I have a VPS that I secure as much as possible since the IP is public, but does a wireguard-access-only homelab warrant the same efforts? Those with homelabs like this, what do you do?
As much as practical. Modern security relies on layers of protection to mitigate failures in methodology. Your strategy isn’t makes a single perfect defense. It’s mitigating risk. If one method fails, then what happens?
Anything that I publicly expose, I have protected with multiple layers up and down my entire stack…
To me, the question is ‘How much do you secure a home server
that’s only accessible with VPN?’ to which I would answer, secure everything, every last jot and tilde. Especially in a homelab environment where a nefarious actor could gain lateral movement. The data on my server, tho important to me, is not the prime concern as much as becoming a zombie in someone’s botnet. The very first Linux server I stood up got hacked overnight. Since then, I’m keen to lock everything down. I’ve been told I go overboard, but I’d rather that scenario.Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters SSO Single Sign-On UDP User Datagram Protocol, for real-time communications VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting)
4 acronyms in this thread; the most compressed thread commented on today has 3 acronyms.
[Thread #46 for this comm, first seen 7th Jul 2026, 20:50] [FAQ] [Full list] [Contact] [Source code]
You’re kind of there but if you live the zero-trust life always be on the lookout for ways to improve security.
If something will make your setup more secure, is low effort, uses few resources and costs you nothing it would be madness not to use it.
I have a hammer hanging above the hard drive on a string, and every time I want to access it, I have to convince an AI it’s really me. If doubt level rises above 20%, the hammer drops.
i duct-tape a 22 to the side of the server with the trigger trip-wired to the wan port.
your move, iptables
No salt circle to prevent hostile spirits from possessing it? No anti-seabear circle? Talk about amateur hour.
And while YOU were worrying about the seabear, you foolishly forgot your anti sea rhinoceros undergarments?!?!
If it’s just wireguard on a nonstandard port, then you are pretty much done. It’s UDP and won’t reply to incorrectly signed packets so it’s essentially invisible.
Putting it on a non standard port will change nothing
Security through obscurity is not sufficient. It’s also not nothing.
Wireguard doesn’t respond to port scans so it changes nothing
Assume a security researcher finds a bug in wireguard that, if sent a malformed packet, it can crash the service. Then it would be trivialy easy to send that packet to the default port on every IP address and just crash everything for fun.
It costs me nothing to increment the port by 1 and avoid all that drama.
And, to be fair, you’ll know more about your setup when you don’t use the defaults as you have to learn more…
It is going to make fingerprinting more annoying while evading default port scans. That isnt nothing but you do you boo
VPS bad!
Can’t put your rings of garlic around it.
I have my home server behind a wireguard vpn access.
While I am no security expert, or precisely because of that, I still try to follow security best practices for the internal setup if I can.
Of course you propably do not have to be as vigilant as if your services were publicly exposed. But I believe it is still a good idea to have some “defence in depth” and not assume only one possible attack vector, e.g. what if there already is a bad actor on your home network maybe via a trusted device that has some virus. Also a plus is i guss if you ever decide to expose something later on you wont have as many issues.
My home servers have generally a lot smaller attack surface, as only a few ports are actually routed to them, so in theoey I could get away with a more relaxed approach. But I’m also a big believer in defense-in-depth, so I follow the same rules of thumb:
- iptables (or equivalent) that drops anything incoming that isn’t wanted. It also rejects anything going out that isn’t planned for.
- any public facing service (except ssh) gets its own user
- disable root login via ssh
- ssh login with key only on any user in sudoers
Yes, I do lock it down. It’s still worth securing it because “internal servers” can still get exposed and touched, even though there are less paths to them, and it’s not as punishing to slip up vs a public server. For example, One of the wireguard client devices downloads a virus, and now you have a cyberattacker with access.
Another problem is supply chain issues. If the distributor of a docker container is hacked, it’s not that bad… as long as your kernel is up to date and is protected against some of the recent vulns, that would enable someone to break out of a docker container
Blajah.zone’s lemmy instance was hacked partially becuase internal servers weren’t being held to the same security standards as the public ones:
https://pen.blahaj.zone/supakaity/weve-been-hacked
I had not patched these internal servers that nobody should have access to against this. Rebooting DB servers causes downtime, and in my hubris – I thought nobody should (nay COULD) be on my servers except me, right?
I have a comment on that post with some potential solutions, that would have cut off attack paths.
Though, I guess, it still does depend. Like if it’s just gonna you wireguarding in and no one else, then the data on your devices is probably worth more than the data on the server, so no, it wouldn’t be worth spending too much effort to secure less valuable data.
But if you are handing out internal access to people, including to some relative who keeps falling for scammers, then yeah, I’d take some time to harden the systems.
I use pangolin and traefik together and expose a few of my services that way. But not everything.
I slot services into categories based on:
- do I really need to be able to access this externally?
- …with full admin rights?
- what write/delete access am I granting?
- if an attacker got in, how much damage could they do with what they could access?
Then the service is either not externally open at all, secured behind pangolin SSO, or secured behind pangolin SSO AND that service’s native auth. Which is an annoying double auth, but I feel like it’s another layer of protection in case one of them gets a 0-day exploit.
You should consider the VPN as a part of the protection (and also as a part of an attack vector).
I run a weekly vuln scan against my ip ranges. If anything comes up I deal with it.
Could you provide some more information on how you perform a vuln scan, or what services/softwares you use to perform the scan?
I use tenable but i get it from work for free. You could use Nessus.
Tenable owns Nessus. But they have a free tier.
The FOSS equivalent is Greenbone OpenVAS: https://greenbone.github.io/docs/latest/








