The Homelab needs to be accessible from home (obviously), and sometimes from away (for certain services).
I want TLS termination on everything --- mostly to avoid browser warnings (client "accepts the risk") but also as best security practice.
This section documents the infrastructure choices I've made to support these requirements, things I'd like to improve, etc.
I'm rocking rileys.house for everything Homelab so far. Makes sense to me, since it's all "at my house", e.g. frigate.rileys.house is the Frigate NVR instance running "at Riley's house." I am very clever.
All services should be resolved from this rileys.house root domain.
Services (not necessarily all) should be accessible from outside of the home LAN. Options to achieve this include:
The pros and cons of these are briefly listed here:
This is probably the simplest solution to the problem, but it is also the least secure. Especially since my home internet is pretty shit, opening up ports to the WAN is risky from a DDoS perspective.
However unlikely such an attack on little-old-me might be, a mantra I've seen repeated in various cybersecurity spaces is that "your attacker's pipe is always bigger than yours." Especially when my pipe is like 25Mbps wide...
I think that DDoS attacks and having my public IP "out there" are the only real concerning aspects of this option. I'd like to believe that I'd be able to set up firewalls, authentication, and solutions like fail2ban and CrowdSec to otherwise protect my services. But at the end of the day, these are all "post-pipe" solutions. My ISP is my bottleneck.
Using a VPN like this is probably the most secure option, but the least convenient. I am sometimes sharing services with friends, family, or housemates who may not be particularly tech-literate.
It's inconvenient to have to open up a WireGuard VPN client on your phone if you just want to check whether the package has arrived on the front stoop. It also might have some implications for connections the other way around, such as push notifications from Home Assistant.
Unless I ask all of my clients to install VPN clients on their devices (and leave them "always on" for push notifications -- not to mention the implications for home ISP bandwidth), this is not an ideal solution.
VPNs are still a viable and currently-implemented option for services which must be highly secure, such as routers, firewalls, etc. Just not ideal for the less-important "shared" services.
This seems to be the most popular option I've seen in the Homelab community. Cloudflare is very user-friendly, cheap (if not free), and mature in terms of security practices, anti-DDOS, anti-bot, etc.
My only real gripes here are that:
Cloudflare is massive and trusted by many huge companies with way more to lose than I do. No tin-foil hats required for this section. Mostly, I just like the idea of owning my whole stack.
I may move to Cloudflare at some point -- particularly if security appears to be a concern.
Here's the solution that I've ultimately selected. I "own" the full stack infrastructure (insofar as I "own" the VPS running my tunnel + proxy).
I've chosen OVHCloud to host a tiny VPS in Sydney running the Pangolin stack.
More info on this to come on another page.