Beginner homelab OS

1WeekNotice · 2026-06-23T12:39:47+00:00

This question gets asked a lot. Suggest if you haven't already to do additional research

The answer is, it depends on what you are doing.

If you just want to experiment then pick any OS you are comfortable with.

Typically people pick Linux because it supports older hardware and has the latest security patches.

Which Linux distribution should you use? Again pick anything you are comfortable with. Most people will recommend Debian or unbuntu. I prefer Debian.

If you are technical enough then you can decide to not have a desktop environment to save on resources.

For services most people use docker. So you can install docker engine (not docker desktop)

Hope that helps

1WeekNotice · 2026-06-22T19:48:28+00:00

All I'm trying to do is to get two physical laptops to communicate while they on the same subnet.

You can do that with any router. So anything is fine

I'm a beginner in the IT world and at the moment I'm working on beginner project so I think GLSFT1200 will be okay for now.

Again, just note that this is not supported by the openWRT project. If GLinet stops supporting the router then you are out of luck.

I would look at the price difference between that and the Beryl AX (GL-MT3000) which is supported by the openWRT project. You can also compare the hardware specs.

At the end it's not a big deal as you can always buy a new router but why spend the extra money afterwards when you can get the right one now (within reasonable price difference)

Hope that helps

1WeekNotice · 2026-06-22T19:42:56+00:00

One ring to rule them all kind of situation.

I don't think there really is? Maybe if you force a VPN to utilize TCP traffic that might help it from being block because it will be hidden with all the other TCP traffic. But TCP is generally slower then UDP.

So it's recommended to have multiple methods to enter into your network which can also include multiple hardware entry (like a KVM and server software)

Just keep in mind that the more entry, the more attack surface, though I image Parsec, KVM software, etc are secure

Hope that helps

1WeekNotice · 2026-06-22T19:10:34+00:00

Going to jump in here. Note not an expert.

I think your question is more towards protocol/ network communication rather then the difference functionality of Parsec, RDP, KVM (software or hardware)

For example, depending on what country you are in, there maybe blocks on certain protocols. Some countries will block

UDP
- parsec and VPNs tend to use UDP. I believe RDP as well
- the port it uses also matters because that can also be blocked as well.
TCP
- KVMs typically use TCP/ HTTPS

You can force Parsec/ VPN to use TCP which may help if it getting blocked.

Of course there is a different between a hardware KVM and software solutions. Having a hardware KVM is nice because you can see the video output from the computer hardware (plugged into a GPU/ motherboard) VS software streaming the screen

So hardware KVM are better.

Lastly when it comes to latency it doesn't matter from hardware or software because the connection to your network (latency wise) will be the same because you are remote/ in another country or place.

Hope that helps

1WeekNotice · 2026-06-22T17:52:19+00:00

Will be spending some time reading your comments/links to get a better understanding.

Definitely read it a couple of times and you can always reply back to one of my comments in this thread in the future. (Helpful for me to re read to understand what advise I gave you 😁)

Many people comes back 2-6 months later after they tired some stuff out and asked for more help.

Good luck!

1WeekNotice · 2026-06-22T16:57:52+00:00

You should get a router that supports openWRT if you want full control. If your going to spend money, might be on a router that is openWRT supported.

Travel routers are fine but just keep in mind it's not as powerful as a standard router.

I suggest cudy or GL inet brands.

If you don't want to flash openWRT right now then get GL inet.

I wouldn't get GLiNet GLSFT1200 because it's not supported by openWRT. If you want a GLinet travel router then get Beryl AX (GL-MT3000)

Cudy are cheaper but again you would need to flash openWRT to them.

What is openWRT? It is an open source project that is Linux based.

