Comment on Paralyzed by indecision
MigratingtoLemmy@lemmy.world 11 months ago
I will assume that you will expand your homelab with time.
I will also assume that you’re not going to open ports from your home network to the internet. If you need to do that, come back here/research Cloudflare tunnels (I have an alternative to those but that will need some explaining).
Now, purchase a 4 port/6 port “Router Firewall” from Aliexpress. They’ll cost you $200 + RAM + SSD, but at the end of that you’ll have an x86 router + switch (the celeron/pentium/i3s are plenty capable to switch without dedicated hardware). Get a TPLink/Mikrotik WAP and install OpenWRT.
Now, to bring my previous point into focus: you will place this router/firewall behind your consumer router. This will effectively place you behind double NAT, but if you’re using Comcast you shouldn’t care anyway (and it doesn’t matter unless you’re planning to expose ports).
How many drives do you need for your NAS? Look at Lenovo P310s and replace the PSU with your own. RAM + storage will be your biggest expenses in a homelab.
Use your gaming PC as a server, and get a Dell/HP/Lenovo mini PC for HA with it. Don’t even think about ESXi and jump straight into KVM/Xen. Bhyve if you’re brave/want to try something new.
Use Terraform/Ansible when you can, and nothing will terrify you anymore since you can literally rebuild the entire lab inside 15 minutes of you doing nothing but waiting.
Have fun!
Molecular0079@lemmy.world 11 months ago
Not OP, but I’ve been looking into Cloudflare tunnels on my end as well and ended up not going with them because you’re forced to use their own certs so they can decrypt and see the data. I mean most likely they aren’t doing anything untoward, but it’s still a consideration with regards to data privacy.
MigratingtoLemmy@lemmy.world 11 months ago
Absolutely. Everyone should, in theory, be alarmed by the blatant push towards being the world’s biggest MiTM by Cloudflare, but if one doesn’t care about that, then it’s a very good service.
I would personally consider running my own VPS with encrypted storage and run WireGuard tunnels (with the VPS as the server and my devices/home router as the client). If I connect to the same socket, I could essentially connect to my home network without opening any ports there. Tailscale operates on a similar concept at scale, but you’d be better off hosting headscale if you care about privacy.
Molecular0079@lemmy.world 11 months ago
I was thinking the same thing regarding VPS and WireGuard. I use WireGuard personally to VPN into my home network for remote management, but I still haven’t looked up how to make a VPS act as a proxy using it. I know they can join the same network and talk with each other, but what’s the best way to route ports 80 and 443 on the VPS to my server at home? iptables?
MigratingtoLemmy@lemmy.world 11 months ago
That would be correct. Typically people recommend reverse-proxies for this because of their routing capabilities, but unless you have complicated checks and other functionality you need to implement, simple NAT is the best way to go about this.
nftables can do exactly what you need with excellent performance.
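The VPS-as-proxy setup the last few comments sketch (WireGuard with the VPS as the server and the home router dialing out so no port is opened at home, then plain NAT on the VPS forwarding TCP 80/443 down the tunnel instead of a reverse proxy), as an added example that is not part of the thread and not any participant's own config. Everything concrete in it is an assumption: interface names eth0/wg0, the 10.66.0.0/24 tunnel subnet, the hostname vps.example.org, and the placeholder keys. It renders the two WireGuard configs and the nftables ruleset; `apply_vps` (run as root on the VPS) loads the ruleset and enables forwarding.

```shell
#!/bin/sh
# Added example, not from the original thread. VPS forwards TCP 80/443 over a
# WireGuard tunnel to a home server using nftables DNAT. All addresses,
# interface names, hostnames and keys below are assumptions.
#
# Assumed topology:
#   VPS : public iface eth0, wg0 = 10.66.0.1/24, WireGuard server on UDP 51820
#   Home: wg0 = 10.66.0.2/24, WireGuard client that dials out to the VPS; the
#         web service listens on 80/443 on this same host (no inbound port at home)
set -eu

VPS_PUB_IF=eth0
WG_IF=wg0
VPS_WG_IP=10.66.0.1
HOME_WG_IP=10.66.0.2
WG_SUBNET=10.66.0.0/24
WG_PORT=51820

# WireGuard config for the VPS (server side). Keys are placeholders.
render_vps_wg_conf() {
cat <<EOF
[Interface]
Address = ${VPS_WG_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = <vps-private-key>

[Peer]
# home router / home server
PublicKey = <home-public-key>
AllowedIPs = ${HOME_WG_IP}/32
EOF
}

# WireGuard config for the home end (client side). PersistentKeepalive keeps
# the home NAT mapping open so the VPS can send forwarded traffic back in.
render_home_wg_conf() {
cat <<EOF
[Interface]
Address = ${HOME_WG_IP}/24
PrivateKey = <home-private-key>

[Peer]
PublicKey = <vps-public-key>
Endpoint = vps.example.org:${WG_PORT}
AllowedIPs = ${WG_SUBNET}
PersistentKeepalive = 25
EOF
}

# nftables ruleset for the VPS: DNAT 80/443 from the public interface to the
# home end of the tunnel, masquerade so replies return via the VPS, and a
# forward chain that only passes that traffic plus established return packets.
render_nft_ruleset() {
cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        meta l4proto { icmp, ipv6-icmp } accept
        udp dport ${WG_PORT} accept
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "${VPS_PUB_IF}" oifname "${WG_IF}" ip daddr ${HOME_WG_IP} tcp dport { 80, 443 } accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname "${VPS_PUB_IF}" tcp dport { 80, 443 } dnat to ${HOME_WG_IP}
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "${WG_IF}" ip daddr ${HOME_WG_IP} masquerade
    }
}
EOF
}

# Load the ruleset on the VPS (needs root and the nft binary).
apply_vps() {
    sysctl -w net.ipv4.ip_forward=1
    render_nft_ruleset | nft -f -
}

case "${1:-render}" in
    apply) apply_vps ;;
    *) render_vps_wg_conf; echo; render_home_wg_conf; echo; render_nft_ruleset ;;
esac
```

The masquerade rule is what makes this work without touching routing at home: the home server sees every forwarded connection as coming from 10.66.0.1, so replies naturally go back up the tunnel. The cost is that client source addresses are lost at the home end (plain NAT has no PROXY protocol). If you need them, drop the masquerade and instead have the home side route its internet-bound traffic back through the VPS (AllowedIPs = 0.0.0.0/0 on the home peer, or policy routing keyed on the service's source port), which is also where a reverse proxy on the VPS starts to earn its keep. If the web service lives on a LAN host behind the home router rather than on the WireGuard endpoint itself, the home router needs a second DNAT hop from 10.66.0.2 to that host.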