1 00:00:00,521 --> 00:00:02,082 Hi everyone, welcome back 2 00:00:02,082 --> 00:00:05,092 So today we're going to try something a little bit different. 3 00:00:05,142 --> 00:00:08,126 We're gonna start a new video series 4 00:00:09,247 --> 00:00:12,621 about all the different ways to expose or access our homelab 5 00:00:12,621 --> 00:00:14,059 from the internet. 6 00:00:14,779 --> 00:00:18,199 The reason is mainly because there's tons of options out there, 7 00:00:18,411 --> 00:00:21,131 and I feel like it's not talked enough about on YouTube. 8 00:00:21,393 --> 00:00:23,227 Especially the security part 9 00:00:23,227 --> 00:00:24,619 which is most important. 10 00:00:24,619 --> 00:00:28,675 Almost everyone just assumes it's secure, which isn't always the case, 11 00:00:29,005 --> 00:00:30,548 so make sure to hit the Like button 12 00:00:30,548 --> 00:00:31,888 Subscribe and Share 13 00:00:31,929 --> 00:00:33,450 and let's get started. 14 00:00:33,738 --> 00:00:35,256 Okay so how to do it, 15 00:00:35,527 --> 00:00:38,719 to expose our homelab there are five main ways 16 00:00:39,126 --> 00:00:41,689 1. Secure Tunnels like Cloudflare 17 00:00:42,058 --> 00:00:44,000 2. Reverse proxies like Nginx 18 00:00:44,289 --> 00:00:48,129 3. Traditional VPNs like Wireguard or OpenVPN protocols 19 00:00:48,493 --> 00:00:51,204 4. Mesh VPNs like ZeroTier and Tailscale 20 00:00:51,531 --> 00:00:55,349 and lastly 5. the old classic port forwarding or NAT 21 00:00:55,349 --> 00:00:59,146 So let's break down each one of them quickly to understand the differences. 22 00:00:59,441 --> 00:01:02,330 First secure tunnels like Cloudflare. 23 00:01:02,330 --> 00:01:06,722 This is often defined as secure tunnels to access your app without exposing your IP 24 00:01:06,722 --> 00:01:08,856 making remote access easy. 
25 00:01:08,856 --> 00:01:10,949 It's also fairly easy to set up, 26 00:01:10,949 --> 00:01:11,199 however, by default it's not secured enough 27 00:01:14,240 --> 00:01:16,916 and solely [relies] on your app security 28 00:01:16,916 --> 00:01:18,520 but this can be improved. 29 00:01:18,520 --> 00:01:21,599 We'll cover this later in another video. 30 00:01:21,599 --> 00:01:23,801 Next, reverse proxies 31 00:01:23,801 --> 00:01:24,886 like nginx. 32 00:01:24,886 --> 00:01:28,198 It's a server that sits in the middle and forwards requests to your homelab 33 00:01:28,416 --> 00:01:31,520 helping you manage multiple services under one domain. 34 00:01:31,832 --> 00:01:33,758 While adding another layer of protection, 35 00:01:33,758 --> 00:01:38,660 you will have more control over your services and how to 36 00:01:38,983 --> 00:01:40,668 contr- manage them. 37 00:01:41,032 --> 00:01:46,288 However, it exposes your IP and you must open a port on your router to access it. 38 00:01:47,000 --> 00:01:51,006 Next, traditional VPNs like WireGuard or OpenVPN. 39 00:01:51,006 --> 00:01:53,838 It creates an encrypted tunnel between your device and 40 00:01:53,838 --> 00:01:55,076 your homelab 41 00:01:55,076 --> 00:01:57,854 making it feel like you are on the same local network. 42 00:01:57,854 --> 00:02:00,634 It's good for privacy and security 43 00:02:00,634 --> 00:02:03,318 but only useful when you are the only user because 44 00:02:03,318 --> 00:02:07,198 it's impossible to share access without sharing your private key 45 00:02:07,198 --> 00:02:09,530 to other users. 46 00:02:09,530 --> 00:02:11,732 Next, mesh VPNs 47 00:02:11,732 --> 00:02:14,306 like ZeroTier or Tailscale 48 00:02:14,306 --> 00:02:18,984 this is similar to normal VPNs except it connects devices between each other 49 00:02:18,984 --> 00:02:21,702 instead of connecting them to a central server. 
