Sorry in advance for the long post; I’m just trying to be as specific and detailed as possible.
Due to the type of ISP I’m using I’m stuck behind CG-NAT with no standard way of accessing my home network from outside.
My current implementation (which isn’t ideal for my use-case) is using a VPS on Google Cloud Compute Engine that runs an OpenVPN server and using OpenVPN client apps on mobile devices as well as my Blue-Iris (security camera) server, and Emby Media Server.
This allows me access to those two servers (two separate machines), but makes it somewhat difficult to give access to my media server from certain devices - or for friends, family, etc.
I have a domain on Cloudflare that I currently use to access my media server, but it’s a bit of an annoyance to have to type in the port instead of just using something like “emby.example.com” and I’d ideally like to set it up to route to a self-hosted landing page on my home network that allows access to other services on my network - behind a username and password authentication page.
Right now my Cloudflare domain works as follows:
www.example.com -> Local IP of my Heimdall server (Temporary landing page, until I can get something more secure set up, with access from outside my LAN)
emby.example.com -> IP from my OpenVPN client on Emby Server (which I need to manually append the Emby port in order to access my Emby server)
Right now my Heimdall server just has links pointing to the local IPs of services running on my network, so obviously that doesn’t work for accessing them from outside of my home network.
The current services I’m hoping to be able to access from outside my network are as follows:
- Emby Media Server (currently using my OpenVPN VPS for external access)
- qBittorrent and some ARR’s running on the same machine as Emby
- Blue Iris Server (currently using my OpenVPN VPS for access)
- Proxmox Server (currently no external access*)
- * I have Home Assistant running on a VM in Proxmox which I currently use Nabu Casa (Home Assistant Cloud Service) to access.
- Within Home Assistant I also have AdGuard Home and Unifi Controller addons (Containers) that I’d like access to; I have no problem moving them to my Docker LXC that’s running on the same Proxmox machine, if need be.
- Docker with Jellyseerr, Portainer and Heimdall running in containers on my Proxmox machine.
As with everyone that gets into self hosting, this list is bound to expand as my knowledge grows.
Right now I’m very much a “n00b” when it comes to these things, which is why I’d like to learn how to do it “properly”.
Yes I know the best way is to just not expose my network to the internet, but I’m sure there must be a way for me to do this safely (or at least as safe as reasonably possible).
TL;DR
My ideal scenario would be as follows:
- Head to “www.example.com” -> End up at self hosted authentication page asking for Username/Password.
- Skip authentication if being accessed from within local network (Need to have WAF or I’ll be in the doghouse…)
- Upon authentication be sent to self-hosted landing page (similar to Heimdall) with links to my local services.
- Clicking on said links would send you to different subdomains depending on service chosen (emby.example.com,* blueiris.example.com*,homeassistant.example.com, etc…)
In addition to that, what would be more than ideal (ie. perfect for me) would be to have a different landing page per user; allowing me to give only media server access to friends/family, rather than exposing all my services to everyone with a password to my server, while being able to have private access to all of my services for myself. (I can do this using auto-login links with Heimdall, but I’d still need an authentication page before this).
Apologies again for the long-winded post, I’m just really hoping some of you more experienced self-hosters might be able to point me in the right direction to get me started on moving away from my current “workaround”, and toward my ideal end-goal for my home network setup.
Thanks in advance
EDIT:
I’ll also add (in case it’s relevant) that I currently have my home network split into three separate networks within my Unifi Controller:
- One for my main network (with all of my PCs, mobile devices and services running on it, running through AdGuard Home)
- An IOT network for all of my smart home devices, etc (it’s firewalled from my main network, and most devices are blocked from internet access - except for ones that need it, like Alexa, Harmony, etc.)
- A guest network (very basic rules, preventing access to my main network. Not running through AdGuard)
- Head to “www.example.com” -> End up at self hosted authentication page asking for Username/Password.
You can do that easily with Authelia for example. The question is tho, how people end up at that prompt initially. If you want to fully selfhost, you either need some outside node on a VPS for example which redirects through a tunnel to your actual home network. Or you use a third party service like Cloudflare.
- Skip authentication if being accessed from within local network (Need to have WAF or I’ll be in the doghouse…)
Again, Authelia can do that.
- Upon authentication be sent to self-hosted landing page (similar to Heimdall) with links to my local services.
If you combine Authelia with a reverse proxy, you can redirect after auth to wherever you want, for example exactly Heimdall, or Homarr or whatever.
- Clicking on said links would send you to different subdomains depending on service chosen (emby.example.com, blueiris.example.com, homeassistant.example.com, etc…)
Again, a reverse proxy, ideally combined with a local DNS like Pihole for example, would do that easily for you. And you could use Let’s Encrypt certs for valid SSL to use https://emby.example.com instead of http://emby.example.com:8096 or http://192.168.50.120:8096. You do not need to purchase a public domain for that, but LE requires a public domain, which could be a free subdomain for example from a provider like Duckdns.org or Dedyn.io. Many reverse proxies have support for LE dns01-challenge with a lot of providers, so you don’t even need to open any ports for that part.
Thanks! Those are great tips, and definitely sound like the type of thing I’m looking for, and I’m sure I’d have no problem setting them up, aside from one issue:
My main concern is using these services while behind CG-NAT; currently the only way I know how to access my network from outside at all is to go through my VPS using OpenVPN clients, since I don’t have a public IP.
I’d ideally like to do away with the VPN entirely, so I don’t need to set up client apps to give new devices access, but adding the extra layer of CG-NAT on top of those services makes this all more confusing for me, since most of the information I’ve found online doesn’t involve CG-NAT.
You could run the reverse proxy on your VPS, and keep your VPN as a tunnel between your VPS and your home network. Clients would connect without any extra software to the public reverse proxy, which then redirects them through the tunnel to your home network.
If you want to keep your VPS, that is the way I would do it.
If you want to get rid of your VPS and also don’t use software on the clients to connect, then you would need to use something like Cloudflare tunnels, which would replace your own setup. Clients connect to Cloudflare, and they redirect through a tunnel to your home network.
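As an added example (not from the thread or from Authelia’s own docs), here is an Authelia access_control section covering the wish list from the replies above: LAN bypass, password-only access to the media server for a family group, and admin-only access to everything else, with the reverse proxy (on the VPS or at home) routing each subdomain. The LAN range 192.168.50.0/24, the group names and the proxmox/portainer hostnames are assumptions; it also assumes the proxy in front of Authelia passes the real client address, otherwise traffic arriving through the VPS tunnel could be mistaken for LAN traffic.

```yaml
# Added example, not the poster's config. Assumptions: Authelia 4.x behind a
# reverse proxy that forwards the real client IP; LAN is 192.168.50.0/24
# (guessed from the 192.168.50.120 host mentioned above); users belong to
# groups named "admins" and "family" (invented names).
access_control:
  # Anything no rule matches is refused outright.
  default_policy: deny

  networks:
    - name: lan
      networks:
        - 192.168.50.0/24

  rules:
    # "Skip authentication if being accessed from within local network".
    # Only safe while the proxy sees the real client address; a request that
    # came in through the VPS tunnel must not be re-labelled as LAN traffic.
    - domain: "*.example.com"
      policy: bypass
      networks:
        - lan

    # Friends and family: media server only, username/password is enough.
    - domain: emby.example.com
      policy: one_factor
      subject:
        - "group:family"
        - "group:admins"

    # The landing page itself is visible to any logged-in user; which links
    # actually work is decided by the rules, not by the page.
    - domain: www.example.com
      policy: one_factor

    # Infrastructure is admin-only and asks for a second factor as well.
    - domain:
        - blueiris.example.com
        - homeassistant.example.com
        - proxmox.example.com
        - portainer.example.com
      policy: two_factor
      subject:
        - "group:admins"
```

A family user who follows a Proxmox link from the landing page hits default_policy and is denied, so the per-user landing page is a convenience and these rules are the actual boundary.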
You could run the reverse proxy on your VPS
This may be the way I need to do it, unfortunately (it seems a fair bit more complicated for someone with pretty limited knowledge on this kind of networking).
Ideally I’d like to use your second approach, with CF Tunnels (something I’ve looked into a bit in the past), but from what I understand, I’d run the risk of violating their TOS and being blocked if too much video passes through their server, which is fairly likely to happen when running a service like Emby through CF.