The Homelab Show Episode 29: Bastion Server [YouTube Release]

Additional Resources:

https://thehomelab.show/
The sponsor for today’s episode https://www.linode.com/homelabshow
https://lawrencesystems.com/
https://www.learnlinux.tv/

Hi @LTS_Tom I really enjoyed watching this episode. You and Jay mentioned wanting to hear about some other homelab/bastion setups.

I’ve been running a mini homelab for about 3 years now. I’m running KVM on Debian (the upgrade from 10 to 11 went smoothly) and hosting Nextcloud, Grafana, Wazuh and Gitea servers along with a few different desktop distros for various purposes. I’m using a Netgate SG-1100 with multiple VLANs, which I am now comfortable configuring and upgrading. I had a lot of help from your videos. I also have a Pi 3 running Pi-hole as DNS, pointing to Cloudflare over DNSSEC.

The main services I am interested in accessing from outside my home are the Nextcloud/Talk services for cloud storage, video chat and secure messaging. I have a proxy server in the DMZ with fail2ban and custom jails. I used to just forward HTTPS from my router to this proxy server. After a while I decided I’d like to secure it further. I’ve now set up a WireGuard VM and written some bash scripts to handle user certificate management. This allows me to connect to the WireGuard VPN, which in turn allows me to connect to my Nextcloud services from my phone and laptop while away.

I am currently using NoIP’s free Dynamic DNS, but I don’t like having to open port 80 to renew the certificates every 90 days. I’m about to switch over to Dynu. I’ve written some custom scripts to call their free APIs and renew the Let’s Encrypt certs using a DNS challenge.

I like the idea of CrowdSec. I’d like to see if I could use it to cover my WireGuard port and drop malicious traffic. I look forward to hearing more about it on your channel.

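The poster describes bash scripts that provision WireGuard users so phone and laptop can reach Nextcloud through the tunnel. The script below is an added example of how such peer provisioning is typically done; it is not the poster's script. It assumes a server config at /etc/wireguard/wg0.conf, a tunnel subnet of 10.8.0.0/24 with the server at 10.8.0.1, a public endpoint of vpn.example.net:51820 and a lab VLAN of 192.168.10.0/24; all of these are placeholders chosen for the example and can be overridden through the environment variables at the top. The security-relevant details are the /32 in the server-side AllowedIPs (so one peer cannot claim another peer's tunnel address), a per-peer PresharedKey, the client file written with mode 600, and `wg syncconf` so adding a peer does not drop existing sessions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): provision a WireGuard peer.
# Assumed layout: server config wg0.conf, tunnel 10.8.0.0/24, server = .1.
set -euo pipefail

WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
WG_SUBNET_PREFIX="${WG_SUBNET_PREFIX:-10.8.0}"        # assumed tunnel /24
WG_ENDPOINT="${WG_ENDPOINT:-vpn.example.net:51820}"   # assumed public endpoint
WG_DNS="${WG_DNS:-10.8.0.1}"                          # assumed resolver for clients
LAB_NETS="${LAB_NETS:-10.8.0.0/24, 192.168.10.0/24}"  # assumed split-tunnel routes

# next_free_ip CONF_TEXT: lowest unused host address (.2 upward) in the tunnel
# subnet, derived from the AllowedIPs lines already present in the config.
next_free_ip() {
  local conf="$1" esc used n
  esc=${WG_SUBNET_PREFIX//./\\.}
  used=$(printf '%s\n' "$conf" \
    | sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*'"$esc"'\.\([0-9]*\)\/32.*/\1/p')
  for n in $(seq 2 254); do
    # Whole-line match against the list of used last octets.
    if [[ $'\n'"$used"$'\n' != *$'\n'"$n"$'\n'* ]]; then
      printf '%s.%s\n' "$WG_SUBNET_PREFIX" "$n"
      return 0
    fi
  done
  echo "tunnel subnet exhausted" >&2
  return 1
}

# render_server_peer NAME PUBKEY PSK IP: stanza appended to the server config.
# The /32 is what stops one peer from sending traffic with another peer's address.
render_server_peer() {
  local name="$1" pub="$2" psk="$3" ip="$4"
  printf '\n# %s\n[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s/32\n' \
    "$name" "$pub" "$psk" "$ip"
}

# render_client_config PRIVKEY SERVER_PUB PSK IP: the file handed to the user.
# AllowedIPs is split tunnel: only the lab networks are routed over the VPN.
render_client_config() {
  local priv="$1" server_pub="$2" psk="$3" ip="$4"
  cat <<EOF
[Interface]
PrivateKey = $priv
Address = $ip/24
DNS = $WG_DNS

[Peer]
PublicKey = $server_pub
PresharedKey = $psk
Endpoint = $WG_ENDPOINT
AllowedIPs = $LAB_NETS
PersistentKeepalive = 25
EOF
}

# add_peer NAME: generate keys with wg(8), allocate an address, append the
# server stanza, write the client file with mode 600 and reload without
# disturbing peers that are already connected.
add_peer() {
  local name="$1" priv pub psk ip server_pub
  priv=$(wg genkey)
  pub=$(printf '%s' "$priv" | wg pubkey)
  psk=$(wg genpsk)
  ip=$(next_free_ip "$(cat "$WG_CONF")")
  server_pub=$(sed -n 's/^PrivateKey = //p' "$WG_CONF" | head -n1 | wg pubkey)
  render_server_peer "$name" "$pub" "$psk" "$ip" >> "$WG_CONF"
  mkdir -p clients
  ( umask 077; render_client_config "$priv" "$server_pub" "$psk" "$ip" > "clients/$name.conf" )
  wg syncconf wg0 <(wg-quick strip wg0)
  echo "added $name at $ip -> clients/$name.conf"
}

# Usage: ./wg-add-peer.sh <name>   (with no argument only the functions are defined)
if [ -n "${1:-}" ]; then add_peer "$1"; fi
```

Run it as root on the WireGuard VM with the peer name as the only argument, then transfer clients/NAME.conf to the device (a QR code via `qrencode -t ansiutf8 < clients/NAME.conf` is the usual route for phones). Revoking a user is the reverse: delete the peer's stanza from wg0.conf and run the same `wg syncconf` line.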