50 00:02:21,702 --> 00:02:26,333 It has more control over normal VPNs in the way that you can choose which devices to share 51 00:02:26,333 --> 00:02:29,067 but you must manually join the network 52 00:02:29,067 --> 00:02:31,606 each time for each device you want to give access to. 53 00:02:31,606 --> 00:02:36,176 Finally NAT this is a classic way of opening specific ports on your router 54 00:02:36,176 --> 00:02:37,667 to expose your homelab. 55 00:02:37,667 --> 00:02:42,200 It's simple but it also carries high security risk if you rely on it alone. 56 00:02:42,200 --> 00:02:46,623 Keep in mind NAT often gets used with other methods like previously shown, 57 00:02:46,750 --> 00:02:50,843 but going purely [on its own] port forwarding is a no-go for secure setups. 58 00:02:51,752 --> 00:02:52,773 Now, you may be wondering, 59 00:02:53,137 --> 00:02:54,967 what's the most secure setup 60 00:02:54,967 --> 00:02:56,236 to expose your home lab? 61 00:02:56,236 --> 00:02:59,759 Actually, [it] depends on your apps and what you want to do? 62 00:02:59,759 --> 00:03:02,555 In my opinion, it's not about which method you use 63 00:03:02,555 --> 00:03:05,529 but more about how you combine between them. 64 00:03:05,529 --> 00:03:09,779 The best setup is to mix them and make them work all together 65 00:03:09,779 --> 00:03:11,731 to have the perfect setup. 66 00:03:13,593 --> 00:03:16,780 Okay so first let's go to cloudflare.com 67 00:03:16,780 --> 00:03:17,030 Go to "Sign Up" 68 00:03:18,967 --> 00:03:21,625 and free at the website. 69 00:03:23,020 --> 00:03:25,981 And let's create a new account now. 70 00:03:29,984 --> 00:03:32,048 After that if you already have [a] domain [previously purchased] 71 00:03:32,389 --> 00:03:33,309 enter it here 72 00:03:33,309 --> 00:03:36,447 or for me I'm just going to create a new domain. 
73 00:03:39,574 --> 00:03:41,307 For some reason I got an error 74 00:03:41,307 --> 00:03:42,277 when trying to pay 75 00:03:42,716 --> 00:03:44,868 So I'm just going to import an existing domain 76 00:03:44,929 --> 00:03:47,134 Just going to type it here. 77 00:03:51,347 --> 00:03:53,683 Okay, so then go down 78 00:03:54,517 --> 00:03:56,227 and choose the free package. 79 00:03:59,963 --> 00:04:02,678 Next click on continue to activation. 80 00:04:03,224 --> 00:04:07,187 Confirm. Next we need to do some modifications 81 00:04:07,467 --> 00:04:10,949 We need to modify the current name servers 82 00:04:11,124 --> 00:04:12,859 with Cloudflare nameservers 83 00:04:13,243 --> 00:04:16,360 to allow Cloudflare to control the domain. 84 00:04:16,750 --> 00:04:17,631 To do that, 85 00:04:17,957 --> 00:04:20,137 we go to the domain provider 86 00:04:20,174 --> 00:04:22,432 in my case it's NameCheap. 87 00:04:25,978 --> 00:04:29,172 So in my case I'm gonna do custom DNS 88 00:04:29,172 --> 00:04:30,994 and then I copy.... 89 00:04:35,710 --> 00:04:37,504 the nameservers 90 00:04:38,754 --> 00:04:39,796 and then I save. 91 00:04:42,779 --> 00:04:46,192 It tells you that it can take up to 48 hours 92 00:04:46,192 --> 00:04:48,761 But it's not true it [can take] just a few seconds 93 00:04:48,761 --> 00:04:50,361 or a few minutes max 94 00:04:50,361 --> 00:04:52,118 But, just in case 95 00:04:53,139 --> 00:04:55,176 If it takes a long time to update 96 00:04:55,176 --> 00:04:56,786 Uh, this is normal so 97 00:04:56,786 --> 00:04:58,114 just wait 98 00:04:58,114 --> 00:05:00,183 There is no other choice 99 00:05:00,725 --> 00:05:02,085 Okay, so after a while, 100 00:05:02,085 --> 00:05:04,603 We get this page this means everything is good 101 00:05:04,603 --> 00:05:07,324 Now we go to access page 102 00:05:07,324 --> 00:05:09,709 and then NetZero Trust. 
