Accessing home server / lab / network

I am trying to decide how to access home lab from outside.

I just discovered existence of cloudflare tunnel and tailscal / zerotier. So decision process start to be more complicated :slight_smile:

Here is my summary.

I could called it classic approach.
ask ISP for static public IP, forward http and https on my opnsense router to my local server where I running swag (linuxserver nginx reverse proxy) and allow only those services which I want to access from outside. Of course, point subdomain of my to that IP.

also, I can configure wireguard on opnsense router so I can get in local home network


  • everything is in my hands (well can be disadvantage if you do it wrong :slight_smile: )
  • using no any additional / third-party service
  • if I want to share some files (photos, videos, music) with friends or familly I just can point them to my nextcloud share links


  • not sure how to manage ddos attacks if those happen
  • better identifications by BIG tech because, I am browsing web from one IP, privacy issue

start using tailscale or zerotier (I think those are similar in functionality you get).


  • I dont know, because I understand those services like possibility build home network in cloud which can be accessible from anywhere, maybe only in case I am not able to get static public IP from ISP


  • if case I want to share some files with family or friends they need to install client and I need add them to network.
  • not sure how to access local services over my subdomain of my
  • if I am right, traffic is going truth their relays
  • it is free now but who knows …

cloudflare tunnel, I find this very interesting because when comparing with solution #1 it solve both negative points but brings few questions:

  • it is free now, what happen in future
  • it is third-party app running in my local net, yes, in case problem I can simply stop it.
  • for each service which I want to access I need to create “tunnel”

I think that christian in this video is right You should NOT use Cloudflare Tunnel (if you do this...) - Invidious

thanks for your comments, hints
maybe I did understand something not correctly so thanks for corrections :slight_smile:

If you want to dial back home, why don’t you just use OpenVPN with DDNS. Is secure, robust and works on almost everything.

Too late to be worried about big tech, unless you are using vanilla windows or mac, you are probably more uniquely identifiable than you realise. For instance I’m running Linux Mint in a vmware virtual machine on a Lenovo with an array of ad-blockers and firefox add-ons, in my effort to try to have a resilient setup I have in-fact become more unique so my fingerprints are easier to detect over the internet. So big tech have me through my very actions of trying to avoid them !

well, my ISP is not getting me dynamic public IP, I am behind IPS nat.
I already ask, they offer paid public static IP.

I already have working wireguard on opnsense router { I did test it inside ISP network, they are not isolating clients, so I went to neighbour for testing :wink: }

I am linux user, I did also install linux to my wife and childrends laptops :wink:
yes, I know that big tech is working hard but I dont want to help them …

as I did write, I discovered couldflare tunnel which very interesting but I am not sure If I want to do that.
tailscale or zerotier are also interesting look bit complicated for me now. I will have new IPs how do I will access local services over my domain?

Ah ok your main problem is double NAT than, I don’t have that situation but I’m sure there are others in the forum who have solved that problem.

I literally was coming to this site today to ask the very same question, though I hadn’t summarized it so well. I’m very much just getting started with networking. I’ve watched/read a lot of pieces on the subject and I have no idea what the safest way to access a media server, for example, from outside my network, say on my phone. Tom’s video on Cloudflare almost had me convinced in that direction, but then I read some other pieces about it that gave me pause. Do I need to expose ports, would it be best to obtain a domain or a static IP. I have to be careful with my privacy because I once got a nastygram from my ISP for downloading a Linux ISO via torrent. (No, not THAT kind of Linux ISO, but an actual Linux ISO). Seems they didn’t like the site I was getting it from and threatened to boot me. It’s made me pretty paranoid, since I can’t lose my ability to work from home.

I did install TS client on laptop, android phone, and server.
It was working well but accessing services over my subdomain was problematic.
I did add my DNS server {using unbound on opnsense router} in tailscale portal so it was populated to machines and works ok, I could resolve local IP but I was not able to access LAN.
I did install TS on opnsense router. Plan was that I will setup subnet on that node to be able to access LAN. Installation take long time because it was compiling from source. Configuration was bit strange. Router did connect to tailnet but I was not able to ping it in tail net from other machines, I did add firewall rules for TS but that did not help. I did spend few hours to make it works but without success :frowning:

I feel for you. And I’m not nearly as far along as you are. I’ll be interested to see what you or the forum comes up with.

next stop > zerotier

Installation process on all devices (opnsense router, linux desktop, linux server, android phone) without problems.
It is working well but accessing services over my subdomain is bit tricky.

Instead running zerotier on server I decide to run it only on router which will route between LAN and ZT devices and also provide DNS resolving for my local

Installing on opnsense router is easy. I did enable ZT and add network id, then authorized router in ZT controller web and check “Do Not Auto-Assign IPs”, controller is still showing IP for that device which I did used in configuration later. Next step is to create interface by assign port to new interface. After that I did enable and lock new ZT interface and configure with static IP which I take from controller web. In firewall → rules → ZT interface I did enable ICMP from ZT network and enable everything from ZT net to LAN net. Then you need to add route for you LAN in ZT controller, for example is your LAN net and is ZT IP of your router {same as I used for configuration}. After you add that in web controller it will propagate to all devices.

Now I can access all devices in LAN but only over IP.
I did not find way how ZT could propagate DNS resolver to devices. I did manually change /etc/resolv.conf on my laptop and used IP of my router so all DNS queries was resolving by my home router and I was able to access local services by name instead IP.

I think that tailscale is bit better, they can propagate DNS resolver to clients but installing and configuration on opnsense is hard, I was not able to done it.

Were you able to get anything working. I’m looking at Headscale, but if anything, it’s harder to install than Tailscale.

I have been busy with other things …
But I did try to register at cloudflare and create tunnel. Well it was quite compolicated and when it ask me for credit card to pay zero I did stop the process and delete account.

I did ask my ISP for static IP and already have it. At this moment I am using only wireguard VPN to access my local LAN, home server. Plan is to access some services over public domain and some over VPN.