Securing Your Homelab: The Smart Way to Expose Services Without Exposing Yourself
So you've built your homelab. You've got Jellyfin streaming your media, maybe some Docker containers running useful services, and everything works perfectly... as long as you're home. The moment you leave your network, you're locked out. The temptation to just open ports 80 and 443 to the world is real, but trust me, that's like leaving your front door wide open with a "welcome hackers" mat.
After running my own homelab for years and making plenty of mistakes along the way, I've learned there are two solid approaches to securely accessing your services remotely: VPN solutions like Tailscale and reverse proxies with Nginx. Let's dive into both, because choosing the right one depends on your specific needs.
The Two Paths Forward:
Option 1: VPN/Tailscale
Tailscale is a modern VPN built on WireGuard that creates a mesh network between your devices. Instead of exposing anything to the internet, you create a private encrypted tunnel that only your authenticated devices can access.
Pros:
- No port forwarding required - Works through NAT and firewalls automatically
- No public exposure - Nothing listens on the internet; services are reachable only from devices that have authenticated to your tailnet
- Simple setup - Literally minutes to get running
- Works behind CGNAT - Perfect if your ISP doesn't give you a real public IP
- Free for personal use - Up to 100 devices on the personal plan
- Subnet routing - Access your entire network without installing Tailscale on every device
Cons:
- Requires client installation - You need the Tailscale app on devices accessing your services
- Less convenient for sharing - Can't easily share services with friends/family who won't install software
- Dependency on Tailscale's infrastructure - Though coordination servers can be self-hosted with Headscale
- Not ideal for public-facing services - If you want to share something publicly, this isn't the solution
Option 2: Nginx Reverse Proxy
Nginx sits in front of your services and routes requests based on domain names, while handling SSL termination and security headers.
Pros:
- Complete control - You manage everything from SSL certificates to access rules
- No client software needed - Anyone can access via standard web browser
- Flexible routing - Handle complex setups with multiple subdomains and paths
- Public sharing friendly - Easy to share services with anyone
- Performance optimization - Built-in caching and compression
- Free SSL certificates - Let's Encrypt integration makes HTTPS trivial
Cons:
- Requires port forwarding - Ports 80 and 443 must be exposed to the internet (80 for the HTTP-to-HTTPS redirect and for HTTP-01 certificate challenges)
- Larger attack surface - Your services are potentially visible to the world
- More complex setup - DNS configuration, SSL management, firewall rules
- Ongoing maintenance - Regular updates and security monitoring essential
- Doesn't work with CGNAT - You need a real public IP address
Option 1: Setting Up Tailscale (The Easy Win)
Step 1: Install Tailscale
On your homelab server (Linux):
curl -fsSL https://tailscale.com/install.sh | sh
Piping a remote script straight into sh means trusting tailscale.com and the TLS connection to it. If you'd rather see what runs, download the script first and read it, or follow the per-distro package instructions on tailscale.com instead.
On other devices: Download from tailscale.com for Windows, macOS, iOS, or Android.
Step 2: Authenticate and Connect
sudo tailscale up
This will print a URL to authenticate with your Tailscale account. Once connected, each device gets a persistent Tailscale IP from the 100.64.0.0/10 range (the 100.x.x.x addresses you'll see in the admin console).
Step 3: Set Up Subnet Routing (Optional but useful)
This lets you access your entire home network through one Tailscale device without installing Tailscale on everything.
Enable IP forwarding:
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Advertise your subnet (replace with your actual network range):
sudo tailscale up --advertise-routes=192.168.1.0/24
Step 4: Approve Routes
Go to the Tailscale admin console, find your subnet router, click the three-dot menu, select "Edit route settings" and enable the advertised routes.
Step 5: Enable Subnet Usage on Client Devices
On each client device, go to Tailscale settings and enable "Use Tailscale subnets". Now you can access any device on your home network using its local IP address!
That's it. You can now reach Jellyfin at http://100.x.x.x:8096 (your server's Tailscale IP) from anywhere, with zero ports exposed to the internet. The connection to Jellyfin is plain HTTP, but it only ever travels inside the WireGuard tunnel between your device and the server. (With subnet routing, the last hop from the subnet router to other LAN devices is ordinary LAN traffic, exactly as it is when you're at home.)
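"Zero ports exposed" is only true if nothing on the server is listening where a stray port-forward or firewall rule could reach it. The script below is an added example (not part of the original post) that classifies every TCP listener reported by `ss -tlnH` as public (bound to every interface), loopback, Tailscale (inside 100.64.0.0/10) or LAN. The sample `ss` output and its addresses are constructed placeholders so the script runs offline; `--live` runs it against the real system.

```shell
#!/bin/sh
# Listening-socket audit. Added example, not from the original post.
# Reads the output of `ss -tlnH` (iproute2, TCP listeners, numeric, no header)
# and reports whether each listener is bound to every interface (reachable the
# moment a port-forward or firewall rule is wrong), to loopback, to the
# Tailscale address, or to a LAN address. SAMPLE_SS is constructed so the
# script runs offline; the addresses in it are placeholders.

SAMPLE_SS='LISTEN 0 4096 0.0.0.0:8096 0.0.0.0:*
LISTEN 0 128 127.0.0.1:81 0.0.0.0:*
LISTEN 0 128 100.101.102.103:22 0.0.0.0:*
LISTEN 0 4096 [::]:443 [::]:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 192.168.1.10:5432 0.0.0.0:*'

# True if $1 (dotted quad, no port) lies in 100.64.0.0/10, the pool Tailscale
# hands addresses out of (second octet 64..127).
in_tailscale_range() {
  case "$1" in
    100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 0 ;;
  esac
  return 1
}

# Classify one "address:port" as ss prints it: public, loopback, tailscale or lan.
classify_addr() {
  host="${1%:*}"                 # drop ":port"; IPv6 keeps its [brackets]
  case "$host" in
    0.0.0.0|'*'|'[::]') echo public ;;
    127.*|'[::1]')       echo loopback ;;
    *) if in_tailscale_range "$host"; then echo tailscale; else echo lan; fi ;;
  esac
}

# stdin: ss -tlnH output.  stdout: "<class> <address:port>" per listener.
audit_listeners() {
  while read -r state recvq sendq laddr rest; do
    [ "$state" = LISTEN ] || continue
    printf '%s %s\n' "$(classify_addr "$laddr")" "$laddr"
  done
}

# stdin: ss -tlnH output.  stdout: space-separated ports bound on every interface.
public_ports() {
  audit_listeners | awk '$1 == "public" { sub(/.*:/, "", $2); print $2 }' |
    sort -n | tr '\n' ' ' | sed 's/ $//'
}

case "${1:-}" in
  --sample) printf '%s\n' "$SAMPLE_SS" | audit_listeners ;;
  --live)   ss -tlnH | audit_listeners ;;
esac
```

On the sample, `public_ports` reports 80, 443 and 8096: the kind of listeners that are harmless behind NAT but become the whole story the day a router rule is wrong. Anything you only ever reach over Tailscale (SSH, database admin ports) is better bound to the Tailscale IP or to 127.0.0.1 so it shows up as `tailscale` or `loopback` here.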
Option 2: Setting Up Nginx Reverse Proxy with SSL
This approach requires a domain name (you can get one cheap from Cloudflare, Namecheap, etc.) and a public IP address.
Step 1: Install Nginx Proxy Manager (Docker)
Create a docker-compose.yml file:
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    environment:
      TZ: "Australia/Brisbane"
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
Deploy it:
docker compose up -d
(On older installs the command is docker-compose up -d.)
Step 2: Initial Configuration
Access the admin interface at http://your-server-ip:81. Port 81 is the management UI: never forward it on your router. Keep in mind that Docker publishes a port like '81:81' on every interface of the host and inserts its own iptables rules ahead of host firewalls such as UFW, so if the server ever has a public address, bind the UI to a LAN address in the compose file instead (for example '192.168.1.10:81:81').
Default credentials:
Email: admin@example.com
Password: changeme
Change these immediately after first login.
Step 3: Configure DNS
Point your domain (or subdomains) to your public IP address. For example:
jellyfin.yourdomain.com → Your public IP
nextcloud.yourdomain.com → Your public IP
Step 4: Port Forwarding
On your router/firewall, forward ports 80 and 443 to your Nginx Proxy Manager server.
Step 5: Create SSL Certificate
In Nginx Proxy Manager:
Go to "Certificates" → "Add Certificate"
Select "Let's Encrypt" and enable the DNS challenge option (a DNS challenge proves ownership through a DNS record rather than an inbound HTTP request, so it works before port 80 is reachable and is the only way to get wildcard certificates)
Enter your domain name (e.g., jellyfin.yourdomain.com)
Choose your provider/registrar (for me it's Cloudflare)
Add the credentials it asks for (an API key in my case; for Cloudflare, create an API token scoped to DNS:Edit on just that zone rather than using the global API key, since anyone who gets hold of it can rewrite your DNS)
Click "Save"
Step 6: Create Proxy Host (Jellyfin example)
Go to "Hosts" → "Proxy Hosts" → "Add Proxy Host"
Domain Names: jellyfin.yourdomain.com
Scheme: http
Forward Hostname/IP: Your Jellyfin server's local IP (e.g., 192.168.1.100)
Forward Port: 8096 (Jellyfin's port)
Under "SSL" tab: Select your Let's Encrypt certificate
Enable "Force SSL," "HTTP/2 Support," "HSTS Enabled" and "HSTS Sub-domains". On the "Details" tab also enable "Block Common Exploits" and "Websockets Support" (Jellyfin's web client uses a websocket). Once a browser has seen the HSTS header it will refuse plain HTTP to that name for the max-age period, so turn it on only once HTTPS is working.
Save
Done! Your service is now accessible at https://jellyfin.yourdomain.com with automatic SSL.
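Before calling it done, it is worth checking the host from the outside rather than trusting the toggles. The script below is an added example (not from the original post or the Nginx Proxy Manager project) that verifies, from the internet's point of view, that plain HTTP redirects to HTTPS, that the HSTS header is present with a sensible max-age, and that neither the admin UI (81) nor Jellyfin's own port (8096) answers directly. It assumes curl is installed and uses the placeholder hostname from the text; the two SAMPLE_* responses are constructed for the offline self-test, not captures from a real server.

```shell
#!/bin/sh
# External checks for an exposed proxy host. Added example, not from the post.
# Assumes curl is installed. HOST defaults to the placeholder used in the text;
# run it with --run from outside your network (phone hotspot, a VPS) so the
# results show what the internet sees. The SAMPLE_* blocks are constructed
# responses for the offline self-test, not captures from a real server.

HOST="${HOST:-jellyfin.yourdomain.com}"
CR=$(printf '\r')

SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: openresty
Location: https://jellyfin.yourdomain.com/
Content-Length: 0'

SAMPLE_TLS='HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains
content-type: text/html'

# stdin: raw response headers. Succeeds only for a 301/302/307/308 whose
# Location is an https:// URL, which is what "Force SSL" should produce.
is_https_redirect() {
  status=""; location=""
  while IFS= read -r line; do
    line=${line%"$CR"}                      # strip CR from CRLF line endings
    case "$line" in
      HTTP/*)         status=$(printf '%s\n' "$line" | awk '{ print $2 }') ;;
      [Ll]ocation:*)  location=${line#*:}; location=${location# } ;;
    esac
  done
  case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
  case "$location" in https://*) return 0 ;; *) return 1 ;; esac
}

# stdin: raw response headers. Prints the HSTS max-age value; fails if the
# header is missing (HSTS is only sent on the HTTPS response, so fetch https://).
hsts_max_age() {
  while IFS= read -r line; do
    line=${line%"$CR"}
    case "$line" in
      [Ss]trict-[Tt]ransport-[Ss]ecurity:*)
        printf '%s\n' "$line" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
        return 0 ;;
    esac
  done
  return 1
}

# True if something answers on host $1 port $2. curl exit 7 is "could not
# connect" and 28 is "timed out"; any other result means a service is reachable.
port_open() {
  curl -s --connect-timeout 5 -o /dev/null "http://$1:$2/"
  rc=$?
  [ "$rc" -ne 7 ] && [ "$rc" -ne 28 ]
}

run_checks() {
  if curl -sI --connect-timeout 5 "http://$HOST/" | is_https_redirect; then
    echo "OK    http://$HOST redirects to https"
  else
    echo "FAIL  http://$HOST does not redirect to https (Force SSL not enabled?)"
  fi
  age=$(curl -sI --connect-timeout 5 "https://$HOST/" | hsts_max_age) || age=""
  if [ -n "$age" ] && [ "$age" -ge 15552000 ]; then   # 180 days, a common minimum
    echo "OK    HSTS max-age=$age"
  else
    echo "FAIL  HSTS header missing or max-age too short (${age:-none})"
  fi
  # 81 is the NPM admin UI, 8096 is Jellyfin itself: neither should answer directly.
  for port in 81 8096; do
    if port_open "$HOST" "$port"; then
      echo "FAIL  port $port is reachable from the internet"
    else
      echo "OK    port $port is closed"
    fi
  done
}

case "${1:-}" in --run) run_checks ;; esac
```

Run it as `HOST=jellyfin.yourdomain.com sh check-proxy.sh --run` from a network that is not your own; from inside the LAN the port checks would pass trivially. A FAIL on port 81 or 8096 means something other than the reverse proxy is reachable, which is exactly the exposure the proxy was supposed to prevent.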
Hardening Best Practices (Use With Either Method)
Regardless of which approach you choose, implement these security fundamentals:
- SSH key authentication only - Disable password login, and if possible root login via SSH
- Firewall everything - Use UFW, iptables, or a separate firewall appliance like OPNsense
- Fail2ban - Block brute-force attempts automatically (possibly with custom jails based on the services you're hosting)
- Regular updates - Set up automated security patches
- Network segmentation - Use VLANs to isolate your homelab from personal devices
- Strong passwords/2FA - Use a password manager and enable two-factor authentication everywhere
- Monitor and log - Set up Uptime Kuma or similar to know when things break*
- Backup religiously - The 3-2-1 rule: 3 copies, 2 different media, 1 offsite
*Funny thing: if you're hosting Uptime Kuma inside your homelab, it will never report a server-wide outage, because it is probably running on the very machine that just went down. Ideally, host it somewhere outside (a cheap VPS, or a friend's homelab) and have it probe your services from there.
My Recommendation: Why Not Both?
Here's the approach I use: Tailscale for admin access and personal services, Nginx for anything I might share publicly:
- Use Tailscale to access your infrastructure, SSH, databases, and internal tools—things that should never be public
- Use Nginx reverse proxy only for services you genuinely want accessible from any browser, like a personal blog or photo gallery you share with family
This hybrid approach gives you the security of VPN for sensitive stuff and the convenience of direct access for appropriate services.
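The "Firewall everything" item above and the hybrid policy here come down to one rule set: 80 and 443 open to the world, everything administrative (SSH, the NPM admin UI, Jellyfin's own port) reachable only from the LAN or over the tailnet. The script below is an added example, not from the original post, that prints the UFW commands for that policy and, separately, scans a compose file for the Docker trap mentioned earlier: ports published without a bind address go out on 0.0.0.0 and Docker's own iptables rules sit ahead of UFW's, so the host firewall never sees them. It assumes UFW, a Tailscale interface named tailscale0, the 192.168.1.0/24 LAN used earlier, and the constructed SAMPLE_COMPOSE mirroring the compose file above.

```shell
#!/bin/sh
# Host firewall policy for the hybrid setup, plus a check for the Docker
# port-publishing trap. Added example, not from the post. Assumptions: ufw is
# the host firewall, the Tailscale interface is tailscale0, the LAN is
# 192.168.1.0/24 (the subnet used earlier), and NPM runs on this host in
# Docker. SAMPLE_COMPOSE mirrors the compose file above; FIXED_COMPOSE is the
# same file with the admin port bound to a LAN address.

LAN="${LAN:-192.168.1.0/24}"

SAMPLE_COMPOSE="services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt"

FIXED_COMPOSE=$(printf '%s\n' "$SAMPLE_COMPOSE" | sed "s/'81:81'/'192.168.1.10:81:81'/")

# Print the ufw commands that encode the policy; nothing is executed here.
# Public: 80/443 (the proxy). Admin (SSH, NPM UI, Jellyfin direct): LAN or
# tailnet only. Everything else inbound: dropped.
ufw_rules() {
  cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow in on tailscale0 to any port 22 proto tcp comment 'SSH over Tailscale'
ufw allow from $LAN to any port 22 proto tcp comment 'SSH from LAN'
ufw allow 80/tcp comment 'NPM: HTTP redirect and ACME'
ufw allow 443/tcp comment 'NPM: HTTPS'
ufw allow from $LAN to any port 81 proto tcp comment 'NPM admin UI from LAN'
ufw allow in on tailscale0 to any port 81 proto tcp comment 'NPM admin UI over Tailscale'
ufw allow in on tailscale0 to any port 8096 proto tcp comment 'Jellyfin direct over Tailscale'
ufw allow 41641/udp comment 'Tailscale: optional, helps direct peer connections'
EOF
}

# Docker publishes '81:81' on 0.0.0.0 and adds its own iptables rules ahead
# of ufw's, so the admin-UI rules above do not apply to it. stdin: a compose
# file. stdout: host ports published without a bind address, i.e. the ones
# ufw cannot protect. Handles "- '81:81'" and "- 0.0.0.0:81:81" forms.
unbound_published_ports() {
  awk -v q="'" '
    /^[[:space:]]*-[[:space:]]*/ {
      s = $0
      sub(/^[[:space:]]*-[[:space:]]*/, "", s)      # drop the list dash
      gsub(q, "", s); gsub(/"/, "", s)              # drop YAML quotes
      n = split(s, f, ":")
      if (n == 2 && f[1] ~ /^[0-9]+$/) print f[1]
      else if (n == 3 && f[1] == "0.0.0.0" && f[2] ~ /^[0-9]+$/) print f[2]
    }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

case "${1:-}" in
  --print) ufw_rules ;;
  --apply) ufw_rules | while IFS= read -r cmd; do eval "sudo $cmd"; done; sudo ufw enable ;;
  --check) unbound_published_ports < "${2:-docker-compose.yml}"; echo ;;
  --demo)  printf '%s\n' "$SAMPLE_COMPOSE" | unbound_published_ports; echo ;;
esac
```

`--check docker-compose.yml` on the file from the NPM section reports 80, 81 and 443; after binding the admin port to a LAN address it reports only 80 and 443, which is the intended split. Review `--print` before `--apply`, and add a rule for your own LAN or tailnet SSH path first if you are working over SSH, since `ufw enable` with a deny-incoming default will otherwise cut you off.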
Final Thoughts
The "best" solution depends on your threat model and use case. If you're just accessing services yourself and maybe immediate family, Tailscale is the no-brainer choice—it's more secure and easier to maintain. If you need to share services with people who won't install software, or you're hosting something truly public-facing, Nginx reverse proxy is your friend.
Whatever you choose, never just port forward random ports directly to your services without proper security measures. Your future self (and your network) will thank you.
Stay secure out there, and happy homelabbing!