Converted from notes and materials to my talk given at Warsaw Ruby Meetup in September 2024. You can find the slides here and the recording here.
My talk is titled “homelab networking in 2024” and I will focus on the networking tools. All based on personal experience and tools I actually use.
However, one of the most important questions when giving or listening to a talk is “what is it and why should I care?”, so I’m going to do a brief introduction on what a Homelab is and then why it’s a good idea to run one: from a Ruby and web-developer perspective, but also from a general technical perspective.
Too long, didn’t watch. For people with a short attention span or in case you get interrupted: this talk will focus on two tools that are not only for Homelab, it’s just that there’s nothing better for a Homelab. One is Tailscale. The other is Cloudflare Tunnels. Together they make using a Homelab with the wide internet easy and hassle-free.
Why “lab”? A laboratory is a place where you can safely do experiments. When you work in IT or a related field, playing with production equipment is a big no-no. So we build an environment for experiments, and that becomes our lab. Homelab is a name given to a home server, or a multitude of servers, that you run personally at home and not in a datacenter.
Why is Homelab so popular nowadays, and why does it seem that a lot of people and articles talk about it? Because for most people there is zero or a very low barrier to entry into running their own server.
- Quiet, small and discreet MiniPCs are cheap, widely available and very powerful. Running a home server is no longer an inconvenience for everyone in the household: it can be a tiny device hidden near the router.
- Many people own a NAS, and so should you, if you don’t yet. Cloud storage is awesome and totally worth using, but it should never be the only copy of the data you care about: your account can be hacked, your account or the entire service can be closed for multiple reasons, it can be slow, and its terms might not be compatible with your data and usage. And if you own a NAS, you already have very competent home server hardware up and running.
- It’s a good use for that Raspberry Pi you have lying around with no idea what to use it for, even if a Raspberry Pi is not the best device for a home server.
Above: There are many mini PCs to choose from. For beginners I recommend something based on the Intel N100 for its price-performance ratio.
Any more reasons to run a Homelab as web developer? Yes!
- It will force you to learn basic Linux, including networking and Docker. Most self-hosted apps are now distributed as ready-to-use containers.
- It’s the best controlled environment for learning operations, deployment and dealing with any project, in any technology, using any deployment strategy.
- There are a lot of awesome self-hosted applications. There’s even a curated list aptly called Awesome Selfhosted.
Now let’s talk networking. An application running on a server is not very useful if you can’t access it from outside your local network. You usually need two things, and while they overlap a bit, I’m going to cover them separately for reasons explained later on.
First and foremost, you need a way to privately access your Homelab devices when you’re away from home. This is especially true if you have a NAS and want to download or upload some files from/to it. We usually used a VPN for that: this means a very tightly controlled set of peers (key pairs), requiring some tech-savviness and specialized software to use it as a client. I’ve used Wireguard and it’s great.
The second need is exposing one or more web sites or applications running on your home server to the entire internet, so that anyone can use them without specialized networking software. Since our home internet usually had a public but dynamic IPv4 address, to achieve that we used one of the Dynamic DNS services together with some port forwarding on our home router. I’ve used DuckDNS but there are many services like this.
But it’s 2024. The IPv4 pool was depleted a few years ago and those addresses are becoming scarce. More and more providers put your home router behind their own NAT, called CG (carrier-grade) NAT. This means that with a basic internet service you no longer have a public IPv4 address, dynamic or not, so self-hosting suddenly becomes very difficult: your machines cannot be directly reached by machines behind other NATs. If you studied some networking you know that in such a “NAT on both ends” situation you need a server in a regular datacenter with a public IPv4 address to proxy the traffic through, circumventing both NATs.
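A practical check for the situation described above, added here as an example that is not part of the talk: a small Python script that tells you whether the address on your router’s WAN side is a public IPv4, a private LAN range (RFC 1918), or the carrier-grade NAT range that RFC 6598 reserves (100.64.0.0/10). Every address in it is a constructed sample. The second function does what you would do by hand: compare the WAN address on the router’s status page with what an outside “what is my IP” service reports. If the WAN address is in the CGNAT or a private range, or the two addresses differ, inbound connections will not reach your router directly and you need a relay or tunnel of some kind.

```python
import ipaddress

# RFC 6598 reserves 100.64.0.0/10 for carrier-grade NAT.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges a home router hands out on its LAN side. Seeing one of
# these on the WAN side means there is another NAT (the ISP's) in front of you.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_wan_address(addr: str) -> str:
    """Classify the address your router reports on its WAN interface.

    Note: Tailscale assigns tailnet nodes 100.x.y.z addresses from the same
    CGNAT range, so look at the router's WAN side, not at a tailscale0
    interface on a client machine.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        # A global IPv6 address still lets IPv6-capable clients reach you.
        return "public-ipv6" if ip.is_global else "non-global-ipv6"
    if ip in CGNAT_RANGE:          # checked first: is_global is False here too
        return "cgnat"
    if any(ip in net for net in PRIVATE_RANGES):
        return "private"
    if ip.is_global:
        return "public"
    return "other"                 # loopback, link-local, documentation ranges


def behind_cgnat(router_wan_ip: str, externally_seen_ip: str) -> bool:
    """True when inbound connections will not reach the router directly.

    Two signals: the WAN address is in the CGNAT or a private range, or it
    differs from the address an outside service sees for you, which means
    something on the ISP side is translating the traffic.
    """
    kind = classify_wan_address(router_wan_ip)
    if kind in ("cgnat", "private"):
        return True
    return ipaddress.ip_address(router_wan_ip) != ipaddress.ip_address(externally_seen_ip)


if __name__ == "__main__":
    # Constructed sample values; substitute the ones from your own router
    # status page and an external IP-reporting service.
    samples = [
        ("100.64.1.1", "1.2.3.4"),     # ISP CGNAT: WAN side is in 100.64/10
        ("192.168.100.2", "1.2.3.4"),  # double NAT behind an ISP modem/router
        ("1.2.3.4", "1.2.3.4"),        # real public address: port forwarding works
    ]
    for wan, seen in samples:
        print(f"{wan:>15} ({classify_wan_address(wan)}) -> behind CGNAT: {behind_cgnat(wan, seen)}")
```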
Fortunately there are tools to work around this. They use NAT traversal techniques that became popular with peer-to-peer video calls and WebRTC, and in the process they made everything actually easier than it was before. You can still use those tools with a public IPv4 address, too!
The first tool, for the first need, is Tailscale. At a basic level, it replaces your Wireguard or any other VPN: it allows your configured client machine to act as if it were in the same local network as your home server. But it’s even more than that: it creates a quasi-local virtual network with all your Tailscale-enabled machines, regardless of what “physical” networks (plural!) they’re on. It’s actually built on the Wireguard protocol with a lot of extra features thrown in. It’s a commercial product but it’s free for Homelab needs and a lot of it is open-source: github/tailscale.
Tailscale uses a very smart approach where a “relay” server is used for both ends to start communicating, but as soon as possible they both switch to talking directly. This way you can get connection speeds as high as both machines’ networks allow, without having to pull data through the relay server. You can even see in the Tailscale client app what machines you have a direct connection with at the moment. They describe everything about this topic in their big article, How NAT Traversal works.
The second tool, for the second need, is Cloudflare Tunnel, the most convenient way to expose your behind-(CG)NAT services under a domain you own. You run a daemon on the server machine, configure Cloudflare Tunnel with the domain name and the server’s local IP and port, and CF takes care of the rest. My personal tomash.eu site is hosted from my personal Atomic Pi SBC sitting in a house near Warsaw, exposed via Cloudflare Tunnel. It doesn’t have to be HTTP(S) – you can expose any TCP service, like SSH or anything else, so in theory you could skip using Tailscale. I still prefer Tailscale for SSH, though, as an extra layer of security and access control, and you should too. Cloudflare Tunnels have some reasonable limitations in their Terms of Use: you can’t do a single file upload over 100MB, and you shouldn’t stream movies via the tunnel, since in this case all the traffic goes through CF’s relay servers. Still, for hosting some apps it’s a very good option, with a lot of added convenience like automatic SSL certificates (so you don’t need to wrestle with certificate challenges on your homelab server).
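To make the “domain name, local IP and port” configuration above concrete, here is an added example that is neither the talk’s nor Cloudflare’s own code: a small Python helper that renders the cloudflared config.yml for a tunnel and applies the two constraints cloudflared enforces on the ingress list, namely that every rule except the last needs a hostname, and that the last rule must be a catch-all (typically `http_status:404`) so unmatched hostnames don’t fall through to a service. The tunnel ID, credentials path, example.com hostnames and LAN address are constructed placeholders. The SSH rule is included to match the “you can expose SSH too” remark; the same reasoning applies to it, so in practice keep SSH on Tailscale and reserve the tunnel for the web apps.

```python
from typing import Optional, List, Tuple

# Constructed placeholders: use the ID and credentials file that
# `cloudflared tunnel create` produced for your own tunnel.
TUNNEL_ID = "00000000-0000-0000-0000-000000000000"
CREDENTIALS_FILE = f"/etc/cloudflared/{TUNNEL_ID}.json"

# Ingress rules as (hostname, service). hostname=None marks the catch-all.
# Constructed values: a web app and an SSH daemon on one LAN host.
RULES: List[Tuple[Optional[str], str]] = [
    ("www.example.com", "http://192.168.1.10:8080"),
    ("ssh.example.com", "ssh://192.168.1.10:22"),
    (None, "http_status:404"),
]


def validate_ingress(rules: List[Tuple[Optional[str], str]]) -> bool:
    """Apply the checks cloudflared performs on the ingress list.

    - the list must not be empty;
    - only the last rule may omit the hostname, and the last rule must omit it
      (a catch-all), so requests for unknown hostnames get a fixed response;
    - each service is a URL with a scheme (http://, https://, ssh://, tcp://, ...)
      or an http_status:NNN response.
    """
    if not rules:
        raise ValueError("at least one ingress rule (the catch-all) is required")
    for i, (hostname, service) in enumerate(rules):
        is_last = i == len(rules) - 1
        if is_last and hostname is not None:
            raise ValueError("the last ingress rule must be a catch-all without a hostname")
        if not is_last and hostname is None:
            raise ValueError(f"rule {i}: only the last rule may omit the hostname")
        if "://" not in service and not service.startswith("http_status:"):
            raise ValueError(f"rule {i}: service {service!r} needs a scheme, e.g. http://host:port")
    return True


def render_config(tunnel_id: str, credentials_file: str,
                  rules: List[Tuple[Optional[str], str]]) -> str:
    """Render a cloudflared config.yml (written by hand to avoid a YAML dependency)."""
    validate_ingress(rules)
    lines = [f"tunnel: {tunnel_id}", f"credentials-file: {credentials_file}", "ingress:"]
    for hostname, service in rules:
        if hostname is None:
            lines.append(f"  - service: {service}")
        else:
            lines.append(f"  - hostname: {hostname}")
            lines.append(f"    service: {service}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Prints the file you would place at /etc/cloudflared/config.yml
    # (path assumed; cloudflared also accepts --config).
    print(render_config(TUNNEL_ID, CREDENTIALS_FILE, RULES), end="")
```

Each public hostname in the list still needs a DNS record pointing at the tunnel (`cloudflared tunnel route dns <tunnel> <hostname>` does that); the ingress list only decides where matching requests go once they arrive.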
I hope this talk gave you the inspiration, courage and pointers to start your own homelab!
There are a few extra topics for Advanced Players. Mostly: how to set up your own relay server (a publicly available machine to proxy traffic through), so that you don’t need to rely on Tailscale and Cloudflare providing those services (and for free), while still keeping it convenient to run. Here are some pointers:
- VPS + Wireguard + Nginx Proxy Manager
- Rathole - github.com/rapiz1/rathole
- FRP - github.com/fatedier/frp
- More at anderspitman/awesome-tunneling