Secure Homelab Access: Remote Browser Isolation with KASM & Authentik

Want to share your homelab services with friends or family without giving them direct access to your network? In this video, we flip the script on Remote Browser Isolation (RBI). Instead of protecting ourselves from the open internet, we're using KASM workspaces to protect our homelab from external users. By combining KASM, Docker networks, iptables, and Authentik, we can serve users a containerized, disposable browser locked in "kiosk mode" that can only route traffic to a single specific application. No exposed ports, no direct network paths, and no lingering session data! ⏳ Timestamps 00:00 Intro: Inverting Remote Browser Isolation 02:32 Demo: What we’re Building 04:45 Solution diagram 06:14 Installing KASM 07:31 Building the Guest Workspace 09:29 Network Isolation With Docker + iptables 12:35 Building the Power User Workspace 15:15 Why Use an External Identity Provider? 16:17 Exposing KASM via Cloudflare Tunnel 17:09 Connecting KASM to Authentik via OIDC 20:04 Mapping Groups Between Authentik and KASM 22:57 Controlling Workspace Visibility 24:40 Tradeoffs: When This Approach Shines (and Doesn't) 29:02 Outro 🔗 Resources & Links Github repo with configuration: [https://github.com/filip-lebiecki/kasm] KASM Workspaces: [https://docs.kasm.com/docs] Authentik (Identity Provider): [https://docs.goauthentik.io/] Cloudflare Tunnels: [https://developers.cloudflare.com/clo...] Tags: #Homelab #SelfHosted #KASM #CyberSecurity #Docker #Authentik #Cloudflare #RemoteBrowserIsolation #ReverseProxy #LinuxServer