I bought an M1 Mac Mini (configured with additional RAM), and figured that it would be a great homelab for occasional use and tinkering. It would also let me run a primarily local, rather than cloud-based, smart home using Home Assistant.

My homelab has been great at allowing me to remove subscriptions for seldom-used cloud services. (Image by ChatGPT 4o)

I also wanted it to be the main place where compute happens for hobby projects, whether I am using my iPad, Chromebook, or any other device. [1]

One of the key decisions was how to enable secure connections from the outside when I need to do compute from my iPad while outside my home. I added a way to access the desktop remotely, along with development tools accessible via a browser, such as VS Code and RStudio.

Requirements for connection methods

I needed the solution to fulfil the following requirements:

  • allows access from anywhere in the world
  • adds a layer of authentication via consumer-grade SSO such as Google or GitHub on top of the web applications
  • trusted and reliable; the tool has a track record of delivering secure access over a reasonably long period.

as well as some negative requirements:

  • does not expose any ports to the open internet: there must always be a trusted proxy service that is not maintained by me alone
  • no open-source or hand-rolled authentication mechanisms that could degrade security if I don’t keep up with vulnerabilities
  • does not require a static IP; my internet provider charges extra

In my search, I’ve found a few solutions that fit the bill.

VS Code Tunnels

VS Code has a great feature where you can connect to an instance of VS Code running on the homelab via vscode.dev. The experience is virtually identical to a local instance of VS Code: extensions, settings, and other customisations all work quite well.

Although the established SSH tunnel between your remote machine and homelab is end-to-end encrypted, your traffic is routed through an Azure service [2]. You’ll need to trust that Microsoft has put in place security measures to prevent that from being misused [3].

The main limitation of this approach is that you are confined to using VS Code — although that may not really be a dealbreaker as everything you need to develop is already inside the tool.

Tailscale

Tailscale is a “mesh VPN” that allows you to connect all kinds of devices to each other by simply using the same shared credentials. It works by having a “coordination server” to allow your devices to discover each other and connect directly to each other. Your actual data flow is handled peer-to-peer, and Tailscale itself isn’t privy to this traffic.

One limitation of Tailscale is that it usually cannot work alongside another VPN. This is true on my iPad, where the system allows only one VPN connection at a time. As far as I can tell, you can’t have both IP anonymisation and access to local homelab networks.

Cloudflare Tunnels

Cloudflare is a lot of things, but one product that they offer is Cloudflare Tunnels. You run the tunnel on your homelab, and it connects to the Cloudflare network without creating a publicly accessible IP address. You can then access these services using a specially created domain or, if you already use Cloudflare for DNS, domains or subdomains that you own. In addition to that, you can layer on Cloudflare Zero Trust to add authentication on top of your applications running behind the tunnel.

When you create a Cloudflare Tunnel, you connect your host to Cloudflare’s edge network. This means that you’ll inherently be trusting that they will protect access to your network and not use it for any nefarious purposes themselves.
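
An added example, not from the original post: because the tunnel dials out from the homelab, the web tools behind it only need to listen on loopback, and this Python check flags listeners that accept connections from other hosts on the network. The `lsof` sample, process names and ports are constructed for illustration.

```python
import ipaddress

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not from the original page).
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rserver    411 lab    7u   IPv4 0x1a2b      0t0  TCP 127.0.0.1:8787 (LISTEN)
node       502 lab    21u  IPv6 0x3c4d      0t0  TCP [::1]:8080 (LISTEN)
python3    618 lab    5u   IPv4 0x5e6f      0t0  TCP *:8123 (LISTEN)
screensha  733 root   4u   IPv4 0x7a8b      0t0  TCP 192.168.1.20:5900 (LISTEN)
"""

def parse_listeners(lsof_text):
    """Yield (command, pid, host, port) for each LISTEN row."""
    for line in lsof_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[-1] != "(LISTEN)":
            continue  # header row or a socket that is not listening
        host, _, port = fields[-2].rpartition(":")
        yield fields[0], int(fields[1]), host.strip("[]"), int(port)

def is_loopback_only(host):
    """True when the bind address accepts connections from this machine only."""
    if host == "*":
        return False  # wildcard bind: every interface
    try:
        # Drop an IPv6 zone id such as %lo0 before parsing.
        return ipaddress.ip_address(host.split("%")[0]).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed

def exposed_listeners(lsof_text):
    """Return (port, command, pid, host) for non-loopback listeners, sorted by port."""
    found = [(port, cmd, pid, host)
             for cmd, pid, host, port in parse_listeners(lsof_text)
             if not is_loopback_only(host)]
    return sorted(found)

if __name__ == "__main__":
    for port, cmd, pid, host in exposed_listeners(SAMPLE_LSOF):
        print(f"port {port}: {cmd} (pid {pid}) bound to {host}")
```

On the homelab itself, feed the function the real output of `lsof -nP -iTCP -sTCP:LISTEN` instead of the sample.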

Which to pick?

You’ll have to consider your needs, but I think I’ve boiled down the distinction to the following.

  • If you require both IP anonymisation and access to your homelab at the same time, or want to expose some homelab services to the internet with or without authentication, then Cloudflare Tunnels is a good choice.
  • If you aren’t comfortable trusting a third-party service with your traffic, then Tailscale’s mesh VPN will keep your traffic between your devices only.
  • If you are only interested in coding via VS Code from a Chromebook or iPad, then VS Code Tunnels is the easiest way to go.

I ended up going with Cloudflare Tunnel for the following reasons:

  • I was already trusting Cloudflare as my DNS provider and proxy, so I felt that using Cloudflare Tunnels had plenty of good ecosystem effects with minimal marginal risk.
  • Most of my computing time is spent on iOS devices, and I need a solution that offers both IP anonymisation and a connection to my homelab, which rules out Tailscale.
  • Based on an unscientific test of connecting from different places, it offered the best performance.

  1. I really only use an iPad in conjunction with my Mac Mini server, whereas I used to also have a MacBook Air and a Chromebook. I find that the Mac Mini on a desktop enforces discipline when doing “real work”.

  2. VS Code Tunnels - How are tunnels secured

  3. VS Code Dev Tunnels Security