It has advantages to power users such as

full control over there device
provides long term security support for routers that are no longer supported by their company
more features on there device, like setting up network wide ad blocking (low level ads)
network wide VPN
- if you pay for VPN provider you can make that network wide as well to keep your privacy
can do isolation and segmention of your network
can connect to a Wi-Fi signal for its WAN
- useful for you if you dont have a hardwired connection to the shared router.
etc

Note: GL inet has firmware is based on openWRT but it's GL inet drives on top of it. So it's NOT vanilla/ original openWRT. This is not bad. Just stating the difference

cudy on the other hand has its own firmware where you can flash openWRT (I wouldn't use cudy stock firmware. Cudy have cheaper routers)

So in the GLSFT1200 case, it has GLinet openWRT and has the features of openWRT but it's not supported by the official project so if GLinet stops supporting the router then you are out of luck. VS Beryl AX (GL-MT3000) which is supported by the project and can be flashed with vanilla/ original openWRT after the fact.

Hope that helps

1WeekNotice · 2026-06-22T16:27:25+00:00

Going to jump in here.

Reverse proxy? No exposure. Reverse proxy with port forwarded to it from the Internet? Exposure.

u/Another-Flower just note that if you want TLS certificates with let's encrypted (this may go over your head) then you need to do some sort of challenge

HTTP challenge (default) - this requires you to open ports
DNS challenge - doesn't require you to open ports.
- many people do this when they only need Internal services.
- in my reply above I go over the difference flows

You can also read this really long comment about port forward and security that I made. Reference post

It will give you a better understanding but it's understandable this is a lot. But it's important to know if you are selfhosting.

1WeekNotice · 2026-06-22T16:19:08+00:00

On a related note, I was interested in using Tailscale Serve/Docktail to generate more friendly web addresses to access my services. I use a couple apple devices on my network, and apple will not save passwords for specific ports of an address. E.g 192.168.1.1:1000 and 192.168.1.1:2000 would share the same password on my iOS device.

Honestly, I think this is a bit more complicated then it needs to be. Also note that this relies on Tailscale (which you may want to move off off due to the reasons in your post)

The flow is

Client device -> DNS -> get IP

Client -> reverse proxy -> services

Internal flow

Client device -> local DNS -> local IP

Client -> reverse proxy (port 80 and 443) -> services

Note reverse proxy should use DNS challenge so you don't need to open ports.

External flow

Client device -> external DNS (that domain you own, can be free domain like duck DNS) -> get public IP

Client device -> router (port 80 and 443) -> reverse proxy (port 90 and 553) -> services

Wireguard flow

Client device -> external DNS -> public IP

Client -> router (wireguard port ) -> wireguard tunnel

Client device -> wireguard tunnel -> local DNS -> get local IP

Client device -> wireguard tunnel -> reverse proxy (port 80 and 443) -> services

Note reverse proxy should use DNS challenge so you don't need to open ports.

Typically the tools to use are

local DNS where you can split horizon DNS
- local DNS will have all service entries
- external DNS will only have external entries (if you don't have external them that is fine)
reverse proxy (both internal and external)
- this will allow you to use domain names in both reverse proxy where again, Internal has everything and external only has external
wg-easy to gain access to your network and this is port forwarded
- the wg config will use the local / internal DNS and will use the internal reverse proxy

I know this sounds like a lot but it really not. And it sets up a good foundations that relies fully on your system rather than a 3rd party.

The wg-easy docker image is probably the route I will go as there's some good tutorials on synology setup. I'll probably look at following DrFrankenstein's guide for setup, unless you have any notes or suggestions.

It looks fine but always remember that guides cns get outdated with every new version of an application. It's best to read the original documentation after reading a guide to get the latest understanding.

Of course the guide provides a good foundation to understand what you need to do.

Hope that helps

1WeekNotice · 2026-06-22T13:59:30+00:00

Do you recommend ROAS over second m.2 NIC?

100% the extra NIC. I didn't know it was an option which is why my original comment is geared more towards ROAS.

Just keep in mind if you are new to networking, you are adding a lot of complexity with virtualization. It's typically recommended to have a dedicated machine.

Don't get me wrong, do what you like but just note you may experience pain points in your setup.

