Sorry in advance for the long post; I’m just trying to be as specific and detailed as possible.
Due to the type of ISP I’m using I’m stuck behind CG-NAT with no standard way of accessing my home network from outside.
My current implementation (which isn’t ideal for my use-case) is using a VPS on Google Cloud Compute Engine that runs an OpenVPN server and using OpenVPN client apps on mobile devices as well as my Blue-Iris (security camera) server, and Emby Media Server.
This allows me access to those two servers (two separate machines), but makes it somewhat difficult to give access to my media server from certain devices - or for friends, family, etc.
I have a domain on Cloudflare that I currently use to access my media server, but it’s a bit of an annoyance to have to type in the port instead of just using something like “emby.example.com” and I’d ideally like to set it up to route to a self-hosted landing page on my home network that allows access to other services on my network - behind a username and password authentication page.
Right now my Cloudflare domain works as follows:
www.example.com -> Local IP of my Heimdall server (Temporary landing page, until I can get something more secure set up, with access from outside my LAN)
emby.example.com -> IP from my OpenVPN client on Emby Server (which I need to manually append the Emby port in order to access my Emby server)
Right now my Heimdall server just has links pointing to the local IP’s of services running on my network, so obviously that doesn’t work for accessing them from outside of my home network.
The current services I’m hoping to be able to access from outside my network are as follows:
- Emby Media Server (currently using my OpenVPN VPS for external access)
- qBittorrent and some ARR’s running on the same machine as Emby
- Blue Iris Server (currently using my OpenVPN VPS for access)
- Proxmox Server (currently no external access*)
- * I have Home Assistant running on a VM in Proxmox which I currently use Nabu Casa (Home Assistant Cloud Service) to access.
- Within Home Assistant I also have AdGuard Home and Unifi Controller addons (Containers) that I’d like access to; I have no problem moving them to my Docker LXC that’s running on the same Proxmox machine, if need be.
- Docker with Jellyseerr, Portainer and Heimdall running in containers on my Proxmox machine.
As with everyone that gets into self hosting, this list is bound to expand as my knowledge grows.
Right now I’m very much a “n00b” when it comes to these things, which is why I’d like to learn how to do it “properly”.
Yes I know the best way is to just not expose my network to the internet, but I’m sure there must be a way for me to do this safely (or at least as safe as reasonably possible).
TL;DR
My ideal scenario would be as follows:
- Head to “www.example.com” -> End up at self hosted authentication page asking for Username/Password.
- Skip authentication if being accessed from within local network (Need to have WAF or I’ll be in the doghouse…)
- Upon authentication be sent to self-hosted landing page (similar to Heimdall) with links to my local services.
- Clicking on said links would send you to different subdomains depending on service chosen (emby.example.com,* blueiris.example.com*,homeassistant.example.com, etc…)
In addition to that, what would be more than ideal (ie. perfect for me) would be to have a different landing page per user; allowing me to give only media server access to friends/family, rather than exposing all my services to everyone with a password to my server, while being able to have private access to all of my services for myself. (I can do this using auto-login links with Heimdall, but I’d still need an authentication page before this).
Apologies again for the long-winded post, I’m just really helping some of you more experienced self-hosters might be able to point me in the right direction to get me started on moving away from my current “workaround”, and toward my ideal end-goal for my home network setup.
Thanks in advance
EDIT:
I’ll also add (in-case it’s relevant) That I currently have my home network split into three separate networks within my Unifi Controller:
- One for my main network (with all of my PC’s, mobile devices and services running on it, running through AdGuard Home)
- An IOT network for all of my smart home devices, etc (it’s firewalled from my main network, and most devices are blocked from internet access - except for ones that need it, like Alexa, Harmony, etc.)
- A guest network (very basic rules, preventing access to my main network. Not running through AdGuard)
You could run the reverse proxy on your VPS, and keep your VPN as a tunnel between your VPS and your home network. Clients would connect without any extra software to the public reverse proxy, which then redirects them through the tunnel to your home network.
If you want to keep your VPS, that is the way i would do it.
If you want to get rid of your VPS and also dont use software on the clients to connect, then you would need to use something like Cloudflare tunnels, which would replace your own setup. Clients connect to Cloudflare, and they redirect through a tunnel to your home network.
This may be the way I need to do it, unfortunately (it seems a fair bit more complicated for someone with pretty limited knowledge on this kind of networking).
Ideally I’d like to use your second approach, with CF Tunnels (something I’ve looked into a bit in the past), but from what I understand, I’d run the risk of violating their TOS and being blocked if too much video passes through their server, which is fairly likely to happen when running a service like Emby through CF.