valerieolg/Homelab

Homelab

Built by a cybersecurity student with 8 months of experience who wanted to learn enterprise infrastructure hands-on - not just read about it.

This lab simulates an enterprise-like network at home. It uses real hardware, real network segmentation, a functional firewall with IDS, VPN, Active Directory, and a SIEM. It is also used as a penetration testing environment against my own network.


Hardware

| Device | Role |
|---|---|
| HPE ProLiant DL180 Gen10 | Main server (Proxmox hypervisor) |
| HP Switch 1820 24-port | Managed switch (VLAN trunking) |
| TP-Link Archer A6 | Secondary router / double NAT layer |
| ISP Modem | WAN uplink |

Architecture Overview

image

Network Map

| Network | Subnet | Purpose |
|---|---|---|
| VLAN10 Management | 192.168.10.0/24 | Laptop, Proxmox access, switch management |
| VLAN20 Lab | 192.168.20.0/24 | VMs, Active Directory, Wazuh, Plex |
| WireGuard VPN | 10.10.10.0/24 | Remote access (iPhone + laptop) |

Services

Infrastructure

| Service | Type | Description |
|---|---|---|
| Proxmox VE | Bare metal | Hypervisor running all VMs |
| OPNsense | VM | Firewall, router, gateway, DHCP, DNS |
| HP Switch 1820 | Physical | VLAN segmentation and trunking |

Security & Monitoring

| Service | Type | Description |
|---|---|---|
| Suricata IDS | OPNsense plugin | Intrusion detection on WAN, PCAP mode, alert only |
| Unbound DNS | OPNsense plugin | Recursive DNS with DNSSEC, registers DHCP leases |
| WireGuard VPN | OPNsense plugin | Remote access VPN, port 51820, tunnel 10.10.10.0/24 |
| DuckDNS | OPNsense plugin | Dynamic DNS, auto-updates public IP on WAN change |
| Monit | OPNsense plugin | Service monitoring and email alerts |
| Wazuh SIEM | VM | Centralized log collection, threat detection, agents on Proxmox and DC-01 |
| Active Directory | VM | homelab.local domain, DC-01, intentional misconfigs for pentest practice |

Planned

| Service | Target IP | Notes |
|---|---|---|
| Plex Media Server | 192.168.20.12 | After QoS tuning |
| HAProxy | OPNsense | Reverse proxy after all VMs stable |
| Kali Linux | 192.168.20.13 | Pentest VM |

Security Architecture

Defense-in-Depth Layers

| Layer | Tool | Function |
|---|---|---|
| Perimeter | OPNsense firewall | Block all unsolicited inbound, VLAN isolation |
| IDS | Suricata on WAN | Alert on known threat signatures |
| DNS | Unbound + DNSSEC | Validates DNS responses, blocks cache poisoning |
| Network segmentation | VLANs 10 and 20 | Management and lab traffic isolated from each other |
| Remote access | WireGuard VPN | Encrypted tunnel, only UDP 51820 exposed |
| SIEM | Wazuh | Centralized log analysis and threat detection |
| Active Directory | DC-01 | Domain controller with intentional misconfigs for attack practice |
| Monitoring | Monit + email alerts | Notifies on service failures |

What Is Exposed to the Internet

| Component | Exposed? | Protection |
|---|---|---|
| OPNsense WAN | Public IP visible | Firewall drops all unsolicited inbound |
| WireGuard | UDP 51820 only | Encrypted, authenticated tunnel |
| All internal services | No | LAN or VPN only |
| Proxmox web UI | No | VLAN10 only |
| Switch management | No | VLAN10 only |

Implementation Phases

| Phase | Focus | Status |
|---|---|---|
| 1 | Proxmox install, network config, vmbr setup | Done |
| 2 | OPNsense VM, WAN/LAN/VLAN interfaces | Done |
| 3 | Switch VLAN config, trunk port, laptop VLAN | Done |
| 4 | Firewall rules, aliases, DHCP, Unbound DNS | Done |
| 5 | Suricata IDS, DuckDNS, WireGuard VPN | Done |
| 6 | Monit monitoring, scheduled rules, QoS placeholder | Done |
| 7 | Wazuh SIEM VM | Done |
| 8 | Active Directory VM | Done |
| 9 | Plex VM, QoS tuning | Planned |
| 10 | HAProxy reverse proxy | Planned |
| 11 | Penetration testing lab exercises | Planned |

Skills Demonstrated

  • Network segmentation with VLANs on a managed switch
  • Firewall design with defense-in-depth (OPNsense)
  • Intrusion detection deployment and ruleset configuration (Suricata)
  • DNS security with DNSSEC and recursive resolver (Unbound)
  • VPN setup with WireGuard through double NAT
  • Dynamic DNS configuration (DuckDNS)
  • Service monitoring and alerting (Monit)
  • Virtualization and VM management (Proxmox VE)
  • Active Directory and Windows Server administration
  • SIEM deployment and log analysis (Wazuh)
  • Penetration testing fundamentals (planned)

Repository Structure

image

Notable Challenges and Lessons Learned

A few highlights - full list in each relevant doc:

  • Always configure OPNsense DHCP and firewall rules BEFORE moving the laptop port to a new VLAN on the switch, or you lose all connectivity
  • WireGuard in OPNsense 26.1 cannot have a static IP on the tunnel interface - use IPv4 type None with dynamic gateway policy
  • Double NAT requires port forwards on both devices for VPN to work
  • Port checkers always show UDP as closed even when WireGuard is working - check handshake status in OPNsense instead
  • Wazuh agent version must match or be lower than the manager version - pin it explicitly
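
The handshake check from the port-checker lesson above, as an added example that is not code from this repository: WireGuard sends no reply to unauthenticated packets, so an external UDP probe cannot tell an open port from a dropped one, while the last-handshake time of each peer can. It parses the output of `wg show <interface> latest-handshakes`; the interface name `wg0`, the placeholder keys and the timestamps are constructed assumptions.

```python
import time

# WireGuard protocol constant: session keys are rejected 180 s after the
# handshake that created them, so a peer passing traffic re-handshakes sooner.
REJECT_AFTER_TIME = 180

# Constructed sample of `wg show wg0 latest-handshakes` output
# (tab-separated: public key, Unix time of last handshake; 0 = never).
# The keys are placeholders, not real keys.
SAMPLE = (
    "IPHONE_PUBKEY_PLACEHOLDER\t1699999940\n"
    "LAPTOP_PUBKEY_PLACEHOLDER\t1699996400\n"
    "UNUSED_PUBKEY_PLACEHOLDER\t0\n"
)

def parse_latest_handshakes(text):
    """Return {public_key: last_handshake_unix_time}."""
    peers = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        # `wg show all ...` prefixes each line with the interface name.
        if len(fields) == 3:
            fields = fields[1:]
        if len(fields) != 2 or not fields[1].isdigit():
            raise ValueError(f"unexpected line: {line!r}")
        peers[fields[0]] = int(fields[1])
    return peers

def classify(peers, now=None):
    """Label each peer 'active', 'stale' or 'never' by handshake age."""
    now = int(time.time()) if now is None else now
    status = {}
    for key, ts in peers.items():
        if ts == 0:
            status[key] = "never"    # no handshake since the interface came up
        elif now - ts <= REJECT_AFTER_TIME:
            status[key] = "active"   # tunnel is up, whatever a port checker says
        else:
            status[key] = "stale"    # idle peer or broken path (e.g. a NAT forward)
    return status

if __name__ == "__main__":
    for key, state in classify(parse_latest_handshakes(SAMPLE), now=1700000000).items():
        print(f"{state:7} {key}")
```

A "stale" result is not a fault by itself: a peer with no traffic and no persistent keepalive stops handshaking, so test by sending traffic from the client and re-running the check.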

Note on Sensitive Data

Real IPs for management interfaces, DuckDNS subdomain, and VPN endpoints are not published in this repository. Network subnets are documented accurately. Host-specific addresses for infrastructure devices are redacted.

About

Enterprise-like home lab for hands-on cybersecurity and infrastructure practice.