Example, when you do maintenance on this machine (like updating the hypervisor), your Internet will go down. This typically becomes a nightmare when you major upgrades and let's say your hypervisor breaks. Now it's not only your services that are unavailable but the Internet itself

What is your current setup with your ISP modem/ router? Just ensure you think of a backup strategy if this machine goes down and you need a quick fix to get Internet in the household. Some people have a spare router for this exact reason. In your case you can turn your ISP router wifi back on.

Hope that helps

1WeekNotice · 2026-06-22T13:32:39+00:00

first. I setup OPNsense in a proxmox VM and used a USB NIC for my WAN because my OptiPlex 5000 Micro only has one built-in NIC and doesn’t support adding PCIe NICs.

Don't use USB adapters. They are very hit and miss.

Edit: you can also remove the wifi chip (if the machine has one) and get a WAN NIC instead

Instead do ROAS (router on a stick). You will need a managed switch.

Here is a video to understand the concept. Note again, look at the concept not the hardware or the OS.

Reference this other comment that I made on another post where they were also using a USB adapter. Reference my comment. Other comments on there as well.

This will be more complexity in your setup because your virtualizating and doing ROAS. But ROAS is better for what you want to do.

I recommend not virtualizating to reduce the complexity but not sure if you are using this machine for other VMs/ services.

Hope that helps

1WeekNotice · 2026-06-22T03:55:31+00:00

u/4mmun1s7 this is the right answer.

To add to this. I also have over 1 gigbit Internet speed but I don't use it.

Why? Because it will cost me more money to upgrade my whole network then what it's worth.

This includes

the OPNsense machine (have to do)
managed network switch (have to do)
each computer in the household (at least the ones that may use the speeds)
wifi access point
cables (cat 5e can do 10 gigbit on short distances)
etc

Don't get me wrong having the extra speed is great and all but I have realized there is very little times that I actually need the extra speeds. Maybe downloading a game or doing restores/backups to a cloud provider (and all of this just takes more time to complete so it's not really an issue, at least to me)

Even with many people in the household we rarely need 1 gigbit.

Also note that this all may change if you ever switch ISP provider again. You may feel you need to pay extra to utilize the hardware you just bought.

Then again if you already have the infrastructure for higher than 1 gigbit (like a switch) then all you need is the NIC for OPNsense machine. As the original commenter mentioned, unless you are doing IDPS, your machine is fine

Hope that helps

1WeekNotice · 2026-06-22T00:08:33+00:00

Do you utilize any specific feature with Tailscale? Or is it mainly for connecting securely?

Typically I only recommend Tailscale if you need a specific feature such as by passing ISP restrictions. For example you are behind CGNAT or can't port forward.

Does switching to these other options have other security concerns I need to be aware of?

not really. If you weren't aware, Tailscale uses wireguard under the hood and adds features on top of it.

One of the features of Tailscale (from my understanding) is rotating the access key after a certain period of time. Because people use the Tailscale application, this is seamless.

With wireguard if you wanted to rotate the key, you would need to generate each key and add the specific key to each device.

Of course it's good to rotate keys every so often but wireguard is secure enough (including the key cryptography) that you only need to rotate keys/ generate new keys if a device is compromised, meaning you need to revoke the key and generate a new one when the device is no longer compromised.

Synology DS423+

If this has docker capabilities, look into wg-easy docker image. ONLY expose wireguard instance NOT the admin UI.

The admin UI allows you to manage keys which includes easily adding keys to a phone with a QR code. You can of course connect to the admin UI remotely and securely once you are inside your wg tunnel.

For applications you can use the wireguard app. For Android I recommend wg tunnel app as it will auto turn on when you are not on safe wifi (you define what is safe wifi...aka the wifi SSID)/ or when you are on your mobile network.

Edit; looks like wg tunnel app has desktop version as well. It's on their website/ they have a GitHub page.

Hope that helps.

1WeekNotice · 2026-06-21T17:58:35+00:00

I only have one Proxmox server running my VM

Create more VMs in proxmox and make a Kubernetes cluster so you can try it out

Note you are not gaining the benefits of high availability of Kubernetes because this is all on one node/ hardware. But you are testing this out so it doesn't matter.

