Considering a lot of people here are self-hosting both private stuff, like a NAS and also some other is public like websites and whatnot, how do you approach segmentation in the context of virtual machines versus dedicated machines?
This is generally how I see the community action on this:
Scenario 1: Air-gapped, fully Isolated Machine for Public Stuff
Two servers one for the internal stuff (NAS) and another for the public stuff totally isolated from your LAN (websites, email etc). Preferably with a public IP that is not the same as your LAN and the traffic to that machines doesn’t go through your main router. Eg. a switch between the ISP ONT and your router that also has a cable connected for the isolated machine. This way the machine is completely isolated from your network and not dependent on it.
Scenario 2: Single server with VM exposed
A single server hosting two VMs, one to host a NAS along with a few internal services running in containers, and another to host publicly exposed websites. Each website could have its own container inside the VM for added isolation, with a reverse proxy container managing traffic.
For networking, I typically see two main options:
- Option A: Completely isolate the “public-facing” VM from the internal network by using a dedicated NIC in passthrough mode for the VM;
- Option B: Use a switch to deliver two VLANs to the host—one for the internal network and one for public internet access. In this scenario, the host would have two VLAN-tagged interfaces (e.g., eth0.X) and bridge one of them with the “public” VM’s network interface. Here’s a diagram for reference: https://ibb.co/PTkQVBF
In the second option, a firewall would run inside the “public” VM to drop all inbound except for http traffic. The host would simply act as a bridge and would not participate in the network in any way.
Scenario 3: Exposed VM on a Windows/Linux Desktop Host
Windows/Linux desktop machine that runs KVM/VirtualBox/VMware to host a VM that is directly exposed to the internet with its own public IP assigned by the ISP. In this setup, a dedicated NIC would be passed through to the VM for isolation.
The host OS would be used as a personal desktop and contain sensitive information.
Scenario 4: Dual-Boot Between Desktop and Server
A dual-boot setup where the user switches between a OS for daily usage and another for hosting stuff when needed (with a public IP assigned by the ISP). The machine would have a single Ethernet interface and the user would manually switch network cables between: a) the router (NAT/internal network) when running the “personal” OS and b) a direct connection to the switch (and ISP) when running the “public/hosting” OS.
For increased security, each OS would be installed on a separate NVMe drive, and the “personal” one would use TPM with full disk encryption to protect sensitive data. If the “public/hosting” system were compromised.
The theory here is that, if properly done, the TPM doesn’t release the keys to decrypt the “personal” disk OS when the user is booted into the “public/hosting” OS.
People also seem to combine both scenarios with Cloudflare tunnels or reverse proxies on cheap VPS.
What’s your approach / paranoia level :D
Do you think using separate physical machines is really the only sensible way to go? How likely do you think VM escape attacks and VLAN hopping or other networking-based attacks are?
Let’s discuss how secure these setups are, what pitfalls one should watch out for on each one, and what considerations need to be addressed.
Have you heard of Qubes?
Wow hold your horses Edward Snowden!.. but at the end of the day Qubes is just a XEN hypervisor with a cool UI.
Use defense in depth when possible. What you are describing wouldn’t work for any bigger setup as Proxmox clusters trust the underlying hosts. Also the chances of a hypervisor escape is very very small as in almost impossible. Chances are your weakest point will not be the hypervisor. I would focus on the network level with containers to separate workloads.
What you’re describing is scenario 2.
That’s what pretty much everyone uses
Also your probably don’t even need vlans. Sure it is nice but you are being way paranoid. You need to define a threat model before you do anything or else you are just going to spend lots of the protecting the wrong things.
I normally am all for security but if you are this paranoid you probably shouldn’t be putting things on the internet. Realistically there is a low threat even if someone manages to exploit a service. Try to come up with where a exploit is likely to happen and how you would prevent lateral movement. From an attack perspective it is extremely unlikely there is a person behind the attacks. If anything a container will be exploited and then it will be used as either a proxy or cryptominer.
I go with scenario 1 because it radically reduces the ways I can screw things up for myself.
I don’t have anything publically accesible on my network (other than wireguard), but if I did I’d just put whatever it was on its own VLAN, run a wireguard server on it, and use a VPS as a reverse proxy that connects to it.
I only use unprivileged LXCs and everything I host on my network runs in its own LXC, so I’m not really worried about someone getting access to the host from there.
So you do trust LXC isolation to the point of thinking that it would be close to impossible to compromise your host?
Nothing is impossible to compromise. It’s about making it not worth it (why go after some home lab when they can use the same methods to extort milliions of dollars?).
I’m not really worried about it. Each LXC runs as its own user on the host, and they only have access to what they need to run each service.
If there’s an exploit found that makes that setup inherently vulnerable then a lot of people would be way more screwed than I would.
If there’s an exploit found that makes that setup inherently vulnerable then a lot of people would be way more screwed than I would.
Fair enough ahah
I have a server that I run services through traefik/docker on.
It ALSO has a drive that is a MIRROR of my NAS.
that NAS has a lil slavey twin, an external 14tb USB HDD. It’s on my laptop.
Every time my laptop is idle, It does a little rsync with the servers NAS to stay current.
I keep a 3rd copy (mirroring server NAS) in the cloud.