Building a Comprehensive Cybersecurity Home Lab

A detailed walkthrough of my virtualized security playground for learning, testing, and developing cybersecurity skills.

Overview & Goals

Building a home lab is one of the most valuable investments for anyone serious about cybersecurity. It provides a safe, controlled environment to practice both offensive and defensive techniques without the risk of affecting production systems or breaking any laws.

My home lab journey started with a simple goal: create a versatile environment that could support both everyday services I rely on (like file storage and media streaming) and a separate playground for security testing, malware analysis, and skill development.

Key Objectives of My Home Lab

  • Skill Development — Hands-on practice with real-world security tools and techniques
  • Isolation — Separate environments for potentially dangerous activities
  • Resource Efficiency — Maximize hardware utilization through virtualization
  • Reproducibility — Ability to quickly spin up and tear down environments
  • Self-hosting — Reduce reliance on third-party services for personal data

This blog post documents my setup process, configuration decisions, and the lessons learned along the way. Whether you're looking to build your own security lab or just curious about home virtualization setups, I hope you'll find some useful insights here.

Hardware Setup

After researching various options, I settled on a compact mini PC that offers an excellent balance of performance, energy efficiency, and value. The small form factor means it can sit unobtrusively in my home office while running 24/7.

Hardware Specifications

  • CPU: Intel Core i5-12450H (4.4 GHz)
  • Cache: 12 MB
  • RAM: 32 GB DDR4
  • Storage: 1 TB NVMe SSD
  • Graphics: Intel UHD (1.2 GHz)

Why This Hardware?

  • Virtualization Support — Intel VT-x and VT-d for efficient VM management
  • Memory Capacity — 32GB RAM allows running multiple VMs simultaneously
  • Power Efficiency — Low power consumption for 24/7 operation
  • Compact Size — Small footprint that fits anywhere
  • Expandability — Additional USB ports for external storage

Pro Tip

When selecting hardware for a virtualization server, prioritize RAM over CPU power. Most home lab VMs are memory-constrained rather than CPU-constrained. The 32GB in this build provides enough headroom for running 8-10 modest VMs simultaneously.

Before installing any software, I completely reflashed the BIOS to ensure I was starting with a clean system and to enable all virtualization features. This step is crucial for optimal Proxmox performance.

Proxmox Configuration

Proxmox Virtual Environment (VE) is an open-source server virtualization management platform. It is based on Debian Linux and combines the KVM hypervisor and LXC containers with software-defined storage and networking functionality.

Why Proxmox?

Advantages

  • Free and open-source core functionality
  • Web-based management interface
  • Support for both VMs and containers
  • Built-in backup and snapshot capabilities
  • Clustering support for future expansion

Alternatives Considered

  • ESXi — More enterprise features but resource-heavy
  • Hyper-V — Windows-centric ecosystem
  • XCP-ng — Good but less mature container support
  • Unraid — Excellent for storage but less VM-focused

Installation and Initial Setup

Installing Proxmox was straightforward. I downloaded the ISO from the official website, created a bootable USB drive, and followed the installation wizard. The key steps included:

  1. Configuring the network interface with a static IP
  2. Setting up the hostname and domain name
  3. Creating the initial storage configuration on the NVMe drive
  4. Setting up the root password and email for notifications

VM Templates and CIS Hardening

One of the most time-saving aspects of my setup was creating CIS-hardened templates for common operating systems. The Center for Internet Security (CIS) provides benchmarks for securely configuring operating systems and applications.

My Template Creation Process:

  1. Install base OS (Ubuntu Server 22.04, Windows Server 2019, etc.)
  2. Apply all updates and install qemu-guest-agent
  3. Apply CIS hardening guidelines using automated scripts
  4. Remove unnecessary services and packages
  5. Configure basic firewall rules
  6. Convert to template in Proxmox

# Example hardening script for Ubuntu Server
wget https://downloads.cisecurity.org/benchmarks/CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.0.0.zip
unzip CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.0.0.zip
sudo bash ./CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.0.0/scripts/apply_level1_server.sh

With these templates in place, I can spin up new, security-hardened VMs in minutes rather than hours, ensuring a consistent baseline security posture across all systems.

Network Segmentation

Network segmentation is a critical security practice that involves dividing a network into multiple segments or subnets, each acting as its own small network. This approach improves security by containing breaches and limiting lateral movement.

VLAN Architecture

Home Router / Firewall: Network Gateway & VLAN Management

Internal VLAN (192.168.10.0/24)

  • Nextcloud: Self-hosted file storage
  • Plex Media Server: Media streaming
  • Security Onion: Network monitoring

Home Lab VLAN (192.168.20.0/24)

  • Kali Linux: Penetration testing
  • Active Directory: Windows domain environment
  • Vulnerable VMs: Security practice targets

Firewall Rules

Proper firewall rules are essential for maintaining the integrity of network segmentation. My approach follows the principle of least privilege:

Key Firewall Policies:

  • Internal → Internet: Allow outbound connections for updates and services
  • Home Lab → Internet: Restricted outbound access (whitelist approach)
  • Internet → Internal: Block all except specific ports for remote access
  • Internet → Home Lab: Completely blocked
  • Internal ↔ Home Lab: Strictly controlled with specific allowed services
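
The policy list above can be kept as a small first-match, default-deny rule table and re-checked every time a rule is edited. The following is an added example, not code from this lab: the two subnets come from the VLAN architecture, while the hosts, ports (SSH on 22, WireGuard's default UDP 51820, a documentation-range update mirror) and probe flows are assumptions constructed for illustration.

```python
import ipaddress

# Subnets from the VLAN architecture above; everything else is "internet".
ZONES = {
    "internal": ipaddress.ip_network("192.168.10.0/24"),
    "homelab": ipaddress.ip_network("192.168.20.0/24"),
}

# (src zone, dst zone, dst host, proto, dst port, action); None matches anything.
# First match wins. Hosts and ports are assumed for illustration.
RULES = [
    ("internal", "homelab", None, "tcp", 22, "allow"),             # admin SSH into the lab
    ("homelab", "internet", "203.0.113.10", "tcp", 443, "allow"),  # allowlisted update mirror
    ("internal", "internet", None, None, None, "allow"),           # outbound updates/services
    ("internet", "internal", None, "udp", 51820, "allow"),         # WireGuard remote access
]

# Constructed probe flows (src, dst, proto, port) with the verdict the policy requires.
EXPECTED = [
    (("198.51.100.7", "192.168.20.5", "tcp", 22), "deny"),     # Internet -> Home Lab
    (("198.51.100.7", "192.168.10.2", "tcp", 443), "deny"),    # Internet -> Internal, other port
    (("198.51.100.7", "192.168.10.2", "udp", 51820), "allow"),
    (("192.168.20.5", "192.168.10.10", "tcp", 445), "deny"),   # lab reaching an internal host
    (("192.168.20.5", "198.51.100.7", "tcp", 443), "deny"),    # lab to non-allowlisted host
    (("192.168.20.5", "203.0.113.10", "tcp", 443), "allow"),
    (("192.168.10.10", "192.168.20.5", "tcp", 22), "allow"),
]

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "internet")

def decide(src, dst, proto, port, rules=RULES):
    """Return the first matching rule's action, or "deny" when nothing matches."""
    flow = (zone_of(src), zone_of(dst), dst, proto, port)
    for *match, action in rules:
        if all(want is None or want == got for want, got in zip(match, flow)):
            return action
    return "deny"

def audit(rules=RULES):
    """List every probe flow whose verdict differs from the required one."""
    return [(flow, got) for flow, want in EXPECTED
            if (got := decide(*flow, rules=rules)) != want]

if __name__ == "__main__":
    print(audit() or "policy matches all expected verdicts")
```

Because matching is first-match, a broad allow placed ahead of the allowlist entry silently widens Home Lab egress; `audit()` reports exactly the probe flows whose verdict changed.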

Security Note

The Home Lab VLAN should be treated as a potentially hostile network. Any traffic between it and other networks should be carefully inspected and limited. This is especially important when working with malware analysis or vulnerable machines.

Internal VLAN Setup

The Internal VLAN hosts services that I use regularly and want to keep separate from my experimental security lab. These services are designed to be reliable, secure, and accessible to authorized devices on my home network.

Nextcloud Setup

Nextcloud provides a self-hosted alternative to services like Dropbox or Google Drive, giving me complete control over my data while offering similar functionality.

Configuration Details

  • Ubuntu Server 22.04 LTS (CIS Hardened)
  • 4GB RAM, 2 vCPUs
  • 100GB storage (expandable)
  • MariaDB for database backend
  • Redis for caching
  • Nginx with HTTP/2 and TLS 1.3
  • Let's Encrypt for SSL certificates

Key Features

  • File synchronization across devices
  • Calendar and contacts sync
  • Collaborative document editing
  • Photo backup and organization
  • Two-factor authentication
  • End-to-end encryption for sensitive files
  • Mobile apps for Android and iOS

Backup Strategy

Data protection is a critical aspect of any home lab. My backup strategy follows the 3-2-1 principle: 3 copies of data, on 2 different media types, with 1 copy stored off-site.

Backup Implementation:

  • Primary Data: Stored on the NVMe drive in the mini PC
  • Local Backup: Weekly snapshots to an external USB drive
  • Off-site Backup: Encrypted backups to a cloud storage provider
  • Configuration Backup: Proxmox configuration and VM templates backed up separately

Automation is key to ensuring backups actually happen. I've set up scripts that handle the backup process on a schedule, with monitoring to alert me if backups fail.
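
One way to implement the "alert me if backups fail" check is to look at the backup target itself rather than trusting the job's exit status. This is an added example, not one of the scripts used in this lab: it parses Proxmox `vzdump` archive names and flags any guest whose newest non-empty archive is missing or older than the weekly schedule allows. The VM IDs, the 8-day threshold (weekly plus one day of slack) and the sample listing are assumptions constructed for illustration.

```python
import re
import sys
from datetime import datetime, timedelta
from pathlib import Path

# vzdump archive names: vzdump-<qemu|lxc>-<vmid>-<YYYY_MM_DD-HH_MM_SS>.<vma|tar>[.zst|.gz|.lzo]
ARCHIVE = re.compile(
    r"^vzdump-(?:qemu|lxc)-(\d+)-(\d{4}_\d{2}_\d{2}-\d{2}_\d{2}_\d{2})"
    r"\.(?:vma|tar)(?:\.(?:zst|gz|lzo))?$"
)

# Constructed sample listing (filename, size in bytes) and a fixed "now".
SAMPLE = [
    ("vzdump-qemu-100-2024_03_03-02_00_01.vma.zst", 4_200_000_000),
    ("vzdump-qemu-100-2024_03_10-02_00_02.vma.zst", 4_300_000_000),
    ("vzdump-qemu-100-2024_03_10-02_00_02.log", 5_120),           # job log, not an archive
    ("vzdump-lxc-101-2024_02_18-02_05_00.tar.zst", 900_000_000),  # job stopped running
    ("vzdump-qemu-102-2024_03_10-02_20_00.vma.zst", 0),           # empty file, e.g. full drive
]
SAMPLE_NOW = datetime(2024, 3, 12, 9, 0)

def newest_backups(entries):
    """Map vmid -> timestamp of its newest non-empty archive."""
    newest = {}
    for name, size in entries:
        m = ARCHIVE.match(name)
        if not m or size == 0:  # skip logs, notes and empty archives
            continue
        vmid, taken = int(m.group(1)), datetime.strptime(m.group(2), "%Y_%m_%d-%H_%M_%S")
        newest[vmid] = max(taken, newest.get(vmid, taken))
    return newest

def stale_guests(entries, expected_vmids, now, max_age=timedelta(days=8)):
    """Return {vmid: reason} for guests without a recent usable backup."""
    newest, problems = newest_backups(entries), {}
    for vmid in expected_vmids:
        if vmid not in newest:
            problems[vmid] = "no usable backup"
        elif now - newest[vmid] > max_age:
            problems[vmid] = f"last backup {(now - newest[vmid]).days} days old"
    return problems

if __name__ == "__main__":  # usage: check.py /path/to/dump 100 101 102
    listing = [(p.name, p.stat().st_size) for p in Path(sys.argv[1]).iterdir() if p.is_file()]
    problems = stale_guests(listing, map(int, sys.argv[2:]), datetime.now())
    print(problems or "all backups fresh")
    sys.exit(1 if problems else 0)
```

Run from cron after the backup window, the non-zero exit status is what the alerting hooks onto; passing the list of expected VM IDs explicitly is what catches a guest that was never added to the backup job.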

Home Lab VLAN Setup

The Home Lab VLAN is where the real security experimentation happens. This isolated environment allows me to safely work with potentially dangerous tools and vulnerable systems without risking my production network.

Offensive Security Setup

Kali Linux Attack Machine

  • Latest Kali Linux distribution
  • 8GB RAM, 4 vCPUs
  • 100GB storage
  • Full suite of penetration testing tools
  • Custom scripts and tooling

Malware Analysis Environment

  • Isolated Windows VM for dynamic analysis
  • REMnux Linux for static analysis
  • Cuckoo Sandbox for automated analysis
  • Network traffic capture and analysis
  • No internet access (completely air-gapped)

Target Environments

Active Directory Network

  • Windows Server 2019 Domain Controller
  • Multiple Windows 10 client machines
  • Realistic user accounts and permissions
  • Common misconfigurations for practice
  • Monitoring to track attack paths

Vulnerable Machines

  • Damn Vulnerable Linux (DVL)
  • OWASP WebGoat for web app security
  • Metasploitable for exploitation practice
  • Custom vulnerable applications
  • CTF-style challenge VMs

Automation and Development

Beyond security testing, the home lab VLAN also hosts my development and automation environments:

Development Infrastructure:

CI/CD Pipeline

  • GitLab for source control and CI/CD
  • Jenkins for automation tasks
  • Docker registry for container images
  • Testing environments for code validation

Containerized Applications

  • Docker Compose for multi-container apps
  • Kubernetes cluster for orchestration
  • Helm charts for deployment management
  • Monitoring with Prometheus and Grafana

Learning Opportunity

The combination of security testing and development environments creates a perfect learning platform. I can develop secure applications, then immediately test them against various attack vectors in a controlled environment.

Security Considerations

When building a security lab, you need to be especially mindful of security itself. Here are some of the key security measures I've implemented to keep my home lab safe:

Physical Security

  • Location — Server placed in a secure, locked area
  • Boot Security — BIOS password and secure boot enabled
  • Disk Encryption — Full disk encryption on sensitive VMs
  • UPS Backup — Protection against power outages

Network Security

  • VLAN Isolation — Strict separation between networks
  • Firewall Rules — Default-deny policies with explicit allows
  • VPN Access — WireGuard for secure remote access
  • IDS/IPS — Intrusion detection and prevention

Malware Containment

Working with malware requires extra precautions. My approach to malware analysis includes:

Containment Measures:

  • Network Isolation — No direct internet access for malware analysis VMs
  • Snapshot Rollbacks — Regular VM snapshots for quick recovery
  • Simulated Internet — Fake services to trick malware into executing
  • Memory Limits — Resource restrictions to prevent DoS conditions
  • Monitoring — Extensive logging of all activities

Critical Warning

Never connect malware analysis environments directly to the internet or your home network. Even with VLAN isolation, use additional security layers like nested virtualization or dedicated hardware when working with unknown malicious code.

Lessons Learned

Building and maintaining this home lab has been an educational journey. Here are some key lessons I've learned along the way:

What Worked Well

  • VM Templates — Saved countless hours of repetitive setup
  • Network Segmentation — Prevented security issues from spreading
  • Hardware Choice — The mini PC provided excellent performance for the price
  • Automation — Scripts for common tasks reduced manual work
  • Documentation — Keeping detailed notes made troubleshooting easier

Challenges Faced

  • Resource Constraints — Occasionally hit RAM limits with many VMs
  • Storage Management — Underestimated storage needs initially
  • Backup Complexity — Finding efficient backup solutions took time
  • Power Consumption — Higher than expected electricity usage
  • Heat Management — Needed additional cooling solutions

Key Takeaways

  1. Start small and expand gradually

    Begin with core services and add complexity as you become comfortable with the setup.

  2. Automate everything possible

    From backups to VM creation, automation saves time and reduces human error.

  3. Document meticulously

    Keep detailed records of configurations, IP addresses, and procedures.

  4. Plan for resource expansion

    Choose hardware that allows for upgrades as your lab grows.

  5. Security is a continuous process

    Regularly review and update security measures as threats evolve.

Future Expansions

A home lab is never truly finished. Here are some planned expansions and improvements for the future:

Hardware Upgrades

  • Additional mini PC for clustering
  • Network-attached storage (NAS)
  • Managed switch with better VLAN support
  • Dedicated hardware firewall
  • Uninterruptible power supply upgrade

Software Enhancements

  • Proxmox cluster configuration
  • Automated VM provisioning with Terraform
  • Configuration management with Ansible
  • Enhanced monitoring and alerting
  • Centralized authentication system

New Environments

  • Cloud security testing lab
  • IoT security research environment
  • Mobile application testing setup
  • Advanced threat hunting platform
  • Dedicated CTF practice environment

Conclusion

Building a home cybersecurity lab has been one of the most rewarding technical projects I've undertaken. It provides a safe space to learn, experiment, and develop skills that are valuable in the security industry.

Whether you're just starting in cybersecurity or are a seasoned professional, I highly recommend setting up your own lab environment. Start small, focus on your specific learning goals, and expand as your skills and interests grow.

Questions or Comments?

Have questions about my setup or want to share your own home lab experiences? I'd love to hear from you!