Best way to secure a homelab? \ stacker news ~opensource

326 sats \ 4 comments \ @toshitoshi 15 Jun opensource

Hi guys, a good friend of mine is starting her homelab with an old vivobook mini pc with a 6th gen i5, 8GB of memory and 4 sata bays. She asked me for advice on how to best secure her setup so that her info/activities stay private, especially since she lives in a student’s building with shared WiFi infrastructure.

I told her to start with a proxmox setup, allow only OpenSSH (login only through certificates) through the firewall and double-check docker/podman as they tend to ignore firewall rules. The idea is to access everything through something like zerotier/tailscale, which should encrypt connections automatically and work through the ssh port.

What should be a logical next step? Any tips that you can share? Unfortunately I have very limited experience with homelab stuff, I only fiddled with a raspberry pi some time ago but never made anything out of it. Thanks in advance!

view all related items

21 sats \ 0 replies \ @Taranis 15 Jun

here's a useful guide: https://github.com/imthenachoman/How-To-Secure-A-Linux-Server

21 sats \ 0 replies \ @justin_shocknet 15 Jun

Kept private, from who? The rest of the WiFi network?

In that case yes it'd need a VPN of some sort like those you mentioned that will encapsulate traffic beyond the router. Wireguard to a VPN provider is probably most common vs the others, but for low-bandwidth stuff straight ssh -R to a lite VPS running a reverse proxy like Caddy/Nginx works too.

Proxmox is dank because it uses LXC instead of Docker and has an interface for the firewall so you can lock it down just to the VPN

Given the dormitory situation, full disk encryption is probably wise in case the laptop grows legs- just be sure to configure shutdown if it loses power.

21 sats \ 0 replies \ @JesseJames 15 Jun

What kind of homelab? You can run kubernetes cluster and use that network for internal comm , then run all docker apps you want using 10.x addresses....Use cloudflareD as your ingress controller if you need outside contact (few requirements you need to have in place but its relatively easy) You won't do much with 8 GB of ram, tell your friend to stop being cheap....lol. This is where old laptops converted to run debian/ubuntu/whatever linux come handy, a few small nodes make a decent cluster giving you redundancy and security. YMMV. Do more research as well.

0 sats \ 0 replies \ @WeAreAllSatoshi 15 Jun

I dont have anything useful to contribute, but I am sure other stackers do!