The Lab · Ingress

Ingress

Personal access through Tailscale, the apps over their vendor clouds, almost nothing else exposed on purpose.

Almost nothing is publicly exposed, on purpose. The cloud-tied apps (Hue, Tapo, Tuya/Smart Life, Plex) keep their own remote channels alive on their terms, which is fine for what they do. Personal access goes through Tailscale: I tail in from wherever, and when I am travelling I route my own outbound traffic through home as an exit node, so the cafe or hotel Wi-Fi never sees the traffic in the clear. Home Assistant stays on the home LAN and is reachable directly there or over Tailscale. A reverse proxy is in preparation for the handful of things I actually want on the open web, and that one is deliberately taking its time.

Ingress · 6 items

Mesh VPNTailscale: How I reach the home network from anywhere. Also the exit node I route my own traffic through when I'm travelling, so the cafe Wi-Fi or the hotel Wi-Fi never sees the traffic in the clear.
Outbound relayPlex remote access: Plex's own NAT-traversal path. Lets the Plex apps reach wednesday from outside the LAN, on Plex's terms.
Camera relayTapo cloud: TP-Link's cloud handles outside access to the Tapo C200. Nothing inbound from me, the camera dials out.
Device relayTuya / Smart Life cloud: Heaters, plugs and the garden pump come in over Tuya's cloud when I'm out. Locally everything talks Tuya Local through Home Assistant, so the cloud is the backup, not the primary.
Lighting relayHue cloud: Philips Hue's cloud, for the rare occasion I want the Hue app from outside the network. Day-to-day control of the lamps is local through HA.
In preparationReverse proxy: A first-party ingress for the few things I actually want on the open web. This one is deliberately taking its time; I am in no hurry to expose something that is not yet hardened to my satisfaction.

Last updated · April 28, 2026