The Invisible Home Lab: Exposing Services Without Exposing Yourself

Stealth-Mode Self-Hosting: Protecting My Home Lab with Pangolin, Tailscale, and CrowdSec

Anyone running a home lab eventually hits the same wall: you want to share stuff like Nextcloud or Immich with friends and family, but you absolutely do not want to expose your home IP address to the wild internet (or maybe your ISP won’t even let you).

Opening ports 80 and 443 on your home router is basically asking botnets to come knock on your door. And while Cloudflare tunnels are easy, routing everything through them means TLS gets terminated on Cloudflare’s servers, so you’re effectively handing the decryption of your traffic over to a massive corporation.

I wanted a middle ground. I recently spent some time building a totally self-hosted, invisible, and locked-down bridge between the open internet and the server sitting in my living room. Here’s how I set up a bulletproof reverse proxy using a dirt-cheap VPS, Pangolin, Tailscale, and CrowdSec.

The Setup: A Cheap Public Face

The whole idea here is to keep the massive hard drives and heavy processing on my home network, while putting a cheap, expendable “gatekeeper” out on the public web.

I grabbed a budget-friendly VPS with just 1 core, 1.5GB of RAM, and a 10GB SSD. This tiny server is now the public face of my domain. When someone types jellyfin.mydomain.com into their browser, DNS points them to the VPS. My home IP stays completely hidden.

But how do I actually get the traffic from some random datacenter into my living room without opening router ports?

The Tunnel: Bridging the Gap with Tailscale

Enter Tailscale. I installed it on both the VPS and my home server, dropping them onto the same encrypted virtual network.

The real trick here was making sure they established a direct peer-to-peer connection. If Tailscale falls back to one of its global relay servers, your bandwidth tanks and latency goes through the roof. I just opened UDP port 41641 on the VPS firewall so the two machines could directly shake hands. Now, the VPS can securely pass traffic to my home server as if they were plugged into the same switch.
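One way to confirm the direct-versus-relayed state described above (an added example, not part of the original write-up): it classifies every peer from the JSON that `tailscale status --json` prints. The host names, node keys, addresses and relay codes in the embedded sample are constructed; the field names (Peer, HostName, Online, Active, CurAddr, Relay) are the ones that command emits.

```python
import json
import shutil
import subprocess

# Constructed sample in the shape of `tailscale status --json` (values are made up).
SAMPLE = json.loads("""
{
  "Peer": {
    "nodekey:aaaa": {"HostName": "homeserver", "Online": true, "Active": true,
                     "CurAddr": "203.0.113.7:41641", "Relay": "blr"},
    "nodekey:bbbb": {"HostName": "laptop", "Online": true, "Active": true,
                     "CurAddr": "", "Relay": "sin"},
    "nodekey:cccc": {"HostName": "nas", "Online": true, "Active": false,
                     "CurAddr": "", "Relay": "blr"},
    "nodekey:dddd": {"HostName": "old-pi", "Online": false, "Active": false,
                     "CurAddr": "", "Relay": ""}
  }
}
""")


def classify_peers(status):
    """Map each peer hostname to 'direct', 'relayed', 'idle' or 'offline'."""
    result = {}
    for peer in (status.get("Peer") or {}).values():
        name = peer.get("HostName", "?")
        if not peer.get("Online"):
            result[name] = "offline"
        elif peer.get("CurAddr"):
            # A current UDP endpoint means traffic flows peer-to-peer.
            result[name] = "direct"
        elif peer.get("Active"):
            # Recently active but no direct endpoint: packets go via the relay.
            result[name] = "relayed"
        else:
            # No recent traffic, so no path has been negotiated yet.
            result[name] = "idle"
    return result


def relayed_peers(status):
    """Return the hostnames worth investigating, sorted."""
    return sorted(n for n, s in classify_peers(status).items() if s == "relayed")


if __name__ == "__main__":
    if shutil.which("tailscale"):
        out = subprocess.run(["tailscale", "status", "--json"],
                             capture_output=True, text=True, check=True).stdout
        status = json.loads(out)
    else:
        status = SAMPLE  # fall back to the constructed sample
    for host, state in sorted(classify_peers(status).items()):
        print(f"{host}: {state}")
```

Send some traffic to the peer first (for example with `tailscale ping`), since a peer that has carried no recent traffic reports as idle rather than direct or relayed.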

Routing the Traffic with Pangolin (and Geo-blocking)

Now that the servers could talk, I needed something on the VPS to catch incoming web traffic and route it through the tunnel.

I went with Pangolin. It’s an awesome, user-friendly reverse proxy built on top of Traefik. It grabs Let’s Encrypt SSL certificates automatically and gives you a nice UI to map subdomains. I basically just tell it, “If someone asks for Jellyfin, send them to my home server’s Tailscale IP.”

I also took advantage of Pangolin’s access controls to set up strict geo-blocking. I configured the proxy to only allow connections from specific countries (in my case, India and Sri Lanka). If a request comes from literally anywhere else in the world, it gets completely dropped. For the allowed traffic, Pangolin also has a built-in SSO portal, so I can force users to log in before they even touch my private services.

The Bouncer: Locking it Down with CrowdSec

This is where things get serious. The second you point a domain at a VPS, bots start hammering it—looking for exposed .env files, testing default admin passwords, and probing for SSH access.

To shut that down, I wired up CrowdSec. It’s an open-source intrusion detection system that actually reads your logs in real time to spot malicious behavior and ban the offending IP. I set up a two-layered defense:

  • The Web Shield: CrowdSec plugs right into Pangolin’s Traefik container. If a bot starts crawling for vulnerabilities, CrowdSec immediately hits them with a Captcha or a hard ban, keeping garbage traffic out of my Tailscale tunnel.
  • The Host Shield: I also hooked CrowdSec up to the VPS’s Ubuntu firewall. If someone tries to brute-force my SSH port, CrowdSec blocks them at the OS level.

Plus, CrowdSec is collaborative. My server downloads community blocklists, meaning if an IP gets caught attacking someone else’s CrowdSec setup, my VPS blocks them before they even knock on my door.

Wrapping Up

Throwing a cheap VPS, Tailscale, Pangolin, and CrowdSec together honestly creates the ultimate self-hosted setup. My home IP is completely off the grid, my router is locked tight, and my services are safely accessible to the people who need them. And any bot or scanner that doesn’t belong gets dropped before it even knows what hit it.