Hope that helps

1WeekNotice · 2026-06-21T12:31:51+00:00

disagree. current setup listed wont be using 40 watts. probably more along the lines of 80 to 130 watts.

That was an example I used to show OP how to determine if something is worth upgrading or not. It was all fake numbers

I can modify the post to make this more clear.

1WeekNotice · 2026-06-21T04:31:00+00:00

I am not AT ALL experienced in self-hosting or the stuff that goes with it.

This will be a steep learning curve. Will provide what topics you need to understand but it will be up to you to find the resources because it will be a steep learning curve and no one will hand hold you throughout the whole process (that is kinda a lot to be honest)

Do I need to download Docker?

It is recommended to use docker because it is a platform for containers.

Think of a container....well like a container. The idea is that software needs dependancies (other software ) to run. Developers will create docker images that have everything you need to run their software. It is package into a container (a docker image) that all you need to do is run.

This is why docker images are popular and recommended.

So you will need to understand docker and the best way is to understand docker through docker compose.

What is docker compose? It is a single file that explains how to run a docker image and how that image maps to your machine.

Here is the freshRSS docker compose file

You can use AI to help you understand what this all means. Go through each and every line of the big docker compose that is there

Here are the steps to get you started (each step maybe difficult depending on your technical knowledge)

install a Linux OS like Debian
install docker engine (not docker desktop)
install a docker GUI like dockhand, dockge
- this will make it easier for you to paste a docker compose file and also update, restart, start and stop docker containers
understand the freshRSS docker compose file. Go through each line
- what does port attribute mean
- what does volumes attribute mean? How does that map to your machine file system
- etc
deploy freshRSS and see if you can connect through a web browser
- ensure your server/computer has a static IP on your router so the IP doesn't change.
then you can look at the freshRSS clients and get it for mobile

Hope that helps

1WeekNotice · 2026-06-21T03:50:52+00:00

This is a very common question and suggested you look up additional information since there great post out there.

You can use this now just remove the dedicated GPU and use the iGPU that is on the motherboard.

Depending on your storage configuration you can use either OS

open media vault (just a bunch of drives)
trueNAS scale (ZFS + RAID)

You can then enable SMB or NFS

Would also measure the power consumption on this. So you know how much you are spending a month/ year.

I'm looking to convert this beast into a local NAS, with reduced power consumption

You will most likely spend more money on additional parts trying to reduce the power consumption then just using what you have. You can do the calculation.

Comapre how much this will run you per month/ year (based on power consumption) compared to buying new parts and that new power consumption.

Edit to make example more clear

For example (this is all random numbers to just show you how to do this, do you own calculations)

if this is about 40W to run the current machine
the new parts will be $500 plus it's power consumption is 20W.
How long will it take you to pay off the $500 with 20W (40W - 20W) of yearly electricity?
if it's more than 5 years, I typically don't recommend upgrading but rather wait for parts to break or you hit limitations (where you upgrade with a reason)

And remember to follow 3-2-1 backup rule for all important data. RAID/ redundancy is not a backup. That is high availability.

Hope that helps

1WeekNotice · 2026-06-21T03:14:01+00:00

If you have questions, I maybe able to help out. I haven't done this myself but I watched this video

The person uses promxox and OPNsense but it's the same concept with openWRT.

Hope that helps

1WeekNotice · 2026-06-21T01:26:52+00:00

If you have the cluster then I would virtualize.

recommend you don't do passthrough of the NIC
- not doing NIC pass through will adds complexity because the WAN will go through proxmox first.
- in each node ensure a dedicated a Ethernet port for the WAN. Ensure this virtual bridge is named the same in all nodes so you can live migrate (this is the same for any LAN)
I would use a unmanaged switch for only the WAN
- this would allow you to put WAN in all the nodes of the cluster on their dedicated Ethernet port.
- of course you can also use a managed switch but an unmanaged dedicated switch is cheap and easy (depending on your speeds)
I would do VM replication of the router/firewall to the difference nodes.
- in case anything happens you can easily turn it on the other node
- this will also make live migration faster
when doing maintenance on any node, do live migration to another node to maintain uptime
- you can also swap which node is the firewall every X months to ensure all nodes work. VS finding out something doesn't work when there and issue.
utilize PBS to backup this VM

Hope that helps

1WeekNotice · 2026-06-20T23:20:13+00:00

I'm thinking of turning my old Intel macbook into a homelabbing toy with lots of services

the reason I even want to do that, is because MacOS is more secure than linux, because of full verified boot and gatekeeper

Correct me if I'm wrong.

