Secure Homelab Access: Remote Browser Isolation with KASM & Authentik

Want to share your homelab services with friends or family without giving them direct access to your network? In this video, we flip the script on Remote Browser Isolation (RBI). Instead of protecting ourselves from the open internet, we're using KASM workspaces to protect our homelab from external users.

By combining KASM, Docker networks, iptables, and Authentik, we can serve users a containerized, disposable browser locked in "kiosk mode" that can only route traffic to a single specific application. No exposed ports, no direct network paths, and no lingering session data!

### ⏳ Timestamps

00:00 Intro: Inverting Remote Browser Isolation
02:32 Demo: What we’re Building
04:45 Solution diagram
06:14 Installing KASM
07:31 Building the Guest Workspace
09:29 Network Isolation With Docker + iptables
12:35 Building the Power User Workspace
15:15 Why Use an External Identity Provider?
16:17 Exposing KASM via Cloudflare Tunnel
17:09 Connecting KASM to Authentik via OIDC
20:04 Mapping Groups Between Authentik and KASM
22:57 Controlling Workspace Visibility
24:40 Tradeoffs: When This Approach Shines (and Doesn't)
29:02 Outro

### 🔗 Resources & Links

* *Github repo with configuration:* [https://github.com/filip-lebiecki/kasm]
* *KASM Workspaces:* [https://docs.kasm.com/docs]
* *Authentik (Identity Provider):* [https://docs.goauthentik.io/]
* *Cloudflare Tunnels:* [https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/]

*Tags:*
#Homelab #SelfHosted #KASM #CyberSecurity #Docker #Authentik #Cloudflare #RemoteBrowserIsolation #ReverseProxy #LinuxServer

Видео Secure Homelab Access: Remote Browser Isolation with KASM & Authentik канала LinuxCloudHacks