1
99:59:59,999 --> 99:59:59,999
Hi everyone, welcome back

2
99:59:59,999 --> 99:59:59,999
So today we're going to try something a little bit different.

3
99:59:59,999 --> 99:59:59,999
We're gonna start a new video series

4
99:59:59,999 --> 99:59:59,999
about all the different ways to expose or access our homelab

5
99:59:59,999 --> 99:59:59,999
from the internet.

6
99:59:59,999 --> 99:59:59,999
The reason is mainly because there's tons of options out there,

7
99:59:59,999 --> 99:59:59,999
and I feel like it's not talked about enough on YouTube.

8
99:59:59,999 --> 99:59:59,999
Especially the security part

9
99:59:59,999 --> 99:59:59,999
which is most important.

10
99:59:59,999 --> 99:59:59,999
Almost everyone just assumes it's secure, which isn't always the case,

11
99:59:59,999 --> 99:59:59,999
so make sure to hit the Like button

12
99:59:59,999 --> 99:59:59,999
Subscribe and Share

13
99:59:59,999 --> 99:59:59,999
and let's get started.

14
99:59:59,999 --> 99:59:59,999
Okay so how to do it,

15
99:59:59,999 --> 99:59:59,999
to expose our homelab there are five main ways

16
99:59:59,999 --> 99:59:59,999
1. Secure Tunnels like Cloudflare

17
99:59:59,999 --> 99:59:59,999
2. Reverse proxies like Nginx

18
99:59:59,999 --> 99:59:59,999
3. Traditional VPNs like WireGuard or OpenVPN protocols

19
99:59:59,999 --> 99:59:59,999
4. Mesh VPNs like ZeroTier and Tailscale

20
99:59:59,999 --> 99:59:59,999
and lastly 5. the old classic port forwarding or NAT

21
99:59:59,999 --> 99:59:59,999
So let's break down each one of them quickly to understand the differences.

22
99:59:59,999 --> 99:59:59,999
First secure tunnels like Cloudflare.

23
99:59:59,999 --> 99:59:59,999
This is often defined as secure tunnels to access your app without exposing your IP

24
99:59:59,999 --> 99:59:59,999
making remote access easy.
25
99:59:59,999 --> 99:59:59,999
It's also fairly easy to set up,

26
99:59:59,999 --> 99:59:59,999
however, by default it's not secured enough

27
99:59:59,999 --> 99:59:59,999
and solely [relies] on your app security

28
99:59:59,999 --> 99:59:59,999
but this can be improved.

29
99:59:59,999 --> 99:59:59,999
We'll cover this later in another video.

30
99:59:59,999 --> 99:59:59,999
Next, reverse proxies

31
99:59:59,999 --> 99:59:59,999
like nginx.

32
99:59:59,999 --> 99:59:59,999
It's a server that sits in the middle and forwards requests to your homelab

33
99:59:59,999 --> 99:59:59,999
helping you manage multiple services under one domain.

34
99:59:59,999 --> 99:59:59,999
While adding another layer of protection,

35
99:59:59,999 --> 99:59:59,999
you will have more control over your services

36
99:59:59,999 --> 99:59:59,999
and how to contr- manage them.

37
99:59:59,999 --> 99:59:59,999
However, it exposes your IP and you must open a port on your router to access it.

38
99:59:59,999 --> 99:59:59,999
Next, traditional VPNs like WireGuard or OpenVPN.

39
99:59:59,999 --> 99:59:59,999
It creates an encrypted tunnel between your device and

40
99:59:59,999 --> 99:59:59,999
your homelab

41
99:59:59,999 --> 99:59:59,999
making it feel like you are on the same local network.

42
99:59:59,999 --> 99:59:59,999
It's good for privacy and security

43
99:59:59,999 --> 99:59:59,999
but only useful when you are the only user because

44
99:59:59,999 --> 99:59:59,999
it's impossible to share access without sharing your private key

45
99:59:59,999 --> 99:59:59,999
to other users.

