ASWIN RAJEEV

This has been on my bucket list for a long time, and I’m finally in a place where things are stable. I’ve been using this setup consistently for over three months now. A fair warning to the uninitiated, this is a rabbit hole. Once you go down this path, it’s extremely likely you’ll start spending money on hardware, encrypted storage solutions, virtual private servers, and home lab upgrades you didn’t know you “needed.”

Initially, all I wanted was a way to store my photos outside of Google Photos and iCloud because I was running out of storage. I started looking at open-source options, and Immich came up again and again. But before jumping into a photo stack, I wanted a solid foundation. I wanted to architect a reliable way to run applications at home and access them securely from anywhere.

Accessing my home lab remotely

Reddit and Discord are gold mines of useful information. I've been a long-time member of the r/selfhosted subreddit and I'm also part of several open-source Discord groups. Having tried all of these approaches, here are some of the most common ways to access a home lab remotely, each with its trade-offs.

Mesh VPNs (Tailscale / NetBird)

This is probably the easiest way to access your home lab remotely. The learning curve is also much shorter and most of it can be done through a GUI. You install a client on the devices you want to access your services from, and they can connect to your home network as if they were local. Both have generous free tiers. NetBird supports self-hosting, and if you want a self-managed control plane for Tailscale clients, Headscale is a popular open-source option (third-party, not maintained by Tailscale). In my case, backups to my home server depended on my client devices being connected to the VPN, which nudged me toward alternatives.

Cloudflare Tunnels

Cloudflare Tunnels can expose services without opening inbound ports at home, and you benefit from Cloudflare’s edge network and protections. The trade-off is dependency. Your traffic flows through Cloudflare, and if Cloudflare has an outage, access to your stack can be affected. Plenty of home lab users (and businesses) are comfortable with that, but I wanted a setup that didn’t hinge on a single external provider.

A VPS reverse proxy + encrypted tunnel back home

This is the path I ended up choosing. I have a small VPS as the public entry point that connects back to my home server via an encrypted tunnel. Pangolin has become a popular option in the home lab space for packaging this pattern into a relatively streamlined workflow. In my setup, it pairs a WireGuard-based encrypted tunnel with Traefik as the reverse proxy. Traefik handles TLS certificates via Let’s Encrypt, and the VPS-to-home link stays encrypted. Pangolin also relies on a companion component called Newt running on the home server so it can maintain the connection between the VPS and my internal services. The downside is probably the learning curve: it relies on you configuring your VPS, opening the ports Pangolin requires, and so on. Since I was already familiar with these, it wasn't that complicated. Their documentation is also very comprehensive and super useful.

My setup

I started with a VPS at Hostinger because their pricing was hard to beat, but I ran into issues quickly. I later moved to Webdock, and it’s been a better fit for me: good performance for the price, servers in Europe, useful tools, and a dashboard that makes it easy to keep an eye on things (the mobile apps are a nice bonus, too).

On the VPS, I installed Debian and did some basic hardening:

  • configured SSH

  • moved SSH off the default port (22)

  • disabled password logins

  • installed UFW (Uncomplicated Firewall) and denied inbound traffic by default, only allowing the ports needed for my setup
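The list above is the order I would also script it in. Below is an added example of that hardening pass (my own illustration, not the post's or Pangolin's code). It renders an sshd drop-in and the matching UFW rule set, checks the rendered SSH config for the two properties that matter (password logins off, SSH not on 22), and only in `apply` mode writes the files and reloads the daemon. It assumes Debian 12 (which includes `/etc/ssh/sshd_config.d/*.conf` by default), an SSH port of 2222, and the Pangolin ports 80/tcp, 443/tcp and 51820/udp; the post names none of these, so treat them as assumptions and check the current Pangolin docs.

```bash
#!/usr/bin/env bash
# Added example: render, check and (optionally) apply the SSH + UFW hardening
# described in the post. Run with no arguments for a dry run that prints the
# generated config; run as root with "apply" to write it.
set -euo pipefail

SSH_PORT="${SSH_PORT:-2222}"                      # assumed; the post does not name a port
PANGOLIN_PORTS=(80/tcp 443/tcp 51820/udp)         # assumed per Pangolin docs; verify for your version
DROPIN=/etc/ssh/sshd_config.d/10-hardening.conf   # Debian 12 includes this directory by default

# Render the sshd drop-in: non-default port, keys only, no password or
# keyboard-interactive auth, root only with a key.
render_sshd_dropin() {
  local port="$1"
  cat <<EOF
# ${DROPIN}
Port ${port}
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
EOF
}

# Render the UFW commands: deny inbound by default, rate-limit SSH on its new
# port, and allow only the extra ports the tunnel/proxy needs.
render_ufw_rules() {
  local ssh_port="$1"; shift
  printf 'ufw default deny incoming\n'
  printf 'ufw default allow outgoing\n'
  printf 'ufw limit %s/tcp\n' "$ssh_port"
  local p
  for p in "$@"; do
    printf 'ufw allow %s\n' "$p"
  done
  printf 'ufw --force enable\n'
}

# Sanity check on a rendered drop-in: returns 0 only if password auth is off
# and the configured port is not the default 22.
check_sshd_dropin() {
  local cfg="$1"
  printf '%s\n' "$cfg" | grep -qx 'PasswordAuthentication no' || return 1
  printf '%s\n' "$cfg" | grep -qE '^Port [0-9]+$' || return 1
  if printf '%s\n' "$cfg" | grep -qx 'Port 22'; then return 1; fi
  return 0
}

apply_hardening() {
  [ "$(id -u)" -eq 0 ] || { echo "apply requires root" >&2; return 1; }
  local cfg
  cfg="$(render_sshd_dropin "$SSH_PORT")"
  check_sshd_dropin "$cfg" || { echo "rendered sshd config failed checks" >&2; return 1; }

  # Open the new SSH port in the firewall BEFORE moving sshd, so a fresh
  # session can still get in. Each rendered line is a plain ufw invocation.
  local line
  render_ufw_rules "$SSH_PORT" "${PANGOLIN_PORTS[@]}" | while read -r line; do
    $line
  done

  printf '%s\n' "$cfg" > "$DROPIN"
  chmod 600 "$DROPIN"
  # Validate the full effective config before reloading; a syntax error here
  # would otherwise leave you locked out.
  sshd -t
  systemctl reload ssh
  echo "sshd now on port ${SSH_PORT}; keep this session open and test a new login first."
}

case "${1:-render}" in
  apply)  apply_hardening ;;
  render) render_sshd_dropin "$SSH_PORT"; echo
          render_ufw_rules "$SSH_PORT" "${PANGOLIN_PORTS[@]}" ;;
esac
```

Two habits embedded here are worth keeping even if you type the commands by hand: allow the new SSH port in UFW before changing `Port`, and run `sshd -t` before the reload so a typo cannot cost you the only way into the box.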

After that, I installed Docker and Docker Compose and deployed Pangolin following their documentation. Once the tunnel and reverse proxy were working, I finally felt like I had a solid base to build on. There’s also an option to add CrowdSec for extra protection (it helps identify and block abusive traffic using shared threat intelligence). My home server is a Beelink mini PC with 32GB of RAM, a 512GB SSD, and a 13th-gen i5 CPU. For the services I’m planning to run, starting with photos and expanding from there, it’s been more than capable so far.

What’s next

In the next parts, I’ll share more about Pangolin, the services I’m running, and how I’ve managed authentication/authorization. Until the next monthly log—happy writing.