99:59:59.999 --> 99:59:59.999 We get this page this means everything is good 99:59:59.999 --> 99:59:59.999 Now we go to access page 99:59:59.999 --> 99:59:59.999 and then NetZero Trust.
99:59:59.999 --> 99:59:59.999 We choose our account 99:59:59.999 --> 99:59:59.999 Next you go to access 99:59:59.999 --> 99:59:59.999 Next we choose team name 99:59:59.999 --> 99:59:59.999 Just anything 99:59:59.999 --> 99:59:59.999 Then we choose the free package of course 99:59:59.999 --> 99:59:59.999 There is zero payment 99:59:59.999 --> 99:59:59.999 Next we go to Networks 99:59:59.999 --> 99:59:59.999 Tunnels 99:59:59.999 --> 99:59:59.999 And we add a tunnel 99:59:59.999 --> 99:59:59.999 We choose this one Cloudflared 99:59:59.999 --> 99:59:59.999 We name our Tunnel 99:59:59.999 --> 99:59:59.999 Homelab uh test 99:59:59.999 --> 99:59:59.999 Next it will ask you to choose your environment 99:59:59.999 --> 99:59:59.999 In this case you just uh 99:59:59.999 --> 99:59:59.999 You just choose docker 99:59:59.999 --> 99:59:59.999 and then we just copy the comment 99:59:59.999 --> 99:59:59.999 because we just need the token. 99:59:59.999 --> 99:59:59.999 We don't need to run anything docker 99:59:59.999 --> 99:59:59.999 Then we go back to TrueNAS 99:59:59.999 --> 99:59:59.999 and we install 99:59:59.999 --> 99:59:59.999 the Cloudflared app. 99:59:59.999 --> 99:59:59.999 This one 99:59:59.999 --> 99:59:59.999 And here we['ve] got [to just] paste what we had 99:59:59.999 --> 99:59:59.999 and we just keep. 99:59:59.999 --> 99:59:59.999 Remove everything, we just keep the token. 99:59:59.999 --> 99:59:59.999 So anything before this goes. 99:59:59.999 --> 99:59:59.999 That's it. 99:59:59.999 --> 99:59:59.999 We don't need to setup anything else. 99:59:59.999 --> 99:59:59.999 Even storage, it's not necessary. 99:59:59.999 --> 99:59:59.999 And we install. 99:59:59.999 --> 99:59:59.999 Okay now it's up and running. 99:59:59.999 --> 99:59:59.999 Let's go back to Cloudflared profile. 99:59:59.999 --> 99:59:59.999 Now we need to wait until we get uh 99:59:59.999 --> 99:59:59.999 something here in connectors.
99:59:59.999 --> 99:59:59.999 It will automatically search. 99:59:59.999 --> 99:59:59.999 Alright here we go 99:59:59.999 --> 99:59:59.999 It's connected. 99:59:59.999 --> 99:59:59.999 So now we can continue. 99:59:59.999 --> 99:59:59.999 Next 99:59:59.999 --> 99:59:59.999 Now we're ready to add our first service. 99:59:59.999 --> 99:59:59.999 Let's start by adding TrueNAS itself. 99:59:59.999 --> 99:59:59.999 So let's just copy the IP 99:59:59.999 --> 99:59:59.999 Then we choose the subdomain 99:59:59.999 --> 99:59:59.999 TrueNAS 99:59:59.999 --> 99:59:59.999 and choose the domain 99:59:59.999 --> 99:59:59.999 then we choose HTTP 99:59:59.999 --> 99:59:59.999 and then the IP 99:59:59.999 --> 99:59:59.999 There is nothing specific to add there. 99:59:59.999 --> 99:59:59.999 That's save. 99:59:59.999 --> 99:59:59.999 To test this I'm going to disconnect from the VPN 99:59:59.999 --> 99:59:59.999 Because I'm not at home I'm connected to my home VPN. 99:59:59.999 --> 99:59:59.999 So I'm just going to deactivate it 99:59:59.999 --> 99:59:59.999 and try this. 99:59:59.999 --> 99:59:59.999 To show that likely if I try to go to the same IP 99:59:59.999 --> 99:59:59.999 It's not going to work, 99:59:59.999 --> 99:59:59.999 because I disconnected from the VPN. 99:59:59.999 --> 99:59:59.999 And if I try 99:59:59.999 --> 99:59:59.999 a domain, 99:59:59.999 --> 99:59:59.999 new domain. 99:59:59.999 --> 99:59:59.999 It works. 99:59:59.999 --> 99:59:59.999 So now 99:59:59.999 --> 99:59:59.999 TrueNAS is accessible 99:59:59.999 --> 99:59:59.999 from the outside. 99:59:59.999 --> 99:59:59.999 But this is not recommended of course. 99:59:59.999 --> 99:59:59.999 If you want to expose something 99:59:59.999 --> 99:59:59.999 just expose the apps individually 99:59:59.999 --> 99:59:59.999 don't expose the whole thing.