103 00:05:10,446 --> 00:05:11,865 We choose our account 104 00:05:12,218 --> 00:05:14,409 Next you go to access 105 00:05:15,202 --> 00:05:17,558 Next we choose teamname 106 00:05:17,829 --> 00:05:20,403 Just anything 107 00:05:23,051 --> 00:05:26,135 Then we choose the free package of course 108 00:05:27,183 --> 00:05:29,562 There is zero payment 109 00:05:33,126 --> 00:05:34,940 Next we go to Networks 110 00:05:35,629 --> 00:05:36,254 Tunnels 111 00:05:37,337 --> 00:05:39,403 And we add a tunnel 112 00:05:39,945 --> 00:05:41,237 We choose this one Cloudflared 113 00:05:41,581 --> 00:05:43,142 We name our Tunnel 114 00:05:43,142 --> 00:05:45,029 Homelab uh test 115 00:05:47,589 --> 00:05:50,189 Next it will ask you to choose your environment 116 00:05:50,189 --> 00:05:52,089 In this case you just uh 117 00:05:52,089 --> 00:05:53,524 You just choose docker 118 00:05:53,524 --> 00:05:55,267 and then we just copy the comment 119 00:05:55,267 --> 00:05:58,245 because we just need the token. 120 00:05:58,245 --> 00:06:00,104 We don't need to run anything docker 121 00:06:00,104 --> 00:06:01,805 Then we go back to TrueNAS 122 00:06:02,278 --> 00:06:03,942 and we install 123 00:06:03,942 --> 00:06:05,846 the Cloudflared app. 124 00:06:07,320 --> 00:06:08,621 This one 125 00:06:10,581 --> 00:06:13,442 And here we['ve] got [to just] paste what we had 126 00:06:13,442 --> 00:06:14,577 and we just keep. 127 00:06:15,957 --> 00:06:19,195 Remove everything, we just keep the token. 128 00:06:24,636 --> 00:06:27,117 So anything before this goes. 129 00:06:28,869 --> 00:06:30,226 That's it. 130 00:06:31,789 --> 00:06:34,373 We don't need to setup anything else. 131 00:06:34,999 --> 00:06:37,754 Even storage, it's not necessary. 132 00:06:39,630 --> 00:06:40,859 And we install. 133 00:06:43,528 --> 00:06:45,364 Okay now it's up and running. 134 00:06:45,791 --> 00:06:47,758 Let's go back to Cloudflared profile. 