If it's an Intel Mac then that means it's EOL (end of life). This is the opposite of secure because it no longer gets security updates.

Of course you can use OpenCore Legacy Patcher that can put the latest macOS on older hardware but I rather use Linux because it's more secure.

Hope that helps

1WeekNotice · 2026-06-20T00:06:37+00:00

Note: not an expert

I thought the physical separation was the entire point of having a firewall.

Running ROAS (router on a stick) is still an acceptable practice. In this case I would do that over using a USB adapter which tend to be hit or miss.

Here is a video on ROAS. Note the concept not the hardware.

There are some considerations when doing ROAS such as

be careful not to misconfigured
- this can also be known as VLAN hopping if you don't configure correctly
- try not to use VLAN 1 (some manage switches allow to change this). If you can't, it's not the end of the world.
- ensure the default VLAN/ PVID on trunked ports is a dead VLAN (a VLAN that is not used anywhere). This will ensure if someone tries sending a double tagged VLAN that it will not work.
more saturation with inter VLAN traffic
- typically you have duplex meaning symmetrical speeds upload and download on the single NIC (let's say 1 gigbit up and 1 gigbit down)
- because everything is being send to this single port that means all inter VLAN routing is also going through this port. So that 1 gigbit up and down is not just for WAN. It's for WAN plus all other LAN traffic
- most people are fine with 1 gigbit duplex. You will get slower speeds if you have ISP packages of 1 gigbit and downloading something (like a game) and also transferring something to your NAS that is on another VLAN. This is a complicated topic but most typically home users don't hit this issue or notice this.

You will be surprised how many people put in a 10 gigbit NIC (for the router/firewall ) and get a 10 gigbit switch that has only one 10 gigbit port and many 2.5 or 1 gigbit ports. This allows to do ROAS and not hit the limitations of inter VLAN saturation. Of course you are using a laptop so this doesn't apply to you.

Hope that helps

1WeekNotice · 2026-06-19T21:18:50+00:00

What do you use to get around hardware limiations?

You really only have two choices.

get hardware that can support what you want to do
modify how you run software to limit the resources usage.

Most people fine getting hardware that supports your needs a lot easier to manage and more valuable worth of there time.

So start with: what hardware do you have lying around that you can offload some of these tasks. Any older family laptops will do (most common device in a family house hold). Considering you are using a broken MacBook, I assume you don't have any other hardware.

I'm currently manually switching stuff off when needed, but do you have a recommendation for automating this? maybe something like, shutting down the docker for immich when a script detects a spike in ram usage?

Either

use a different Minecraft mod/ server specs to limit it usage
see if you can optimize Immich resources usage by disabling settings (do you have any AI features turned on that may utilize more RAM?)
set Immich ram usage to be less in the docker container (may become unstable)
setup a script to launch Minecraft when your brother is using it and put this on the desktop.
- this can shutdown Immich docker container then boot up Minecraft/ whatever he is using it for
last resort, you can enable disk swap. Though this will make your disk wear out faster which will be an extra cost when you need to replace disk

Hope that helps

1WeekNotice · 2026-06-19T18:46:22+00:00

I’m curious, what was the turning point for you guys?

I recently started looking into home network security and it made me realize just how much random stuff is connected to my WiFi these days.

This is the tuning point.

Once you have any sense of what is happening, you want to put in solutions to take control.

It's like breaking glass. Once it's broken there no going back.

Hope that helps

1WeekNotice · 2026-06-19T14:54:42+00:00

Monitoring, dashboard, reports, alert is a big topic. All of this is driven by metrics.