99:59:59.999 --> 99:59:59.999 so 99:59:59.999 --> 99:59:59.999 So now I'm just going to delete it 99:59:59.999 --> 99:59:59.999 and then I'm gonna add something else. 99:59:59.999 --> 99:59:59.999 Okay now I want to add another service. 99:59:59.999 --> 99:59:59.999 Maybe, Proxmox 99:59:59.999 --> 99:59:59.999 Let's go to add the public hostname 99:59:59.999 --> 99:59:59.999 Proxmox 99:59:59.999 --> 99:59:59.999 same thing 99:59:59.999 --> 99:59:59.999 here we're going to choose HTTPS instead of HTTP 99:59:59.999 --> 99:59:59.999 and then the IP 99:59:59.999 --> 99:59:59.999 as well as the port which is 8... 99:59:59.999 --> 99:59:59.999 8006 99:59:59.999 --> 99:59:59.999 and then we go to Additional Settings > TLS 99:59:59.999 --> 99:59:59.999 and we enable No TLS verify. 99:59:59.999 --> 99:59:59.999 It will not check certificates. 99:59:59.999 --> 99:59:59.999 Now let's save. 99:59:59.999 --> 99:59:59.999 Let's try again now. 99:59:59.999 --> 99:59:59.999 Nice! Now it works. 99:59:59.999 --> 99:59:59.999 And we'll disconnect the VPN 99:59:59.999 --> 99:59:59.999 and refresh 99:59:59.999 --> 99:59:59.999 and it still works. 99:59:59.999 --> 99:59:59.999 Okay now before we're finishing the video 99:59:59.999 --> 99:59:59.999 let's do 99:59:59.999 --> 99:59:59.999 one last service which is 99:59:59.999 --> 99:59:59.999 Paperless. 99:59:59.999 --> 99:59:59.999 Since we already covered this in a previous video, 99:59:59.999 --> 99:59:59.999 we're going to see how to expose this 99:59:59.999 --> 99:59:59.999 Why did I choose Paperless? Because 99:59:59.999 --> 99:59:59.999 it's a bit tricky to set up 99:59:59.999 --> 99:59:59.999 it's not as simple as 99:59:59.999 --> 99:59:59.999 adding the hostname.
99:59:59.999 --> 99:59:59.999 So, let's see first we just add the hostname of course 99:59:59.999 --> 99:59:59.999 same thing as always, 99:59:59.999 --> 99:59:59.999 HTTPS, and then we take the URL 99:59:59.999 --> 99:59:59.999 which is IP and Port 99:59:59.999 --> 99:59:59.999 It chooses HTTP not HTTPS 99:59:59.999 --> 99:59:59.999 Service name 99:59:59.999 --> 99:59:59.999 So first it's gonna work normally 99:59:59.999 --> 99:59:59.999 if I try to access. 99:59:59.999 --> 99:59:59.999 Alright 99:59:59.999 --> 99:59:59.999 Uh, but the problem is when you 99:59:59.999 --> 99:59:59.999 try to login 99:59:59.999 --> 99:59:59.999 You get this 99:59:59.999 --> 99:59:59.999 error. CSRF verification failed. 99:59:59.999 --> 99:59:59.999 Why? 99:59:59.999 --> 99:59:59.999 We need to change some settings 99:59:59.999 --> 99:59:59.999 to make it accessible. 99:59:59.999 --> 99:59:59.999 According to the documentation 99:59:59.999 --> 99:59:59.999 we need to set this environment variable (PAPERLESS_URL) 99:59:59.999 --> 99:59:59.999 uh and uh, set it to the domain name 99:59:59.999 --> 99:59:59.999 we used in Cloudflare. 99:59:59.999 --> 99:59:59.999 So let's do that 99:59:59.999 --> 99:59:59.999 go to Paperless > Edit 99:59:59.999 --> 99:59:59.999 and let's just add it as an environment variable here 99:59:59.999 --> 99:59:59.999 PAPERLESS_URL 99:59:59.999 --> 99:59:59.999 set it to paperless.yourdomain 99:59:59.999 --> 99:59:59.999 make sure to add HTTPS to the beginning 99:59:59.999 --> 99:59:59.999 and that's it. 99:59:59.999 --> 99:59:59.999 Update.
