homelab Homelab Rebuild 2026 — Overview This section documents a complete rebuild of a personal homelab and privacy stack from the ground up. Rather than just adding services on top of a consumer router, this rebuild takes a different approach: every layer — network, DNS, remote access, authentication, and identity — is purpose-built, open-source where possible, and designed with privacy and security as first-class requirements.
If you're running a similar setup or planning to level up from a consumer router, these guides are written from real experience, including the gotchas that most docs skip over.
Goals Open-source routing — replace a consumer mesh router with OPNsense running on x86 hardware Full DNS sovereignty — no DNS queries leaving to Cloudflare, Google, or the ISP Encrypted remote access — WireGuard VPN built into the router, zero exposed ports Public services without port forwarding — Cloudflare Tunnels as the only inbound path Hardware-bound authentication — YubiKey FIDO2 for SSH and account security Identity privacy — Proton Mail with custom domain, no dependency on Big Tech for email Architecture Overview For a full visual breakdown of how these components connect, see the Architecture Overview .
Component List Network Layer Component Role OPNsense on Zimaboard 2 Router, firewall, DHCP, DNS forwarder TP-Link Deco (AP mode) Wi-Fi access points only, routing disabled Suricata IDS Inline intrusion detection
DNS Layer Component Role Pi-hole Network-wide ad/tracker blocking, LAN DNS Unbound (on OPNsense) Recursive resolver, DNSSEC validation Dnsmasq (on OPNsense) DHCP + local hostname resolution
Remote Access Component Role WireGuard (OPNsense) Kernel-level VPN, split or full tunnel Cloudflare Tunnels Outbound-only path for public services
Identity & Authentication Component Role Proton Mail Privacy-first email on custom domain Proton Pass Password manager Proton Authenticator TOTP 2FA YubiKey (×2) FIDO2 SSH, account hardware keys
Device Security (macOS) Component Role FileVault Full disk encryption LuLu Outbound application firewall BlockBlock Persistence monitor OverSight Mic/camera access alerts
Section Guide Page What it covers OPNsense on Zimaboard 2 Hardware setup, install, initial config, DHCP, cutover Pi-hole + Unbound DNS Full DNS sovereignty stack, DNSSEC, ad blocking WireGuard VPN Router-level WireGuard, split/full tunnel, firewall + NAT rules YubiKey SSH FIDO2 SSH with ed25519-sk keys, macOS setup Cloudflare Tunnels Public services with zero port exposure Internal Hostnames NPM + Pi-hole local DNS, internal TLS Proton Mail Migration Custom domain email migration, MX/SPF/DKIM/DMARC macOS Hardening Native protections + Objective-See toolkit Architecture Diagram Full stack diagram with all layers (reference diagram — no steps)
If there is an issue with this guide or you wish to suggest changes, please raise an issue on GitHub .