LUNAROPS · OPERATIONAL UPLINK 100% UPTIME 1,247d POSTS 893 JEFF.MOON@LUNAROPS.DEV UTC --:--:--

Securing Your Home Lab

securityhomelabnetworkingself-hosting

Running a home lab is a great way to learn and self-host services. But exposing services—even on your local network—carries risk. Here’s how to secure your setup without going overboard.

Network Segmentation

Don’t put everything on one network. Separate your devices by trust level.

VLAN Setup

A typical home lab might have:

VLAN Name Purpose
1 Management Router, switches, access points
10 Trusted Personal devices, workstations
20 Lab Servers, experimental services
30 IoT Smart devices, cameras
40 Guest Visitor devices

Why This Matters

If your IoT camera gets compromised (they often do), attackers can’t pivot to your servers or personal machines. Each VLAN is an island.

Basic pfSense/OPNsense Rules

# Allow Lab to access internet
pass out on WAN from VLAN20 to any

# Allow Trusted to access Lab services
pass in on VLAN10 from VLAN10 to VLAN20 port { 80, 443, 22 }

# Block IoT from accessing other VLANs
block in on VLAN30 from VLAN30 to VLAN10
block in on VLAN30 from VLAN30 to VLAN20

# Allow IoT to internet only
pass out on WAN from VLAN30 to any

Firewall Fundamentals

Default Deny

Start with blocking everything, then allow what you need:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
# iptables example
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow specific services
iptables -A INPUT -p tcp --dport 22 -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Rate Limiting

Prevent brute force attacks:

1
2
3
# Limit SSH attempts
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

Exposing Services Safely

Reverse Proxy with TLS

Never expose services directly. Use a reverse proxy:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
# nginx configuration
server {
    listen 443 ssl;
    http2 on;
    server_name service.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://internal-service:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

VPN Instead of Port Forwarding

For services that don’t need public access, use a VPN:

WireGuard is simple and fast:

1
2
3
4
5
6
7
8
9
# /etc/wireguard/wg0.conf on server
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = <server-private-key>

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.200.200.2/32

Now you can access internal services from anywhere without exposing them.

Cloudflare Tunnel

For public services without opening firewall ports:

1
2
3
cloudflared tunnel create homelab
cloudflared tunnel route dns homelab service.yourdomain.com
cloudflared tunnel run homelab

Traffic goes through Cloudflare’s network—your IP stays hidden.

Authentication

Don’t Rely on Obscurity

“It’s on a weird port” is not security. Add real authentication.

Authelia or Authentik

Put an authentication layer in front of services:

1
2
3
4
5
6
7
8
# docker-compose.yml
services:
  authelia:
    image: authelia/authelia
    volumes:
      - ./authelia:/config
    environment:
      - TZ=America/New_York

This gives you:

  • Single sign-on
  • Two-factor authentication
  • Access control policies

Monitoring and Alerting

You can’t secure what you can’t see.

Log Aggregation

Collect logs centrally with Loki or the ELK stack:

1
2
3
4
5
6
7
8
9
# promtail config to ship logs
scrape_configs:
  - job_name: system
    static_configs:
      - targets:
          - localhost
        labels:
          job: varlogs
          __path__: /var/log/*log

Intrusion Detection

Run Crowdsec or Fail2ban to detect and block attacks:

1
2
3
4
5
6
7
8
# Fail2ban jail for nginx
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 3600

Uptime Monitoring

Know when things go down. Uptime Kuma is simple and self-hosted:

1
2
3
4
5
6
7
services:
  uptime-kuma:
    image: louislam/uptime-kuma
    volumes:
      - ./uptime-kuma:/app/data
    ports:
      - "3001:3001"

Quick Security Checklist

  • Network segmented by trust level
  • Default deny firewall rules
  • SSH key-only authentication
  • Services behind reverse proxy with TLS
  • Two-factor authentication enabled
  • Regular automated backups
  • Log aggregation configured
  • Intrusion detection running
  • Automatic security updates enabled
  • Strong, unique passwords in a password manager

Conclusion

Home lab security is about layers. No single measure is perfect, but combined they make attacks significantly harder. Start with network segmentation and a proper firewall, then add authentication and monitoring. You don’t need enterprise-grade solutions—just consistent application of fundamentals.

Comments