Self-Hosting Your Own Lab: A Practical Guide

If you work in security or infrastructure, you need a home lab. Not because it's trendy (though it is), but because there's no substitute for having an environment where you can:

Break things without consequences
Test vulnerabilities in a safe space
Learn new tools and technologies
Build your own infrastructure
Practice detection and response

I've been running home labs for over a decade, from a single Raspberry Pi to a full rack of servers in my garage. In this guide, I'll walk you through how to build your own lab-whether you have $50 or $5,000 to spend.

Why Self-Host?

You could just spin up cloud VMs (AWS, DigitalOcean, Linode). And for some use cases, you should. But self-hosting has unique advantages:

1. You Own the Hardware

No monthly bills. No surprise charges. No vendor lock-in. Once you buy the hardware, it's yours. Run it for 5 years and the cost-per-month becomes negligible.

2. You Control the Network

Want to simulate a corporate network with VLANs, firewalls, and DMZs? Good luck doing that in AWS without a massive bill. At home? Pfft, just grab a managed switch and go wild.

3. It's a Learning Playground

Want to test a ransomware sample? Cloud providers will (rightfully) shut you down. At home, with proper isolation, you can do whatever you want.

4. It's Fun

There's something deeply satisfying about racking your own server, cable managing like a pro, and watching your homelab dashboard light up green.

My Lab Evolution: From Humble Beginnings to Overkill

Phase 1: The Raspberry Pi Era (2012)

My first "lab" was a Raspberry Pi Model B running Raspbian. It hosted:

A personal website (Apache + PHP)
A Minecraft server (horribly slow, but it worked)
Pi-hole for network-wide ad blocking

Cost: ~$35 What I learned: Linux basics, networking, the importance of backups (RIP corrupted SD card #3)

Phase 2: The Old Laptop (2014)

I repurposed an old laptop (Dell Latitude) as a server:

Proxmox VE for virtualization
Multiple VMs: pfSense firewall, Ubuntu web server, Windows for testing
External HDD for storage

Cost: Free (already had the laptop) What I learned: Virtualization, VLANs, firewall rules, the pain of laptop cooling under load

Phase 3: The Dedicated Server (2016)

I bought a used Dell PowerEdge R710 off eBay:

Dual Xeon CPUs, 96 GB RAM
RAID controller with 4x 2 TB drives
Ran ESXi with 20+ VMs

Cost: ~$300 (server) + $50/month (electricity, oops) What I learned: Enterprise hardware, RAID, power consumption matters, server noise is real

Phase 4: The Modern Homelab (2020-Now)

Now I run a mix:

Compute: Dell R730 (128 GB RAM, 2x E5-2680 v4), Proxmox cluster
Storage: TrueNAS with 24 TB usable (ZFS RAID-Z2)
Networking: UniFi Dream Machine Pro, managed switches, multiple VLANs
Monitoring: Grafana + Prometheus + Loki
Extras: Pi-hole, Home Assistant, Plex, Gitea, etc.

Cost: ~$2,000 (spread over years) What I learned: Way too much. Let's dive in.

The Practical Guide: Building Your Lab

Budget Tier ($50-$200): The Starter Pack

If you're just starting out, you don't need much:

Raspberry Pi 4 (4 GB or 8 GB) - $55-$75
Or: Old laptop/desktop (free if you have one)
Or: Cheap VPS (Hetzner, Linode, Vultr) - $5-$10/month
Linux distro (Ubuntu Server, Debian, Rocky Linux)
Docker + Docker Compose
Portainer (web UI for Docker)
Basic monitoring (Netdata or Cockpit)
Pi-hole (network-wide ad blocking)
Nginx reverse proxy
Personal website/blog
Git server (Gitea)
Password manager (Vaultwarden - Bitwarden clone)

Sample Docker Compose:

version: '3.8'
services:
  pihole:
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
    environment:
      TZ: 'Europe/Dublin'
      WEBPASSWORD: 'changeme'
    volumes:
      - './pihole:/etc/pihole'
      - './dnsmasq.d:/etc/dnsmasq.d'
    restart: unless-stopped

gitea: image: gitea/gitea:latest ports: - "3000:3000" - "222:22" environment: USER_UID: 1000 USER_GID: 1000 volumes: - './gitea:/data' restart: unless-stopped

nginx: image: nginx:alpine ports: - "443:443" volumes: - './nginx.conf:/etc/nginx/nginx.conf' - './certs:/etc/nginx/certs' restart: unless-stopped ```

Mid Tier ($200-$800): The Serious Hobbyist

You're ready to level up. Time for real hardware.

