Key Takeaways Setting up a self-hosted VPN on Proxmox can mitigate security risks from unsecured external networks.

Use Pi-hole for network-wide ad-blocking and custom blocklists on your Proxmox machine.

Deploy a firewall OS inside a VM on Proxmox to boost security against network-based malware.

Despite requiring a little bit of elbow grease on your end, building a Proxmox home lab has many perks. Not only do you get to tinker with cool distros without jeopardizing your daily driver, but you can also self-host useful services to your heart’s content. What’s more, you can host some apps and modify certain settings to turn your Proxmox machine into a full-on security system for your home network.

Related Here's how you can run ARM64 VMs on Proxmox Want to test the ARM64 version of your favorite operating system on Proxmox? This guide can help you out!

4 Initialize a self-hosted VPN

WireGuard for beginners, TailScale for networking experts

Accessing your home lab paraphernalia from an unsecured external network can expose your precious experimentation server and pretty much every other device on your LAN to a host of security vulnerabilities. However, you can mitigate the risks with the aid of a self-hosted VPN server.

Contrary to what you might imagine, it’s quite easy to host WireGuard on your Proxmox machine, though you’ll need to enable port-forwarding on your router before you can connect to it from a different network. If you’ve got access to a VPS, you can even turn your modest self-hosted WireGuard container into a powerful VPN server with location spoofing to maintain your online privacy.

3 Configure Pi-hole

Network-wide ad-blocking, with the added benefit of blocklists

With a name like that, it’s easy to imagine Pi-hole as a service that’s exclusive to the Raspberry Pi SBCs. However, this ultra-lightweight tool can be deployed on any system, including your Proxmox war machine.

While blocking ads is its standout feature, Pi-hole also lets you set up custom blocklists to prevent auto-redirects from forcibly opening malicious links. Heck, you can even run it in tandem with our favorite IDS. Speaking of…

2 Set up a Pi.Alert IDS

Or better yet, get Snort up and snorting running

Whereas the rest of the tools are designed to safeguard your network from online and remote attacks, it’s still possible for hackers to connect to your WLAN and use it as an entry point to launch malicious payloads. That’s where Pi.Alert comes in handy.

Operating as an intrusion detection system, this simple tool monitors your network 24/7 and pings your SMTP server the moment it spots an unauthorized device attempting to gain access to your home WLAN/LAN. If you want even more security, you can configure a working instance of Snort to automatically kick intruders out of your network.

Related Turn your Raspberry Pi into an intrusion detection system with Pi.Alert Repurpose your Raspberry Pi into a watchdog that can warn you the moment it detects unauthorized devices in your network

1 Deploy a firewall OS inside a VM

And stop hackers dead in their tracks

Close

Firewalls, preferably those with extremely hardened security rules, are one of the best ways to prevent worms, keyloggers, and other network-based malware from infiltrating your home network. As such, you can deploy a router OS inside a virtual machine and use it to tinker with the inbound and outbound rules for different protocols and ports.

Personally, I’m a fan of pfSense and after previously using it on my NAS, I have to admit that the installation process for this robust OS is a lot simpler on a virtualization platform like Proxmox. But if pfSense isn’t to your liking, you can check out OpenWrt, OPNsense, vyOS, and other alternatives instead. Just make sure you don’t go too wild with your home lab experiments, or else you might end up losing access to the Internet if your home server crashes after bearing the brunt of your complex projects.

Putting together an all-in-one security hub with Proxmox