
Refined Home Lab Network

In my previous home lab build I enjoyed setting up small labs for pentesting, but I also enjoyed hosting a ton of open source apps. It got to the point where I had so many self-hosted apps that I said I would use but never did, simply because it was hard to find a use for all of them in my daily workflow. So with my new home lab build I made it my goal to keep things as simple and easy to use as possible. Here is my take…

Overall Network Layout

The apps and their use case can be found below:

  • Gitea: Stores my coding projects such as malware, scripts, and tools.
  • Homer: Dashboard to navigate my internal network.
  • Pi-Hole: Blocks ads and resolves internal DNS requests.
  • Jekyll Security Blog: A staging blog where I can see how my posts look before I push my changes to my public GitHub.
  • Portainer: Used to maintain my Docker containers.
  • Ubooquity: A virtual library of all my PDFs and cyber security books.
  • Watchtower: Used to update Docker containers automatically.
  • Ubuntu: This Docker container has the mounted folders for both of my blogs' root directories, the Ubooquity books folder, and the Homer configuration folder.
  • VaultWarden: Used to store all my passwords.
  • Syncthing: Syncs all my notes.
  • Guacamole: Lets me remote into my computers directly from my browser.
  • Element: A web interface for chatting with my Matrix server.
  • Wireguard VPN: A VPN server to access my internal network.
  • Visual Studio Code Server: Used to easily edit my configuration and other files on the following Docker containers: Homer, Security Blog, Photography Blog, Pi-Hole, and Cloudflared.
  • Malware Visual Studio Code Server: This code server runs directly on an Ubuntu virtual machine on my Synology NAS so I can work on security tools and malware-related projects 100% remotely.

Hardware Resources

I still host a variety of applications, but each one has a purpose: improving my workflow and reducing the time I spend setting up or maintaining applications. The best part is that my lab uses very few resources.

Firewall and Reverse Proxy Setup

My internal networking relies heavily on Synology's reverse proxy and my Cloudflared Docker container to route traffic to the right place. I also use Synology's firewall to open only the ports that need to be reached from the LAN and from Cloudflare's servers. Note that cloudflared only makes outbound connections to Cloudflare, so the tunnel itself needs no inbound port; an allow rule for Cloudflare's published IP ranges only matters for an origin that is exposed directly rather than through the tunnel.
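To make the routing concrete, here is the kind of cloudflared ingress configuration that sends each public hostname to a single reverse proxy on the LAN and refuses everything else. This is an added example, not the author's own config file; the tunnel UUID, the domain lab.example.com, and the reverse proxy address 192.168.1.10 are placeholders.

```yaml
# /etc/cloudflared/config.yml (added example; all values below are assumed)
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Every web app is forwarded to the Synology reverse proxy, which picks the
  # right container from the Host header. originServerName makes cloudflared
  # validate the proxy's certificate against the hostname it is forwarding.
  - hostname: homer.lab.example.com
    service: https://192.168.1.10:443
    originRequest:
      originServerName: homer.lab.example.com
  - hostname: portainer.lab.example.com
    service: https://192.168.1.10:443
    originRequest:
      originServerName: portainer.lab.example.com
  # SSH is carried over the tunnel as a raw TCP service, not HTTP.
  - hostname: ssh.lab.example.com
    service: ssh://192.168.1.10:22
  # Required catch-all: any hostname not listed above gets a 404 from
  # cloudflared instead of being forwarded into the LAN.
  - service: http_status:404
```

If the reverse proxy still uses a self-signed certificate, cloudflared will reject it; the fix is to issue a proper certificate for the internal names rather than to set `noTLSVerify: true`, which removes the check entirely. Validate the file with `cloudflared tunnel ingress validate` before restarting the container.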

Remote Access

When I'm away from home or just working remotely and I need access to files or to an application, I have two ways to reach my lab, and neither has failed me yet:

  • Wireguard VPN: Using a VPN config on my laptop or phone I can access the entire network.
  • Cloudflare: Using one of the specified subdomains to access my lab.

The nice thing about these options is that either one gives me access to all my applications. Since my applications are mapped to subdomains through Cloudflare, they can all be reached externally, and I can choose which applications require Cloudflare authentication. Keep in mind that Cloudflare Access is only enforced on the Cloudflare path: over the VPN, traffic goes straight to the reverse proxy, so each application's own login is the only barrier there.
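For the VPN path, a split-tunnel WireGuard client configuration is what keeps the lab reachable while letting the rest of the laptop's traffic stay local, and it is also where DNS gets pointed at Pi-Hole so internal names resolve over the tunnel. This is an added example rather than the author's config; the key placeholders, the 10.8.0.0/24 VPN subnet, the 192.168.1.0/24 LAN, the Pi-Hole address 192.168.1.5, and vpn.example.com are all assumed.

```ini
# wg0.conf on the laptop (added example; every address and key is a placeholder)
[Interface]
PrivateKey = <laptop private key, base64>
Address = 10.8.0.2/32
# Resolve names through Pi-Hole on the LAN so *.lab names return LAN addresses
# while connected, instead of the public Cloudflare records.
DNS = 192.168.1.5

[Peer]
PublicKey = <server public key, base64>
# Optional extra symmetric key; adds a post-quantum layer on top of the handshake.
PresharedKey = <preshared key, base64>
Endpoint = vpn.example.com:51820
# Split tunnel: only the lab LAN and the VPN subnet are routed over WireGuard.
# Use 0.0.0.0/0, ::/0 instead to send all traffic home (e.g. on hotel Wi-Fi).
AllowedIPs = 192.168.1.0/24, 10.8.0.0/24
# Keeps the NAT mapping alive from behind home or mobile NAT.
PersistentKeepalive = 25
```

On the server side the matching `[Peer]` entry should list only `AllowedIPs = 10.8.0.2/32` for this client; WireGuard uses that field as a source-address filter as well as a route, so a narrow value there stops one compromised client from spoofing another.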

Cloudflare Authentication

Cloudflare Access lets me place an authentication barrier in front of any application I specify, along with a security banner. If you navigate to my Portainer subdomain you will be greeted with the Cloudflare sign-in prompt.

I currently have two methods to authenticate. One is to enter my email and have Cloudflare send a One Time Password (OTP) to my email. The method I use most often is signing in with Google, using my YubiKey as the 2FA step.

SSH and VNC Browser Rendering

Another great thing about Cloudflare Access is that I can tunnel SSH through Cloudflare and have the terminal rendered in the browser, like so:

Another cool feature of Cloudflare Access is connecting to a machine over VNC. To try it, I installed Kali in a Docker container along with the hacking tools and the XFCE desktop, since it is lightweight, and then used my Cloudflared tunnel to reach it from anywhere with a browser without being on the same network. In the end I decided not to keep a Kali machine in my lab, since I mostly use my VMware Kali instance for everything.
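The browser-rendered terminal described above is enabled per application in the Zero Trust dashboard (Access application settings, browser rendering set to SSH), but the same tunnel also serves a normal SSH client. The ProxyCommand stanza below is what `cloudflared access ssh-config --hostname <host>` prints for that purpose; it is an added example, not from the original post, and the hostname ssh.lab.example.com and the cloudflared path are assumed.

```sshconfig
# ~/.ssh/config (added example; hostname and binary path are assumed)
Host ssh.lab.example.com
  # cloudflared authenticates to Cloudflare Access in the browser, caches the
  # token, and then pipes the SSH session through the tunnel. The host itself
  # has no open port on the Internet.
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
  User lab
  # The server key is still checked by ssh; pin it here rather than relying on
  # Cloudflare to protect the first connection.
  StrictHostKeyChecking yes
```

With this in place a plain `ssh ssh.lab.example.com` prompts for Cloudflare sign-in on first use and then behaves like any other host. Access controls who reaches the SSH daemon; authentication on the daemon itself (keys, not passwords) still applies.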

DNS

When I'm working from my desktop or laptop at home I set my primary DNS to Pi-Hole. In Pi-Hole I point each of the subdomains at the Synology reverse proxy, and resolution of my applications is quick.

When I work remotely I use the DNS records I specified in Cloudflare, which send the same hostnames through the tunnel instead of to the LAN address.
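Pi-Hole's Local DNS Records page writes one `IP hostname` line per app to /etc/pihole/custom.list, which is fine for a handful of names. Because Pi-Hole's resolver is dnsmasq and loads any /etc/dnsmasq.d/*.conf file, a single wildcard entry can instead steer every name under the lab domain to the reverse proxy, so new containers need no DNS change at all. This is an added example, not the author's config; lab.example.com and 192.168.1.10 are placeholders.

```conf
# /etc/dnsmasq.d/02-lab.conf (added example; domain and address are assumed)
# dnsmasq's address= option matches the domain and every name beneath it, so
# homer.lab.example.com, portainer.lab.example.com, and any future subdomain
# all resolve to the Synology reverse proxy while on the LAN. Off the LAN the
# public Cloudflare records answer instead, and traffic goes via the tunnel.
address=/lab.example.com/192.168.1.10
```

Apply it with `pihole restartdns` and confirm with `dig +short homer.lab.example.com @192.168.1.5`, which should return 192.168.1.10 at home and the Cloudflare addresses when queried against a public resolver.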

Syncing Notes

When I take notes I want them to be consistent across all my devices without having to pull the latest version from git or download it from my NAS. For note-taking I use Obsidian.md, and to keep my notes synced across my Synology, desktop, laptop, and phone I use Syncthing.

Another thing to note when reviewing my home lab setup is the use of VMware Workstation Pro. I mention it to point out that, apart from the Malware Code Server VM on the Synology, all my other VMs run directly on my desktop or laptop and are completely separate from the Docker containers on my Synology NAS.

VMware Workstation Pro

If you are curious how I use development instances to work efficiently on projects, whether remotely or at home, you can find that blog post here.

This post is licensed under CC BY 4.0 by the author.