-
Hi everyone, welcome back
-
So today we're going to try
something a little bit different.
-
We're gonna start a new video series
-
about all the different ways to
expose or access our homelab
-
from the internet.
-
The reason is mainly because
there's tons of options out there,
-
and I feel like it's not talked about enough
on YouTube.
-
Especially the security part
which is most important.
-
Almost everyone just assumes it's secure,
which isn't always the case,
-
so make sure to hit the Like button,
Subscribe and Share
-
and let's get started.
-
Okay so how to do it,
-
to expose our homelab
there are five main ways
-
1. Secure Tunnels like Cloudflare
-
2. Reverse proxies like Nginx
-
3. Traditional VPNs like Wireguard
or OpenVPN protocols
-
4. Mesh VPNs like ZeroTier and Tailscale
-
and lastly 5. the old classic
port forwarding or NAT
-
So let's break down each one of them
quickly to understand the differences.
-
First secure tunnels like Cloudflare.
-
This is often defined as secure tunnels to
access your app without exposing your IP
-
making remote access easy.
-
It's also fairly easy to set up,
-
however, by default it's
not secured enough
-
and solely [relies] on your app security
-
but this can be improved.
-
We'll cover this later in another video.
-
Next, reverse proxies
like nginx.
-
It's a server that sits in the middle
and forwards requests to your homelab
-
helping you manage multiple
services under one domain.
-
While adding another layer of protection,
-
you will have more control over
your services and how to
-
contr-
manage them.
-
However, it exposes your IP and you must
open a port on your router to access it.
-
Next, traditional VPNs like Wireguard
or OpenVPN.
-
It creates an encrypted tunnel between
your device and your homelab
-
making it feel like you are on
the same local network.
-
It's good for privacy and security
-
but only useful when you are
the only user because
-
it's impossible to share access
without sharing your private key
-
to other users.
-
Next, mesh VPNs
like ZeroTier or Tailscale.
-
This is similar to normal VPNs except it
connects devices between each other
-
instead of connecting them
to a central server.
-
It has more control over normal VPNs in
the way that you can choose which
-
devices to share
but you must manually join the network
-
each time for each device
you want to give access to.
-
Finally, NAT: this is a classic way of
opening specific ports on your router
-
to expose your homelab.
-
It's simple but it also carries high
security risk if you rely on it alone.
-
Keep in mind NAT often gets used with
other methods like previously shown,
-
but going purely [on its own] port
forwarding is a no-go for secure setups.
-
Now, you may be wondering,
-
what's the most secure setup
to expose your home lab?
-
Actually, [it] depends on your apps
and what you want to do.
-
In my opinion, it's not about
which method you use
-
but more about how you combine
between them.
-
The best setup is to mix them
and make them work all together
-
to have the perfect setup.
-
Okay so first let's go to cloudflare.com
-
Go to "Sign Up"
-
and free at the website.
-
And let's create a new account now.
-
After that if you already have [a]
domain [previously purchased]
-
enter it here or for me I'm just
going to create a new domain.
-
For some reason I got an error
when trying to pay
-
So I'm just going to import an existing
domain. Just going to type it here.
-
Okay, so then go down
-
and choose the free package.
-
Next click on continue to activation.
-
Confirm. Next we need to
do some modifications
-
We need to modify
the current name servers
-
with Cloudflare nameservers
-
to allow Cloudflare to control the domain.
-
To do that,
-
we go to the domain provider
in my case it's NameCheap.
-
So in my case I'm gonna do
custom DNS and then I copy....
-
the nameservers
-
and then I save.
-
It tells you that it can take
up to 48 hours
-
But it's not true; it [can take] just a
few seconds or a few minutes max
-
But, just in case
-
If it takes a long time to update
-
Uh, this is normal so
just wait
-
There is no other choice
-
Okay, so after a while,
-
We get this page this means
everything is good
-
Now we go to access page
-
and then Launch Zero Trust.
-
We choose our account
-
Next you go to access
-
Next we choose teamname
-
Just anything
-
Then we choose the free package of course
-
There is zero payment
-
Next we go to Networks
-
Tunnels
-
And we add a tunnel
-
We choose this one Cloudflared
-
We name our Tunnel
Homelab uh test
-
Next it will ask you to choose
your environment
-
In this case you just uh
You just choose docker
-
and then we just copy the command
-
because we just need the token.
We don't need to run anything docker
-
Then we go back to TrueNAS
-
and we install
-
the Cloudflared app.
-
This one
-
And here we['ve] got [to just]
paste what we had
-
and we just keep.
-
Remove everything, we just keep the token.
-
So anything before this goes.
-
That's it.
-
We don't need to set up anything else.
-
Even storage, it's not necessary.
-
And we install.
-
Okay now it's up and running.
