Building a Cybersecurity Home lab: Architecture, Tools, and Lessons Learned

Ayush Madavi — Fri, 09 Jan 2026 14:41:04 +0000

Cybersecurity is best learned by building and breaking real system not only through theory.

In this blog i document my journey of creating a personal home lab using tools like pfsense, vpn, linux server and one media service.

The goal of this blog is to share my practical configurations, real world problems i faced and the solution i implemented while securing and managing my own infrastructure.

This blog will serve as a learning log as well as resource for student and beginners interested in hands-on cybersecurity and networking.

Why I Built a Cybersecurity Home lab

While studying cybersecurity, I realized that concepts such as networking, firewalls, VPNs, NAT, and server hardening are difficult to fully understand without practical exposure.

A home lab allows me to:

Simulate real-world networks

Practice firewall and VPN configuration

Understand security misconfigurations

Learn Linux system administration

Experiment safely without impacting production systems

Prerequisites

Basic knowledge of the following topics helps in understanding this blog:

IP addressing and basic networking

Virtual machines (VirtualBox / VMware)

Linux fundamentals

Firewall concepts

Architecture Overview

My home lab is designed to mimic a small real-world network.

High-level architecture includes:

A firewall acting as the network gateway

Internal machines behind the firewall

Secure remote access using VPN

Self-hosted services inside a protected network

The firewall controls incoming and outgoing traffic between the internal network and the internet, while VPN access allows secure remote connectivity even under CGNAT conditions.

Tools and Technologies Used

pfSense – Firewall and network gateway

Linux (Ubuntu Server) – Hosting services

VPN (Tailscale) – Secure remote access

Jellyfin / Navidrome – Self-hosted media services

VirtualBox / VMware – Virtualization platform

These tools are widely used in real environments, making this home lab highly relevant for learning.

Implementation Steps

Step 1: Firewall Setup

I deployed the firewall as a virtual machine in VMware with one WAN and one LAN interface.
I configured the DHCP server to automatically assign IP addresses and set up basic outbound NAT.

This step helped me clearly understand how network traffic flows through a firewall to the internet.

Step 2: Internal Network Configuration

Behind the firewall, I created:

One Linux server for hosting services

One Parrot OS machine for managing web interfaces such as pfSense and internal services

This setup allowed me to practice access control and rule-based filtering inside a protected network.

Step 3: VPN Configuration

Accessing the home lab remotely was challenging due to CGNAT. I had two options:

Self-host a VPN

Use a cloud-based VPN service

I chose Tail scale because it is easy to set up and works well under CGNAT. It uses a mesh topology instead of traditional port forwarding.

This solution:

Encrypts traffic end-to-end

Allows remote access without a public IP

Avoids port forwarding security risks

Step 4: Self-Hosted Services

I deployed services such as Jellyfin inside the secured network and restricted access using firewall rules and VPN-only connectivity.

This step demonstrated how exposed services can significantly increase the attack surface if not properly secured.

Problems Faced and Solutions

Issue: Permission Denied Errors in Jellyfin

Cause: Incorrect Linux directory ownership

While adding a media path in Jellyfin, I faced permission errors when uploading files.

Solution:

I created a dedicated group for Jellyfin, added the service user to that group, and assigned proper read and write permissions to the specific directory.
This successfully resolved the upload issue.

Security Consideration

While building the lab, I focused on:

Disabling default credentials
Minimizing exposed services
Applying the principle of least privilege in firewall rules
Using VPN for administrative access
Monitoring logs and traffic

Security is not a one-time task but a continuous process.

Results and What I Learned

This home lab significantly improved my understanding of:

Firewall rule evaluation
VPN architectures
CGNAT limitations
Linux permissions and service management
Real-world security mistakes and fixes

More importantly, it helped me understand how attackers exploit misconfigurations.

Conclusion and Future Work

This cybersecurity home lab has become my primary learning environment.
In future posts, I plan to:

Add intrusion detection and monitoring
Implement centralized logging
Perform attack simulations
Convert selected findings into research papers

This blog will continue to document my progress, mistakes, and improvements as I grow in cybersecurity.

Final Tip

Don’t wait until everything is perfect.
Build, document, break, fix, and share.

This blog was originally published on Hashnode
Website:

home-lab.hashnode.dev

Forem: Ayush Madavi