Secure Homelab Internet Access with Raspberry Pi SSH and OpenVPN
I set up an SSH server and a VPN server on a Raspberry Pi so I can access my home lab from outside of my home network.
Network Isolation with VLAN and Subnet Configuration
The lab is on its own subnet and VLAN. I wanted to keep the lab separate from my main network for security reasons, mainly because the lab is exposed to the internet.
Essential Security Hardening for Internet-Exposed Raspberry Pi
On the rpi that's exposed, I implemented a few security practices:
- Disabled password login
- Enabled SSH Keys
- Added 2FA authentication
- Installed Fail2Ban
- Changed the SSH port to avoid unnecessary login attempts
Implement Two-Factor Authentication with Google Authenticator
I enabled 2FA authentication by installing the libpam-google-authenticator package.
I then initialized it with the “google-authenticator” command. There’s a guide on DigitalOcean, linked below, that you can follow for a step-by-step walkthrough.
The guide is pretty straightforward for the most part.
I had to play around with the config files to get the setup I wanted.
Configure PAM for SSH Key + 2FA Authentication
For example, I edited /etc/pam.d/sshd and commented out the @include common-auth line to prevent being prompted for my password in addition to my SSH key.
. . .
# Standard Un*x authentication.
#@include common-auth
. . .
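The key + 2FA state described above can be checked mechanically. The script below is an added example, not from the original post: it audits an sshd_config and a PAM sshd file, and it assumes sshd_config also sets `UsePAM yes` and `AuthenticationMethods publickey,keyboard-interactive` (neither is shown in the post). The function names, the sample files and port 2222 are constructed, and Match blocks and Include files are not followed.

```shell
#!/bin/sh
# Added example: audit sshd_config and /etc/pam.d/sshd for SSH key + TOTP.
# First uncommented value of an sshd_config keyword (sshd uses the first match).
sshd_value() {  # $1=file $2=keyword
    awk -v k="$2" 'tolower($1) == tolower(k) {
        $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }' "$1"
}
fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

# $1=sshd_config $2=PAM sshd file. Prints findings; returns 1 if there are any.
audit_ssh_2fa() {
    findings=0
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] ||
        fail "PasswordAuthentication is not explicitly 'no'"
    [ "$(sshd_value "$1" UsePAM)" = "yes" ] ||
        fail "UsePAM is not 'yes', so the PAM TOTP module never runs"
    methods=$(sshd_value "$1" AuthenticationMethods)
    [ -n "$methods" ] ||
        fail "AuthenticationMethods is unset, so any single method is enough"
    for list in $methods; do   # every alternative list must demand key AND code
        case ",$list," in
            *,publickey,*keyboard-interactive*|*keyboard-interactive*,publickey,*) ;;
            *) fail "method list '$list' does not require key and TOTP" ;;
        esac
    done
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$2" ||
        fail "pam_google_authenticator.so is not a required auth module"
    grep -Eq '^[[:space:]]*auth.*pam_google_authenticator\.so.*nullok' "$2" &&
        fail "nullok lets accounts without a TOTP secret skip the code"
    grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$2" &&
        fail "common-auth is still included, so a password is prompted too"
    [ "$findings" -eq 0 ]
}

# Constructed sample files (not from the post): a hardened pair and a weak pair.
write_samples() {  # $1=directory
    printf '%s\n' 'Port 2222' 'PasswordAuthentication no' 'UsePAM yes' \
        'AuthenticationMethods publickey,keyboard-interactive' > "$1/sshd_good"
    printf '%s\n' '#@include common-auth' \
        'auth required pam_google_authenticator.so' > "$1/pam_good"
    printf '%s\n' '#PasswordAuthentication yes' 'UsePAM yes' > "$1/sshd_weak"
    printf '%s\n' '@include common-auth' \
        'auth required pam_google_authenticator.so nullok' > "$1/pam_weak"
}

tmp=$(mktemp -d) && write_samples "$tmp"
audit_ssh_2fa "$tmp/sshd_good" "$tmp/pam_good" && echo "good pair: OK"
audit_ssh_2fa "$tmp/sshd_weak" "$tmp/pam_weak" || echo "weak pair: $findings finding(s)"
rm -rf "$tmp"
```

On a live host, `sshd -T` prints the effective configuration and is the more reliable input once Match blocks or Include files are in play.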
Router Port Forwarding Configuration
Lastly, I configured port forwarding on my router at home. With port forwarding, I opened a port I chose to point directly to my rpi server’s IP address.
Secure Remote Access Results
Everything is working and I have an added layer of security using 2FA along with my SSH key.
Next Steps in DevOps Journey
Now that you have secure remote access to your home lab, consider these next steps to expand your learning:
Next up on the plate is to continue learning Python development, DevOps, and more.