Networking on The Home Lab

Zero-Config Remote Access with Tailscale

Sat, 29 Nov 2025 00:00:00 +0000

The Problem with Traditional Remote Access

Setting up WireGuard or OpenVPN yourself works, but it has requirements:

A public IP (harder to get on CGNAT/IPv6-only connections)
Port forwarding on your router
Dynamic DNS if your IP changes
Key management for each client

Tailscale removes all of these requirements. It creates an encrypted peer-to-peer mesh network between your devices without any port forwarding, and works through CGNAT, firewalls, and double-NAT.

How Tailscale Works

Tailscale is built on WireGuard. Each device gets a WireGuard key pair. Tailscale’s coordination server (not a relay server) shares public keys between devices so they can establish direct encrypted connections.

Reverse Proxy and SSL with Nginx Proxy Manager

Sat, 15 Nov 2025 00:00:00 +0000

The Problem Nginx Proxy Manager Solves

As your homelab grows, you accumulate services running on various IPs and ports: Proxmox on :8006, Jellyfin on :8096, Nextcloud on :443, Home Assistant on :8123. Remembering port numbers is tedious, but the bigger issue is HTTPS — browsers complain about self-signed certificates, and accessing services over plain HTTP on your LAN is a security risk.

Nginx Proxy Manager (NPM) solves both problems. It’s a Docker container with a web UI that lets you:

Self-Hosted VPN with WireGuard

Sat, 01 Nov 2025 00:00:00 +0000

Why Self-Host a VPN?

A self-hosted VPN gives you a secure tunnel back into your home network when you’re away. Unlike commercial VPN services (which are for hiding traffic from your ISP), this is about remote access — connecting to your NAS, home automation, internal dashboards, or development environment from a coffee shop or hotel.

WireGuard is the right choice today. It’s built into the Linux kernel, uses modern cryptography (ChaCha20, Curve25519), and has a drastically smaller codebase than OpenVPN (~4,000 lines vs ~400,000). Handshakes complete in milliseconds. Battery drain on mobile is noticeably lower.

Network-Wide Ad Blocking with Pi-hole

Sat, 18 Oct 2025 00:00:00 +0000

Why Pi-hole

Most ad blockers work at the browser level. Pi-hole works at the DNS level, which means it blocks ads for every device on your network — smart TVs, phones, game consoles, IoT devices — without installing anything on them. It works by acting as the DNS resolver for your LAN and returning 0.0.0.0 for known ad and tracking domains instead of the real IP.

The side effect is that you also get a full picture of every DNS query every device makes, which is genuinely eye-opening. You will quickly discover that your smart TV is phoning home every few minutes.

VLAN Segmentation: Isolating Your IoT Devices

Sat, 04 Oct 2025 00:00:00 +0000

Why Segment Your Network?

The average home today has dozens of connected devices — smart bulbs, cameras, thermostats, TVs. Most of these devices have poor security track records: default credentials, infrequent firmware updates, and sometimes outright malicious firmware from vendors.

Putting them on the same flat network as your laptop and NAS is an unnecessary risk. VLANs fix this.

What Is a VLAN?

A Virtual LAN (VLAN) is a logical partition of a physical network. Devices on different VLANs cannot communicate with each other unless you explicitly allow it through firewall rules — even if they share the same physical switch.

Setting Up OPNsense as Your Home Firewall

Sat, 20 Sep 2025 00:00:00 +0000

Why Replace Your ISP Router?

ISP-provided routers are designed to be cheap and manageable by support staff, not to give you control. They have opaque firmware, rarely get security updates, and have none of the features a proper firewall offers: VLAN support, traffic shaping, IDS/IPS, meaningful logs, VPN server, DNS over TLS.

OPNsense is a FreeBSD-based firewall/router that runs on commodity x86 hardware. It’s fully open-source (forked from pfSense in 2015), actively maintained, and has a polished web UI.