135 00:06:47,758 --> 00:06:50,965 Now we need to wait until we get uh 136 00:06:50,965 --> 00:06:52,852 something here in connectors. 137 00:06:53,217 --> 00:06:54,585 It will automatically search. 138 00:06:54,585 --> 00:06:56,029 Alright here we go 139 00:06:56,029 --> 00:06:57,169 It's connected. 140 00:06:57,169 --> 00:06:58,866 So now we can continue. 141 00:06:58,922 --> 00:07:00,107 Next 142 00:07:01,672 --> 00:07:05,704 Now we're ready to add our first service. 143 00:07:06,627 --> 00:07:09,269 Let's start by adding TrueNAS itself. 144 00:07:09,309 --> 00:07:11,873 So let's just copy the IP 145 00:07:15,334 --> 00:07:17,046 Then we choose the subdomain 146 00:07:17,440 --> 00:07:18,047 TrueNAS 147 00:07:18,485 --> 00:07:19,548 and choose the domain 148 00:07:20,894 --> 00:07:22,920 then we choose HTTP 149 00:07:24,338 --> 00:07:25,860 and then the IP 150 00:07:26,715 --> 00:07:30,052 There is nothing specific to add there. 151 00:07:30,448 --> 00:07:31,116 That's save. 152 00:07:33,201 --> 00:07:35,850 To test this I'm going to disconnect from the VPN 153 00:07:36,267 --> 00:07:40,501 Because I'm not at home I'm connected to my home VPN. 154 00:07:40,811 --> 00:07:42,679 So I'm just going to deactivate it 155 00:07:42,679 --> 00:07:43,805 and try this. 156 00:07:44,952 --> 00:07:50,706 To show that likely if I try to go to the same IP 157 00:07:52,710 --> 00:07:54,065 It's not going to work, 158 00:07:54,176 --> 00:07:56,264 because I disconnected from the VPN. 159 00:07:56,870 --> 00:07:58,017 And if I try 160 00:07:58,642 --> 00:07:59,685 a domain, 161 00:08:00,206 --> 00:08:01,164 new domain. 162 00:08:04,502 --> 00:08:05,315 It works. 163 00:08:05,608 --> 00:08:06,356 So now 164 00:08:09,027 --> 00:08:10,915 TrueNAS is accessible 165 00:08:11,201 --> 00:08:12,140 from the outside. 166 00:08:12,518 --> 00:08:15,155 But this is not recommended of course. 
167 00:08:15,155 --> 00:08:17,073 If you want to expose something 168 00:08:17,073 --> 00:08:18,978 just expose the apps individually 169 00:08:19,018 --> 00:08:21,253 don't expose the whole thing. 170 00:08:21,589 --> 00:08:22,583 so 171 00:08:23,500 --> 00:08:25,358 So now I'm just going to delete it 172 00:08:25,714 --> 00:08:28,507 and then I'm gonna add something else. 173 00:08:33,865 --> 00:08:36,474 Okay now I want to add another service. 174 00:08:36,785 --> 00:08:37,975 Maybe, Proxmox 175 00:08:39,894 --> 00:08:42,144 Let's go to add the public hostname 176 00:08:42,835 --> 00:08:43,606 Proxmox 177 00:08:44,482 --> 00:08:45,212 same thing 178 00:08:47,818 --> 00:08:50,174 here we're going to choose HTTPS instead of HTTP 179 00:08:50,821 --> 00:08:52,843 and then the IP 180 00:08:54,429 --> 00:08:58,039 as well as the port which is 8... 181 00:08:58,515 --> 00:09:00,068 8006 182 00:09:03,950 --> 00:09:07,454 and then we go to Additional Settings > TLS 183 00:09:08,017 --> 00:09:10,750 and we enable No TLS verify. 184 00:09:11,123 --> 00:09:12,354 It will not check certificates. 185 00:09:13,023 --> 00:09:13,899 Now let's save. 186 00:09:15,920 --> 00:09:18,130 Let's try again now. 187 00:09:25,117 --> 00:09:26,389 Nice! Now it works. 188 00:09:32,916 --> 00:09:34,980 And we'll disconnect the VPN 189 00:09:35,607 --> 00:09:36,399 and refresh 190 00:09:36,921 --> 00:09:38,129 and it still works. 191 00:09:39,255 --> 00:09:41,490 Okay now before we're finishing the video 192 00:09:41,816 --> 00:09:42,902 let's do 193 00:09:42,902 --> 00:09:44,766 one last service which is 194 00:09:44,766 --> 00:09:46,057 Paperless. 
