My Homelab by the start of 2026

The picture above shows my small homelab design. I currently host multiple services at home on a custom-built computer and on one server (an actual server).
When I started a few years ago, I used Hyper-V on my home PC with ports opened to the internet (yes, directly). Then I slowly switched to cloud only, and today I have a combination of both.
Connection from the internet
I closed all ports on my home router except the VPN one. The whole homelab lives in its own isolated VLAN that can connect only to the internet and to the cloud provider's datacenter.
When I want to access services in my lab I use a VPN, and if I have services that I want to make available from the internet, I put them behind a Cloudflare tunnel.
That solution also allows me to set up Zero Trust for services that I want to make available to some people, like my friends or family.
VPN(s)
I have multiple choices here.
- WireGuard, running directly on my computer
- Tailscale
- Twingate, which also serves as the interconnection between the homelab and the datacenter.
On each of those VPNs I configured what you can and can't access once you are connected, using a kind of ACL or firewall rules. For example, when you connect as “me” from my laptop you can also access port 22 on specific devices; otherwise only ports 443, 80 and 53 are available.
There is actually also a fourth option, Back-to-home VPN, which is Mikrotik's cloud solution. It allows you to connect to your home via a relay even if your router is behind NAT (not directly visible from the internet).
Datacenters and Homelab interconnection
I mentioned that I have some services at home and some in datacenters. For this I need to ensure that some of them can connect to my homelab or to the datacenter.
I used to use a custom WireGuard tunnel on my router, but lately I switched to Twingate, which acts as a site-to-site router.
SSH-ing
I have mostly Linux-based machines. I closed direct access to SSH from the internet on my firewall. If I want to access that port, I use Tailscale SSH, which adds 2FA on top of the classic SSH protocol.
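The per-identity port rules from the VPN section and the re-authentication on SSH described here can be written as one Tailscale policy file. This is an added sketch, not my actual policy: the user names, the tags `tag:homelab` and `tag:ssh-host`, the 12-hour check period and the use of check mode for the second factor are all assumptions. Tailscale policy files are HuJSON, so comments are accepted.

```json
{
  // Constructed identities and tags, for illustration only.
  "groups": {
    "group:guests": ["friend@example.com"]
  },
  "tagOwners": {
    "tag:homelab":  ["autogroup:admin"],
    "tag:ssh-host": ["autogroup:admin"]
  },

  // Network ACLs are default-deny: anything not listed is blocked.
  "acls": [
    // Everyone in the tailnet: web and DNS only.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:homelab:53,80,443"]},
    // Only "me": port 22, and only on the hosts tagged for SSH.
    {"action": "accept", "src": ["me@example.com"], "dst": ["tag:ssh-host:22"]}
  ],

  // Tailscale SSH rules. "check" forces a fresh login through the
  // identity provider (where the second factor is enforced) before
  // a session opens, and again once checkPeriod has elapsed.
  "ssh": [
    {
      "action": "check",
      "checkPeriod": "12h",
      "src": ["me@example.com"],
      "dst": ["tag:ssh-host"],
      "users": ["autogroup:nonroot"]
    }
  ],

  // Policy tests run on every save; a failing test rejects the change,
  // so a later edit cannot silently open port 22 to guests.
  "tests": [
    {"src": "me@example.com", "accept": ["tag:ssh-host:22", "tag:homelab:443"]},
    {"src": "friend@example.com", "accept": ["tag:homelab:443"], "deny": ["tag:ssh-host:22"]}
  ]
}
```

Hosts that should accept SSH carry both tags, so they stay reachable on the web ports for everyone while port 22 remains limited to the one identity.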
That's the current state of my homelab. In the future I will probably lower the number of VPN solutions to reduce complexity.