46
99:59:59,999 --> 99:59:59,999
Next, mesh VPNs

47
99:59:59,999 --> 99:59:59,999
like ZeroTier or Tailscale

48
99:59:59,999 --> 99:59:59,999
this is similar to normal VPNs except it connects devices between each other

49
99:59:59,999 --> 99:59:59,999
instead of connecting them to a central server.
50
99:59:59,999 --> 99:59:59,999
It has more control over normal VPNs in the way that you can choose which devices to share

51
99:59:59,999 --> 99:59:59,999
but you must manually join the network

52
99:59:59,999 --> 99:59:59,999
each time for each device you want to give access to.

53
99:59:59,999 --> 99:59:59,999
Finally NAT this is a classic way of opening specific ports on your router

54
99:59:59,999 --> 99:59:59,999
to expose your homelab.

55
99:59:59,999 --> 99:59:59,999
It's simple but it also carries high security risk if you rely on it alone.

56
99:59:59,999 --> 99:59:59,999
Keep in mind NAT often gets used with other

57
99:59:59,999 --> 99:59:59,999
methods like previously shown,

58
99:59:59,999 --> 99:59:59,999
but going purely [on its own] port forwarding is a no-go for secure setups.

59
99:59:59,999 --> 99:59:59,999
Now, you may be wondering,

60
99:59:59,999 --> 99:59:59,999
what's the most secure setup

61
99:59:59,999 --> 99:59:59,999
to expose your home lab?

62
99:59:59,999 --> 99:59:59,999
Actually, [it] depends on your apps and what you want to do.

63
99:59:59,999 --> 99:59:59,999
In my opinion, it's not about which method you use

64
99:59:59,999 --> 99:59:59,999
but more about how you combine between them.

65
99:59:59,999 --> 99:59:59,999
The best setup is to mix them and make them work all together

66
99:59:59,999 --> 99:59:59,999
to have the perfect setup.

67
99:59:59,999 --> 99:59:59,999
Okay so first let's go to cloudflare.com

68
99:59:59,999 --> 99:59:59,999
Go to "Sign Up"

69
99:59:59,999 --> 99:59:59,999
and free at the website.

70
99:59:59,999 --> 99:59:59,999
And let's create a new account now.

71
99:59:59,999 --> 99:59:59,999
After that if you already have [a] domain [previously purchased]

72
99:59:59,999 --> 99:59:59,999
enter it here

73
99:59:59,999 --> 99:59:59,999
or for me I'm just going to create a new domain.
74
99:59:59,999 --> 99:59:59,999
For some reason I got an error

75
99:59:59,999 --> 99:59:59,999
when trying to pay

76
99:59:59,999 --> 99:59:59,999
So I'm just going to import an existing domain

77
99:59:59,999 --> 99:59:59,999
Just going to type it here.

78
99:59:59,999 --> 99:59:59,999
Okay, so then go down

79
99:59:59,999 --> 99:59:59,999
and choose the free package.

80
99:59:59,999 --> 99:59:59,999
Next click on continue to activation.

81
99:59:59,999 --> 99:59:59,999
Confirm. Next we need to do some modifications

82
99:59:59,999 --> 99:59:59,999
We need to modify the current name servers

83
99:59:59,999 --> 99:59:59,999
with Cloudflare nameservers

84
99:59:59,999 --> 99:59:59,999
to allow Cloudflare to control the domain.

85
99:59:59,999 --> 99:59:59,999
To do that,

86
99:59:59,999 --> 99:59:59,999
we go to the domain provider

87
99:59:59,999 --> 99:59:59,999
in my case it's Namecheap.

88
99:59:59,999 --> 99:59:59,999
So in my case

89
99:59:59,999 --> 99:59:59,999
I'm gonna do custom DNS

90
99:59:59,999 --> 99:59:59,999
and then I copy....

91
99:59:59,999 --> 99:59:59,999
the nameservers

92
99:59:59,999 --> 99:59:59,999
and then I save.

