Zero-Trust Homelab Access Series
    Part 3 of 4

    Expose Home Services

    Route Jellyfin, Home Assistant, Nextcloud, and more through your VPS with automatic SSL and subdomain routing.

    30–45 min per service
    Intermediate
    Prerequisites

    Completed Part 2, running services on home LAN

    What You'll Build

    Jellyfin, Home Assistant, and Nextcloud exposed via Pangolin

    With your Pangolin tunnel established (Part 1) and identity-aware access configured (Part 2), it's time for the payoff: securely exposing your actual homelab services to the internet.

    The general workflow for exposing any service through Pangolin is the same: create a resource in the dashboard, point it to the service's LAN address and port, assign a subdomain, and set your authentication policy. But each application has its own quirks around headers, WebSocket support, and trusted proxy configuration that we'll address.

    How Pangolin Resources Work

    A resource in Pangolin maps a public subdomain to a private service on your home network. When you create a resource, you specify:

    • Name: A human-readable label (e.g., "Jellyfin").
    • Site: Which Newt tunnel site has LAN access to the service.
    • Subdomain: The public-facing URL (e.g., jellyfin.tunnel.yourdomain.com).
    • Target: The internal IP and port of the service (e.g., 192.168.1.50:8096).
    • SSL: Whether to use HTTPS between Traefik and the backend (usually left off for local services).
    • Auth Policy: Platform SSO, Public, or Shareable Link.

    Service 1: Jellyfin (Media Streaming)

    Jellyfin is the most popular open-source media server in the homelab community. Exposing it through Pangolin gives you Netflix-like access to your media library from anywhere.

    Create the Resource

    1. In the Pangolin dashboard, navigate to Resources → Add Resource.
    2. Name: Jellyfin
    3. Site: Select your Home Lab site.
    4. Domain: jellyfin.tunnel.yourdomain.com
    5. Target: http://192.168.1.50:8096 (replace with your Jellyfin server's LAN IP and port).
    6. SSL to backend: Off (Jellyfin runs HTTP locally).
    7. Authentication: Platform SSO – All Members

    Configure Jellyfin for Reverse Proxy

    Jellyfin needs to know it's behind a reverse proxy to generate correct URLs. In Jellyfin's admin dashboard:

    1. Go to Administration → Networking.
    2. Set Base URL to empty (leave blank).
    3. Under Known Proxies, add the IP of your Newt container or the Docker bridge gateway (typically 172.17.0.1).
    4. Ensure Allow remote connections is enabled.

    Mobile Apps

    Jellyfin's mobile apps work through Pangolin's tunnel. In the app's server connection settings, enter https://jellyfin.tunnel.yourdomain.com. If you have Pangolin SSO enabled, you'll authenticate through the browser first, then the app will use the session. Alternatively, create a shareable link with no expiry for the mobile app.

    Service 2: Home Assistant (Smart Home Control)

    Home Assistant controls your entire smart home, which makes it both incredibly useful to access remotely and critically important to secure. Pangolin's identity-aware proxy is a natural fit.

    Create the Resource

    1. Name: Home Assistant
    2. Domain: ha.tunnel.yourdomain.com
    3. Target: http://192.168.1.60:8123
    4. Authentication: Platform SSO – Admin Only

    Critical: WebSocket Support

    Home Assistant relies heavily on WebSocket connections for its real-time dashboard. Pangolin and Traefik handle WebSocket upgrades automatically, so no additional configuration is needed on the Pangolin side. However, you must verify that Home Assistant's configuration.yaml trusts the proxy:

    configuration.yaml
    # In Home Assistant's configuration.yaml
    http:
      use_x_forwarded_for: true
      trusted_proxies:
        - 172.17.0.0/16      # Docker bridge network
        - 10.0.0.0/8         # WireGuard tunnel range
        - 192.168.1.0/24     # Local LAN

    Restart Home Assistant after making this change. Without trusted_proxies, Home Assistant will reject forwarded requests and you'll see 400 Bad Request errors.

    Security Note: Defense in Depth

    Home Assistant has its own authentication system. With Pangolin SSO enabled, users authenticate twice: once at the Pangolin layer and once at Home Assistant's login. This is actually desirable for defense in depth — even if Pangolin's auth is bypassed somehow, Home Assistant's own auth still protects you.

    Service 3: Nextcloud (File Sync and Collaboration)

    Nextcloud is a comprehensive file hosting, calendar, contacts, and collaboration platform. It's the most configuration-sensitive of our three services because it strictly validates the domains it will respond to.

    Create the Resource

    1. Name: Nextcloud
    2. Domain: cloud.tunnel.yourdomain.com
    3. Target: http://192.168.1.70:8080
    4. Authentication: Platform SSO – All Members

    Configure Nextcloud Trusted Domains and Proxy

    Nextcloud will refuse to serve pages if the incoming hostname isn't in its trusted_domains list.

    config/config.php
    // In Nextcloud's config/config.php
    'trusted_domains' => array(
      0 => '192.168.1.70:8080',
      1 => 'cloud.tunnel.yourdomain.com',
    ),
    'trusted_proxies' => array(
      0 => '172.17.0.0/16',
      1 => '10.0.0.0/8',
    ),
    'overwriteprotocol' => 'https',
    'overwritehost'     => 'cloud.tunnel.yourdomain.com',
    'overwrite.cli.url' => 'https://cloud.tunnel.yourdomain.com',

    The overwriteprotocol and overwritehost settings ensure Nextcloud generates correct HTTPS URLs even though it receives plain HTTP from the tunnel. Without these, you'll get mixed content warnings and broken redirects.
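As an added illustration of why the Home Assistant trusted_proxies entries above and the Nextcloud trusted_domains / trusted_proxies entries here matter, the following Python (not part of the original article or of either project) approximates the app-side checks and audits a request's peer address and Host header against the values from the two snippets; the peer and client addresses are constructed.

```python
import ipaddress
from fnmatch import fnmatch

# Values copied from the configuration.yaml and config.php snippets above.
HA_TRUSTED_PROXIES = ["172.17.0.0/16", "10.0.0.0/8", "192.168.1.0/24"]
NC_TRUSTED_DOMAINS = ["192.168.1.70:8080", "cloud.tunnel.yourdomain.com"]

def peer_is_trusted(peer_ip, trusted_cidrs):
    """True when the TCP peer (Newt container or Docker gateway) is a listed proxy."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:            # malformed address: never trust it
        return False
    return any(addr in ipaddress.ip_network(c, strict=False) for c in trusted_cidrs)

def effective_client_ip(peer_ip, x_forwarded_for, trusted_cidrs):
    """Approximate the rule both apps apply once the proxy settings are in place:
    honour X-Forwarded-For only from a trusted peer, then walk the chain right-to-left
    past trusted hops to the first address no proxy added itself. Returns None when
    the request should be refused: an untrusted peer supplying X-Forwarded-For (the
    400 Bad Request case described in the text) or a malformed hop."""
    if not peer_is_trusted(peer_ip, trusted_cidrs):
        return None if x_forwarded_for else peer_ip
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not peer_is_trusted(hop, trusted_cidrs):
            return hop
    return hops[0] if hops else peer_ip

def host_is_trusted(host_header, trusted_domains):
    """Approximate Nextcloud's trusted_domains check: an entry must match the Host
    header as sent, or the header with its port removed; '*' wildcards are allowed."""
    bare = host_header.rsplit(":", 1)[0] if host_header.count(":") == 1 else host_header
    return any(fnmatch(host_header, d) or fnmatch(bare, d) for d in trusted_domains)

def audit(peer_ip, host_header, trusted_cidrs, trusted_domains):
    """List the misconfigurations that would break a request arriving from the
    Pangolin tunnel at this peer address with this public hostname."""
    findings = []
    if not peer_is_trusted(peer_ip, trusted_cidrs):
        findings.append(f"proxy {peer_ip} missing from trusted_proxies")
    if not host_is_trusted(host_header, trusted_domains):
        findings.append(f"host {host_header} missing from trusted_domains")
    return findings
```

Note that any host inside a listed range, such as the whole of 10.0.0.0/8, can set X-Forwarded-For and be believed, which is why the ranges should be no wider than the tunnel and Docker networks actually use.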

    Desktop and Mobile Sync Clients

    Nextcloud's desktop and mobile sync clients work through Pangolin. Point the client at https://cloud.tunnel.yourdomain.com and authenticate normally. If Pangolin SSO is enabled, the client will open a browser window for the Pangolin login before completing the Nextcloud authentication flow.

    Adding More Services

    The pattern is the same for any service you want to expose. Here are quick-reference configurations for other popular homelab applications:

    Service           Port   Special Considerations
    Immich            2283   Works with header tokens via shareable links for mobile app background uploads
    Vaultwarden       8080   Admin-only access; consider relying on Vaultwarden's own strong auth
    Gitea / Forgejo   3000   Standard reverse proxy setup; add the public URL to Gitea's ROOT_URL setting
    Grafana           3000   Set GF_SERVER_ROOT_URL to the public domain; WebSocket works automatically
    Paperless-ngx     8000   Set PAPERLESS_URL to the public domain for correct redirect behavior
    Uptime Kuma       3001   WebSocket-based; works out of the box with Pangolin

    Wildcard Domains and Automatic Routing

    If you set up the wildcard DNS record (*.tunnel.yourdomain.com) in Part 1, adding new services is frictionless. Just create a resource in Pangolin with any subdomain and it immediately resolves and gets an SSL certificate via Let's Encrypt. No DNS changes needed.

    Pangolin and Traefik handle certificate issuance and renewal automatically. Certificates are stored in the letsencrypt/acme.json file and renewed before expiration with no manual intervention.

    Performance Considerations

    Running all traffic through a VPS adds latency compared to direct LAN access. Here are some tips to minimize the impact:

    Choose a close datacenter

    RamNode offers multiple locations. Pick the one closest to your home for the lowest round-trip time.

    Transcode locally for Jellyfin

    Hardware transcoding (Intel QSV, NVIDIA NVENC) happens on your home server. Only the final stream passes through the tunnel, so bandwidth matters more than VPS CPU.

    Monitor bandwidth

    Pangolin's dashboard shows data throughput per site. The $5/month RamNode plan includes generous bandwidth, but keep an eye on usage if you stream heavily.

    Enable HTTP/2

    Traefik enables HTTP/2 by default, which multiplexes requests and reduces connection overhead for services with many assets like Nextcloud's web interface.

    What's Next

    In Part 4 of this series, we'll cover hardening and monitoring — deploying CrowdSec and Fail2ban for threat detection, setting up Beszel for lightweight server monitoring, and configuring access logs for full audit trails.

    Don't have a VPS yet? RamNode offers KVM VPS plans starting at $4/month — the perfect entry point for your Pangolin deployment.