A surprising number of homelab guides start with opening ports, reverse proxies, HTTPS, and hardening. That's the assumed path. And when you’re through, you spend time securing everything you’ve just made public. When I first started self-hosting, I tried following the same path but couldn’t, even though I wanted to. CGNAT blocked me before I started. At first, I treated it as a roadblock until I realized not all my self-hosted services required public access. It was a turning point when I started using Tailscale, not because it provided a better security layer, but because it removed the need for public exposure entirely.

I was solving a problem I created myself

The internet didn't need to see my server

The homelab community follows the same pattern that every new tinkerer does. You build a server, you install services, and then you want those services reachable outside the home? Open a port, set up a reverse proxy, configure HTTPS, add authentication, and you are done. That is the go-to guide for someone who has just entered the hobby. I was in the same shoes, trying to follow the pattern, but I got stuck at the very first step of that list: I didn't even have the option to open a port.

I live in the countryside, and that is my gift from the ISPs. I have two internet connections at home from two different ISPs, and unfortunately, both are behind CGNAT. Meaning no public IP address to start with, let alone a static one: the address on my router's WAN side is a private one shared with other customers, so unsolicited inbound connections never reach me. One of the ISPs offered a static IP address, but it cost almost as much as the connection itself, so I passed. And because of the CGNAT, traditional port forwarding simply wasn't an option for me. I started looking for workarounds to access my services from outside.

That's when I looked at my stack: most of the services didn't even need public exposure. AdGuard Home, the Portainer dashboard, the Omada Controller, NAS management, monitoring dashboards, and system admin tools. I started questioning myself: who actually uses these? How often does anyone else need access to them? Why should they be reachable from the internet? The answer was just me, and I was already inside the network.

Public exposure meant SSL certificates, authentication, updates, reverse proxy rules, and security reviews for every single service. And I realized that none of these were necessary for admin panels and dashboards that I was the only one who ever touched. I wasn't solving a security problem. I was creating exposure and then trying to secure it. And security gets a lot simpler when there is nothing exposed to secure in the first place.

Tailscale moved the front door somewhere else

Only trusted devices can even knock

My assumption was that remote access required exposing a service, and if I wanted something accessible outside my home, a public route was mandatory. Then I came across private overlay networks, where access is gated by which devices are enrolled rather than by who can reach a public address. It was simple: Trusted Device -> Private Network -> Application. Tailscale was the easiest solution for my case.

The setup was simple, and it resolved all the issues I had with my network. I created an account and got my private network, called a tailnet. Then I installed the Tailscale client on all my devices under the same account, and everything landed on the same private network. I didn't need to worry about CGNAT anymore.

And since they were part of the same network, services could stay private and accessible from anywhere. No public IP required. No port forwarding. No opening firewall rules for internet access. Yet all my services were still reachable, not by everyone, only by me. How did it bypass my CGNAT issues? NAT traversal. Tailscale negotiates a direct WireGuard connection between two devices whenever the NATs on both ends allow it, and falls back to relaying the (still end-to-end encrypted) traffic through its DERP relay servers when a direct path can't be found. Because every device only ever makes outbound connections, it worked even when both sides sat behind CGNAT.
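One caveat worth spelling out: a new tailnet ships with a policy that lets every enrolled device reach every other device on every port. That is fine while the only member is you, but the moment a second person's device joins, it is the policy file, not the enrollment, that decides who can knock on the admin ports. Below is an added example of a Tailscale ACL policy (not from the original post or from Tailscale's own docs) that grants the admin services on a tagged server to one user's devices only. The user name, the tag name and the port numbers are assumptions for the example.

```hujson
{
  // Who may assign the tag to a node. "autogroup:admin" is a built-in group
  // of tailnet admins; on a single-user tailnet that is just the owner.
  "tagOwners": {
    "tag:homelab": ["autogroup:admin"],
  },

  "acls": [
    // Admin-only services on the tagged server, reachable from the owner's
    // devices only. User and ports are assumptions for this example:
    // AdGuard Home 3000, Portainer 9443, Omada Controller 8043, Grafana 3001.
    {
      "action": "accept",
      "src":    ["owner@example.com"],
      "dst":    ["tag:homelab:3000,9443,8043,3001"],
    },
    // Nothing else is listed, and there is no "*" -> "*:*" rule any more,
    // so every other source/destination pair is denied by default. A device
    // enrolled later for a family member cannot reach the admin ports above.
  ],

  // Assertions checked when the policy is saved: the owner can reach
  // Portainer, and SSH on the server is not opened by accident.
  "tests": [
    {
      "src":    "owner@example.com",
      "accept": ["tag:homelab:9443"],
      "deny":   ["tag:homelab:22"],
    },
  ],
}
```

The tag has to be applied on the server side (`sudo tailscale up --advertise-tags=tag:homelab`) before the `dst` entry matches anything, and `tailscale status` on a client will still list the server as a peer even for ports the policy denies; the denial happens at the packet level, so test it with an actual connection rather than by looking at the peer list.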

Once Tailscale was fully configured on all my devices, the random scans, login brute-force attempts, and bot crawling that used to hit my public URLs disappeared as if they had never existed, because every connection now went through Tailscale's private network. The service didn't become invisible because it was hardened. It became invisible because it stopped being public.

I'm not claiming that Tailscale is magic, but I've learned that reducing exposure beats hardening every endpoint. In the end, I didn't stop accessing my services remotely; I stopped making them visible to the entire internet.

Public access became the exception, not the default

Now I have to justify exposure

Tailscale had been my default from day one. I could remotely access my services from anywhere, CGNAT no longer mattered, and all the internal tools stayed private and accessible only via the tailnet. For a while, the setup covered everything I hosted. But as my homelab grew, my services split into two categories. Some were only used by me, such as system admin tools and monitoring dashboards, and others were used by my family, such as Jellyfin, Immich, and Nextcloud.

Installing Tailscale on every family member's device didn't make sense. And I couldn't just forward a port and set up a reverse proxy either; CGNAT had me locked there. That pushed me toward other workarounds, and Cloudflare Tunnel was the homelab community's usual first choice. Once I implemented it, I understood why it solves the problem so elegantly: the cloudflared agent opens an outbound connection from my network to Cloudflare's edge, and Cloudflare routes requests for my hostnames back down that connection, so no inbound port ever has to be opened on my side. The implementation was simple enough to do in a couple of hours. Just a Docker container and a few config files mapping my preferred domains to those services, and I was done; all of them were publicly accessible.
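The following is an added example of what those "few config files" look like; it is not the original post's configuration or anything shipped by Cloudflare. Hostnames, the tunnel name, container names and ports are assumptions for the example.

```yaml
# cloudflared/config.yml (mounted into the container below)
tunnel: homelab                                 # tunnel name (a UUID also works),
                                                # created with `cloudflared tunnel create homelab`
credentials-file: /etc/cloudflared/homelab.json # written by the create command

ingress:
  # Each rule maps one public hostname to a service reachable from the
  # cloudflared container on the Docker network. Only listed hostnames get
  # a public route; the tunnel never forwards anything else.
  - hostname: jellyfin.example.com
    service: http://jellyfin:8096
  - hostname: photos.example.com
    service: http://immich-server:2283
  - hostname: cloud.example.com
    service: http://nextcloud:80
  # Required catch-all: any request that matches no hostname above is
  # answered with 404 instead of being proxied somewhere by accident.
  - service: http_status:404

# --- docker-compose.yml (service definition for the agent only) ---
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate --config /etc/cloudflared/config.yml run
    volumes:
      - ./cloudflared:/etc/cloudflared:ro
    restart: unless-stopped
    networks: [homelab]          # same Docker network as jellyfin, immich-server, nextcloud
```

Each hostname still needs a DNS record pointing at the tunnel (`cloudflared tunnel route dns homelab jellyfin.example.com` creates the CNAME). Note what has changed with this file in place: the three applications are now reachable by anyone on the internet, so their own login pages, MFA and update cadence are the front door again, exactly the work the tailnet let me skip for the admin tools.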


Over time, I wanted fewer dependencies on a single provider, and Cloudflare's terms of service restrict hosting streaming services behind Tunnel, which was starting to bother me. So I started moving a few services to my self-hosted Pangolin instance, which gave me more control over the ingress path. Today, looking at my stack, I have more than 15 services hosted on my homelab, and the split is clean. Admin interfaces, monitoring dashboards, and internal tools never have a public URL and live privately behind Tailscale. Public-facing services like Jellyfin, Immich, and Nextcloud get an open URL either from Cloudflare Tunnel or from Pangolin.
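A split like this only stays clean if the admin services are actually bound to the Tailscale address (or loopback) rather than to all interfaces, where a future port forward, a misconfigured tunnel rule or a guest on the LAN would reach them. The script below is an added example of that check, not something from the original post: it classifies every listening TCP socket from `ss -ltn` by the address it is bound to and fails if an admin-only port is bound on all interfaces. The admin port numbers and the sample `ss` output are constructed for the example.

```sh
#!/bin/sh
# Exposure audit for a homelab host: classify every listening TCP socket by the
# address it is bound to, then fail if an admin-only port is reachable on all
# interfaces. Feed it `ss -ltn`; the sample at the bottom is constructed.

# Admin-only ports (assumptions for this example: AdGuard Home 3000,
# Portainer 9443, Omada Controller 8043, Grafana 3001). These should only ever
# be bound to loopback or to the host's Tailscale address.
ADMIN_PORTS="3000 9443 8043 3001"

# Reads `ss -ltn` output on stdin and prints "CLASS PORT ADDR" per socket.
classify_listeners() {
  awk 'NR > 1 {
    n    = split($4, parts, ":")                 # $4 is "addr:port"; port follows the last colon
    port = parts[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    cls  = "OTHER"                               # e.g. a LAN address
    if      (addr == "127.0.0.1" || addr == "[::1]")                      cls = "LOOPBACK"
    else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")          cls = "ALL_IFACES"
    else if (addr ~ /^100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\./)    cls = "TAILNET"   # 100.64.0.0/10
    print cls, port, addr
  }'
}

# Exit status 1, with one line per offender, if an admin port is bound on all interfaces.
audit_admin_ports() {
  classify_listeners | awk -v ports="$ADMIN_PORTS" '
    BEGIN { split(ports, p, " "); for (i in p) admin[p[i]] = 1 }
    $1 == "ALL_IFACES" && ($2 in admin) { print "EXPOSED: admin port " $2 " bound to " $3; bad = 1 }
    END { exit bad ? 1 : 0 }'
}

# Constructed sample: Portainer correctly on the Tailscale IP, AdGuard on loopback,
# Jellyfin deliberately on all interfaces (it is public on purpose), Omada wrongly
# on all interfaces.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   100.64.0.5:9443    0.0.0.0:*
LISTEN 0      511    127.0.0.1:3000     0.0.0.0:*
LISTEN 0      4096   *:8096             *:*
LISTEN 0      4096   0.0.0.0:8043       0.0.0.0:*'

# On a real host replace the sample with: ss -ltn | audit_admin_ports
printf '%s\n' "$SAMPLE" | audit_admin_ports || echo "audit failed: fix the bindings above"
```

Binding a container's port to the Tailscale address is usually a one-line change in Docker (`100.64.0.5:9443:9443` instead of `9443:9443`), and the Tailscale IP is stable for the lifetime of the node, so the audit can run from cron and page you only when a new service quietly lands on `0.0.0.0`.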

After all this, my perspective and my questions changed from "How do I expose this?", "Which port?" and "Which reverse proxy?" to "Does this actually need exposure?", "Who needs access?" and "What breaks if it remains private?"

The internet didn't need to see everything

Tailscale didn’t make my homelab immune to all security risks, and it was never meant to. I still think good passwords, MFA, and software updates matter, but now I also think carefully about each service I deploy. The whole experiment didn’t change how I deploy a service; it changed my thinking around whether it needs public exposure at all. The biggest change wasn't choosing a different way to publish services. It was realizing that every service should have to earn its place on the public internet.