195 00:09:46,365 --> 00:09:49,885 Since we already covered this in a previous video, 196 00:09:50,260 --> 00:09:52,158 we're going to see how to expose this 197 00:09:52,469 --> 00:09:54,578 Why did I choose Paperless because 198 00:09:54,828 --> 00:09:56,203 it's a bit tricky to set up 199 00:09:56,620 --> 00:09:58,458 it's not as simple as 200 00:09:58,785 --> 00:10:00,415 adding the hostname. 201 00:10:01,103 --> 00:10:04,293 So, let's see first we just add the hostname of course 202 00:10:06,756 --> 00:10:08,402 same thing as always, 203 00:10:09,528 --> 00:10:13,338 HTTPS, and then we take the URL 204 00:10:16,860 --> 00:10:19,056 which is IP and Port 205 00:10:24,856 --> 00:10:27,568 It chooses HTTP not HTTPS 206 00:10:29,048 --> 00:10:30,175 Service name 207 00:10:31,196 --> 00:10:34,324 So first it's gonna work normally 208 00:10:34,930 --> 00:10:36,578 if I try to access. 209 00:10:39,852 --> 00:10:40,893 Alright 210 00:10:41,580 --> 00:10:44,247 Uh, but the problem is when you 211 00:10:44,259 --> 00:10:45,300 try to login 212 00:10:49,212 --> 00:10:50,421 You get this 213 00:10:50,553 --> 00:10:52,615 error. CSRF verification failed. 214 00:10:52,949 --> 00:10:53,775 Why? 215 00:10:54,058 --> 00:10:55,701 We need to change some settings 216 00:10:55,829 --> 00:10:57,958 to make it accessible. 217 00:10:58,332 --> 00:11:01,545 According to the documentation 218 00:11:02,192 --> 00:11:05,923 we need to set this environment variable (PAPERLESS_URL) 219 00:11:06,488 --> 00:11:10,574 uh and uh, set it to the domain name 220 00:11:10,907 --> 00:11:12,410 we used in Cloudflare. 
221 00:11:12,680 --> 00:11:14,308 So let's do that 222 00:11:15,322 --> 00:11:18,329 go to Paperless > Edit 223 00:11:20,053 --> 00:11:24,999 and let's just add it as an environment variable here 224 00:11:25,912 --> 00:11:28,350 PAPERLESS_URL 225 00:11:28,682 --> 00:11:32,021 set it to paperless.yourdomain 226 00:11:36,024 --> 00:11:40,028 make sure to add HTTPS to the beginning 227 00:11:42,450 --> 00:11:43,534 and that's it. 228 00:11:43,534 --> 00:11:44,520 Update. 229 00:11:48,088 --> 00:11:51,235 In case you got stuck in deploying 230 00:11:51,485 --> 00:11:53,301 which was the case for me 231 00:11:53,717 --> 00:11:56,262 I'm not sure why but the container Paperless 232 00:11:56,824 --> 00:11:59,640 just stuck like this for a long time 233 00:12:00,035 --> 00:12:03,664 So what I did is stop this instance 234 00:12:04,103 --> 00:12:05,936 and create another instance 235 00:12:06,480 --> 00:12:10,631 using the already created datasets. 236 00:12:11,171 --> 00:12:13,559 So you're not going to lose anything 237 00:12:13,583 --> 00:12:15,324 of your files. 238 00:12:16,831 --> 00:12:18,917 So let's start another instance 239 00:12:20,502 --> 00:12:23,046 Let's call it paperless-cloudflare. 240 00:12:26,132 --> 00:12:29,177 We can change password if you want. 241 00:12:32,283 --> 00:12:34,725 By the way you can choose any secret key 242 00:12:34,747 --> 00:12:36,345 you want. Just want some random stuff 243 00:12:36,345 --> 00:12:38,002 You don't need to remember it. 244 00:12:42,545 --> 00:12:44,903 Okay, add an email 245 00:12:45,422 --> 00:12:47,278 just a fake email. 246 00:12:50,804 --> 00:12:51,806 Password. 
