πŸ›‘οΈ My Cybersecurity Lab

Defense in depth,
built from scratch.

A multi-layer cybersecurity homelab combining OPNsense, NordVPN, PiHole, Tailscale, and Vaultwarden. From CNC machinist to cybersecurity engineer: this is my journey, documented in code and configs.

Architecture

Five layers of defense

Each layer protects independently. If one fails, the others continue defending. This is the essence of defense in depth, and the principle this lab is built around.

Cybersecurity lab architecture diagram showing internet, NordVPN, OPNsense firewall, LAN services, and Tailscale mesh
1. NordVPN: hides the home IP and encrypts traffic to the internet via a WireGuard tunnel.

2. OPNsense Firewall: killswitch, stateful filtering, network segmentation. Configured by hand.

3. PiHole: DNS-level ad-blocking, tracker blocking, malware domain filtering.

4. Tailscale: zero-trust mesh VPN. Devices identify cryptographically; no shared passwords.

5. HTTPS + Crowdsec: application-layer TLS encryption with brute-force protection.

Key features

What this lab actually does

Not theory; working infrastructure I use every day.

🛡️ Privacy by design

All LAN traffic flows through NordVPN. Killswitch prevents leaks. DNS filtered through PiHole.

🌍 Secure remote access

Tailscale mesh: phone and laptop reach the lab from anywhere. Subnet routing for full LAN access.

🔒 Hardened authentication

Diceware master passwords (80+ bits entropy). TOTP 2FA. Argon2-hashed admin tokens.

📦 Production-grade ops

Snapshot-based recovery. Volume persistence. Service isolation. Automatic restarts.

Tech Stack

Tools and technologies

The components I configured, broke, and rebuilt to make this work.

Infrastructure

Proxmox VE, Debian 12/13, Docker

Networking

OPNsense, WireGuard, NordVPN, Tailscale, PiHole, Kea DHCP

Services

Vaultwarden, Caddy, Crowdsec

Diagnostic Tools

tcpdump, pfctl, curl, jq, ssh, systemd

Lessons Learned

What broke, and why it matters

Theory is clean; practice is messy. These are the moments that taught me more than any tutorial could.

🔥 OPNsense rebuilt three times

Routing through a VPN tunnel requires firewall-based gateways, not changing the default route. Took three full rebuilds to learn this.

🌐 The Tailscale SNAT trick

Exit-node packets were rewritten before reaching firewall rules. Hours of tcpdump debugging led to one checkbox: "Disable SNAT".

🏠 Independence for critical infra

Proxmox host must not depend on PiHole VM for DNS. A circular dependency at boot can ruin your day.

⚠️ Always check before removing kernels

`uname -r` before `apt autoremove`. Removing the running kernel is a one-way trip to an unbootable system.
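As an added example (not code from the andro-lab repo), a POSIX sh pre-flight check that implements this rule: it parses a simulated `apt-get -s autoremove` plan and refuses to continue when a package named after the running kernel version is in it. The plan text below is a constructed sample; the `Remv` line format is what apt's simulation mode prints.

```shell
#!/bin/sh
# Added example (not from the andro-lab repo): refuse `apt autoremove` when the
# planned removals include the running kernel's image or headers package.

# Constructed sample of `apt-get -s autoremove` output. "Remv" lines are the
# packages apt would remove; the live command is shown at the bottom.
SAMPLE_PLAN='Reading package lists...
Remv linux-image-6.1.0-18-amd64 [6.1.76-1]
Remv linux-headers-6.1.0-18-amd64 [6.1.76-1]
Remv linux-image-6.1.0-21-amd64 [6.1.90-1]'

# planned_removals PLAN: print one package name per line for each "Remv" entry.
planned_removals() {
  printf '%s\n' "$1" | awk '$1 == "Remv" { print $2 }'
}

# running_kernel_in_list RUNNING_KERNEL PACKAGES: exit 0 if any package name
# contains the running kernel version string (e.g. linux-image-6.1.0-21-amd64).
running_kernel_in_list() {
  printf '%s\n' "$2" | grep -F -q -- "$1"
}

# safe_autoremove_check RUNNING_KERNEL PLAN: exit 0 when the plan is safe,
# exit 1 (with the offending packages listed) when it hits the running kernel.
safe_autoremove_check() {
  running="$1"
  pkgs="$(planned_removals "$2")"
  if [ -z "$pkgs" ]; then
    echo "ok: autoremove plan removes nothing"
    return 0
  fi
  if running_kernel_in_list "$running" "$pkgs"; then
    echo "REFUSING: autoremove would remove the running kernel ($running):"
    printf '%s\n' "$pkgs" | grep -F -- "$running"
    return 1
  fi
  echo "ok: running kernel $running is not in the removal plan"
  return 0
}

# Demo against the constructed sample: 6.1.0-21 is "running", so this refuses.
safe_autoremove_check "6.1.0-21-amd64" "$SAMPLE_PLAN" || echo "(demo) would abort here"

# Live use on a Debian host, gating the real command on the check:
#   safe_autoremove_check "$(uname -r)" "$(apt-get -s autoremove)" && sudo apt autoremove
```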

📋 WARN ≠ ERROR

Caddy's "Caddyfile not formatted" looks scary. It's purely cosmetic. Read log levels carefully before panicking.

📸 Snapshots saved me 15 times

Every nontrivial change got a labeled, dated Proxmox snapshot. Storage is cheap; debugging time is expensive.

Full details in lessons-learned.md on GitHub.

Want the full story?

Detailed setup guides, anonymized configs, and architecture deep-dives, all on GitHub. Open source, MIT licensed.

📦 View andro-lab on GitHub