HomeTechOps

Wi-Fi & Network

Reach home services from outside safely

There are four ways to reach home services from outside, listed from least to most safe: port-forward, reverse proxy, tunnel, and mesh VPN. This page is the decision spine: it helps you pick the right rung, then sends you to the deep how-to for it.

Who this is for

Home operators who want to reach their NAS, dashboards, cameras, or a service they self-host from outside the house, and want to choose the right method — port-forward, reverse proxy, Cloudflare Tunnel, or mesh VPN — instead of defaulting to the riskiest one.

Outcome

A clear decision: the right rung of the ladder for your situation (personal vs public, behind CGNAT or not, need a public URL or just LAN reach, streaming or not), and a pointer to the deep how-to for that rung — with the current first-party limits that matter (Cloudflare Tunnel 100MB cap, Tailscale free-tier scope).

Required inputs

  • What you're trying to reach and who needs it: just you/your family, or the general public.
  • Whether you're behind CGNAT (router WAN IP in 100.64.0.0/10 or different from whatismyip.com).
  • Whether you need a clean public URL to share, or just to reach the LAN privately from your own devices.
  • Whether large media/uploads are involved (a single request over 100MB cannot pass through a Cloudflare Tunnel on Free/Pro, so that path is out for bulk transfers).
Guide (follow in order)

Step-by-step procedure

1. Answer the four routing questions

Do: Decide: (1) personal/family or public? (2) behind CGNAT? (3) need a public URL or just reach the LAN? (4) streaming or large uploads? These four answers pick the rung. You rarely need more than one entry path, though a reverse proxy is commonly layered behind whichever entry path you pick.

Expected result: You can state your situation in one line (e.g. 'just my family, behind CGNAT, just need to reach the NAS, some large files').

If not: If you can't answer 'behind CGNAT?', check the router WAN IP against whatismyip first — it changes everything downstream.

2. If it's only for you/your devices → mesh VPN

Do: Use Tailscale (or another WireGuard-based mesh that does NAT traversal for you). Nothing is exposed to the internet, it works behind CGNAT, and your own devices reach the whole LAN. Plain WireGuard terminated on your router is not the same thing: it needs a real public IP and an open inbound UDP port, so it fails behind CGNAT and belongs with the port-forward rung. A mesh VPN is the safest default for admin access (NAS, dashboards, SSH, cameras).

Expected result: Your devices reach home services with no open inbound ports.

If not: If you also need to share with people who can't install a client, that part needs a tunnel/Funnel instead — see the next step.

3. If the public needs a URL → Cloudflare Tunnel

Do: Use a Cloudflare Tunnel (cloudflared) to publish a service on a clean HTTPS URL with no open ports, even behind CGNAT. Plan around the 100MB request-body cap (Free and Pro) and don't enable CDN caching for video.

Expected result: A shareable public URL reaches your service without exposing your IP or opening ports.

If not: If uploads >100MB fail with HTTP 413, that's the cap — route bulk media over a mesh VPN instead.

4. If you genuinely have a public IP and a hardened service → port-forward (+ reverse proxy)

Do: Only with a real public IPv4 (not CGNAT) and a deliberately public, hardened service, forward the port, and put a reverse proxy (Nginx Proxy Manager, Caddy or Traefik) in front for TLS termination and hostname routing across multiple services. Forward only the ports the proxy listens on, never a NAS or camera admin port directly.

Expected result: The public service is reachable with TLS and sensible routing.

If not: If the forward fails, work through the CGNAT/port-forwarding diagnostics guide; if it shows you are behind CGNAT, abandon this rung for a tunnel or VPN.

5. Verify the current limits before committing

Do: Confirm the live numbers: the Cloudflare request-body cap is 100MB and is the same on Free and Pro; Tailscale's free Personal plan supports up to 6 users / 100 devices, with exit nodes and subnet routers not plan-gated (Tailscale is consolidating Personal Plus into Personal, and the pricing page was mid-transition in 2026, so check it); Tailscale Funnel only listens on ports 443, 8443 and 10000, is TLS-only, and only serves your tailnet's ts.net hostnames.

Expected result: Your choice still fits the provider's current free-tier/limits.

If not: If a limit moved, re-check the first-party pricing/limits page before building — these change.

6. Go deep on the chosen rung

Do: Follow the dedicated guide: Tailscale vs Cloudflare Tunnel for VPN/tunnel, the reverse-proxy guide for multi-service routing, or the CGNAT/port-forwarding diagnostics if a forward won't work.

Expected result: You implement one rung end to end using its dedicated how-to.

If not: If you find yourself needing two rungs, that's normal (e.g. reverse proxy behind a tunnel) — layer them deliberately.

Commands and settings paths

Am I behind CGNAT? (decides the rung)

Router admin WAN IP vs whatismyip.com: CGNAT if the WAN IP is inside 100.64.0.0/10 (100.64.0.0 through 100.127.255.255) or differs from what whatismyip reports

Where: Router admin UI and a browser.

Expected: A public, matching WAN IP means port-forwarding is even an option; CGNAT means skip it.

Failure means: A WAN IP inside 100.64.0.0/10, a private (RFC 1918) WAN IP, or any mismatch with the outside view rules out port-forwarding entirely: the ISP's NAT sits in front of yours.

Safe next step: Behind CGNAT → choose Cloudflare Tunnel (public URL) or mesh VPN (private reach).

Will the Cloudflare Tunnel cap bite me?

Estimate your largest upload/request size vs the 100MB cap

Where: Planning step (Cloudflare Tunnel limits docs).

Expected: Your largest request is under 100MB, or you accept routing big transfers another way.

Failure means: Uploads over 100MB will fail with HTTP 413 through the tunnel on Free/Pro.

Safe next step: Use a mesh VPN for the large-file path; keep the tunnel for the public URL.
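The two checks above and the four routing questions from Step 1, as shell functions you can run offline before touching the router. This is an added example written for this page, not HomeTechOps tooling and not from the Tailscale or Cloudflare docs. The IP addresses and file sizes are constructed samples, and the 100MB cap is assumed to mean 100,000,000 bytes (the documented figure read as decimal megabytes).

```shell
# Added example (not HomeTechOps tooling): the page's four routing questions,
# the CGNAT check and the tunnel-cap check as POSIX sh functions.
# Every address and file below is a constructed sample, not a real host.

# Documented Free/Pro request-body limit, read as 100 decimal megabytes.
# Assumption: the provider counts 100 MB as 100,000,000 bytes.
TUNNEL_CAP_BYTES=100000000

# ip_to_int 100.64.0.1 -> 1681915905 : dotted quad to a 32-bit integer.
# Fails (exit 1) on anything that is not four octets in 0..255.
ip_to_int() {
    ip=$1 n=0 count=0
    while [ -n "$ip" ]; do
        octet=${ip%%.*}
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$(( n * 256 + octet ))
        count=$(( count + 1 ))
        [ "$ip" = "$octet" ] && break
        ip=${ip#*.}
    done
    [ "$count" -eq 4 ] || return 1
    echo "$n"
}

# in_cgnat_range IP -> exit 0 when IP is inside 100.64.0.0/10 (RFC 6598),
# which is 100.64.0.0 through 100.127.255.255, not only "100.64.x".
in_cgnat_range() {
    n=$(ip_to_int "$1") || return 2
    [ "$n" -ge "$(ip_to_int 100.64.0.0)" ] && [ "$n" -le "$(ip_to_int 100.127.255.255)" ]
}

# cgnat_status ROUTER_WAN_IP PUBLIC_IP -> prints "cgnat" or "public".
# Compares the router's WAN address with what an outside lookup
# (whatismyip-style) reports: the shared range, or any mismatch, means the
# ISP translates you and an inbound port-forward can never be reached.
cgnat_status() {
    if in_cgnat_range "$1" || [ "$1" != "$2" ]; then
        echo cgnat
    else
        echo public
    fi
}

# pick_rung AUDIENCE CGNAT NEED_URL LARGE -> prints the rung from the ladder.
#   AUDIENCE personal|public   CGNAT yes|no   NEED_URL yes|no   LARGE yes|no
pick_rung() {
    case $1 in
    personal)
        # Own devices only: nothing exposed, works behind CGNAT. A URL for
        # people who cannot install a client is the only reason to add more.
        if [ "$3" = yes ]; then echo "mesh VPN + tunnel/Funnel for the shared URL"
        else echo "mesh VPN"; fi ;;
    public)
        if [ "$2" = yes ]; then
            # No reachable public IP: the tunnel is the only way to a URL,
            # and anything over the cap has to travel another way.
            if [ "$4" = yes ]; then echo "Cloudflare Tunnel (bulk media over mesh VPN)"
            else echo "Cloudflare Tunnel"; fi
        elif [ "$4" = yes ]; then
            # Real public IP and traffic the tunnel cap would reject.
            echo "port-forward + reverse proxy (hardened service only)"
        else
            echo "Cloudflare Tunnel"
        fi ;;
    *) return 1 ;;
    esac
}

# largest_file_bytes DIR -> size in bytes of the biggest regular file
# under DIR (0 when empty); the number to compare with the tunnel cap.
largest_file_bytes() {
    size=$(find "$1" -type f -exec wc -c {} \; | sort -n | tail -n 1 | awk '{print $1}')
    echo "${size:-0}"
}

# exceeds_tunnel_cap BYTES -> exit 0 when one request of that size would
# come back as HTTP 413 through the tunnel on Free/Pro.
exceeds_tunnel_cap() {
    [ "$1" -gt "$TUNNEL_CAP_BYTES" ]
}

# Constructed run-through: a router sitting in the ISP's shared range,
# then a router whose WAN address matches the outside view.
cgnat_status 100.72.15.9 203.0.113.7        # cgnat
cgnat_status 203.0.113.7 203.0.113.7        # public
pick_rung personal yes no yes               # mesh VPN
if exceeds_tunnel_cap 4000000000; then
    echo "a 4 GB upload would hit the cap: route it over the mesh VPN"
fi
```

Run the file as-is for the sample, or source it and call cgnat_status with your own router's WAN address and the address a public lookup shows you; the /10 arithmetic is what catches a 100.100.x.x address that a naive "starts with 100.64" check would miss.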

Evidence to record

  • Your one-line situation (personal/public, CGNAT yes/no, URL vs LAN, streaming yes/no) and the rung it selected.
  • Whether the router WAN IP indicates CGNAT (100.64.0.0/10 or ≠ whatismyip).
  • The current limits you verified (Cloudflare 100MB cap; Tailscale free user/device scope).
  • Which deep-dive guide you followed for the chosen rung.

Common mistakes

  • Defaulting to port-forwarding because it's familiar — it's the riskiest rung and silently fails behind CGNAT.
  • Trying to stream a media library through a Cloudflare Tunnel — the 100MB cap and the don't-cache-video TOS grey area make a mesh VPN the better path.
  • Assuming a reverse proxy alone solves remote access — it routes/secures traffic but still needs an entry path (public IP or tunnel).
  • Citing stale Tailscale free-tier numbers — the plan was consolidating Personal Plus into Personal in 2026; verify on the pricing page.

Stop points

  • Stop before exposing a service via port-forward unless it's deliberately public and hardened — prefer a tunnel or VPN otherwise.
  • Stop and re-verify the provider's current limits/pricing before building if your plan depends on a specific free-tier number.

Last reviewed

2026-06-02

Source-backed checks

HomeTechOps turns official docs and conservative safety rules into a shorter runbook. These links are the source trail for the page direction.