DataWinter

How to have external access to Local Applications in Homelab?


One of the main dilemmas and questions when starting in the world of self-hosting or homelab is: how do I access an application when I’m away from home? Or even: how do I grant access to family members so they can reach my Jellyfin?

There are several ways to achieve this access, but each method has its own difficulties, usability problems, and security challenges. After all, one of your concerns should be how to securely expose an application for external access, avoiding total exposure on the internet and being left "with your pants down."

In this article, I will address the main ways to allow remote access to your applications, as well as discuss crucial points that deserve your attention.

Risks and Precautions


When discussing data self-custody, the last thing you want is to expose your personal information to the internet. Facing issues like massive bot access and attempts to invade your application can be a nightmare, especially for those hosting open-source applications. It’s like leaving the door of your house wide open without worrying about who might enter.

Another point to consider is the quantity of data that might circulate through your network. For example, sharing access to Jellyfin with your family can significantly increase your upload traffic. This becomes an issue for those with bandwidth or speed limitations on their connection.

Fortunately, many of these challenges can be addressed through proper application configuration and implementing strategies such as CDN (Content Delivery Network) and caching. Even a partial opening of access to your network can be a viable solution. However, let's explore this in more detail later. First, it’s essential to present some of the tools and techniques you can use to achieve external access to applications in your homelab.

Techniques

Today, it’s possible to implement remote access in various ways. The choice of solution will depend on your specific needs. Here, I will suggest a few approaches that I utilize in my homelab, which have already helped me grant remote access to friends and family without headaches.

VPN

A VPN (Virtual Private Network) is a service that provides security and privacy by creating a tunnel between your device and a remote server. This practice is quite common, and many of us have seen ads for NordVPN while watching videos. However, when adapting this solution for a homelab, it’s crucial to remember that the setup can be quite manual and requires a remote server to make the connection.

While the VPN is one of the safest options — creating an end-to-end tunnel without the need for third parties or domains — the complexity of setup and the maintenance cost of a VPS can be discouraging. For me, dealing with a complicated setup while still having to pay a fee that may be low but accumulates over time makes the idea less attractive.

Personally, I’m more inclined to avoid using VPNs for external access to the homelab. I argue that this technology should mainly be used for protection when accessing your ISP’s network or, in more specific situations, against state organizations.

Reverse Proxy

Now, imagine you are in a building and need to deliver a letter. You go to the doorman and say you want to send the letter to apartment 301. The doorman knows exactly how to do that, but you don’t. The same applies to the Reverse Proxy.

This type of server acts as an intermediary, receiving and delivering all communications from services it knows. This way, it’s possible to redirect static file traffic to CDNs and lighten the load on the final server. The Reverse Proxy is a powerful option that offers many positives, such as caching, load balancing, and dynamic redirection. However, it’s always important to consider that each entry method may have its drawbacks.

For example, by using port forwarding, you expose your IP and server to anyone who knows the entry point, which could be your domain. Also, to set up a VPN, you need to acquire a domain subscription. The key is to seek the right balance based on your needs. I personally use Reverse Proxy for services that require high speed, like Jellyfin, where I’m constantly caching images on my proxy.

The tool I recommend for this is Nginx Proxy Manager, which offers a very user-friendly and practical interface.

Proxy Tunneling

Proxy Tunneling is somewhat similar to VPNs but differs by redirecting traffic through a gateway that maintains a constant connection with a server. Here, it should be noted that unlike VPNs, Proxy Tunneling does not encrypt data, making it a faster and more cost-effective alternative.

Currently, free tunneling services are available, provided you pay attention to the legal limits of each. This approach, which is the one I use most, not only eases access to services I use personally but also offers a simple way for friends and family to access Jellyfin.

One of the main benefits of this technique is its easy configuration. Generally, you will only need to create an account with a service and run an application on the server that will be the destination for the data. If you choose to use a service like Cloudflare Tunnel, you’ll have added protection against DDoS attacks and can implement Zero Trust approaches. Thus, you specify which emails have access to the service, and Cloudflare takes care of the rest without needing to modify anything in the application being served.

However, it’s worth noting that the traffic can be monitored by the provider that offers the tunneling service, and relying on third parties always carries risks. Furthermore, depending on the service, the terms of use may be restrictive. For example, Cloudflare does not allow file streaming, and if you exceed the allowed limit, you could end up being banned.

Thus, Proxy Tunneling emerges as one of the most viable options, combining ease of use and a good cost-benefit ratio with the necessary security.

HTTPS

Amidst this entire process, we cannot overlook the importance of HTTPS, a concern often neglected by those starting to expose services to remote access. A website without an SSL certificate is like leaving the windows of your house open to possible invaders. With a bit of knowledge, someone could easily intercept your packets and access sensitive information like passwords.

Therefore, when exposing a service, prefer to use a digital certificate. If you choose to use Cloudflare Tunnel, it offers a free digital certificate that ensures secure communication between the client and the gateway. The Nginx Proxy Manager also automatically configures a certificate through Let's Encrypt, a free certificate provider.

My advice is simple: avoid self-signed certificates, always opting for an external certificate service to ensure maximum security.
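
To make the Reverse Proxy and HTTPS sections concrete, here is an added example (not taken from this article or from the Nginx Proxy Manager project) of a plain Nginx configuration that redirects HTTP to HTTPS, serves a Let's Encrypt certificate, and caches Jellyfin images on the proxy. The hostname `media.example.com`, the upstream address `192.168.1.10:8096`, the cache directory, and the zone name `jellyfin_img` are assumptions; the file is assumed to be included from Nginx's `http` context.

```nginx
# Added example. Hostname, upstream address, cache path and zone name are assumptions.
# On-disk cache for image responses (this directive must sit in the http context).
proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin_img:10m
                 max_size=1g inactive=30d use_temp_path=off;

# Port 80 only redirects, so logins and session tokens never travel in clear text.
server {
    listen 80;
    server_name media.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name media.example.com;

    # Certificate issued by Let's Encrypt (certbot's default file layout).
    ssl_certificate     /etc/letsencrypt/live/media.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/media.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Everything else goes straight to Jellyfin and is never cached.
    location / {
        proxy_pass http://192.168.1.10:8096;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;      # WebSocket support
        proxy_set_header Connection "upgrade";
    }

    # Cache only image responses, which are identical for every user.
    # Anything that depends on who is logged in must not be cached here.
    location ~ ^/Items/[^/]+/Images/ {
        proxy_pass http://192.168.1.10:8096;
        proxy_set_header Host $host;
        proxy_cache jellyfin_img;
        proxy_cache_valid 200 30d;
        proxy_cache_lock on;
        add_header X-Cache-Status $upstream_cache_status;  # HIT/MISS, for verification
    }
}
```

After reloading Nginx, the `X-Cache-Status` response header on an image request shows whether the proxy answered from its cache or went to the Jellyfin server.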

Legal Considerations

Before we conclude our journey in search of remote access, it's crucial to observe some legal matters. For instance, your internet provider may have restrictions and terms of use regarding file uploads. Although this is rare, it can create complications if not considered. In such circumstances, a VPN could serve as a communication channel that helps navigate specific limits.

Additionally, it's essential to be aware that services like Cloudflare also have restrictions in their terms of service, such as prohibiting streaming. Such issues are not easy to circumvent unless you choose a service that does not impose these limitations or resort to a VPS to create your own tunneling.

Overall, it is necessary to explore the service terms of all parties involved in the process to have a clear understanding of limitations and risks. This way, you can decide if these risks are worth taking.

Next Steps

With all this knowledge in hand, you now have a great context on how to implement external access for your local applications. The options are varied and diverse, and what’s left is choosing the one that best fits your needs.

To take the next step, I have three articles that may be helpful:

The first is about configuring tunneling using Cloudflare Tunnel, a service we mentioned throughout the text. You can access this article by clicking here.

The second relates to Twingate, an alternative to tunneling that resembles a VPN, allowing access to applications without complicated setups. Click here to learn more.

Finally, if you are considering setting up a Reverse Proxy using Nginx, we also have an article dedicated to this approach that will be useful. Check it out here.

I hope the content of this article has illuminated your mind and provided new alternatives to implement in your homelab. Whether to facilitate access for others or for yourself when on the go, don’t hesitate to explore options until you find the one that suits your style best.

Thank you for following along, and see you in the next article!