247 00:13:02,233 --> 00:13:05,715 Now we add again environment variable 248 00:13:06,340 --> 00:13:08,196 PAPERLESS_URL 249 00:13:09,049 --> 00:13:10,343 HTTPS 250 00:13:10,844 --> 00:13:11,637 paperless… 251 00:13:12,410 --> 00:13:13,075 dot 252 00:13:14,681 --> 00:13:16,079 your domain 253 00:13:20,937 --> 00:13:24,024 and then we add the other host path 254 00:13:27,737 --> 00:13:30,052 Paperless this is the data. 255 00:13:30,740 --> 00:13:31,678 let's copy this 256 00:13:33,452 --> 00:13:35,307 And now Media 257 00:13:39,687 --> 00:13:41,584 and then Consume 258 00:13:50,411 --> 00:13:51,516 and Trash 259 00:13:57,752 --> 00:13:59,400 this is PostScript 260 00:14:06,113 --> 00:14:09,076 Make sure to check "Automatic Permissions". 261 00:14:12,954 --> 00:14:14,309 Then we hit install. 262 00:14:18,405 --> 00:14:19,916 Let's wait [a] little bit. 263 00:14:19,916 --> 00:14:22,606 It works but it takes some time. 264 00:14:24,816 --> 00:14:26,359 Okay now it's running. 265 00:14:27,339 --> 00:14:28,362 Let's start it. 266 00:14:31,179 --> 00:14:32,970 First let's get the IP 267 00:14:33,409 --> 00:14:36,037 I mean let's get the port-- IP is the same. 268 00:14:36,952 --> 00:14:38,204 Go back to Cloudflare 269 00:14:38,977 --> 00:14:39,810 Hit it 270 00:14:41,499 --> 00:14:44,189 Going to put the new port 271 00:14:45,338 --> 00:14:46,317 Save 272 00:14:49,821 --> 00:14:51,177 Let's try now 273 00:14:55,431 --> 00:14:57,703 Okay, now new password 274 00:15:03,418 --> 00:15:05,463 And now it works. We don't got the error 275 00:15:05,463 --> 00:15:06,757 the previous error. 276 00:15:07,837 --> 00:15:10,428 And as you can see we still have the [same] documents 277 00:15:10,428 --> 00:15:14,435 as before we didn't lose anything. 278 00:15:15,291 --> 00:15:17,458 We still got all our documents. 
279 00:15:22,402 --> 00:15:23,485 Open them 280 00:15:26,510 --> 00:15:28,448 And uh, everything works fine 281 00:15:32,620 --> 00:15:33,161 That's it 282 00:15:33,580 --> 00:15:35,331 Basically this is how to 283 00:15:35,600 --> 00:15:39,064 expose your services on the cloud 284 00:15:42,796 --> 00:15:43,570 To recap: 285 00:15:43,825 --> 00:15:46,099 When you want to expose your app, 286 00:15:46,099 --> 00:15:47,316 this is how it works. 287 00:15:47,316 --> 00:15:49,219 We don't access the app directly 288 00:15:49,411 --> 00:15:53,217 but rather you access the cloud server 289 00:15:53,564 --> 00:15:56,666 cloudflare server. Cloudflare will make exchanges 290 00:15:56,862 --> 00:15:58,247 with your 291 00:15:58,247 --> 00:16:00,140 LAN network through Cloudflare 292 00:16:00,424 --> 00:16:01,231 and then 293 00:16:01,541 --> 00:16:04,168 It will give access to your app. 294 00:16:04,529 --> 00:16:06,031 This way you don't 295 00:16:06,175 --> 00:16:07,615 access your app directly 296 00:16:07,615 --> 00:16:09,041 which means you don't expose your 297 00:16:09,041 --> 00:16:11,230 IP and you don't go through the NAT 298 00:16:11,472 --> 00:16:13,035 you don't need to open a port 299 00:16:13,035 --> 00:16:15,935 but be careful if your habit is insecure 300 00:16:15,935 --> 00:16:18,769 and you get hacked. You directly expose 301 00:16:18,769 --> 00:16:19,956 all of your homelab 302 00:16:19,956 --> 00:16:22,032 It doesn't matter if you use Cloudflare 303 00:16:22,032 --> 00:16:22,692 or not 304 00:16:22,854 --> 00:16:24,748 Like and Share if you made it this far 305 00:16:25,059 --> 00:16:26,393 See you in the next video