My 'Oh Crap' Moment: How I Finally Secured My Homelab

Join me on a journey through my personal homelab security awakening! I share the humbling experience of realizing my beloved lab was wide open to the internet, and the steps I took to lock it down, from VLANs to VPNs, and everything I learned along the way.

Hey fellow tech enthusiasts! Let me tell you a story – a slightly embarrassing, but ultimately very educational one – about my homelab. Like many of you, I started my homelab journey with pure excitement, spinning up VMs, containers, and services left and right. I was focused on functionality, on getting things to work, and to be honest, security was… an afterthought. A very, very distant afterthought.

The Rude Awakening

It all started innocently enough. I was chatting with a friend, a seasoned network engineer, about a new service I'd just deployed. He casually asked, "So, how's your firewall configured? Are you exposing anything directly?" I confidently replied, "Nah, it's fine, I'm behind my router." He gave me 'that look'. You know the one. The one that says, 'Bless your heart, you sweet summer child.'

He then pulled out his phone, typed something, and moments later, showed me a screenshot. It was my public IP address, with several open ports listed, identified by Shodan. My jaw dropped. My Plex server, my Nextcloud instance, and even my Proxmox web interface were all accessible directly from the internet! I felt a cold dread wash over me. All those hours of tinkering, all that personal data... wide open. It was a true 'oh crap' moment.

From Panic to Plan: My Security Overhaul

After a brief but intense panic attack, I realized this was a blessing in disguise. It was a wake-up call I desperately needed. I dove headfirst into learning everything I could about network security, specifically for a home environment. Here's what I implemented and learned:

1. Network Segmentation with VLANs

This was the biggest game-changer. My entire network was flat – everything on one subnet. This meant if one device was compromised, it could potentially access everything else. I invested in a managed switch and a proper firewall (I chose pfSense, but OPNsense is just as excellent) and started segmenting my network into VLANs:

• Management VLAN: For Proxmox, switches, APs – only accessible from my main workstation.

• Server VLAN: For all my lab services (Plex, Nextcloud, databases, etc.).

• IoT VLAN: For smart home devices that I don't fully trust.

• Guest VLAN: Isolated internet access for visitors.

• Main LAN: For my personal devices.

Challenge: Configuring VLANs was a steep learning curve. I broke internet connectivity multiple times and spent hours troubleshooting why devices couldn't talk to each other. Understanding inter-VLAN routing and firewall rules between them was crucial.

2. Strict Firewall Rules (Default Deny!)

With pfSense in place, I adopted a 'default deny' policy. This means nothing is allowed unless explicitly permitted. I created rules to:

• Block all inbound connections from the internet by default.

• Allow only specific, absolutely necessary ports (like 443 for a reverse proxy) to my DMZ/Server VLAN, and only from specific external IPs if possible.

• Strictly control traffic between VLANs (e.g., IoT devices can't talk to my Server VLAN).

• Implement NAT reflection so I could access my services internally using their public domain names.

Lesson Learned: It's tedious, but explicit rules are vital. Every time I added a new service, I had to think about its network requirements and create the minimum necessary rules.
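To make the segmentation plan from section 1 and the default-deny rules from section 2 concrete, here is a small policy model (added example, not code from the post or from pfSense): zone names follow the plan above, while the subnets, the workstation address and the rule set itself are constructed. It shows why rule order matters and why an unmatched flow is dropped rather than allowed.

```python
# Added example (not from the post): default-deny, first-match inter-VLAN policy.
# Zones follow the post's plan; subnets, workstation address and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {                                   # constructed VLAN subnets
    "MGMT": ip_network("10.0.10.0/24"),     # Proxmox, switches, APs
    "SERVER": ip_network("10.0.20.0/24"),   # Plex, Nextcloud, databases
    "IOT": ip_network("10.0.30.0/24"),
    "GUEST": ip_network("10.0.40.0/24"),
    "MAIN": ip_network("10.0.50.0/24"),
}
WORKSTATION = "10.0.50.10"                  # the only host allowed into MGMT
@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    src_zone: str         # zone name, "WAN" for the internet, "*" for any
    dst_zone: str
    dst_ports: tuple = () # empty tuple means any port
    src_host: str = "*"   # optional single-host restriction

# Checked top to bottom, first match wins; anything unmatched is denied.
RULES = (
    Rule("pass", "MAIN", "MGMT", src_host=WORKSTATION),
    Rule("pass", "WAN", "SERVER", (443,)),       # only the reverse-proxy port
    Rule("block", "IOT", "SERVER"),              # explicit so the hit can be logged
    Rule("pass", "IOT", "WAN", (53, 80, 123, 443)),
    Rule("pass", "GUEST", "WAN", (53, 80, 443)),
    Rule("pass", "MAIN", "SERVER"),
    Rule("pass", "MAIN", "WAN"),
)

def zone_of(addr):
    """Map an address to its VLAN; anything outside the lab counts as WAN."""
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "WAN")

def evaluate(src, dst, port):
    """Decide 'pass' or 'block' for a routed (inter-VLAN) src -> dst:port flow."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in RULES:
        if r.src_zone not in ("*", sz) or r.dst_zone not in ("*", dz):
            continue
        if r.dst_ports and port not in r.dst_ports:
            continue
        if r.src_host not in ("*", src):
            continue
        return r.action
    return "block"  # default deny: no rule matched
```

Traffic between two hosts in the same VLAN never crosses the firewall, so the model only covers routed flows; `evaluate("10.0.30.7", "10.0.20.5", 445)` returns `"block"` while `evaluate("203.0.113.9", "10.0.20.5", 443)` returns `"pass"`.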

3. VPN for Remote Access

Instead of exposing services directly, I set up an OpenVPN server on my pfSense box. Now, when I'm away from home, I VPN into my network first. This means my services are only accessible through a secure, encrypted tunnel, drastically reducing their attack surface.

4. Reverse Proxy with SSL/TLS

For services I absolutely needed to access from outside (like Nextcloud or a personal website), I deployed Nginx Proxy Manager (though Traefik or Caddy are also great options) in a DMZ-like segment. This acts as a single entry point, handling SSL certificates (via Let's Encrypt) and forwarding requests to the correct internal service. This way, only the reverse proxy is directly exposed, not the individual services.

5. Strong Passwords & Multi-Factor Authentication (MFA)

This is basic, but cannot be stressed enough. Every service, every login, every device received a unique, strong password (managed by a password manager). Where available, MFA was enabled immediately. My Proxmox, Nextcloud, and even my router login now require a second factor.

6. Regular Updates & Monitoring

I set up a routine to update all my systems (OS, applications, firmware) regularly. I also started looking at logs more often and even dabbled with Suricata on pfSense for intrusion detection. Knowing what's happening on your network is half the battle.

The Takeaway: Security is a Journey, Not a Destination

My 'oh crap' moment was a humbling, yet incredibly valuable experience. I learned that security isn't just about installing an antivirus; it's about a multi-layered, thoughtful approach to network design and device configuration. It's an ongoing process of learning, adapting, and refining.

If you're just starting your homelab, or even if you've had one for years, I urge you to take a critical look at your security posture. Don't wait for your own 'oh crap' moment. Start small, perhaps with a VPN, then explore VLANs. The peace of mind knowing your digital playground is secure is absolutely worth the effort. Happy (and secure) homelabbing!