homelab/network-security.md

Network & Security Configuration

Complete guide for securing and networking your homelab.

SSH Security Setup

Initial Configuration

# Generate SSH key pair
ssh-keygen -t ed25519 -C "homelab-key" -f ~/.ssh/homelab_ed25519

# Copy public key to target
ssh-copy-id -i ~/.ssh/homelab_ed25519.pub user@target

SSH Hardening

Edit /etc/ssh/sshd_config:

# Disable root login
PermitRootLogin no

# Use key-based authentication only
PasswordAuthentication no
PubkeyAuthentication yes

# Change default port (optional)
Port 2222

# Restrict users
AllowUsers hoborg

# Security settings
# Protocol 1 was removed in OpenSSH 7.6; newer releases log "Deprecated option Protocol" and ignore this line
Protocol 2
X11Forwarding no
AllowTcpForwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3
MaxStartups 2

Validate the edited file with sudo sshd -t (it prints nothing on success), then restart SSH: sudo systemctl restart sshd. Keep the current session open until a fresh key-based login over port 2222 succeeds, so a typo cannot lock you out.
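To confirm the running daemon actually applies these settings (a drop-in under /etc/ssh/sshd_config.d/, which many distributions now Include at the top of the file, wins over later lines because sshd keeps the first value it reads), compare the effective configuration printed by sshd -T against a baseline. This is an added example, not part of the original guide; the EXPECTED table and the sample output are constructed here.

```python
import subprocess

# Baseline taken from the sshd_config above (keywords lowercased, as sshd -T prints them); "allowusers" and "port" are this page's values.
EXPECTED = {
    "port": "2222",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "allowusers": "hoborg",
    "x11forwarding": "no",
    "allowtcpforwarding": "no",
}

def parse_sshd_t(output):
    """Turn `sshd -T` output ("keyword value" per line) into a dict.
    A keyword printed more than once (e.g. several Port lines) is joined with commas."""
    effective = {}
    for line in output.splitlines():
        key, _, value = line.strip().partition(" ")
        if not key:
            continue
        key = key.lower()
        effective[key] = value if key not in effective else effective[key] + "," + value
    return effective

def find_drift(effective, expected=EXPECTED):
    """Return (keyword, expected, effective) for every baseline setting that differs."""
    return [(k, v, effective.get(k, "<unset>"))
            for k, v in expected.items() if effective.get(k) != v]

def audit_live_sshd():
    """Ask the running binary for its effective config (needs root) and report drift."""
    out = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True).stdout
    return find_drift(parse_sshd_t(out))

# Constructed sample: a drop-in under /etc/ssh/sshd_config.d/ re-enabled passwords, so the effective value differs from sshd_config.
SAMPLE_SSHD_T = """\
port 2222
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
allowusers hoborg
x11forwarding no
allowtcpforwarding no
"""

if __name__ == "__main__":
    for key, want, got in audit_live_sshd():
        print(f"{key}: expected {want}, effective {got}")
```

Run it as root after every change to sshd_config or its drop-ins; an empty report means the hardening above is what the daemon enforces.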

SSH Client Configuration

Create ~/.ssh/config:

Host homelab
    HostName your-domain.duckdns.org
    User hoborg
    Port 2222
    IdentityFile ~/.ssh/homelab_ed25519
    ServerAliveInterval 60

Dynamic DNS with DuckDNS

Account Setup

  1. Create account at duckdns.org
  2. Create subdomain: ak-homelab.duckdns.org
  3. Get token from dashboard

Automatic IP Updates

Update script at ~/.local/scripts/duckdns.py (Python implementation)
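The guide does not reproduce the script itself; what follows is an added example of such an updater, not the author's duckdns.py. It assumes the token is stored in ~/.config/duckdns/token (mode 0600, never in the script or the crontab) and the last published address is cached in ~/.cache/duckdns/last_ip; the update endpoint and its OK/KO reply are DuckDNS's documented behaviour, and the subdomain is the one created above.

```python
import ipaddress
import os
import sys
import urllib.parse
import urllib.request

# Assumed layout: token in a mode-0600 file, last published IP cached beside it.
TOKEN_FILE = os.path.expanduser("~/.config/duckdns/token")
CACHE_FILE = os.path.expanduser("~/.cache/duckdns/last_ip")
DOMAIN = "ak-homelab"  # subdomain created in the Account Setup step

def build_update_url(domain, token, ip):
    """DuckDNS update endpoint. The token travels as a query parameter,
    so never log or echo the returned URL."""
    query = urllib.parse.urlencode({"domains": domain, "token": token, "ip": ip})
    return "https://www.duckdns.org/update?" + query

def valid_public_ipv4(text):
    """Accept only a single global IPv4 address; refuse to publish anything else."""
    try:
        return ipaddress.IPv4Address(text.strip()).is_global
    except ValueError:
        return False

def parse_reply(body):
    """DuckDNS answers with the literal text OK or KO."""
    return body.strip() == "OK"

def fetch(url):
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace").strip()

def main():
    token = open(TOKEN_FILE).read().strip()
    ip = fetch("https://ipinfo.io/ip")          # same source as the Testing step below
    if not valid_public_ipv4(ip):
        print(f"duckdns: refusing to publish {ip!r}", file=sys.stderr)
        return 1
    cached = open(CACHE_FILE).read().strip() if os.path.exists(CACHE_FILE) else None
    if ip == cached:                            # nothing changed since the last run
        return 0
    if not parse_reply(fetch(build_update_url(DOMAIN, token, ip))):
        print("duckdns: update rejected (KO); check token and subdomain", file=sys.stderr)
        return 1
    with open(CACHE_FILE, "w") as fh:           # remember what was published
        fh.write(ip)
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Create both directories and the token file before the first run; the cache keeps the five-minute cron job from hitting DuckDNS when the address has not changed.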

Cron job for automatic updates:

# Update every 5 minutes (cron runs the file directly, so it needs a #!/usr/bin/env python3 shebang and the executable bit)
*/5 * * * * /home/hoborg/.local/scripts/duckdns.py >/dev/null 2>&1

Testing

# Check current IP
curl -s https://ipinfo.io/ip

# Verify DNS resolution
nslookup ak-homelab.duckdns.org

VPN Setup with WireGuard

Server Configuration

Install WireGuard: sudo pacman -S wireguard-tools

Generate keys:

# run umask 077 first so the private key file is created unreadable by other users
wg genkey | tee server_private.key | wg pubkey > server_public.key

Server config /etc/wireguard/wg0.conf (the host must also have IP forwarding enabled, net.ipv4.ip_forward=1, or the MASQUERADE rule will never see client traffic):

[Interface]
PrivateKey = <SERVER_PRIVATE_KEY>
Address = 10.0.0.1/24
ListenPort = 51820
# eth0 is a placeholder: use the interface that holds the default route (ip route show default); on Arch it is usually an enp*/eno* name
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32

Client Configuration

Generate client keys:

# as on the server, set umask 077 before generating so the private key is not world-readable
wg genkey | tee client_private.key | wg pubkey > client_public.key

Client config:

[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = ak-homelab.duckdns.org:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Enable VPN

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Firewall Configuration

UFW Setup

# Install and enable UFW
sudo pacman -S ufw
sudo ufw enable

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# SSH access
sudo ufw allow 2222/tcp

# WireGuard
sudo ufw allow 51820/udp

# HTTP/HTTPS for services
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Advanced Rules

# Rate limiting for SSH
sudo ufw limit 2222/tcp

# Allow SSH from the LAN (sshd listens on 2222, not 22, after the hardening above);
# ufw matches rules in order, so add it with `sudo ufw insert 1 ...` if LAN hosts should bypass the limit rule
sudo ufw allow from 192.168.1.0/24 to any port 2222 proto tcp

# Log denied connections
sudo ufw logging on

Network Security Best Practices

Port Management

  • Non-default ports: SSH listens on 2222; WireGuard keeps its default 51820
  • Close unused ports: Regular port scans with nmap
  • Port forwarding: Only forward necessary ports

Access Control

  • VPN-first approach: Access services through VPN tunnel
  • IP whitelisting: Restrict access to known IPs when possible
  • Rate limiting: Prevent brute force attacks

Monitoring

  • Log analysis: Monitor /var/log/auth.log for SSH attempts (journal-only systems such as Arch have no auth.log; use journalctl -u sshd)
  • Network monitoring: Use netstat/ss to check listening ports
  • Intrusion detection: Consider fail2ban for automated blocking
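The log-analysis and fail2ban bullets describe the same detection: repeated failed logins from one source inside a short window. The block below, an added example rather than anything from the guide, runs that rule over constructed auth.log-style lines (journalctl -u sshd prints the same message text); the threshold and window mirror fail2ban's maxretry and findtime, and 203.0.113.5 is a documentation address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format found in /var/log/auth.log; `journalctl -u sshd`
# prints the same message text after the unit prefix. 203.0.113.5 is a documentation address.
SAMPLE_LOG = """\
Mar  3 10:00:01 homelab sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Mar  3 10:00:04 homelab sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 50130 ssh2
Mar  3 10:00:07 homelab sshd[1205]: Failed password for root from 203.0.113.5 port 50141 ssh2
Mar  3 10:00:09 homelab sshd[1207]: Invalid user postgres from 203.0.113.5 port 50150
Mar  3 10:02:30 homelab sshd[1220]: Accepted publickey for hoborg from 192.168.1.23 port 41022 ssh2: ED25519 SHA256:placeholder
Mar  3 10:30:00 homelab sshd[1301]: Failed password for hoborg from 192.168.1.23 port 41100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Both "Failed <method> for [invalid user] X" and "Invalid user X" count as a failed attempt.
FAIL_RE = re.compile(
    r"^(?:Failed \w+ for (?:invalid user )?(?P<user>\S+)|Invalid user (?P<user2>\S+))"
    r" from (?P<ip>[\d.]+) port \d+")

def parse_failures(log_text, year=2024):
    """Yield (timestamp, user, source_ip) for every failed or invalid-user attempt.
    syslog lines carry no year, so one is supplied to build a real datetime."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        f = FAIL_RE.match(m["msg"]) if m else None
        if not f:
            continue
        ts = datetime.strptime(f"{year} " + " ".join(m["ts"].split()), "%Y %b %d %H:%M:%S")
        yield ts, f["user"] or f["user2"], f["ip"]

def offenders(log_text, max_retry=3, window=timedelta(minutes=10), year=2024):
    """Return {source_ip: total_failures} for every source that produced at least
    max_retry failures inside one window, the same policy as fail2ban's maxretry/findtime."""
    attempts = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text, year):
        attempts[ip].append(ts)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        for i, start in enumerate(times):        # sliding window anchored at each attempt
            if sum(1 for t in times[i:] if t - start <= window) >= max_retry:
                flagged[ip] = len(times)
                break
    return flagged
```

On the sample, the single mistyped password from the LAN host stays below the threshold while the burst from 203.0.113.5 is flagged, which is exactly the split fail2ban automates with a ban action.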

Router Configuration

Port Forwarding

Forward these ports to your homelab server:

  • SSH: External port → Internal 2222
  • WireGuard: 51820 → 51820
  • Web services: 80/443 → 80/443 (if needed)

Security Settings

  • Disable WPS: Turn off WiFi Protected Setup
  • Strong WiFi password: WPA3 with complex passphrase
  • Guest network: Separate network for guests
  • Firmware updates: Keep router firmware current

Network Planning

IP Address Scheme

  • Router: 192.168.1.1
  • Homelab server: 192.168.1.100 (static)
  • DHCP range: 192.168.1.10-99
  • VPN subnet: 10.0.0.0/24

DNS Configuration

  • Primary DNS: Router (192.168.1.1)
  • Secondary DNS: 1.1.1.1, 8.8.8.8
  • Local domain: homelab.local (.local is reserved for mDNS and can collide with Avahi/Bonjour lookups; home.arpa is the suffix set aside for home networks)
  • Dynamic DNS: ak-homelab.duckdns.org

Service Architecture

Internet → Router → Homelab Server
                 ↓
    ┌─────────────────────────────┐
    │  SSH (2222)                 │
    │  WireGuard VPN (51820)      │
    │  Web Services (80/443)      │
    │  Monitoring & Logging       │
    └─────────────────────────────┘

Backup and Recovery

Configuration Backups

  • SSH keys: Store securely, separate from server
  • WireGuard configs: Document peer configurations
  • Firewall rules: List them with ufw status numbered and back up /etc/ufw/ (user.rules and user6.rules hold the actual rule set)

Network Documentation

  • IP mappings: Document static assignments
  • Port forwards: List all forwarded ports and purposes
  • Access credentials: Secure storage of passwords/keys