Zero-Trust Home Lab

Complete
Nathan Lim - Root Admin October 2024 – July 2025

Overview

Self-hosted Proxmox server running Docker containers, LXCs, and Linux VMs for networking, storage, monitoring, and security experimentation.

Services Hosted

  • Pi-hole + Unbound: DNS-level ad blocking with recursive DNS resolution for privacy
  • Self-hosted VPN: Secure remote access to the lab network
  • TrueNAS: Network-attached storage for backups and file sharing
  • Nginx Proxy Manager: Reverse proxy with TLS termination for all hosted services
  • Prometheus + Grafana: Metrics collection and dashboard visualization for system monitoring
  • MeshCentral: Remote desktop management for lab machines
  • Tailscale + Cloudflared: Zero-trust network access and secure tunneling
  • Uptime Kuma: Service availability monitoring with alerting

Architecture

The lab runs on a single Proxmox node with services isolated in Docker containers and LXC containers. Networking is segmented into VLANs that separate management, services, and sandbox traffic, configured through WinBox on a MikroTik managed switch. All external access is routed through Cloudflare Tunnel (cloudflared), WireGuard, ZeroTier, or Tailscale; no ports are exposed directly to the internet.
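The two controls described above (VLAN segmentation on the MikroTik and no WAN-facing ports) are the kind of claims worth checking against the live firewall export rather than trusting from memory. The script below is an added example written for this page, not part of the lab itself: it parses a RouterOS `/export`-style rule listing and flags rules that break either policy. The VLAN subnets (10.10/10.20/10.30), the interface-list name `WAN`, and the export text it reads are constructed assumptions; the page gives none of these details.

```python
"""Audit a MikroTik RouterOS firewall export against two lab policies:
(1) nothing accepts or port-forwards unsolicited traffic arriving from the WAN,
(2) no forward-chain accept lets sandbox traffic reach the management VLAN.

Example code added for illustration, not the lab's own tooling. Subnets,
interface-list name and the sample export are constructed assumptions."""
import ipaddress
import shlex

# Assumed VLAN addressing; the lab's real subnets are not given on the page.
VLANS = {
    "management": ipaddress.ip_network("10.10.0.0/24"),
    "services": ipaddress.ip_network("10.20.0.0/24"),
    "sandbox": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed export: compliant rules plus three deliberate violations
# (SSH open on WAN input, a dst-nat port forward, a sandbox->management accept).
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related comment="allow return traffic"
add action=accept chain=input in-interface-list=WAN protocol=tcp dst-port=22 comment="ssh from anywhere"
add action=drop chain=input in-interface-list=WAN comment="default deny WAN"
add action=accept chain=forward src-address=10.30.0.0/24 dst-address=10.10.0.0/24 comment="sandbox to mgmt"
add action=accept chain=forward src-address=10.20.0.0/24 dst-address=10.10.0.0/24 protocol=tcp dst-port=9100 comment="prometheus scrape"
add action=drop chain=forward src-address=10.30.0.0/24 dst-address=10.10.0.0/24
/ip firewall nat
add action=dst-nat chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 to-addresses=10.20.0.5
add action=masquerade chain=srcnat out-interface-list=WAN
"""


def parse_export(text):
    """Return [(section, {key: value}), ...] for every 'add ...' line.

    shlex handles quoted values such as comment="two words"; each token is
    split on its first '=' so values containing '=' are preserved."""
    section, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            rule = {}
            for token in shlex.split(line[4:]):
                key, _, value = token.partition("=")
                rule[key] = value
            rules.append((section, rule))
    return rules


def wan_exposed_rules(rules):
    """Ports reachable unsolicited from the WAN: input-chain accepts and
    dstnat port forwards on WAN ingress not limited to established/related."""
    findings = []
    for section, rule in rules:
        from_wan = "WAN" in (rule.get("in-interface-list"), rule.get("in-interface"))
        if not from_wan:
            continue
        state = rule.get("connection-state", "")
        solicited_only = state != "" and "new" not in state
        input_accept = (section == "/ip firewall filter"
                        and rule.get("chain") == "input" and rule.get("action") == "accept")
        port_forward = (section == "/ip firewall nat"
                        and rule.get("chain") == "dstnat" and rule.get("action") == "dst-nat")
        if (input_accept or port_forward) and not solicited_only:
            findings.append(rule.get("dst-port", "any"))
    return findings


def cross_vlan_accepts(rules, src_vlan, dst_vlan):
    """Comments of forward-chain accepts whose src/dst overlap the two VLANs.

    A missing src-address or dst-address matches everything, so it counts as
    overlapping. Address ranges (a-b) and address-lists are not modelled."""
    src_net, dst_net = VLANS[src_vlan], VLANS[dst_vlan]
    findings = []
    for section, rule in rules:
        if section != "/ip firewall filter" or rule.get("chain") != "forward":
            continue
        if rule.get("action") != "accept":
            continue
        src, dst = rule.get("src-address"), rule.get("dst-address")
        src_hit = src is None or ipaddress.ip_network(src, strict=False).overlaps(src_net)
        dst_hit = dst is None or ipaddress.ip_network(dst, strict=False).overlaps(dst_net)
        if src_hit and dst_hit:
            findings.append(rule.get("comment", "<no comment>"))
    return findings


def audit(text):
    """Run both policy checks over an export; empty lists mean compliant."""
    rules = parse_export(text)
    return {
        "wan_exposed": wan_exposed_rules(rules),
        "sandbox_to_management": cross_vlan_accepts(rules, "sandbox", "management"),
    }


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_EXPORT).items():
        print(f"{check}: {'OK' if not hits else 'FAIL ' + str(hits)}")
```

Against the constructed export this reports ports 22 and 443 as WAN-exposed and the "sandbox to mgmt" rule as a segmentation break, while the Prometheus scrape from the services VLAN passes. The check is intentionally conservative: it does not model rule ordering, so an accept shadowed by an earlier drop is still flagged, which is the right direction to err in for an audit meant to back up a "no exposed ports" claim.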

Lessons Learned

  • Running your own DNS with Pi-hole + Unbound gives visibility into network behavior that commercial solutions abstract away
  • Container isolation in a home lab mirrors enterprise microservices patterns at a manageable scale
  • Monitoring with Prometheus and Grafana builds the same observability skills used in production infrastructure roles