Used enterprise server (Dell R720, HP DL380 Gen8) - $200-$400 on eBay
Or: Build your own (Ryzen 5, 32 GB RAM, budget case) - $500-$800
Managed switch (Ubiquiti, TP-Link) - $50-$100
Proxmox VE (virtualization)
pfSense/OPNsense (firewall/router)
TrueNAS Core (storage)
Wazuh (SIEM/XDR)
TheHive + Cortex (incident response)
Security lab (vulnerable VMs, attack simulation)
Multi-tier web app (web server, app server, database)
Active Directory domain (Windows Server)
Monitoring stack (Prometheus, Grafana, Loki)

Example Setup:

┌─────────────────────────────────────┐
│  Proxmox Host (Dell R720)           │
│  - 128 GB RAM, 2x Xeon E5-2670      │
│                                     │
│  VMs:                               │
│  ┌───────────────┐                  │
│  │ pfSense       │ (Router/Firewall)│
│  ├───────────────┤                  │
│  │ Wazuh SIEM    │ (Security)       │
│  ├───────────────┤                  │
│  │ TrueNAS       │ (Storage)        │
│  ├───────────────┤                  │
│  │ Kali Linux    │ (Pentesting)     │
│  ├───────────────┤                  │
│  │ Windows DC    │ (Active Directory│
│  ├───────────────┤                  │
│  │ Ubuntu Web    │ (Services)       │
│  └───────────────┘                  │
└─────────────────────────────────────┘

High Tier ($800-$2,000+): The Home Datacenter

You're committed. Maybe too committed. But it's glorious.

Multiple servers (compute + storage)
Proper networking (UniFi UDM Pro, 10 GbE switches)
UPS (battery backup)
Server rack (if you're fancy)
Proxmox cluster (HA, live migration)
Ceph distributed storage
Kubernetes (K3s or full K8s)
ELK stack (Elasticsearch, Logstash, Kibana)
Security Onion (full NSM platform)
Everything from Mid Tier +
Full kubernetes cluster
Network Security Monitoring (Security Onion, Suricata, Zeek)
Red/Blue team lab (attack and defend)
CI/CD pipelines (GitLab, Jenkins)
Enterprise simulacrum (pretend you're a small company)

Key Components Explained

1. Hypervisor (Virtualization)

Your hypervisor lets you run multiple VMs on one physical machine.

Proxmox VE (my choice): Open source, web UI, KVM + LXC containers
VMware ESXi: Enterprise-grade, free tier available
XCP-ng: Open source Xen-based

Why it matters: Run 10+ VMs on one server. Isolate workloads. Snapshot before breaking things.

2. Firewall/Router

Your lab network needs a firewall, especially if you're running vulnerable VMs.

pfSense: Feature-rich, excellent docs
OPNsense: pfSense fork, modern UI
VyOS: CLI-based, very flexible

Why it matters: Segment your network. VLANs for isolation. VPN access. IDS/IPS with Suricata.

3. Storage

You need reliable storage for VMs, backups, media.

TrueNAS Core/Scale: ZFS-based, amazing features
Unraid: Easy to use, flexible
Proxmox built-in: LVM, ZFS, Ceph

Why it matters: ZFS gives you snapshots, RAID, compression, deduplication. Backups save lives.

4. Monitoring

If you don't monitor it, you don't know when it breaks.

Prometheus + Grafana: Industry standard, flexible
Zabbix: Enterprise-level monitoring
Netdata: Real-time, beautiful dashboards

Why it matters: Know when services go down. Track resource usage. Pretty dashboards are motivating.

