It’s been a slow and complicated journey to remove my reliance on Google products. I’ll be documenting what products that I’m using and how they are set up. But first, the fundamentals of what my home lab environment is.
- Ubiquiti Dream Machine gateway and switch
- Synology DS920+ NAS
- Raspberry Pi 3B
- Dell R720 (recently acquired to my home lab)
I will be saving a discussion on the Dell, as it’s my first foray into enterprise grade hardware and will require a lot of reconfiguring.
A logical layout of my applications looks like this:
This was created with PlantUML, which is a great diagramming tool for those that don’t like to actually draw.
The only access to applications, such as photo storage, Nextcloud calendars and contacts, etc. requires VPN access. This is a conscientious choice for security as I don’t want to harden every single application for Internet access.
Switch from OpenVPN to WireGuard
I previously used OpenVPN for my VPN access for my phones and laptop, and that allowed me remote access. It previously was configured directly on my previous Asus router.
Reading online (I don’t remember where), I’ve discovered that WireGuard is a performant and mostly straightforward replacement for OpenVPN. I repurposed a Raspberry Pi that was running Pi-hole and replaced it with PiVPN.
Since I already had a dynamic DNS record for my VPN, the only change needed on my home network was to open the firewall for the WireGuard port to the Pi. Adding clients is neat as PiVPN will create a configuration file or QR code to configure the VPN client.
Removing the Pi from the Equation
The Pi has been working reliably for half a year this way. However, I had a few concerns:
- The Raspberry Pi 3B has limited CPU capabilities and only 300 Mbps ethernet
- Although the PiVPN never failed, I had previous experiences with Raspberry Pis stopped working, usually due to corrupted SD cards.
I contemplated moving WireGuard to the Synology NAS, but I felt uncomfortable opening up a port with direct Internet access, even if it was only for WireGuard. Ubiquiti’s offerings up until recently were OpenVPN and L2TP. However, checking in the last month:
Great! With the gateway offering the WireGuard service, this cleans up a lot of small things:
- No need for a Raspberry Pi running for a single service
- Reduced network hops and gigabit ports for throughput
- Removal of port forwarding firewall rule for WireGuard as it’s now on the gateway itself
- Web UI to add/remove new VPN clients, instead of having to SSH into the PiVPN server and do it via terminal
What’s Next?
I mentioned that I recently acquired a Dell R720. During this month, I ordered some SAS hard drives and drive caddies on eBay. Next steps is to add it to the network and set up the operating system to move items off the Synology NAS. When I get a stable environment, I’ll share the progress.