There are several ways to access self-hosted services from outside your LAN.
The right option depends on who needs access:
- only your own devices
- friends or family
- anonymous public internet users
- webhooks from third-party services
- federated services like Matrix
This page is a decision map. Use the linked guides for full deployment steps.
Quick Choice
| Goal | Good starting point |
|---|---|
| Access private services from your own devices | Tailscale |
| Expose a public web app without opening router ports | Cloudflare Tunnel |
| Self-host the tunnel control plane through a VPS | Pangolin |
| Expose services with HTTPS on your own public IP | Nginx Proxy Manager |
| Accept inbound federation or special protocols | Reverse proxy plus correct ports/DNS |
| Avoid exposing anything publicly | Mesh VPN only |
Tailscale
Tailscale is usually the easiest answer when the service is only for you or trusted devices.
It gives you a private WireGuard-based mesh network. You do not need to publish the service to the internet.
Use it for:
- admin panels
- dashboards
- private note apps
- HomeLab maintenance
- SSH access
- services that should not be indexed or publicly reachable
Cloudflare Tunnel
Cloudflare Tunnel is useful when you want a public HTTPS URL without opening router ports or exposing your home IP.
It works well for web apps, webhooks, and services that fit HTTP routing.
Use it for:
- public demos
- webhook endpoints
- dashboards with strong authentication
- web apps behind Cloudflare Access
Pangolin
Pangolin follows a similar outbound-tunnel idea, but with a self-hosted control plane.
It is useful when you like the tunnel model but want more of the infrastructure under your own control, usually with a small VPS involved.
Nginx Proxy Manager
Nginx Proxy Manager is a good fit when you have inbound connectivity and want a friendly UI for reverse proxy hosts and Let’s Encrypt certificates.
Use it when:
- you control DNS
- your network can accept inbound traffic
- you want HTTPS certificates
- you want multiple services behind one reverse proxy
Port Forwarding
Port forwarding is the direct route.
It can work, but it has the largest exposure surface:
- your home IP is public
- router/firewall mistakes matter
- every exposed service must be hardened
- CGNAT can make it impossible
If you use port forwarding, put services behind HTTPS, keep them updated, and expose only what must be public.
What Not to Expose Directly
Avoid public exposure for:
- Docker management UIs
- databases
- qBittorrent or Transmission web UIs
- internal admin dashboards
- anything without authentication
- anything with default credentials
Prefer Tailscale or another private network for those.
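One way to check a host against this list, as an added example that is not part of the original guide: the script parses `ss -tlnH` output and reports sensitive services that listen on every interface instead of on loopback or a private mesh address. The port-to-service map uses common default ports and is an assumption, and the sample input is constructed.

```python
import ipaddress

# Assumption: default ports for the service types listed above; adjust to your stack.
SENSITIVE_PORTS = {
    2375: "Docker API (plaintext)",
    2376: "Docker API (TLS)",
    9000: "Portainer",
    9443: "Portainer (HTTPS)",
    3306: "MySQL/MariaDB",
    5432: "PostgreSQL",
    6379: "Redis",
    27017: "MongoDB",
    8080: "qBittorrent web UI",
    9091: "Transmission web UI",
}

# Constructed sample of `ss -tlnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 4096 [::]:9000 [::]:*
LISTEN 0 128 100.64.0.5:9091 0.0.0.0:*
LISTEN 0 4096 *:2375 *:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
"""

def split_local(field):
    """Split the Local Address:Port column into (address, port)."""
    addr, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %interface suffix.
    return addr.strip("[]").split("%")[0], int(port)

def audit(ss_output):
    """Return (port, service, address) for sensitive ports bound to all interfaces."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, port = split_local(cols[3])
        wildcard = addr == "*" or ipaddress.ip_address(addr).is_unspecified
        if wildcard and port in SENSITIVE_PORTS:
            findings.append((port, SENSITIVE_PORTS[port], addr))
    return sorted(findings)

if __name__ == "__main__":
    for port, service, addr in audit(SAMPLE_SS):
        print(f"{service} on port {port} listens on all interfaces ({addr})")
```

A wildcard bind is not public by itself, but it becomes reachable the moment a port forward or reverse proxy rule points at it. Rebinding the service to `127.0.0.1` or the host's mesh VPN address removes that risk.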
Decision Table
| Option | Best for | Tradeoff |
|---|---|---|
| Tailscale | Private device-to-device access | Not a public website publishing path |
| Cloudflare Tunnel | Public HTTPS without router ports | Traffic and access path depend on Cloudflare |
| Pangolin | Self-hosted tunnel pattern | Needs a VPS/control plane |
| Nginx Proxy Manager | Public HTTPS on your own ingress | Needs inbound network access |
| Port forwarding | Simple direct exposure | Highest operational risk |