Accessing the homelab externally
Not a sponsored post or endorsement of any services mentioned, just my opinions as a homelabber.
Remote access wasn’t something I had in the homelab early on, but when travelling out of town it’s nice to be able to work on projects involving the homelab. Since I don’t want to expose services using my public IP, I had to find a different method.
I ran Netmaker self-hosted Community Edition for remote access to the homelab starting around 2022, which meant maintaining a server installation on a VPS. I replaced the entire setup with Tailscale in January 2025. I tend to avoid adding more SaaS into the mix without it being necessary, but I made an exception here. If I ever want to get out, there’s Headscale, which I recently learned is maintained part-time by an employee at Tailscale.
I thought about putting every device in the homelab into the mesh network, but that includes more maintenance and a larger set of changes if I ever want to switch tools or services down the line. This led me to Egress Gateway and it seemed to fit perfectly for my use case:
```mermaid
graph BT
    vpn_vlan-->|Firewall opening|k3s_ingress_controller_vip[K3s Ingresscontroller VIP]
    vpn_vlan-->|Firewall opening|proxmox_vlan[Proxmox VLAN]
    subgraph homelab[Homelab]
        subgraph vpn_vlan[VPN VLAN]
            gateway
        end
        k3s_ingress_controller_vip
        proxmox_vlan
    end
    client[Netmaker Client]<-->|Key exchange, etc|service[Netmaker server]
    client<-->|Route traffic|gateway[Netmaker Egress Gateway VM]
```
I later implemented the same setup with Tailscale, using Subnet Router to achieve the same functionality:
```mermaid
graph BT
    vpn_vlan-->|Firewall opening|k3s_ingress_controller_vip[K3s Ingresscontroller VIP]
    vpn_vlan-->|Firewall opening|proxmox_vlan[Proxmox VLAN]
    subgraph homelab[Homelab]
        subgraph vpn_vlan[VPN VLAN]
            gateway
        end
        k3s_ingress_controller_vip
        proxmox_vlan
    end
    client[Tailscale Client]<-->|Key exchange, etc|service[Tailscale control server]
    client<-->|Route traffic|gateway[Tailscale Subnet Router VM]
```
This approach has worked for around 4 years at this point, with little maintenance required on my end. My external devices get remote access, and the VPN VLAN is locked down to specific parts of the homelab with firewall rules. Loading my external devices with the homelab CA root certificate also gives me TLS and no browser warnings when accessing services such as Grafana, ArgoCD or Proxmox on the go.
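The firewall lockdown of the VPN VLAN described above can be checked mechanically. The following is an added example, not configuration from this homelab: it models a first-match rule list and flags any allow rule from the VPN VLAN that reaches beyond the two intended openings. All subnets, the rule list and the ports (443 for the ingress VIP, 8006 for the Proxmox web UI) are constructed assumptions.

```python
import ipaddress as ip

# Constructed addressing plan (assumptions, not taken from the post).
VPN_VLAN = ip.ip_network("10.0.50.0/24")        # where the gateway / subnet router VM sits
INTENDED = [                                     # the only openings the design calls for
    (ip.ip_network("10.0.20.10/32"), 443),       # K3s ingress controller VIP, HTTPS
    (ip.ip_network("10.0.30.0/24"), 8006),       # Proxmox VLAN, web UI
]

# Constructed rule set: (action, source, destination, port). First match wins.
RULES = [
    ("allow", "10.0.50.0/24", "10.0.20.10/32", 443),
    ("allow", "10.0.50.0/24", "10.0.30.0/24", 8006),
    ("allow", "10.0.50.0/24", "10.0.0.0/16", 22),    # deliberately too broad
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),        # None means any port
]

def decide(rules, src, dst, port):
    """Return the action of the first rule matching the flow; deny if none match."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, rsrc, rdst, rport in rules:
        if s in ip.ip_network(rsrc) and d in ip.ip_network(rdst) and rport in (None, port):
            return action
    return "deny"

def audit(rules):
    """Return allow rules sourced from the VPN VLAN that exceed the intended openings.

    Simplification: rules are judged one by one, shadowing by earlier rules is ignored.
    """
    findings = []
    for rule in rules:
        action, rsrc, rdst, rport = rule
        if action != "allow" or not ip.ip_network(rsrc).overlaps(VPN_VLAN):
            continue
        dst = ip.ip_network(rdst)
        # Acceptable only if fully inside an intended destination on the same port.
        if not any(dst.subnet_of(net) and rport == p for net, p in INTENDED):
            findings.append(rule)
    return findings

if __name__ == "__main__":
    print("ingress VIP 443:", decide(RULES, "10.0.50.2", "10.0.20.10", 443))
    print("other VLAN 443:", decide(RULES, "10.0.50.2", "10.0.40.7", 443))
    for finding in audit(RULES):
        print("too broad:", finding)
```

Running the audit after every firewall change catches a temporary "allow everything from the gateway" rule that never got removed, which matters because a compromised remote device inherits whatever the VPN VLAN can reach.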