93
99:59:59,999 --> 99:59:59,999
It tells you that it can take up to 48 hours

94
99:59:59,999 --> 99:59:59,999
But it's not true it [can take] just a few seconds

95
99:59:59,999 --> 99:59:59,999
or a few minutes max

96
99:59:59,999 --> 99:59:59,999
But, just in case

97
99:59:59,999 --> 99:59:59,999
If it takes a long time to update

98
99:59:59,999 --> 99:59:59,999
Uh, this is normal so

99
99:59:59,999 --> 99:59:59,999
just wait

100
99:59:59,999 --> 99:59:59,999
There is no other choice

101
99:59:59,999 --> 99:59:59,999
Okay, so after a while,

102
99:59:59,999 --> 99:59:59,999
We get this page this means everything is good

103
99:59:59,999 --> 99:59:59,999
Now we go to access page

104
99:59:59,999 --> 99:59:59,999
and then NetZero Trust.
105
99:59:59,999 --> 99:59:59,999
We choose our account

106
99:59:59,999 --> 99:59:59,999
Next you go to access

107
99:59:59,999 --> 99:59:59,999
Next we choose teamname

108
99:59:59,999 --> 99:59:59,999
Just anything

109
99:59:59,999 --> 99:59:59,999
Then we choose the free package of course

110
99:59:59,999 --> 99:59:59,999
There is zero payment

111
99:59:59,999 --> 99:59:59,999
Next we go to Networks

112
99:59:59,999 --> 99:59:59,999
Tunnels

113
99:59:59,999 --> 99:59:59,999
And we add a tunnel

114
99:59:59,999 --> 99:59:59,999
We choose this one Cloudflared

115
99:59:59,999 --> 99:59:59,999
We name our Tunnel

116
99:59:59,999 --> 99:59:59,999
Homelab uh test

117
99:59:59,999 --> 99:59:59,999
Next it will ask you to choose your environment

118
99:59:59,999 --> 99:59:59,999
In this case you just uh

119
99:59:59,999 --> 99:59:59,999
You just choose Docker

120
99:59:59,999 --> 99:59:59,999
and then we just copy the command

121
99:59:59,999 --> 99:59:59,999
because we just need the token.

122
99:59:59,999 --> 99:59:59,999
We don't need to run anything Docker

123
99:59:59,999 --> 99:59:59,999
Then we go back to TrueNAS

124
99:59:59,999 --> 99:59:59,999
and we install

125
99:59:59,999 --> 99:59:59,999
the Cloudflared app.

126
99:59:59,999 --> 99:59:59,999
This one

127
99:59:59,999 --> 99:59:59,999
And here we['ve] got [to just] paste what we had

128
99:59:59,999 --> 99:59:59,999
and we just keep.

129
99:59:59,999 --> 99:59:59,999
Remove everything, we just keep the token.

130
99:59:59,999 --> 99:59:59,999
So anything before this goes.

131
99:59:59,999 --> 99:59:59,999
That's it.

132
99:59:59,999 --> 99:59:59,999
We don't need to set up anything else.

133
99:59:59,999 --> 99:59:59,999
Even storage, it's not necessary.

134
99:59:59,999 --> 99:59:59,999
And we install.

135
99:59:59,999 --> 99:59:59,999
Okay now it's up and running.

136
99:59:59,999 --> 99:59:59,999
Let's go back to Cloudflared profile.
137
99:59:59,999 --> 99:59:59,999
Now we need to wait until we get uh

138
99:59:59,999 --> 99:59:59,999
something here in connectors.

139
99:59:59,999 --> 99:59:59,999
It will automatically search.

140
99:59:59,999 --> 99:59:59,999
Alright here we go

141
99:59:59,999 --> 99:59:59,999
It's connected.

142
99:59:59,999 --> 99:59:59,999
So now we can continue.

143
99:59:59,999 --> 99:59:59,999
Next

144
99:59:59,999 --> 99:59:59,999
Now we're ready to add our first service.

145
99:59:59,999 --> 99:59:59,999
Let's start by adding TrueNAS itself.

