this post was submitted on 29 Dec 2024
1 points (100.0% liked)

homelab.

10 readers
1 users here now

Welcome to your friendly /r/homelab, where techies and sysadmin from everywhere are welcome to share their labs, projects, builds, etc.

founded 2 years ago
MODERATORS
[email protected]
1
Exposing services : security considerations (zerobytes.monster)
submitted 2 days ago by [email protected] to c/[email protected]
0 comments fedilink hide all child comments
 
The original post: /r/homelab by /u/neilyoung57 on 2024-12-29 07:17:49.

Hi,

I've recently started building a very basic homelab. I use tailscale for remote but I'm considering exposing specific services to the internet.

Here is a simplified view of my homelab :

https://preview.redd.it/8npr2651lq9e1.png?width=877&format=png&auto=webp&s=51276679daa744e57d68d270bb7fb1ac8b154b90

The general idea is to use a dedicated VM, connected to the OPT1 interface for services exposed to the internet.

  • It's incredibly difficult to get rid of the ISP router where I live. It's very limited in terms of functionalities but allows basic port forwarding and redirections.
  • All HTTP(S) request are forwarded to the OPNsense VM. No other ports are exposed on the ISP router.
  • Caddy is installed on OPNsense to act as reverse proxy.
  • The "public" VM connected to interface OPT1 uses it's own virtual network not connected to any other network on the hypervisor.
  • Access to other VM is limited to the local network (192.168.1.0/24) and Tailscale network.

I'm trying to airgap the public VM as much as possible. What step could I take to maximise security ?

no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here