Guide · ~5 min · Proxmox VE

Expose Proxmox services to the internet in 5 minutes

Your Proxmox host runs Jellyfin, Home Assistant, maybe a dev server. Everything works on your LAN — but the moment you leave the house, it's all unreachable. Let's fix that.

🖥 Proxmox VE: Manage your hypervisor from anywhere. No VPN required.

🎬 Jellyfin: Stream your media library remotely. Share with family.

🏠 Home Assistant: Check cameras, control lights, run automations from anywhere.

Port forwarding is a nightmare

You could open ports on your router, set up dynamic DNS, configure SSL certificates, and pray your ISP doesn't block port 443. Or you could set up a VPN — and then explain to your family why they need to install WireGuard just to watch a movie.

HLE takes a different approach. It creates an encrypted outbound tunnel from your Proxmox host to a relay server. No ports to open, no DNS to manage, no certificates to renew. You get a public https:// URL with SSO authentication built in.

What you need

This guide assumes you have a Proxmox VE host running on your local network with at least one service you want to expose. The examples use Jellyfin and Home Assistant, but the same approach works for any HTTP service — Grafana, Nextcloud, Gitea, Pi-hole, you name it.

  1. A Proxmox VE host: running on your LAN with services you want to expose.
  2. A free HLE account: sign up here — takes 30 seconds.
  3. An API key: create one at hle.world/dashboard/keys. Copy it somewhere safe — you'll only see it once.

One-command installer (recommended)

The fastest path. SSH into your Proxmox host and paste this:

bash -c "$(wget -qO- https://hle.world/scripts/proxmox-install.sh)"

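The command fetches the script and runs it immediately with your shell's privileges, normally root on a Proxmox host; if you want to read it first, download it to a file and run that copy. The installer prompts you for your API key, the local service URL (defaults to Proxmox at https://<host-ip>:8006), a label for the subdomain, and your email for SSO access.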

Behind the scenes, it creates a minimal Debian 13 LXC container (512 MB RAM, 4 GB disk), installs the HLE Web App, writes a systemd service, and starts it. It uses about 50 MB of RAM at idle. Once done, open http://<container-ip>:8099 to manage tunnels from your browser.

Manage the tunnel with standard pct commands:

# Check tunnel status
pct exec <CTID> -- systemctl status hle-webapp

# View logs
pct exec <CTID> -- journalctl -u hle-webapp -f

# Restart
pct exec <CTID> -- systemctl restart hle-webapp

Other installation methods

Create a Debian/Ubuntu LXC and install the HLE CLI client inside it to manage multiple tunnels.

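# Install the HLE client inside the container (CTID 200 in these commands)
pct exec 200 -- bash -c "apt update && apt install -y python3 python3-pip pipx && pipx install hle-client"

# Save API key (umask 077 so the file is never created world-readable)
pct exec 200 -- bash -c "mkdir -p /etc/hle && (umask 077; echo 'HLE_API_KEY=hle_your_key_here' > /etc/hle/env) && chmod 600 /etc/hle/env"

# Expose a service (set -a exports the sourced HLE_API_KEY to the hle process)
pct exec 200 -- bash -c "set -a && source /etc/hle/env && set +a && hle expose \
  --service https://192.168.1.100:8006 \
  --label proxmox \
  --allow google:you@gmail.com"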

To persist across reboots, create a systemd service per tunnel. See the full Proxmox docs for the complete setup.

Use LAN IPs, not localhost. The LXC has its own network namespace — always use the service's LAN IP, not localhost.
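
One way to write the per-tunnel systemd service mentioned above, as an added example rather than HLE's own unit file: a shell function that validates the label, service URL and --allow value used in this guide and writes one unit per tunnel. The unit name, the /root/.local/bin/hle path (pipx's default location for root) and the client reading HLE_API_KEY from its environment are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions (not from the HLE docs): unit name
# hle-tunnel-<label>.service, the pipx binary path /root/.local/bin/hle,
# and that the client reads HLE_API_KEY from its environment.
write_tunnel_unit() {
    label=$1 service=$2 allow=$3 dir=${4:-/etc/systemd/system}

    # The label becomes a public subdomain: lowercase letters, digits, hyphens.
    case $label in
        ''|-*|*-|*[!a-z0-9-]*) echo "bad label: $label" >&2; return 1 ;;
    esac
    # Allowlist URL characters so nothing is re-interpreted by systemd
    # (%, $, quotes, spaces); then refuse loopback targets.
    case $service in
        *[!A-Za-z0-9:/._-]*) echo "bad character in service URL" >&2; return 1 ;;
        http://localhost*|https://localhost*|http://127.*|https://127.*)
            echo "use the service's LAN IP, not localhost" >&2; return 1 ;;
        http://?*|https://?*) ;;
        *) echo "service must be an http(s) URL" >&2; return 1 ;;
    esac
    case $allow in
        ''|*[!A-Za-z0-9:@._+-]*) echo "bad --allow value" >&2; return 1 ;;
    esac

    unit=$dir/hle-tunnel-$label.service
    # The key stays in the 0600 env file, so the unit (readable by every
    # local user via systemctl cat) holds no secret.
    cat > "$unit" <<EOF
[Unit]
Description=HLE tunnel $label
Wants=network-online.target
After=network-online.target

[Service]
EnvironmentFile=/etc/hle/env
ExecStart=/root/.local/bin/hle expose --service $service --label $label --allow $allow
Restart=on-failure
RestartSec=5
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
EOF
    chmod 644 "$unit" && echo "$unit"
}

# Demo with this guide's values, written to a scratch directory.
cat "$(write_tunnel_unit proxmox https://192.168.1.100:8006 google:you@gmail.com "$(mktemp -d)")"
```

Called without a fourth argument, the function writes to /etc/systemd/system; follow it with systemctl daemon-reload and systemctl enable --now hle-tunnel-<label> inside the container.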

How it works

[Diagram: Your Proxmox host (LXC / Docker) <-> HLE Relay (encrypted tunnel) <-> You / Family (browser)]

The HLE client inside your LXC or Docker container makes an outbound WebSocket connection to the relay. No inbound ports need to be opened on your router. When someone visits your tunnel URL, traffic flows through the encrypted tunnel to your local service and back.

Every tunnel gets a public HTTPS URL with a valid certificate. SSO authentication is enabled by default — visitors must log in with Google or GitHub before reaching your service. You control who has access.

Lock it down further

SSO is just the starting point. You can layer on additional protection:

# Restrict to specific emails
hle access add proxmox-x7k you@gmail.com
hle access add proxmox-x7k partner@gmail.com --provider google

# Add a PIN code (prompted after SSO)
hle pin set proxmox-x7k

# Or use HTTP Basic Auth instead
hle basic-auth set proxmox-x7k

# Create a temporary share link (no permanent access)
hle share create jellyfin-x7k --duration 24h --label "movie-night"

Tips

Labels are permanent subdomains. Pick short, memorable names — proxmox, jellyfin, ha. They become part of your public URL and persist across restarts.

Free tier includes 2 tunnels. Enough for Proxmox + one service. Need more? Upgrade your plan.

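SSL verification is off by default for the connection from the HLE client to your local service, because most homelab services use self-signed certs. With it off, the client does not authenticate the service it connects to, so if your service has a valid certificate, add --verify-ssl to enable verification.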

Updating is easy. Run pipx upgrade hle-client inside the LXC, or pull the latest Docker image. Your tunnels pick up improvements automatically.

Works for any HTTP service. Grafana, Nextcloud, Pi-hole, Gitea, n8n, Portainer, a dev server — if it speaks HTTP, HLE can expose it.

Ready to try it?

Create a free account, grab your API key, and run the one-liner on your Proxmox host.