146
99:59:59,999 --> 99:59:59,999
So let's just copy the IP

147
99:59:59,999 --> 99:59:59,999
Then we choose the subdomain

148
99:59:59,999 --> 99:59:59,999
TrueNAS

149
99:59:59,999 --> 99:59:59,999
and choose the domain

150
99:59:59,999 --> 99:59:59,999
then we choose HTTP

151
99:59:59,999 --> 99:59:59,999
and then the IP

152
99:59:59,999 --> 99:59:59,999
There is nothing specific to add there.

153
99:59:59,999 --> 99:59:59,999
Let's save.

154
99:59:59,999 --> 99:59:59,999
To test this I'm going to disconnect from the VPN

155
99:59:59,999 --> 99:59:59,999
Because I'm not at home I'm connected to my home VPN.

156
99:59:59,999 --> 99:59:59,999
So I'm just going to deactivate it

157
99:59:59,999 --> 99:59:59,999
and try this.

158
99:59:59,999 --> 99:59:59,999
To show that likely if I try to go to the same IP

159
99:59:59,999 --> 99:59:59,999
It's not going to work,

160
99:59:59,999 --> 99:59:59,999
because I disconnected from the VPN.

161
99:59:59,999 --> 99:59:59,999
And if I try

162
99:59:59,999 --> 99:59:59,999
a domain,

163
99:59:59,999 --> 99:59:59,999
new domain.

164
99:59:59,999 --> 99:59:59,999
It works.

165
99:59:59,999 --> 99:59:59,999
So now

166
99:59:59,999 --> 99:59:59,999
TrueNAS is accessible

167
99:59:59,999 --> 99:59:59,999
from the outside.

168
99:59:59,999 --> 99:59:59,999
But this is not recommended of course.
169
99:59:59,999 --> 99:59:59,999
If you want to expose something

170
99:59:59,999 --> 99:59:59,999
just expose the apps individually

171
99:59:59,999 --> 99:59:59,999
don't expose the whole thing.

172
99:59:59,999 --> 99:59:59,999
so

173
99:59:59,999 --> 99:59:59,999
So now I'm just going to delete it

174
99:59:59,999 --> 99:59:59,999
and then I'm gonna add something else.

175
99:59:59,999 --> 99:59:59,999
Okay now I want to add another service.

176
99:59:59,999 --> 99:59:59,999
Maybe, Proxmox

177
99:59:59,999 --> 99:59:59,999
Let's go to add the public hostname

178
99:59:59,999 --> 99:59:59,999
Proxmox

179
99:59:59,999 --> 99:59:59,999
same thing

180
99:59:59,999 --> 99:59:59,999
here we're going to choose HTTPS instead of HTTP

181
99:59:59,999 --> 99:59:59,999
and then the IP

182
99:59:59,999 --> 99:59:59,999
as well as the port which is 8...

183
99:59:59,999 --> 99:59:59,999
8006

184
99:59:59,999 --> 99:59:59,999
and then we go to Additional Settings > TLS

185
99:59:59,999 --> 99:59:59,999
and we enable No TLS verify.

186
99:59:59,999 --> 99:59:59,999
It will not check certificates.

187
99:59:59,999 --> 99:59:59,999
Now let's save.

188
99:59:59,999 --> 99:59:59,999
Let's try again now.

189
99:59:59,999 --> 99:59:59,999
Nice! Now it works.

190
99:59:59,999 --> 99:59:59,999
And we'll disconnect the VPN

191
99:59:59,999 --> 99:59:59,999
and refresh

192
99:59:59,999 --> 99:59:59,999
and it still works.

193
99:59:59,999 --> 99:59:59,999
Okay now before we're finishing the video

194
99:59:59,999 --> 99:59:59,999
let's do

195
99:59:59,999 --> 99:59:59,999
one last service which is

196
99:59:59,999 --> 99:59:59,999
Paperless.
197
99:59:59,999 --> 99:59:59,999
Since we already covered this in a previous video,

198
99:59:59,999 --> 99:59:59,999
we're going to see how to expose this

199
99:59:59,999 --> 99:59:59,999
Why did I choose Paperless? Because

200
99:59:59,999 --> 99:59:59,999
it's a bit tricky to set up

201
99:59:59,999 --> 99:59:59,999
it's not as simple as

202
99:59:59,999 --> 99:59:59,999
adding the hostname.

