This was the hardest part of my homelab. Not because of cables or ports, but because I didn’t yet understand the shape of the problem.
I replaced memorized IP addresses and ports with clean domain names, HTTPS, and a single entry point using Nginx Proxy Manager and Tailscale. The result is a system that feels like a cloud service but runs entirely on hardware in my house.
Why This Part Was So Hard
Up until this point, everything in the homelab felt additive. Install Proxmox. Spin up a VM. Add a service. If something broke, it usually broke in isolation.
Networking was different.
I didn’t just lack knowledge. I lacked orientation. I hadn’t yet figured out what questions to ask.
I did what I always do when learning something new:
- Watched dozens of YouTube videos
- Read blog posts and Reddit threads
- Used generative AI tools to guide setup and troubleshooting
The problem was that almost all of this guidance assumed a baseline I didn’t have.
The videos and blog posts I read described hardware and systems I didn’t have access to: managed switches, VLANs, enterprise routers, or a pristine rack-mounted setup.
The AI tools were confident, but lacked context awareness. When things didn’t work, they repeated the same instructions and reassured me that it should “just work.”
Eventually, I realized I wasn’t failing to follow directions. I had reached the edge of what the instructions (human or AI) understood about my environment.
The breakthrough didn’t come from insight.
It came by accident.
The Problem I Needed to Solve
For a long time, my homelab worked, but only if I didn’t think too hard about it. By this point, my homelab had grown to around 20 services.
Each one lived at an address like:
192.168.86.100:8123
192.168.86.19:32400
192.168.86.35:443
Everything lived at an address made of numbers. I had to remember ports. My life became a mix of internet bookmarks and Post-It notes. Nothing was encrypted. My browser constantly warned me that connections weren’t private, and over time, I learned to click past those warnings without really reading them.
Each new service I added made the situation worse. Not because the services were bad, but because the system had no structure. I wasn’t building trust. I was eroding it.
The “Private Cloud” Idea
I realized I didn’t need more services. I had an access problem.
I set out to build what I consider a Private Cloud. It appears to be a cloud-based service, with clean web addresses, real HTTPS connections, and a consistent experience across every device, yet the data never leaves my house.
There are no open ports on my router. From the outside, my services simply don’t exist. And yet, from my perspective, it works exactly like a modern hosted service.
Instead of typing something like 192.168.86.110:32400, I wanted to type: https://plex.heartpine.online
That change sounds small, but it completely changed how the system felt.
- I don’t have to remember anything.
- The address tells me what I’m accessing.
- My browser recognizes it as legitimate.
This is the difference between a workaround and infrastructure.
The Blueprint: The “No-Migration” Workflow
Here’s the important part. I didn’t tear everything down or migrate all my apps. My media servers, automation tools, and background services stayed exactly where they were, doing what they always did.
I needed to learn that many real systems work in this way. The application logic stays put, while access and routing live at the edge. I simply layered a new Gateway VM on top as a “Front Door.”
In the real world, we don’t walk into buildings through random side doors. We use a front door. Someone checks who we are. The inside can change, but the entrance stays the same.
Nginx Proxy Manager (NPM) is the Front Desk Receptionist. People (internet traffic) walk into the hotel lobby from the street. They ask, “Where is the restaurant?” or “Where is the gym?” The Receptionist points them to the correct door. It handles strangers and directs them to the appropriate location.
Tailscale is a VIP Staff Keycard. You don’t walk through the lobby. You don’t talk to the receptionist. You use your card to open a side door that leads straight into the office or kitchen. The bonus is that it doesn’t matter if you are across the street or across the world. The keycard lets you in as if you were a resident. It is for you and your team only, bypassing the public entirely.
Together, they form a unified Ingress Gateway that manages all traffic entering my network.
- One place where traffic enters.
- One system that determines where requests are directed.
- Both run on the one Gateway VM, so Nginx Proxy Manager and Tailscale work together.
That’s what I needed to build. Here is exactly how I set it up:
Step 1: The Identity (Cloudflare & Domains)
I started by buying a domain and managing the DNS records in Cloudflare.
- The Trick: I created a wildcard A record (*.heartpine.online) that points to the internal LAN IP of my new Gateway VM (e.g., 192.168.86.10). The record has to be “DNS only” (grey cloud), not proxied through Cloudflare: Cloudflare’s proxy cannot reach a private origin, and proxying would defeat the point anyway.
- Why this works: If a stranger on the internet types in my URL, their computer resolves it to 192.168.86.10, a private (RFC 1918) address that the public internet does not route. Their packets go to their own LAN at best, and never to mine. It only works for me because I am on my network (physically or virtually).
- Two caveats: the record itself is public, so anyone can learn that the domain exists and which private IP it points at; that is harmless, but it is not a secret. And some routers and resolvers ship with DNS rebinding protection that refuses public DNS answers containing private addresses (dnsmasq-based firmware and pfSense both do this). If a device on your LAN can’t resolve the names at all, that is the first thing to check, and the fix is to whitelist the domain there.
Step 2: The Router (Tailscale)
Since I didn’t want to install Tailscale on every single container I own, I installed it once on the Gateway VM and configured it as a Subnet Router. A subnet router is like having a dedicated concierge in my hotel. Instead of giving every guest room its own private phone line to the outside world, I just call the concierge. They know every room’s extension and can relay messages back and forth for me. This allows me to connect securely to all my services and tools using their private room numbers (local IP addresses), even when I’m far away from the hotel.
- Command: sudo tailscale up --advertise-routes=192.168.86.0/24 . Two prerequisites, or nothing gets relayed: enable IP forwarding on the Gateway VM (net.ipv4.ip_forward=1 in sysctl, made persistent), and approve the advertised route in the Tailscale admin console, since advertised routes are not active until an admin accepts them.
- The Result: When I am on my phone at a coffee shop and turn on Tailscale, I can instantly ping every device on my home network. The Gateway VM acts as a bridge. My existing LXCs don’t even know Tailscale exists. They just see traffic coming from the Gateway.
Step 3: The Proxy (Nginx Proxy Manager)
Inside the Gateway VM, I also run Nginx Proxy Manager (NPM) in Docker. This is the front desk receptionist.
When I configure a host in NPM, it looks like this:
- Domain Name: plex.heartpine.online
- Forward Host: 192.168.86.110 (The existing LAN IP of my Plex LXC)
- Forward Port: 32400
Nginx bridges the gap. Traffic hits the Gateway, Nginx reads the hostname the browser asked for (the Host header, and the SNI name for HTTPS), picks the matching proxy host, and forwards the request to the old LXC running in the background. Note what it does not do: it never checks who you are. Being able to reach the Gateway at all, on the LAN or over Tailscale, is the access control.
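Steps 1 to 3 together decide what happens to a request. The Python below is an added example, not the author’s configuration and not anything Nginx Proxy Manager ships: it models the three pieces (the wildcard record, the subnet the router advertises, the NPM proxy-host table) with assumed values patterned on the post. The 192.168.86.10 gateway, a Plex host at 192.168.86.110:32400 and a Home Assistant host at 192.168.86.100:8123 are all assumptions. It checks the configuration the way a practitioner would before trusting it, and prints roughly the nginx server block NPM generates for one proxy host, so the part NPM hides is visible.

```python
import ipaddress

# Assumed values patterned on the post, not the author's real configuration.
LAN = ipaddress.ip_network("192.168.86.0/24")      # what the subnet router advertises
GATEWAY = ipaddress.ip_address("192.168.86.10")     # what *.heartpine.online resolves to
DOMAIN = "heartpine.online"

# NPM proxy hosts: public name -> (forward host, forward port). Assumed examples.
PROXY_HOSTS = {
    "plex.heartpine.online": ("192.168.86.110", 32400),
    "ha.heartpine.online": ("192.168.86.100", 8123),
}


def resolve(name):
    """Mimic the Cloudflare wildcard: any name under the domain answers with the gateway's LAN IP."""
    return GATEWAY if name.endswith("." + DOMAIN) else None


def route(name, on_home_network):
    """Where a request for `name` ends up.

    on_home_network is True for a client on the LAN or on the tailnet; the
    subnet router makes the two equivalent. Returns the (host, port) that NPM
    forwards to, or None when the request can never reach a backend.
    """
    target = resolve(name)
    if target is None:
        return None
    # RFC 1918 space is not routed across the internet: a stranger's packets
    # to 192.168.86.10 go to their own LAN, or nowhere, never to mine.
    if target.is_private and not on_home_network:
        return None
    return PROXY_HOSTS.get(name)


def validate_config(hosts=None):
    """Checks worth running before trusting the setup. Returns a list of problems (empty = OK)."""
    hosts = PROXY_HOSTS if hosts is None else hosts
    problems = []
    if not GATEWAY.is_private:
        problems.append("gateway IP is public: the wildcard record would point at a reachable host")
    if GATEWAY not in LAN:
        problems.append(f"gateway {GATEWAY} is outside the advertised subnet {LAN}")
    for name, (host, port) in hosts.items():
        if not name.endswith("." + DOMAIN):
            problems.append(f"{name}: not covered by the *.{DOMAIN} record")
        if ipaddress.ip_address(host) not in LAN:
            # Works from the couch, silently fails over Tailscale: the subnet
            # router only relays traffic for the ranges it advertises.
            problems.append(f"{name}: forward host {host} is outside {LAN}")
        if not 1 <= port <= 65535:
            problems.append(f"{name}: invalid port {port}")
    return problems


def nginx_server_block(name):
    """Roughly what NPM writes for a proxy host with Force SSL and Websockets Support on."""
    host, port = PROXY_HOSTS[name]
    return f"""server {{
    listen 80;
    server_name {name};
    return 301 https://$host$request_uri;   # Force SSL
}}
server {{
    listen 443 ssl;
    server_name {name};
    # certificate paths are placeholders; NPM fills in its own Let's Encrypt paths
    ssl_certificate     /etc/letsencrypt/live/npm-1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-1/privkey.pem;
    location / {{
        proxy_pass http://{host}:{port};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;                  # websocket support
        proxy_set_header Upgrade $http_upgrade;  # (Home Assistant's UI needs it)
        proxy_set_header Connection "upgrade";
    }}
}}"""


if __name__ == "__main__":
    for problem in validate_config() or ["configuration looks consistent"]:
        print(problem)
    for on_net, who in ((False, "stranger on the internet"), (True, "me, on LAN or Tailscale")):
        print(f"{who}: plex.heartpine.online -> {route('plex.heartpine.online', on_net)}")
    print(nginx_server_block("plex.heartpine.online"))
```

The check that earns its keep is the subnet one: a proxy host whose forward address sits outside the /24 you advertised works perfectly from the couch and then fails only when you are remote, which is exactly the kind of bug that looks like “Tailscale is broken.”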
A Note on Privacy and VPNs
One common question that pops up as I do this work is, “Where does the VPN go?”
I designed this system to prioritize simplicity where possible. Because the services I run talk to their provider over TLS (the same encryption HTTPS uses), the traffic between my home and the provider is already secure. I don’t need to wrap those containers in a permanent VPN tunnel just to keep the connection private.
What about Peer-to-Peer (P2P)? I don’t currently use P2P services (like BitTorrent) that would expose my home IP address to a swarm of other users. That changes the risk profile completely.
If I did plan to use P2P protocols in the future, I wouldn’t try to shoehorn a VPN into my existing LXC containers. Instead, I would spin up a dedicated container on this Gateway VM that routes strictly through a commercial VPN. That way, the high-risk traffic is isolated from the rest of the application logic.
The “Green Lock” (Why HTTPS Matters Here)
Before this, none of my internal services were encrypted. That meant browser warnings everywhere and normalizing “this connection is not private” alerts.
Once everything ran through a single front door, I could enable encryption once, and it would apply everywhere. NPM terminates TLS at the Gateway; between the Gateway and each backend, traffic stays on the LAN as whatever the service already spoke, usually plain HTTP, so the certificate and the lock describe the browser-to-Gateway leg. One practical consequence of having no open ports: Let’s Encrypt’s HTTP-01 challenge can never reach the Gateway, so the certificate has to be issued with the DNS-01 challenge, which NPM supports using a Cloudflare API token to create the validation TXT record.
- Every service uses HTTPS.
- The warnings are gone.
- When I do see a warning, it means something is actually wrong.
That change alone made the system safer. Not because it’s perfect, but because it restored signal integrity.
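The reason one certificate can cover every service is a wildcard name, *.heartpine.online (an assumption: the post does not say whether it uses one wildcard certificate or one per host). Browsers apply a deliberately narrow rule to wildcard names, and it explains the warnings you can still get after the setup is “done.” The function below is an added example, not code from the post or from Nginx Proxy Manager; it implements the RFC 6125 matching rule for dNSName entries, and the sample SAN list is constructed.

```python
def cert_name_matches(pattern, hostname):
    """Does one dNSName entry from a certificate cover hostname?

    Implements the RFC 6125 section 6.4.3 rule browsers apply: a '*' is only
    accepted as the entire leftmost label, and it matches exactly one label.
    So *.heartpine.online covers plex.heartpine.online but neither the bare
    heartpine.online nor a.b.heartpine.online; both of those get a warning.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False  # partial (pl*.) or non-leftmost wildcards are rejected
    if len(plabels) < 3:
        return False  # '*.online' would cover a whole TLD (simplified public-suffix check)
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def covered_by(cert_names, hostname):
    """True when any SAN entry on the certificate covers hostname."""
    return any(cert_name_matches(name, hostname) for name in cert_names)


# Constructed example: the SAN list a wildcard certificate for the domain would carry.
WILDCARD_SAN = ["*.heartpine.online"]

if __name__ == "__main__":
    for host in ("plex.heartpine.online", "heartpine.online", "a.b.heartpine.online"):
        print(f"{host}: {'ok' if covered_by(WILDCARD_SAN, host) else 'browser warning'}")
```

If you want the apex (heartpine.online) or a second level (something.media.heartpine.online) to work, the certificate needs those names as additional SAN entries; the wildcard alone will not do it, and a warning there is the signal doing its job.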
How It Works: The Tailscale Factor
At this point, the system started behaving like a cloud service. When I’m home, everything works as it should. When I’m away, I use Tailscale.
Turning Tailscale on is like virtually plugging my laptop or phone into my home network. Once connected, the system behaves exactly the same as if I were sitting on the couch.
If Tailscale is off, nothing loads. That’s not a failure. It’s the security model.
Why This Was the Breakthrough
This was the moment the homelab stopped feeling like a pile of experiments and started feeling like a system.
- One front door
- One security posture
- One mental model
I could add new services without increasing chaos, because the structure stayed the same.
What This Post Is (and Isn’t)
This post is about access and clarity.
It’s not about internal network isolation, VLANs, or building a fortress. Those questions matter, but they pertain to a different layer of security. I’ll unpack those trade-offs next, because choosing a front door over internal walls was a deliberate choice with real consequences.
Closing Thought
My network isn’t defined by cables anymore.
It’s defined by trust. Clear addresses, consistent security signals, and a front door that behaves the same whether I’m at home or halfway across town.
Coming up Next:
- ➡️ Homelab Journey, Part 4b: Slicing Traffic vs Slicing Cables
- ➡️ Director’s Cut: When the AI Forgets Context