-
Let's go back to Cloudflared profile.
-
Now we need to wait until we get uh
something here in connectors.
-
It will automatically search.
-
Alright here we go
-
It's connected.
So now we can continue.
-
Next
-
Now we're ready to add our first service.
-
Let's start by adding TrueNAS itself.
-
So let's just copy the IP
-
Then we choose the subdomain
-
TrueNAS
-
and choose the domain
-
then we choose HTTP
-
and then the IP
-
There is nothing specific to add there.
-
That's save.
-
To test this I'm going to disconnect
from the VPN
-
Because I'm not at home I'm
connected to my home VPN.
-
So I'm just going to deactivate it
and try this.
-
To show that likely if I try to go
to the same IP
-
It's not going to work,
because I disconnected from the VPN.
-
And if I try
-
a domain,
-
new domain.
-
It works.
-
So now
-
TrueNAS is accessible
-
from the outside.
-
But this is not recommended of course.
-
If you want to expose something
just expose the apps individually
-
don't expose the whole thing.
-
so
-
So now I'm just going to delete it
-
and then I'm gonna add something else.
-
Okay now I want to add another service.
-
Maybe, Proxmox
-
Let's go to add the public hostname
-
Proxmox
-
same thing
-
here we're going to choose HTTPS
instead of HTTP
-
and then the IP
-
as well as the port which is 8...
-
8006
-
and then we go to
Additional Settings > TLS
-
and we enable No TLS verify.
-
It will not check certificates.
-
Okay, now let's save.
-
Let's try again now.
-
Nice! Now it works.
-
And we'll disconnect the VPN
-
and refresh
-
and it still works.
-
Okay now before we're finishing the video
-
let's do one last service
which is Paperless.
-
Since we already covered this
in a previous video,
-
we're going to see how to expose this
-
Why did I choose Paperless? Because
it's a bit tricky to set up
-
it's not as simple as
-
adding the hostname.
-
So, let's see first we just add the
hostname of course
-
same thing as always,
-
HTTPS, and then we take the URL
-
which is IP and Port
-
It chooses HTTP not HTTPS
-
Service name
-
So first it's gonna work normally
-
If I try to access.
-
Alright
-
Uh, but the problem is when you
try to login
-
You get this error.
CSRF verification failed.
-
Why?
-
We need to change some settings
to make it accessible.
-
According to the documentation,
-
we need to set this environment
variable (PAPERLESS_URL)
-
uh and uh, set it to the domain name
-
we used in Cloudflare.
-
So let's do that
-
go to Paperless > Edit
-
and let's just add it as an
environment variable here
-
PAPERLESS_URL
-
set it to paperless.yourdomain
-
make sure to add HTTPS to the beginning
-
and that's it.
Update.
-
In case you got stuck in deploying
-
which was the case for me
-
I'm not sure why but the
container Paperless
-
just stuck like this for a long time
-
So what I did is stop this instance
-
and create another instance
-
using the already created datasets.
-
So you're not going to lose anything
of your files.
-
So let's start another instance
-
Let's call it paperless-cloudflare.
-
We can change password if you want.
-
By the way you can choose any secret
key you want. Just want some random stuff
-
You don't need to remember it.
-
Okay, add an email
-
just a fake email.
-
Password.
-
Now we add again environment variable
-
PAPERLESS_URL
-
HTTPS
-
paperless…
-
dot
-
your domain
-
and then we add the other host path
-
Paperless this is the data.
-
let's copy this
-
And now Media
-
and then Consume
-
and Trash
-
this is PostScript
-
Make sure to check
"Automatic Permissions".
-
Then we hit install.
-
Let's wait [a] little bit.
It works but it takes some time.
-
Okay now it's running.
-
Let's start it.
-
First let's get the IP
-
I mean let's get the port--
IP is the same.
-
Go back to cloudflare
-
Hit it
-
Going to put the new port
-
Save
-
Let's try now
-
Okay, now new password
-
And now it works. We don't got
the error, the previous error.
-
And as you can see we still have the [same] documents as
-
before; we didn't lose anything.
-
We still got all our documents.
-
Open them
-
And uh, everything works fine
-
That's it
-
Basically this is how to
-
expose your services on the cloud
-
To recap:
-
When you want to expose your app,
this is how it works.
-
We don't access the app directly
but rather you access the cloud server
-
cloudflare server. Cloudflare will
make exchanges
-
with your LAN network through Cloudflare
-
and then
-
It will give access to your app.
-
This way you don't access your app
directly which means you don't expose your
-
IP and you don't go through the NAT
-
you don't need to open a port
-
but be careful: if your app is insecure
and you get hacked,
-
you directly expose all of your homelab.
-
It doesn't matter if you use
Cloudflare or not
-
Like and Share if you made it this far.
See you in the next video