valerieolg/Homelab
GitHub: valerieolg/Homelab
Stars: 0 | Forks: 0
# Homelab
**Built by a cybersecurity student with 8 months of experience who wanted to learn enterprise infrastructure hands-on - not just read about it.**
This lab simulates an enterprise-like network at home. It uses real hardware, real network segmentation, a functional firewall with IDS, VPN, Active Directory, and a SIEM. It is also used as a penetration testing environment against my own network.
## Hardware
| Device | Role |
|---|---|
| HPE ProLiant DL180 Gen10 | Main server (Proxmox hypervisor) |
| HP Switch 1820 24-port | Managed switch (VLAN trunking) |
| TP-Link Archer A6 | Secondary router / double NAT layer |
| ISP Modem | WAN uplink |
## Architecture Overview
## Network Map
| Network | Subnet | Purpose |
|---|---|---|
| VLAN10 Management | 192.168.10.0/24 | Laptop, Proxmox access, switch management |
| VLAN20 Lab | 192.168.20.0/24 | VMs, Active Directory, Wazuh, Plex |
| WireGuard VPN | 10.10.10.0/24 | Remote access (iPhone + laptop) |
## Services
### Infrastructure
| Service | Type | Description |
|---|---|---|
| Proxmox VE | Bare metal | Hypervisor running all VMs |
| OPNsense | VM | Firewall, router, gateway, DHCP, DNS |
| HP Switch 1820 | Physical | VLAN segmentation and trunking |
### Security & Monitoring
| Service | Type | Description |
|---|---|---|
| Suricata IDS | OPNsense plugin | Intrusion detection on WAN, PCAP mode, alert only |
| Unbound DNS | OPNsense plugin | Recursive DNS with DNSSEC, registers DHCP leases |
| WireGuard VPN | OPNsense plugin | Remote access VPN, port 51820, tunnel 10.10.10.0/24 |
| DuckDNS | OPNsense plugin | Dynamic DNS, auto-updates public IP on WAN change |
| Monit | OPNsense plugin | Service monitoring and email alerts |
| Wazuh SIEM | VM | Centralized log collection, threat detection, agents on Proxmox and DC-01 |
| Active Directory | VM | homelab.local domain, DC-01, intentional misconfigs for pentest practice |
### Planned
| Service | Target IP | Notes |
|---|---|---|
| Plex Media Server | 192.168.20.12 | After QoS tuning |
| HAProxy | OPNsense | Reverse proxy after all VMs stable |
| Kali Linux | 192.168.20.13 | Pentest VM |
## Security Architecture
### Defense-in-Depth Layers
| Layer | Tool | Function |
|---|---|---|
| Perimeter | OPNsense firewall | Block all unsolicited inbound, VLAN isolation |
| IDS | Suricata on WAN | Alert on known threat signatures |
| DNS | Unbound + DNSSEC | Validates DNS responses, blocks cache poisoning |
| Network segmentation | VLANs 10 and 20 | Management and lab traffic isolated from each other |
| Remote access | WireGuard VPN | Encrypted tunnel, only UDP 51820 exposed |
| SIEM | Wazuh | Centralized log analysis and threat detection |
| Active Directory | DC-01 | Domain controller with intentional misconfigs for attack practice |
| Monitoring | Monit + email alerts | Notifies on service failures |
### What Is Exposed to the Internet
| Component | Exposed? | Protection |
|---|---|---|
| OPNsense WAN | Public IP visible | Firewall drops all unsolicited inbound |
| WireGuard | UDP 51820 only | Encrypted, authenticated tunnel |
| All internal services | No | LAN or VPN only |
| Proxmox web UI | No | VLAN10 only |
| Switch management | No | VLAN10 only |
## Implementation Phases
| Phase | Focus | Status |
|---|---|---|
| 1 | Proxmox install, network config, vmbr setup | Done |
| 2 | OPNsense VM, WAN/LAN/VLAN interfaces | Done |
| 3 | Switch VLAN config, trunk port, laptop VLAN | Done |
| 4 | Firewall rules, aliases, DHCP, Unbound DNS | Done |
| 5 | Suricata IDS, DuckDNS, WireGuard VPN | Done |
| 6 | Monit monitoring, scheduled rules, QoS placeholder | Done |
| 7 | Wazuh SIEM VM | Done |
| 8 | Active Directory VM | Done |
| 9 | Plex VM, QoS tuning | Planned |
| 10 | HAProxy reverse proxy | Planned |
| 11 | Penetration testing lab exercises | Planned |
## Skills Demonstrated
- Network segmentation with VLANs on a managed switch
- Firewall design with defense-in-depth (OPNsense)
- Intrusion detection deployment and ruleset configuration (Suricata)
- DNS security with DNSSEC and recursive resolver (Unbound)
- VPN setup with WireGuard through double NAT
- Dynamic DNS configuration (DuckDNS)
- Service monitoring and alerting (Monit)
- Virtualization and VM management (Proxmox VE)
- Active Directory and Windows Server administration
- SIEM deployment and log analysis (Wazuh)
- Penetration testing fundamentals (planned)
## Repository Structure
## Notable Challenges and Lessons Learned
A few highlights - full list in each relevant doc:
- Always configure OPNsense DHCP and firewall rules BEFORE moving the laptop port to a new VLAN on the switch or you lose all connectivity
- WireGuard in OPNsense 26.1 cannot have a static IP on the tunnel interface - use IPv4 type None with dynamic gateway policy
- Double NAT requires port forwards on both devices for VPN to work
- Port checkers always show UDP as closed even when WireGuard is working - check handshake status in OPNsense instead
- Wazuh agent version must match or be lower than the manager version - pin it explicitly
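The fourth lesson above is worth turning into a repeatable check: instead of trusting an external port checker, read the handshake state directly from WireGuard. The following script is an added example, not code from the Homelab repository. It parses the output of `wg show <iface> dump` (the tab-separated format of the standard wireguard-tools `wg` command, one interface line followed by one line per peer, with the latest handshake as a Unix timestamp in the fifth field, 0 meaning never) and reports each peer's handshake age. It also flags any peer whose AllowedIPs fall outside the 10.10.10.0/24 tunnel network from the README, since a server-side AllowedIPs entry covering a LAN or VLAN range would let that peer source traffic as those addresses. The dump text, keys, endpoints and timestamps below are constructed for the example; `STALE_AFTER` and the interface name `wg0` are assumptions.

```python
"""Report WireGuard peer handshake freshness and AllowedIPs scope.

Added example (not part of the Homelab repository). Assumes the
`wg show <iface> dump` output format of wireguard-tools. Sample data
below is constructed; keys are placeholders, not real key material.
"""
import ipaddress
import subprocess
from dataclasses import dataclass
from typing import List, Optional

TUNNEL_NET = ipaddress.ip_network("10.10.10.0/24")  # tunnel subnet from the README
# WireGuard renegotiates roughly every two minutes; a peer with no handshake
# for longer than this is treated as down. Threshold is an assumption.
STALE_AFTER = 180


@dataclass
class PeerStatus:
    public_key: str
    allowed_ips: str
    handshake_age: Optional[int]  # seconds since last handshake, None if never
    in_tunnel_net: bool           # every AllowedIPs entry lies inside TUNNEL_NET

    @property
    def healthy(self) -> bool:
        return self.handshake_age is not None and self.handshake_age <= STALE_AFTER


def _within_tunnel(allowed: str) -> bool:
    """True only if all AllowedIPs entries are subnets of TUNNEL_NET."""
    if allowed == "(none)":
        return False
    for entry in allowed.split(","):
        net = ipaddress.ip_network(entry.strip(), strict=False)
        # subnet_of() cannot compare IPv4 with IPv6, so check the version first
        if net.version != TUNNEL_NET.version or not net.subnet_of(TUNNEL_NET):
            return False
    return True


def parse_dump(dump: str, now: int) -> List[PeerStatus]:
    """Parse `wg show <iface> dump` text; `now` is the current Unix time."""
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    peers = []
    for line in lines[1:]:  # line 0 describes the interface, not a peer
        fields = line.split("\t")
        if len(fields) < 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, _endpoint, allowed, handshake = fields[:5]
        ts = int(handshake)
        age = now - ts if ts > 0 else None
        peers.append(PeerStatus(pub, allowed, age, _within_tunnel(allowed)))
    return peers


def read_live_dump(iface: str = "wg0") -> str:
    """Fetch the dump from the running system (needs the wg tool and privileges)."""
    return subprocess.run(["wg", "show", iface, "dump"],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample: one healthy phone, one laptop that never connected, and
# one peer with an AllowedIPs range that reaches into the lab VLAN.
SAMPLE_DUMP = (
    "PRIVKEY_PLACEHOLDER\tSERVER_PUBKEY_PLACEHOLDER\t51820\toff\n"
    "PHONE_PUBKEY\t(none)\t203.0.113.5:41820\t10.10.10.2/32\t1700000100\t1234\t5678\t25\n"
    "LAPTOP_PUBKEY\t(none)\t(none)\t10.10.10.3/32\t0\t0\t0\toff\n"
    "ROGUE_PUBKEY\t(none)\t198.51.100.9:5000\t192.168.20.0/24\t1699999000\t10\t10\toff\n"
)
SAMPLE_NOW = 1700000200


if __name__ == "__main__":
    for p in parse_dump(SAMPLE_DUMP, SAMPLE_NOW):
        state = "OK" if p.healthy else "DOWN/STALE"
        scope = "" if p.in_tunnel_net else "  <-- AllowedIPs outside tunnel net"
        age = "never" if p.handshake_age is None else f"{p.handshake_age}s ago"
        print(f"{p.public_key:14} handshake {age:12} {state}{scope}")
```

On the OPNsense box this replaces the port checker entirely: run `parse_dump(read_live_dump("wg0"), int(time.time()))` and a peer shows as healthy only if it completed a handshake within the last three minutes, which is the same signal the OPNsense WireGuard status page presents.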
## Note on Sensitive Data
Real IPs for management interfaces, DuckDNS subdomain, and VPN endpoints are not published in this repository. Network subnets are documented accurately. Host-specific addresses for infrastructure devices are redacted.