I'm re-setting up my HomeLab and one of the things I'm trying to learn about on this go-around is Zero Trust networking. To accomplish this I am planning on using NetBird's mesh overlay network. I would like all of my services to use the NetBird mesh network at all times, whether they are communicating within my homelab's LAN or I am accessing them from outside via the greater internet.
I have successfully set up the NetBird management interface on a Hetzner VPS, however the issue I run into is if I lose internet access at home, none of my services are able to function as they can no longer reach the management interface. However, if I self host the management interface in my homelab, I am unable to access it from outside my home LAN.
I've identified 2 solutions that could solve this:
-
Self host the management interface and set up a Cloudflare tunnel to the management interface, which would allow access from outside my home network.
-
Self host the management interface, then set up a wireguard proxy/tunnel on a VPS that forwards traffic to my management interface (Similar in my mind to option 1, but not relying on Cloudflare)
What are your thoughts? Any other ideas?
I appreciate your comments/criticisms!
FreeIPA and Keycloak will give you directory management (LDAP and Kerberos), identity management, and single-sign on (OIDC and SAML) which if all your computers are running Linux as well, will give you centralized management of users.
You can then set other FOSS business management/productivity applications like NextCloud, Oodoo, Seafile, OnlyOffice, LibreOffice, CryptPad, etc. To use Keycloak as its authentication mechanism.
A lot of this will depend on what kind of work the business does.
You'll also want to look into log management and SEIM for security monitoring, Wazuh, Graylog, and others. This is especially true if the business has any data compliancy responsibilities in the country this is in.