Cybersecurity is best learned by building and breaking real systems, not only through theory.
In this blog I document my journey of creating a personal home lab using tools like pfSense, a VPN, a Linux server and one media service.
The goal of this blog is to share my practical configurations, the real-world problems I faced and the solutions I implemented while securing and managing my own infrastructure.
This blog will serve as a learning log as well as a resource for students and beginners interested in hands-on cybersecurity and networking.
Why I Built a Cybersecurity Home Lab
While studying cybersecurity, I realized that concepts such as networking, firewalls, VPNs, NAT, and server hardening are difficult to fully understand without practical exposure.
A home lab allows me to:
- Simulate real-world networks
- Practice firewall and VPN configuration
- Understand security misconfigurations
- Learn Linux system administration
- Experiment safely without impacting production systems
Prerequisites
Basic knowledge of the following topics helps in understanding this blog:
- IP addressing and basic networking
- Virtual machines (VirtualBox / VMware)
- Linux fundamentals
- Firewall concepts
Architecture Overview
My home lab is designed to mimic a small real-world network.
High-level architecture includes:
- A firewall acting as the network gateway
- Internal machines behind the firewall
- Secure remote access using VPN
- Self-hosted services inside a protected network
The firewall controls incoming and outgoing traffic between the internal network and the internet, while VPN access allows secure remote connectivity even under CGNAT conditions.
Tools and Technologies Used
- pfSense – Firewall and network gateway
- Linux (Ubuntu Server) – Hosting services
- VPN (Tailscale) – Secure remote access
- Jellyfin / Navidrome – Self-hosted media services
- VirtualBox / VMware – Virtualization platform
These tools are widely used in real environments, making this home lab highly relevant for learning.
Implementation Steps
Step 1: Firewall Setup
I deployed the firewall as a virtual machine in VMware with one WAN and one LAN interface.
I configured the DHCP server to automatically assign IP addresses and set up basic outbound NAT.
This step helped me clearly understand how network traffic flows through a firewall to the internet.
Step 2: Internal Network Configuration
Behind the firewall, I created:
- One Linux server for hosting services
- One Parrot OS machine for managing web interfaces such as pfSense and internal services
This setup allowed me to practice access control and rule-based filtering inside a protected network.
Step 3: VPN Configuration
Accessing the home lab remotely was challenging due to CGNAT. I had two options:
- Self-host a VPN
- Use a cloud-based VPN service
I chose Tailscale because it is easy to set up and works well under CGNAT. It uses a mesh topology instead of traditional port forwarding.
This solution:
- Encrypts traffic end-to-end
- Allows remote access without a public IP
- Avoids port forwarding security risks
Step 4: Self-Hosted Services
I deployed services such as Jellyfin inside the secured network and restricted access using firewall rules and VPN-only connectivity.
This step demonstrated how exposed services can significantly increase the attack surface if not properly secured.
Problems Faced and Solutions
Issue: Permission Denied Errors in Jellyfin
Cause: Incorrect Linux directory ownership
While adding a media path in Jellyfin, I faced permission errors when uploading files.
Solution:
I created a dedicated group for Jellyfin, added the service user to that group, and assigned proper read and write permissions to the specific directory.
This successfully resolved the upload issue.
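The group-based fix described above, written out as an added example (not commands from the original post). The group name `media`, the service user `jellyfin` and the path `/srv/media` are assumptions, and the setgid bit plus the audit function go slightly beyond the steps the post lists.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# Assumed names: group "media", service user "jellyfin", path /srv/media.

# Create the dedicated group and add the service user to it (needs root).
setup_media_group() {
    local group="$1" svc_user="$2"
    getent group "$group" >/dev/null || groupadd "$group"
    usermod -aG "$group" "$svc_user"
}

# Grant the group read/write on one directory tree and nothing to "other".
# The setgid bit on directories (an addition to the post's steps) makes new
# files inherit the group, so later uploads stay accessible to the service.
grant_group_rw() {
    local group="$1" dir="$2"
    chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod 2770 {} +
    find "$dir" -type f -exec chmod 660 {} +
}

# Audit the tree: list paths with the wrong group, any "other" permission
# bit, or a directory missing setgid. Returns 1 if anything is listed.
audit_media_dir() {
    local group="$1" dir="$2" violations
    violations=$(find "$dir" \( ! -group "$group" \
        -o -perm -004 -o -perm -002 -o -perm -001 \
        -o \( -type d ! -perm -2000 \) \) -print)
    if [ -n "$violations" ]; then
        printf 'policy violations:\n%s\n' "$violations" >&2
        return 1
    fi
}

# Run as root with "apply" to perform the change on the assumed names.
if [ "${1:-}" = "apply" ]; then
    setup_media_group media jellyfin
    grant_group_rw media /srv/media
    audit_media_dir media /srv/media && echo "media directory OK"
fi
```

A running service only picks up a new group membership when its process restarts, so restart Jellyfin after adding the user to the group.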
Security Considerations
While building the lab, I focused on:
- Disabling default credentials
- Minimizing exposed services
- Applying the principle of least privilege in firewall rules
- Using VPN for administrative access
- Monitoring logs and traffic
Security is not a one-time task but a continuous process.
Results and What I Learned
This home lab significantly improved my understanding of:
- Firewall rule evaluation
- VPN architectures
- CGNAT limitations
- Linux permissions and service management
- Real-world security mistakes and fixes
More importantly, it helped me understand how attackers exploit misconfigurations.
Conclusion and Future Work
This cybersecurity home lab has become my primary learning environment.
In future posts, I plan to:
- Add intrusion detection and monitoring
- Implement centralized logging
- Perform attack simulations
- Convert selected findings into research papers
This blog will continue to document my progress, mistakes, and improvements as I grow in cybersecurity.
Final Tip
Don’t wait until everything is perfect.
Build, document, break, fix, and share.
This blog was originally published on Hashnode