Secure Remote Access to Your Home Lab
Setting up secure remote access to your home lab is essential for managing your systems and services from anywhere while ensuring that your network remains protected.
In this guide, we'll explore various methods and best practices for achieving secure remote access.
Prerequisites
This guide will assume the following:
- You currently have a home lab setup running a Linux-based OS (e.g., Ubuntu).
- You have some understanding of the Linux command line and networking concepts.
- You have administrative access to your network (firewall, etc.).
- If applicable, your SSH server is listening on port 22. Adjust commands accordingly if using a different port.
Securing SSH Access
SSH (Secure Shell) is a common method for remotely accessing servers.
- Use SSH Keys: Avoid using password authentication! Generate a public/private key pair and configure your server to only accept key-based authentication.
  Use the following command to generate a key pair:

      ssh-keygen

  Example usage:

      Enter file in which to save the key (/home/username/.ssh/id_ed25519):
      Enter passphrase (empty for no passphrase): # Optional: add a passphrase for extra security
      Enter same passphrase again:
      The key fingerprint is:
      SHA256:... username@hostname
      ...

  You can now find the generated private and public keys in the ~/.ssh/ directory.

      $ ls ~/.ssh/
      authorized_keys  id_ed25519  id_ed25519.pub
      #                ^^^^^^^^^^  ^^^^^^^^^^^^^^
      #                Private Key Public Key

  Copy the public key to your server:

      ssh-copy-id user@your-server-ip

  Now you can log in using your private key:

      ssh -i ~/.ssh/id_ed25519 user@your-server-ip

  If you didn't specify a custom key location, SSH will automatically use the default key:

      ssh user@your-server-ip

- Disable Password Authentication: Edit the SSH configuration file on your server (/etc/ssh/sshd_config) to disable password authentication:

  Before you continue! Make sure you have successfully set up SSH key authentication and can log in using your SSH keys before disabling password authentication. Otherwise, you may lock yourself out of your server.

      sudo nano /etc/ssh/sshd_config # or use your preferred text editor

      - PasswordAuthentication yes
      + PasswordAuthentication no

  Restart the SSH service to apply changes:

      sudo systemctl restart sshd

- Change the Default SSH Port: Changing the default SSH port (22) to a non-standard port can reduce automated attacks:

      sudo nano /etc/ssh/sshd_config # or use your preferred text editor

      - Port 22
      + Port 2222

  Restart the SSH service:

      sudo systemctl restart sshd

  Remember to update your firewall rules to allow traffic on the new port.
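After the edits above, it is worth confirming what sshd will actually enforce: on a stock Ubuntu layout (an assumption here) /etc/ssh/sshd_config includes /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each keyword, so an earlier drop-in can override your edit. The following is an added example, not part of the original guide: a hypothetical helper, check_sshd_effective, that reads the output of `sudo sshd -T`. The sample inputs are constructed, and the keyboard-interactive check goes beyond the settings the guide changes.

```sh
#!/bin/sh
# Added example, not from the original guide. check_sshd_effective reads the
# output of `sshd -T` (sshd's effective configuration, one lowercase
# "keyword value" pair per line) on stdin and checks the settings changed above.
# Assumes OpenSSH 8.7+ (keyword kbdinteractiveauthentication).
# On a real host:  sudo sshd -T | check_sshd_effective 2222

check_sshd_effective() {    # $1 = port sshd is expected to use
    awk -v want_port="$1" '
        function need(key, want,    got) {
            got = (key in val) ? val[key] : "unset"
            if (got == want) { printf "OK   %s %s\n", key, want; return }
            printf "FAIL %s is %s, expected %s\n", key, got, want
            bad = 1
        }
        $1 == "port" { ports[$2] = 1; next }   # sshd -T prints one line per port
        { val[$1] = $2 }
        END {
            need("pubkeyauthentication", "yes")
            need("passwordauthentication", "no")
            # Beyond the guide: keyboard-interactive can still prompt for a
            # password through PAM, so it is checked as well.
            need("kbdinteractiveauthentication", "no")
            if (want_port in ports) { printf "OK   port %s\n", want_port }
            else { printf "FAIL port %s is not configured\n", want_port; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: sshd_config was edited as in the guide, but a drop-in in
# /etc/ssh/sshd_config.d/ that is read earlier still sets PasswordAuthentication
# yes. sshd keeps the first value it reads, so password logins remain enabled.
SAMPLE_OVERRIDDEN='port 2222
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

# Constructed sample: the guide's edits are in effect.
SAMPLE_HARDENED='port 2222
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_effective 2222 ||
    echo "=> not hardened yet: keep your current SSH session open"
printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_effective 2222 &&
    echo "=> effective configuration matches the guide"
```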
Setting Up a VPN
Using a VPN (Virtual Private Network) allows you to securely connect to your home lab over the internet as if you were on the same local network.
- Choose a VPN Software: Popular options include OpenVPN, WireGuard, and Tailscale.

  Recommendation: For simplicity and support, I recommend using Tailscale as it requires minimal configuration and works across various platforms.

- Install and Configure the VPN: Follow the official documentation for your chosen VPN software to install and configure it on your home lab server.
  For Tailscale, you can follow these steps:

      curl -fsSL https://tailscale.com/install.sh | sh
      sudo tailscale up

- Connect to the VPN: Install the VPN client on your remote device and connect to your home lab network securely.
Additional Security Measures
- Firewall Configuration: Ensure your firewall only allows necessary traffic. For example, only allow SSH and VPN ports from trusted IPs if possible.
- Regular Updates: Keep your home lab systems and software up to date with the latest security patches.
- Use Strong Passwords: For any services that still require passwords, ensure they are strong and unique. (Consider using a password manager like Bitwarden.)
- Monitor Access Logs: Regularly check your SSH and VPN access logs for any suspicious activity.
By following these steps and best practices, you can set up secure remote access to your home lab, allowing you to manage your systems safely from anywhere in the world.