203
99:59:59,999 --> 99:59:59,999
So, let's see first we just add the hostname of course

204
99:59:59,999 --> 99:59:59,999
same thing as always,

205
99:59:59,999 --> 99:59:59,999
HTTPS, and then we take the URL

206
99:59:59,999 --> 99:59:59,999
which is IP and Port

207
99:59:59,999 --> 99:59:59,999
It chooses HTTP not HTTPS

208
99:59:59,999 --> 99:59:59,999
Service name

209
99:59:59,999 --> 99:59:59,999
So first it's gonna work normally

210
99:59:59,999 --> 99:59:59,999
if I try to access.

211
99:59:59,999 --> 99:59:59,999
Alright

212
99:59:59,999 --> 99:59:59,999
Uh, but the problem is when you

213
99:59:59,999 --> 99:59:59,999
try to log in

214
99:59:59,999 --> 99:59:59,999
You get this

215
99:59:59,999 --> 99:59:59,999
error. CSRF verification failed.

216
99:59:59,999 --> 99:59:59,999
Why?

217
99:59:59,999 --> 99:59:59,999
We need to change some settings

218
99:59:59,999 --> 99:59:59,999
to make it accessible.

219
99:59:59,999 --> 99:59:59,999
According to the documentation

220
99:59:59,999 --> 99:59:59,999
we need to set this environment variable (PAPERLESS_URL)

221
99:59:59,999 --> 99:59:59,999
uh and uh, set it to the domain name

222
99:59:59,999 --> 99:59:59,999
we used in Cloudflare.
223
99:59:59,999 --> 99:59:59,999
So let's do that

224
99:59:59,999 --> 99:59:59,999
go to Paperless > Edit

225
99:59:59,999 --> 99:59:59,999
and let's just add it as an environment variable here

226
99:59:59,999 --> 99:59:59,999
PAPERLESS_URL

227
99:59:59,999 --> 99:59:59,999
set it to paperless.yourdomain

228
99:59:59,999 --> 99:59:59,999
make sure to add HTTPS to the beginning

229
99:59:59,999 --> 99:59:59,999
and that's it.

230
99:59:59,999 --> 99:59:59,999
Update.

231
99:59:59,999 --> 99:59:59,999
In case you got stuck in deploying

232
99:59:59,999 --> 99:59:59,999
which was the case for me

233
99:59:59,999 --> 99:59:59,999
I'm not sure why but the container Paperless

234
99:59:59,999 --> 99:59:59,999
just stuck like this for a long time

235
99:59:59,999 --> 99:59:59,999
So what I did is stop this instance

236
99:59:59,999 --> 99:59:59,999
and create another instance

237
99:59:59,999 --> 99:59:59,999
using the already created datasets.

238
99:59:59,999 --> 99:59:59,999
So you're not going to lose anything

239
99:59:59,999 --> 99:59:59,999
of your files.

240
99:59:59,999 --> 99:59:59,999
So let's start another instance

241
99:59:59,999 --> 99:59:59,999
Let's call it paperless-cloudflare.

242
99:59:59,999 --> 99:59:59,999
We can change password if you want.

243
99:59:59,999 --> 99:59:59,999
By the way you can choose any secret key

244
99:59:59,999 --> 99:59:59,999
you want. Just want some random stuff

245
99:59:59,999 --> 99:59:59,999
You don't need to remember it.

246
99:59:59,999 --> 99:59:59,999
Okay, add an email

247
99:59:59,999 --> 99:59:59,999
just a fake email.

248
99:59:59,999 --> 99:59:59,999
Password.
249
99:59:59,999 --> 99:59:59,999
Now we add again environment variable

250
99:59:59,999 --> 99:59:59,999
PAPERLESS_URL

251
99:59:59,999 --> 99:59:59,999
HTTPS

252
99:59:59,999 --> 99:59:59,999
paperless…

253
99:59:59,999 --> 99:59:59,999
dot

254
99:59:59,999 --> 99:59:59,999
your domain

255
99:59:59,999 --> 99:59:59,999
and then we add the other host path

256
99:59:59,999 --> 99:59:59,999
Paperless this is the data.