99:59:59.999 --> 99:59:59.999 In case you got stuck in deploying 99:59:59.999 --> 99:59:59.999 which was the case for me 99:59:59.999 --> 99:59:59.999 I'm not sure why but the container Paperless 99:59:59.999 --> 99:59:59.999 just stuck like this for a long time 99:59:59.999 --> 99:59:59.999 So what I did is stop this instance 99:59:59.999 --> 99:59:59.999 and create another instance 99:59:59.999 --> 99:59:59.999 using the already created datasets. 99:59:59.999 --> 99:59:59.999 So you're not going to lose anything 99:59:59.999 --> 99:59:59.999 of your files. 99:59:59.999 --> 99:59:59.999 So let's start another instance 99:59:59.999 --> 99:59:59.999 Let's call it paperless-cloudflare. 99:59:59.999 --> 99:59:59.999 We can change password if you want. 99:59:59.999 --> 99:59:59.999 By the way you can choose any secret key 99:59:59.999 --> 99:59:59.999 you want. Just want some random stuff 99:59:59.999 --> 99:59:59.999 You don't need to remember it. 99:59:59.999 --> 99:59:59.999 Okay, add an email 99:59:59.999 --> 99:59:59.999 just a fake email. 99:59:59.999 --> 99:59:59.999 Password. 
99:59:59.999 --> 99:59:59.999 Now we add again environment variable 99:59:59.999 --> 99:59:59.999 PAPERLESS_URL 99:59:59.999 --> 99:59:59.999 HTTPS 99:59:59.999 --> 99:59:59.999 paperless… 99:59:59.999 --> 99:59:59.999 dot 99:59:59.999 --> 99:59:59.999 your domain 99:59:59.999 --> 99:59:59.999 and then we add the other host path 99:59:59.999 --> 99:59:59.999 paperless this is the data 99:59:59.999 --> 99:59:59.999 let's copy this 99:59:59.999 --> 99:59:59.999 And now Media 99:59:59.999 --> 99:59:59.999 and then Consume 99:59:59.999 --> 99:59:59.999 and Trash 99:59:59.999 --> 99:59:59.999 this is postscript 99:59:59.999 --> 99:59:59.999 Make sure to check "Automatic Permissions" 99:59:59.999 --> 99:59:59.999 Then we hit install 99:59:59.999 --> 99:59:59.999 Let's wait [a] little bit 99:59:59.999 --> 99:59:59.999 It works but it takes some time 99:59:59.999 --> 99:59:59.999 Okay now it's running 99:59:59.999 --> 99:59:59.999 Let's start it 99:59:59.999 --> 99:59:59.999 First let's get the IP 99:59:59.999 --> 99:59:59.999 I mean let's get the part-- IP is the same 99:59:59.999 --> 99:59:59.999 Go back to cloudflare 99:59:59.999 --> 99:59:59.999 Hit it 99:59:59.999 --> 99:59:59.999 Going to put the new port 99:59:59.999 --> 99:59:59.999 Save 99:59:59.999 --> 99:59:59.999 Let's try now 99:59:59.999 --> 99:59:59.999 Okay, now new password 99:59:59.999 --> 99:59:59.999 And now it works. We don't got the error 99:59:59.999 --> 99:59:59.999 the previous error. 
99:59:59.999 --> 99:59:59.999 And as you can see we still have the documents 99:59:59.999 --> 99:59:59.999 as before, we didn't lose anything 99:59:59.999 --> 99:59:59.999 We still got all our documents 99:59:59.999 --> 99:59:59.999 Open them 99:59:59.999 --> 99:59:59.999 And uh, everything works fine 99:59:59.999 --> 99:59:59.999 That's it 99:59:59.999 --> 99:59:59.999 Basically this is how to 99:59:59.999 --> 99:59:59.999 expose your services on the cloud 99:59:59.999 --> 99:59:59.999 To recap 99:59:59.999 --> 99:59:59.999 when you want to expose your app 99:59:59.999 --> 99:59:59.999 this is how it works 99:59:59.999 --> 99:59:59.999 we don't access the app directly 99:59:59.999 --> 99:59:59.999 but rather you access the cloudserver 99:59:59.999 --> 99:59:59.999 cloudflare server. Cloudflare will make exchanges 99:59:59.999 --> 99:59:59.999 with your 99:59:59.999 --> 99:59:59.999 LAN network through Cloudflare 99:59:59.999 --> 99:59:59.999 and then 99:59:59.999 --> 99:59:59.999 It will give access to your app 99:59:59.999 --> 99:59:59.999 This way you don't 99:59:59.999 --> 99:59:59.999 access your app directly 99:59:59.999 --> 99:59:59.999 which means you don't expose your 99:59:59.999 --> 99:59:59.999 IP and you don't go through the NAT 99:59:59.999 --> 99:59:59.999 you don't need to open a port 99:59:59.999 --> 99:59:59.999 but be careful if your habit is insecure 99:59:59.999 --> 99:59:59.999 and you get hacked. You directly expose 99:59:59.999 --> 99:59:59.999 all of your homelab 99:59:59.999 --> 99:59:59.999 It doesn't matter if you use Cloudflare 99:59:59.999 --> 99:59:59.999 or not 99:59:59.999 --> 99:59:59.999 Like and Share if you made it this far 99:59:59.999 --> 99:59:59.999 See you in the next video