
Why I Don't Open Ports on My Router Anymore

Port forwarding used to be the standard way to access homelab services remotely. Here's why I stopped doing it and what I run instead.

Tags: networking, vpn, security, opinion

For years, accessing homelab services from outside my network meant port forwarding: log into the router, forward port 8096 to my server, and access Jellyfin from anywhere. Simple enough, and it works.

It also means that port 8096 is now open to the entire internet. Anyone scanning for open ports — and people do, constantly — can attempt to connect to Jellyfin. If Jellyfin has a vulnerability, they’re one step from my server.

I stopped doing this about 18 months ago. Here’s what changed.

What port forwarding actually does

Your home router has a public IP address that faces the internet. By default, unsolicited incoming traffic is dropped — the router has no idea what to do with it, so it ignores it.

Port forwarding punches a hole. “Incoming traffic on port 8096 goes to 192.168.1.10:8096.” Now any machine on the internet can knock on that port and talk to whatever is listening.

For a service that’s well-secured (strong auth, HTTPS, no known vulnerabilities), this is a manageable risk. The problem is:

None of this is hypothetical. Unprotected Plex servers, NAS devices, and routers get probed constantly. The honeypot data from organizations like Shodan makes this visible if you want to look at it.

What I run instead

Tailscale. No open ports. No public IP exposure. Zero router configuration.

Tailscale creates a private encrypted network between your devices. Your laptop, your phone, and your homelab server are on the same virtual network regardless of physical location. When I’m in a hotel, my laptop reaches my home server the same way it does when I’m at home.

The difference: there’s nothing on my router pointing to my server. No way for someone scanning the internet to reach my homelab services. The Tailscale traffic goes through Tailscale’s infrastructure or directly between devices via encrypted tunnels — not through an open port.

Setup is about 20 minutes. The full Tailscale guide covers it in detail.

What about services that need to be public?

Some things genuinely need to be publicly accessible — a website, a public API, something you’re sharing with people outside your network. Tailscale isn’t the answer for those.

For public-facing services, I use Cloudflare Tunnel. It works by creating an outbound connection from your server to Cloudflare’s edge network — no inbound ports required. Your server reaches out to Cloudflare, Cloudflare routes public requests through that tunnel. The server never opens an inbound port.

For everything else (personal services, homelab management, private access), Tailscale handles it.

The HTTPS question

When you’re on Tailscale, you’re accessing services by their Tailscale IP (100.x.x.x) or local IP. You lose the clean hostnames and HTTPS that port forwarding + a reverse proxy gave you.

The fix is split DNS. Configure your internal DNS server (I use Technitium) to resolve your service hostnames to internal IPs. Configure Tailscale to use that DNS server. Now paperless.homelab.lan resolves to 192.168.1.100 when you’re on Tailscale, and NPM serves it with a valid SSL certificate via the Cloudflare DNS challenge.

The end result: clean hostnames, HTTPS, no ports open, works anywhere. The split DNS setup covers this.
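As an added check for the split DNS setup described above (example code written for this article, not from the post or from Tailscale, Technitium or NPM): it classifies every address a homelab name resolves to and flags any that is public, which would mean the service is internet-reachable after all. The hostnames and the 192.168.1.100 address are the ones from this section; the tailnet and public sample addresses are constructed.

```python
"""Audit split-DNS answers: homelab names must resolve to LAN or tailnet addresses
only; a public answer means something is still internet-reachable. Sample data is constructed."""
import ipaddress
import socket

LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TAILNET = ipaddress.ip_network("100.64.0.0/10")  # Tailscale assigns 100.x addresses from this range


def classify(ip: str) -> str:
    """Label one address as loopback, tailnet, lan or public."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.version == 4:
        if addr in TAILNET:
            return "tailnet"
        # explicit RFC 1918 test: is_private would also accept doc ranges such as 203.0.113.0/24
        return "lan" if any(addr in net for net in LAN_NETS) else "public"
    return "lan" if addr.is_private else "public"  # IPv6: ULA fc00::/7, link-local fe80::/10


def audit(records: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return {hostname: [public addresses]} for every name that leaks one."""
    leaks = {}
    for host, answers in records.items():
        public = [ip for ip in answers if classify(ip) == "public"]
        if public:
            leaks[host] = public
    return leaks


def resolve(hostnames: list[str]) -> dict[str, list[str]]:
    """Live lookup via the system resolver (the one Tailscale points at your internal DNS)."""
    out = {}
    for host in hostnames:
        try:
            out[host] = sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
        except socket.gaierror:
            out[host] = []  # unresolvable while off the tailnet is expected, not a leak
    return out


# Constructed sample: two correct split-DNS answers and one name that leaks a public IP
SAMPLE = {
    "paperless.homelab.lan": ["192.168.1.100"],
    "jellyfin.homelab.lan": ["100.101.102.103"],
    "oops.homelab.lan": ["192.168.1.10", "203.0.113.7"],
}

if __name__ == "__main__":
    for host, ips in audit(SAMPLE).items():
        print(f"{host} answers with public address(es): {', '.join(ips)}")
```

To run it against your own tailnet, call `audit(resolve([...]))` from a device that is connected to Tailscale; an empty result means every name stays on LAN or tailnet addresses.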

The trade-offs

The honest caveats:

Tailscale requires every device to have the Tailscale client. If you want to share a service with someone outside your network who doesn’t use Tailscale, you need a different approach (share a Cloudflare Tunnel URL, set up a guest account, etc.).

Tailscale is a commercial service. The free tier is generous, but you’re trusting them. Headscale exists as a self-hosted coordination server if you want full independence.

Slightly more complex initial setup. Port forwarding is two settings in a router UI. Tailscale with subnet routing and split DNS is an afternoon project the first time. The ongoing maintenance is lower, but the setup is higher.

For a personal homelab you’re not sharing widely, the trade-offs land clearly in Tailscale’s favor. For a household where you need to share services with family members who won’t install a VPN client, you’ll need at least some public exposure.

The Tailscale setup guide covers the full configuration including subnet routing for whole-network access.