257
99:59:59,999 --> 99:59:59,999
let's copy this

258
99:59:59,999 --> 99:59:59,999
And now Media

259
99:59:59,999 --> 99:59:59,999
and then Consume

260
99:59:59,999 --> 99:59:59,999
and Trash

261
99:59:59,999 --> 99:59:59,999
this is PostScript

262
99:59:59,999 --> 99:59:59,999
Make sure to check "Automatic Permissions".

263
99:59:59,999 --> 99:59:59,999
Then we hit install.

264
99:59:59,999 --> 99:59:59,999
Let's wait [a] little bit.

265
99:59:59,999 --> 99:59:59,999
It works but it takes some time.

266
99:59:59,999 --> 99:59:59,999
Okay now it's running.

267
99:59:59,999 --> 99:59:59,999
Let's start it.

268
99:59:59,999 --> 99:59:59,999
First let's get the IP

269
99:59:59,999 --> 99:59:59,999
I mean let's get the port-- IP is the same.

270
99:59:59,999 --> 99:59:59,999
Go back to Cloudflare

271
99:59:59,999 --> 99:59:59,999
Hit it

272
99:59:59,999 --> 99:59:59,999
Going to put the new port

273
99:59:59,999 --> 99:59:59,999
Save

274
99:59:59,999 --> 99:59:59,999
Let's try now

275
99:59:59,999 --> 99:59:59,999
Okay, now new password

276
99:59:59,999 --> 99:59:59,999
And now it works. We don't get the error

277
99:59:59,999 --> 99:59:59,999
the previous error.

278
99:59:59,999 --> 99:59:59,999
And as you can see we still have the [same] documents

279
99:59:59,999 --> 99:59:59,999
as before we didn't lose anything.

280
99:59:59,999 --> 99:59:59,999
We still got all our documents.
281
99:59:59,999 --> 99:59:59,999
Open them

282
99:59:59,999 --> 99:59:59,999
And uh, everything works fine

283
99:59:59,999 --> 99:59:59,999
That's it

284
99:59:59,999 --> 99:59:59,999
Basically this is how to

285
99:59:59,999 --> 99:59:59,999
expose your services on the cloud

286
99:59:59,999 --> 99:59:59,999
To recap:

287
99:59:59,999 --> 99:59:59,999
When you want to expose your app,

288
99:59:59,999 --> 99:59:59,999
this is how it works.

289
99:59:59,999 --> 99:59:59,999
We don't access the app directly

290
99:59:59,999 --> 99:59:59,999
but rather you access the cloud server

291
99:59:59,999 --> 99:59:59,999
Cloudflare server. Cloudflare will make exchanges

292
99:59:59,999 --> 99:59:59,999
with your

293
99:59:59,999 --> 99:59:59,999
LAN network through Cloudflare

294
99:59:59,999 --> 99:59:59,999
and then

295
99:59:59,999 --> 99:59:59,999
It will give access to your app.

296
99:59:59,999 --> 99:59:59,999
This way you don't

297
99:59:59,999 --> 99:59:59,999
access your app directly

298
99:59:59,999 --> 99:59:59,999
which means you don't expose your

299
99:59:59,999 --> 99:59:59,999
IP and you don't go through the NAT

300
99:59:59,999 --> 99:59:59,999
you don't need to open a port

301
99:59:59,999 --> 99:59:59,999
but be careful if your app is insecure

302
99:59:59,999 --> 99:59:59,999
and you get hacked. You directly expose

303
99:59:59,999 --> 99:59:59,999
all of your homelab

304
99:59:59,999 --> 99:59:59,999
It doesn't matter if you use Cloudflare

305
99:59:59,999 --> 99:59:59,999
or not

306
99:59:59,999 --> 99:59:59,999
Like and Share if you made it this far

307
99:59:59,999 --> 99:59:59,999
See you in the next video