Security Lab Specifics

If you're building a lab for security work, here's what you need:

Vulnerable VMs

Metasploitable 2/3: Intentionally vulnerable Linux VMs
DVWA: Damn Vulnerable Web Application
VulnHub VMs: Hundreds of challenge VMs
HackTheBox offline VMs: Retired machines

Attack Tools

Kali Linux: Every pentesting tool you need
Parrot OS: Alternative to Kali
Commando VM: Windows-based attack VM
Custom scripts: Build your own tools

Defense Tools

Wazuh: Open source SIEM/XDR
Security Onion: Full NSM platform (Suricata, Zeek, ELK)
Velociraptor: Endpoint monitoring and DFIR
TheHive: Incident response platform

Network Segmentation

Isolate your attack/vulnerable VMs:

VLAN 10: Management (Proxmox, TrueNAS)
VLAN 20: Production (Pi-hole, Gitea, etc.)
VLAN 30: Security Lab (Kali, vulnerable VMs)
VLAN 40: DMZ (anything internet-facing)

VLAN 30 can't reach VLAN 10 or 20
VLAN 30 can only reach internet via specific IPs
VLAN 10 can access everything (but requires VPN)

My Actual Setup (The Full Monty)

For those curious, here's my current homelab:

Proxmox Host 1: Dell R730, 128 GB RAM, 2x E5-2680 v4 (28 cores)
Storage: TrueNAS on dedicated server, 24 TB usable (8x 4 TB in RAID-Z2)
Network: UniFi Dream Machine Pro, 2x UniFi 48-port switches, 10 GbE between servers
UPS: CyberPower 1500VA
pfSense (firewall/router)
Pi-hole (DNS + ad blocking)
Wazuh (SIEM)
Kali Linux (pentesting)
Windows Server 2019 (AD lab)
Ubuntu web server (Nginx, PHP, MySQL)
GitLab (self-hosted CI/CD)
Grafana + Prometheus (monitoring)
Home Assistant (smart home automation)
Plex (media server)
Personal website (you're reading this on it)
Git server for personal projects
Password manager (Vaultwarden)
VPN (Wireguard)
Nextcloud (file sync)
Bookstack (documentation wiki)

Lessons Learned the Hard Way

Lesson 1: Power Consumption is Real

My R710 drew 300W idle. At $0.15/kWh, that's $35/month. Ouch.

Solution: Upgraded to more efficient hardware (R730 draws ~150W idle). Consider power before buying.

Lesson 2: Backups Are Not Optional

I've lost data exactly once (RAID controller failure + corrupted backup). Never again.

3 copies of your data
2 different storage types
1 off-site backup

I use: TrueNAS snapshots + external HDD + cloud backup (encrypted Backblaze B2).

Lesson 3: Documentation Saves Future You

When you're tinkering at 2 AM, you won't remember why you configured something a certain way.

Network diagram
VLAN assignments
Firewall rules
VM inventory
Backup procedures

Lesson 4: Start Small, Grow Over Time

Don't try to build a datacenter on day one. Start with a Raspberry Pi or old laptop. Add servers as you learn.

My lab took 10+ years to get where it is. Yours doesn't need to match mine on day one.

Lesson 5: Community is Key

Join /r/homelab, /r/selfhosted, and Discord communities. People share knowledge, troubleshoot issues, and inspire new projects.

Practical Tips

Buying Used Hardware

eBay, Facebook Marketplace, Craigslist
Look for "enterprise pulls" (decommissioned datacenter gear)
Check power consumption before buying
Gen 8-9 servers (2012-2015) are the sweet spot (cheap, efficient enough)

Noise Management

Replace fans with quieter models (Noctua)
Use IPMI to set custom fan curves
Put the server in a closet/basement
Or just embrace the datacenter ambiance

Power Management

Use a UPS (battery backup) to protect against outages
Schedule non-critical VMs to shut down at night
Use power-efficient hardware where possible

Networking

Buy a managed switch (VLANs are essential)
Use 10 GbE between servers if you can (NFS/iSCSI performance)
Label everything (cables, ports, patch panels)

Resources

/r/homelab
/r/selfhosted
/r/datahoarder
ServeTheHome forums
Techno Tim
Craft Computing
NetworkChuck
Lawrence Systems
draw.io (network diagrams)
Netbox (IPAM/DCIM)
Ansible (automation)

Wrapping Up

Building a homelab is one of the best investments you can make in your tech career. You'll learn more from breaking and fixing your own stuff than any tutorial or certification can teach.

Start small. Break things. Fix them. Repeat.

And most importantly: have fun. This is your playground.

---

Janusz Czeropski runs a homelab with too many VMs and not enough time. When he's not breaking things in his lab, he's breaking things in production (just kidding, Trend Micro). You can find him on GitHub or LinkedIn.