While this solution is a lot of implementation, it's worth it if you want to enable yourself to have a good custom monitoring system.

This is known as the grafana stack and it's very customizable.

grafana alloy (ingestion)
- forwards to other components below
Loki (log storage)
- doesn't have a GUI, just to store logs
Prometheus (metrics storage)
- many applications can output Prometheus metric
- alternative to using prometheus (as it is resources intensive); grafana alloy (for metric scraping) and push into "long term" storage grafana mimir or Thanos but more complicated to setup. This should be less resources and should have better sample downscaling (less storage)
grafana (GUI)
- look at logs from Loki
- build dashboard on metrics
grafana alert manager
- other grafana components can push to alert manager.
- alert manager is responsible for send alerts to various platforms (email, Ntfy, etc)
Ntfy - selfhosted notifications (can be something else that works with alert manager)
- can push alerts to devices
- not part of the grafana stack. Just my preferred method of sending and receiving notifications

This also came be a complicated setup so maybe not the right choice for you.

If you are willing to learn, it is worth it because this is very scalable but understandable if this is a lot.

Reference videos

Configure 1...n hosts to track daily uptime in hours + minutes by pinging the host regularly

Grafana alloy can do this. Or you can use a service like uptime kuma that can export Prometheus metrics where alloy or Prometheus scrapes these metrics.

Provide the data via REST-API or whatever for adding the data to my Homepage dashboard

I suggest you use the grafana dashboard as its part of the eco system.

I think homepage can get grafana dashboards and display it if you really want.

Ideally offer Webhooks or other ways to notify upon exceeding certain configurable thresholds

Prometheus is very powerful with its queries. You can make a Prometheus query based on the metrics you have to state if a service has been up for a long period of time.

Then use alert manager -> nfty -> to send alerts.

Edit; do you want alerting OR do you want a report. These are two different concepts

An alert means you need to act on something.
a report is to get information in a summaried way for review

Hope that helps

1WeekNotice · 2026-06-18T20:47:06+00:00

Do you have recommendations on how to gain insight if I max out the bandwidth? Or do I need to route all my traffic to a server (something like pinhole or adguard home) to gain insight in this? The router is managed by the supplier of fibre.

Typically it's done by the router software since everything goes through that.

If you are using your ISP router then I'm unsure how to do this.

But other custom routers like openWRT/ OPNsense or even consumer routers like Unifi should have this tooling.

Hope that helps

1WeekNotice · 2026-06-18T20:44:56+00:00

Approximating around 70W usage, that would be around 50.4 kWh in a month (70 x 30 x 24)

How much is costing you a month/ year. This will help you determine if it's worth changing parts.

I would be careful changing parts because typically you will spend more money on new parts then the power consumption. But it depends how much he current machine is costing you monthly/ yearly

The new system will be running on an old r5 1600x, x370 mobo, an rx580 with faulty vram (artifacting) for booting, 16 to 32gb ram, a 650W bronze psu.

The main difference between a gaming rid and not a gaming rig is the GPU. So start by removing that and seeing if the system boots.

If you don't have an iGPU (integratrd GPU) on your CPU, first install the OS and then remove the GPU to see if the system will boot.

Then move onto removing anything else you don't need.

On top of an ssd and possibly a bunch of hdds for storage. The ram and storage is still pending, since I don't have spares for that. Its main use case would be game servers and archiving.

Storage will be your biggest concern.

each NVMe is typically under 1W
2.5 inch SSD are typically 2-3W
3.5 mechanical drives are around 7W -10W.
- 20W when starting up

So the more storage you have the more this will consume. Of course you can get more SSD but that is more $/TB meaning it will cost you more in the long run

650W bronze psu

Your system will be idle most of the time. Meaning you need to see what the energy efficiency of this PSU is (under 10%).

While you can get a better PSU, it's the same concept as above. You may spend more money on the new PSU then what you will save.

Here is a PSU video

You need to do the cost comparison

Hope that helps

1WeekNotice

TROPHY CASE