Publish my Homelab to the Internet?
The issue
For some time I've been extremely hesitant to publish my home lab to the internet so that I can access its resources. Don't get me wrong, I've really wanted to, and I even opened it up a few times before I had my current lab setup.
Some might ask: why not set up a VPN connection into the network, so that you can access it securely? Well, even with a VPN you would be publishing the VPN gateway to the internet so that you can authenticate yourself. Knowing how much VPN gateways have been in the crosshairs of both cyber criminals and nation-state actors, I really don't want to accept the associated risks of doing so.
The Solution
Secure Access Service Edge / Zero Trust Network Access
The solution is to onboard a more modern tool that works as the zero trust network boundary, controlling the authentication and authorization layer in front of my network assets. The firewall is then only there to function as a second structural border on what the connector server itself can access, making it the next natural step in the defense-in-depth design.
Twingate
There are lots of great tools available from multiple different vendors to get this done, to name a few: Palo Alto Prisma Access, Zscaler Zero Trust Exchange, Microsoft Global Secure Access.

I ended up selecting Twingate for my home lab.
Why, you might ask? Well, it had all the required capabilities for managing groups, users, resources, you name it, and it is free for home use.
Identity and Access Management
I already have a Microsoft environment for this site, emails, ddossiamonitor, and other testing, so it is the optimal solution for ensuring that I also have identity provisioning and logging available.
When I first signed up for the platform, it let me run through the basic enterprise application consent process to onboard it into my tenant, so onboarding from the Twingate admin portal was pretty streamlined. You basically just click "Add identity Provider" and it runs you through the process quite nicely. I of course already had the app from my sign-up, so the only things left to do were an additional identity for the wife and app provisioning.
Microsoft and Twingate also have good documentation available on the process:
Microsoft (LINK)
Twingate (LINK)
On the Twingate side, it was then just a matter of creating the appropriate groups and access restrictions for assets. For everyone, I added access to our fileshare so we can reach it from any device while away, and for privileged users (me), access to a few internal admin portals.
Final words
For anyone who has a home lab and doesn't want to publish internal resources to the internet through traditional means, I highly recommend getting your hands on some type of SASE solution that can handle this for your own needs.