Introduction

Remote access to your home lab, and the ability to share its resources, is crucial these days. Have you ever wanted that? I already know the answer: YES!

I know you have resources like Home Assistant, NextCloud, Synology NAS, or anything web-related. You also tried multiple solutions like dynamic DNS, port forwarding, Cloudflare, proprietary solutions like NabuCasa for Home Assistant, and Quick Connect for Synology.

But what if I told you that there is a better Home Lab Remote Access solution in terms of costs, flexibility, and security?

I am talking about making a reverse proxy through a secure tunnel.

The key benefits: 

  1. Access (and share) your local resource thanks to a VPN and a cloud instance;
  2. Clients don’t need to be in a VPN;
  3. No need to open ports in your firewall;
  4. Costs (for an application running 24/7): 130 USD/year max.
  5. Limitations: virtually unlimited local resources accessible.

So, in this guide, you will learn:

  1. What a reverse proxy is;
  2. How to design the infrastructure, which elements are needed, and the related costs;
  3. What the benefits of this solution are compared to the most common alternatives;
  4. How to build this solution.

Before digging into the article, let me explain who I am and why I wrote this article.

I am Fabio Fusco, Partner and CIO at Strutture Energia srl, a company focused on energy savings. My goal is to develop an IoT system for energy savings. In particular, I use Home Assistant as the backbone of our domotic system (along with other open-source tools).

I am writing this article to show you a typical example of a task I accomplish daily, as we are looking for collaborations with developers in this field. For example, we have an open position for a front-end developer. So please, check out my LinkedIn account, where you can find the job posting (I know, it is in Italian; Google Translate is your friend). In addition, follow me on LinkedIn so that you will be notified of future open positions.

What a reverse proxy is

Very simple: it is an application that can receive a request and forward it to the target resource. The target can reside in the same server where the reverse proxy is or in a different one. You can see it as an entry point for your requests.

Similar reverse proxy will be used for our Home Lab Remote Access

The design of the infrastructure, elements needed, and costs

So, what we are trying to achieve is the following: access (from anywhere in the world) resources located in your home lab. Of course, doing so allows you to share these resources with other people.

High level view of the Home Lab Remote Access without VPN

In the scheme above, there is one small problem: the firewall. The firewall won’t let the traffic pass unless you open a port (which is what you do with port forwarding).

So, to let the traffic pass, we need to add a way to connect the reverse proxy with our home lab. The answer is VPN!

So, here is what we are going to build.

High level view of the Home Lab Remote Access with VPN

So, here is how it works:

  1. You connect to anything.example.com;
  2. Thanks to a DNS record, this request is “forwarded” to an online server that you own, where you installed a reverse proxy and a VPN;
  3. The reverse proxy forwards the connection to the designated server in your home lab, which you configured previously to join your VPN.

Some things to take into consideration:

  1. The connection between the reverse proxy and the web server in your home lab is private by design (you are in a secure tunnel thanks to the VPN);
  2. The connection between the client and the reverse proxy is not private by design, but you can install an SSL certificate on the reverse proxy. In this blog, I simplify things, hence I won’t install the SSL certificate. If you want, I can share a very cool way to make auto-magically signed certificates without the hassle of managing Let’s Encrypt certificates. But for this topic, I need a different blog post.

The elements needed:

| Service | Tool used | Cost | Comments |
|---|---|---|---|
| VPN | TailScale | Free | You can choose many different options. I chose this because: it has a free tier; it is effortless to install; it is very secure since it takes care of the key rotation; it has a handy feature called Magic DNS, which allows us to forget about the private DNS (every new VPN client is automatically recognized and automatically accessible remotely); it is very fast. |
| DNS | DigitalOcean | Free | You can use anything you want. There are plenty of free tools. I use DigitalOcean because it is effortless to manage the wildcard sub-domain. |
| Domain Name | AWS | 10 USD/year | This cost depends greatly on the top-level domain chosen (.com, .it, ...). You can even find some domains available for free. Let’s assume I use example.com here. |
| Reverse proxy | VM with NGINX | Max 10 USD/month | I use DigitalOcean, but you can use any provider. 2 GB of RAM is more than it needs. |

So, the maximum cost is 130 USD/year. You can save money by switching the VM on and off automatically, but this is another story (again).

Why use this Home Lab Remote Access compared to others?

| Service | Cost | Why the proposed Home Lab Remote Access solution is better |
|---|---|---|
| Port forwarding | Free | Static IP needed; you need to configure your firewall, which is a horrible security issue, and in some cases it is not even an option since your modem could be managed by your ISP; you expose your private IP address on the internet; you don’t want that, trust me. |
| Dynamic DNS | Could be free | It is very similar to the port forwarding service, except that you don’t need a static IP. The other issues are the same. |
| VPN | Could be free | The clients need to be in the VPN as well. |

Our solution instead:

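| Service | Cost | Why the proposed Home Lab Remote Access solution is better |
|---|---|---|
| Reverse proxy | 130 USD / year MAX | No port forwarding; easy to install; scale as you wish; use the domain you like the most; flexibility. |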

How to build this Home Lab Remote Access solution?

Tip: follow the whole guide first before visiting your resource.

  1. Install TailScale on your local machine; follow the official guide: https://tailscale.com/kb/1029/install-files/
  2. Set up a “device name” as you wish; you will use it as a subdomain to reach it; you can change it whenever you want. I will use machine-1;
  3. Enable Magic DNS on the TailScale console following the official guide https://tailscale.com/kb/1054/dns/ . Once done, you will see a private resolver called <account-name>.beta.tailscale.net/ ; in my case, fabio-fusco.beta.tailscale.net ;
  4. Sign up for DigitalOcean (https://m.do.co/c/6dd2caef1f1f once you sign up they give you 100 USD credit to spend);
  5. Launch an Ubuntu 20.04 VM
    1. Choose Shared-CPU, Regular Intel with SSD, with 2GB of RAM;
    2. Choose the location closest to you to reduce the latency.
  6. Choose a Domain Name in your registrar.
  7. Add the domain to the DigitalOcean DNS console; follow the official guide: https://docs.digitalocean.com/products/networking/dns/how-to/add-domains/
  8. Add the A record with a wildcard (ignore all the other records), linking it to the VM that you just created; follow the official guide https://docs.digitalocean.com/products/networking/dns/how-to/manage-records/
  9. Install NGINX following the official guide https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-20-04
  10. Once everything is working, replace the “server” section that you set following the guide on NGINX with the following configuration:

        server {
            listen 80;
            # Regex in order to get the subdomain
            server_name  ~^(?<subdomain>.+)\.example\.com$;
            location / {
                # Needed to resolve the private address
                resolver 100.100.100.100 [::1];
                # Private address. It is dynamic thanks to the subdomain variable
                proxy_pass http://$subdomain.fabio-fusco.it.beta.tailscale.net:8123;
            }
        }

  11. In case you need to reach Home Assistant, you need to trust the connection. So add the following to the configuration.yaml:

        http:
          use_x_forwarded_for: true
          trusted_proxies:
            - 127.0.0.1
            - <public IP of the reverse proxy>
          ip_ban_enabled: true
          login_attempts_threshold: 5

  12. In case you receive any error like 504 or 400, remember:
    1. Cookies are your enemies (unless they have chocolate in them);
    2. Caches are a form of lie.

So, clear any cookies and caches, and be prepared to wait for a few minutes.
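The regex in step 10 proxies any subdomain of example.com to whichever VPN device carries that name, so every device name that Magic DNS resolves is reachable from the internet on port 8123. The following is an added example, not part of the original guide: a server block that only proxies names listed in a map, and that overwrites X-Forwarded-For so the ip_ban_enabled and login_attempts_threshold settings from the Home Assistant step act on the real client address. The nextcloud entry and its port are hypothetical.

```nginx
# Added example. The map must sit at http level, outside server {}.
# Left column: public name. Right column: tailnet upstream (host:port).
map $host $homelab_upstream {
    hostnames;
    default                 "";   # anything not listed is refused below
    machine-1.example.com   machine-1.fabio-fusco.it.beta.tailscale.net:8123;
    nextcloud.example.com   nextcloud.fabio-fusco.it.beta.tailscale.net:80;  # hypothetical
}

server {
    listen 80;
    server_name *.example.com;

    # Magic DNS resolver; required because proxy_pass uses a variable
    resolver 100.100.100.100 valid=30s;

    location / {
        # Names that are not in the allowlist never reach the VPN
        if ($homelab_upstream = "") {
            return 404;
        }

        proxy_set_header Host $host;
        # Overwrite instead of appending, so a client-supplied
        # X-Forwarded-For header cannot fake the address that
        # Home Assistant uses for its IP ban logic
        proxy_set_header X-Forwarded-For $remote_addr;

        proxy_pass http://$homelab_upstream;
    }
}
```

Run `nginx -t` before reloading; adding a new home lab service then means adding one line to the map.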

With that, this how-to on Home Lab Remote Access and sharing resources concludes. Let me know in case you have any feedback (or questions) on LinkedIn. Subscribe to Peyanski’s newsletter for more articles like this.

