| JM Homelab

April 22, 2025

As I started to set up my home server, I couldn't shake the feeling that I was going to do something stupid and leave my home network open to hacking. So I did a deep dive (with ChatGPT) about what to look into to improve my security. It had some great advice:

Configure firewall to only allow traffic from Cloudflare
Use ShieldsUP! to scan my network for any vulnerabilities
Add OAuth for Grafana and other admin-only services, or require a VPN to access them
Get a router with VLAN capabilities to completely separate my server from the rest of my home network
Add rate-limiting configuration to traefik to prevent excessive access
Add Captcha or 2FA with something like Authelia or Authentik
Add logging and alerts about attacks with ufw logs or fail2ban
Regularly update everything

I accomplished Step 1 pretty easily by extending the (arguably unnecessary) script I wrote early to update traefik allowed IPs from Cloudflare to also update my ufw rules to default deny all traffic on ports 80 and 443 and only allow it from Cloudlfare IPs. For convenience, I also added a comment (# Cloudflare) to all of these automated rules so that my script could easily purge them and re-enter them without affecting other firewall rules I configured myself. Parts 2 and 5 were also a breeze. And I purchased a lightly used ASUS RT-AX86U router so that I could work on Step 4.

I decided to defer Steps 3/6/7/8 to a future development session.

But the suggestion of a VPN did get me thinking that I wanted to be able to develop on my server even when away from home. ChatGPT suggested Tailscale which was astoundingly easy to setup. Within a few minutes, I was able to access my server with my laptop on a hotspot. And because it's a VPN, the access is very secure; I have to login to the same Tailscale account on both machines (which is secured with Google OAuth) and I only have to allow access on ufw for the Tailscale IP range (100.64.0.0/10).

Click here to see my full `ufw` configuration

jmassucco@ubuntu-server-1:~/devel/homelab$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80/tcp                     ALLOW IN    173.245.48.0/20            # cloudflare
[ 2] 443/tcp                    ALLOW IN    173.245.48.0/20            # cloudflare
[ 3] 80/tcp                     ALLOW IN    103.21.244.0/22            # cloudflare
[ 4] 443/tcp                    ALLOW IN    103.21.244.0/22            # cloudflare
[ 5] 80/tcp                     ALLOW IN    103.22.200.0/22            # cloudflare
[ 6] 443/tcp                    ALLOW IN    103.22.200.0/22            # cloudflare
[ 7] 80/tcp                     ALLOW IN    103.31.4.0/22              # cloudflare
[ 8] 443/tcp                    ALLOW IN    103.31.4.0/22              # cloudflare
[ 9] 80/tcp                     ALLOW IN    141.101.64.0/18            # cloudflare
[10] 443/tcp                    ALLOW IN    141.101.64.0/18            # cloudflare
[11] 80/tcp                     ALLOW IN    108.162.192.0/18           # cloudflare
[12] 443/tcp                    ALLOW IN    108.162.192.0/18           # cloudflare
[13] 80/tcp                     ALLOW IN    190.93.240.0/20            # cloudflare
[14] 443/tcp                    ALLOW IN    190.93.240.0/20            # cloudflare
[15] 80/tcp                     ALLOW IN    188.114.96.0/20            # cloudflare
[16] 443/tcp                    ALLOW IN    188.114.96.0/20            # cloudflare
[17] 80/tcp                     ALLOW IN    197.234.240.0/22           # cloudflare
[18] 443/tcp                    ALLOW IN    197.234.240.0/22           # cloudflare
[19] 80/tcp                     ALLOW IN    198.41.128.0/17            # cloudflare
[20] 443/tcp                    ALLOW IN    198.41.128.0/17            # cloudflare
[21] 80/tcp                     ALLOW IN    162.158.0.0/15             # cloudflare
[22] 443/tcp                    ALLOW IN    162.158.0.0/15             # cloudflare
[23] 80/tcp                     ALLOW IN    104.16.0.0/13              # cloudflare
[24] 443/tcp                    ALLOW IN    104.16.0.0/13              # cloudflare
[25] 80/tcp                     ALLOW IN    104.24.0.0/14              # cloudflare
[26] 443/tcp                    ALLOW IN    104.24.0.0/14              # cloudflare
[27] 80/tcp                     ALLOW IN    172.64.0.0/13              # cloudflare
[28] 443/tcp                    ALLOW IN    172.64.0.0/13              # cloudflare
[29] 80/tcp                     ALLOW IN    131.0.72.0/22              # cloudflare
[30] 443/tcp                    ALLOW IN    131.0.72.0/22              # cloudflare
[31] 22/tcp                     ALLOW IN    10.0.0.0/24                # local ssh
[32] 22/tcp                     ALLOW IN    100.64.0.0/10              # Tailscale ssh
[33] 80/tcp                     ALLOW IN    2400:cb00::/32             # cloudflare
[34] 443/tcp                    ALLOW IN    2400:cb00::/32             # cloudflare
[35] 80/tcp                     ALLOW IN    2405:8100::/32             # cloudflare
[36] 443/tcp                    ALLOW IN    2405:8100::/32             # cloudflare
[37] 80/tcp                     ALLOW IN    2405:b500::/32             # cloudflare
[38] 443/tcp                    ALLOW IN    2405:b500::/32             # cloudflare
[39] 80/tcp                     ALLOW IN    2606:4700::/32             # cloudflare
[40] 443/tcp                    ALLOW IN    2606:4700::/32             # cloudflare
[41] 80/tcp                     ALLOW IN    2803:f800::/32             # cloudflare
[42] 443/tcp                    ALLOW IN    2803:f800::/32             # cloudflare
[43] 80/tcp                     ALLOW IN    2a06:98c0::/29             # cloudflare
[44] 443/tcp                    ALLOW IN    2a06:98c0::/29             # cloudflare
[45] 80/tcp                     ALLOW IN    2c0f:f248::/32             # cloudflare
[46] 443/tcp                    ALLOW IN    2c0f:f248::/32             # cloudflare

Security