Checking on the Lab from Anywhere
A lab you can only reach from your desk chair is a lab you stop checking. I wanted to get to mine from anywhere without doing the one thing that makes security people wince: forwarding a pile of ports through the firewall. The answer was WireGuard.
If you haven’t used it, WireGuard is a VPN that feels like it was designed by someone who hates VPNs. The config is a handful of lines, the keys are simple public/private pairs, and there’s no fragile daemon to babysit. My phone and laptop each get a peer config, the tunnel terminates at the lab, and from the outside world exactly one UDP port is exposed. Everything else stays dark.
Once the tunnel is up, remote is the same as local. I can hit Grafana to check dashboards, reach NetBox, SSH into the boxes, or kick a Semaphore job from wherever I am. When a playbook run fails while I’m away from the house, I can look at why instead of wondering until I get home.
The setup lesson worth passing on is about layering. The VPN gets you onto the network, but it shouldn’t be the only lock on the doors. Everything behind it still authenticates like the tunnel doesn’t exist: SSH keys, credentials in vault, services that ask who you are. A VPN that leads to trusting everything behind it isn’t security, it’s a single point of failure with good marketing.
