# đŸ’ģ Laptop Travel Setup Guide **🟡 Intermediate Guide** This guide covers setting up your laptop for secure travel with full homelab access, including Tailscale VPN tunneling through Atlantis for IP privacy, remote filesystem mounting, and zero-local-storage security practices. ## đŸŽ¯ Travel Security Philosophy ### **Zero Trust Laptop Model** - **No critical data stored locally** - Everything mounted from homelab - **Encrypted disk** - Full disk encryption for physical security - **VPN-only access** - All traffic routed through homelab - **Disposable mindset** - Laptop loss/theft has minimal impact - **Remote wipe capability** - Can be wiped remotely if compromised --- ## 🌐 Tailscale Travel Configuration ### **Step 1: Install Tailscale on Laptop** #### **Linux (Ubuntu/Debian)** ```bash # Install Tailscale curl -fsSL https://tailscale.com/install.sh | sh # Connect to your tailnet sudo tailscale up # Verify connection tailscale status tailscale ip -4 ``` #### **macOS** ```bash # Install via Homebrew brew install --cask tailscale # Or download from: https://tailscale.com/download/mac # Launch Tailscale and sign in to your tailnet ``` #### **Windows** ```bash # Download from: https://tailscale.com/download/windows # Install and sign in to your tailnet # Run as administrator for best performance ``` ### **Step 2: Configure Exit Node (Atlantis)** #### **On Atlantis (Exit Node Setup)** ```bash # Enable IP forwarding echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf sudo sysctl -p # Advertise as exit node sudo tailscale up --advertise-exit-node # Verify exit node status tailscale status ``` #### **On Laptop (Use Exit Node)** ```bash # Use Atlantis as exit node for all traffic tailscale up --exit-node=atlantis.vish.local # Verify your public IP is now Atlantis curl ifconfig.me # Should show your home IP, not travel location IP # Check routing tailscale status ip route | grep 100.64 ``` ### **Step 3: Advanced Tailscale Configuration** #### **Laptop-Specific Settings** ```bash # Enable key expiry for security tailscale up --exit-node=atlantis.vish.local --auth-key=[auth-key] --timeout=24h # Configure DNS to use homelab Pi-hole tailscale up --exit-node=atlantis.vish.local --accept-dns=true # Disable key expiry warnings (optional) tailscale set --auto-update ``` #### **Split Tunneling (Advanced)** ```bash # Route only specific traffic through exit node # Create custom routing rules # Route homelab traffic through Tailscale sudo ip route add 192.168.1.0/24 via $(tailscale ip -4) dev tailscale0 # Route specific services through exit node sudo ip route add 0.0.0.0/0 via $(tailscale ip -4 atlantis) dev tailscale0 table 100 sudo ip rule add from $(tailscale ip -4) table 100 ``` --- ## 📁 Remote Filesystem Mounting ### **SSHFS Setup (Recommended)** #### **Install SSHFS** ```bash # Ubuntu/Debian sudo apt install sshfs # macOS brew install macfuse sshfs # Windows (WSL) sudo apt install sshfs ``` #### **Mount Homelab Filesystems** ```bash # Create mount points mkdir -p ~/mounts/{atlantis,calypso,homelab-vm,projects,documents} # Mount Atlantis (Primary NAS) sshfs vish@atlantis.vish.local:/volume1/homes/vish ~/mounts/atlantis \ -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3,follow_symlinks # Mount Calypso (Media NAS) sshfs vish@calypso.vish.local:/volume1/media ~/mounts/calypso \ -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3 # Mount Homelab VM (Development) sshfs vish@homelab-vm.vish.local:/home/vish/projects ~/mounts/projects \ -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3 # Mount Documents (Secure storage) sshfs vish@atlantis.vish.local:/volume1/documents ~/mounts/documents \ -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3 ``` #### **Automated Mounting Script** ```bash #!/bin/bash # ~/scripts/mount-homelab.sh set -e MOUNTS_DIR="$HOME/mounts" LOG_FILE="$HOME/.homelab-mounts.log" log() { echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE" } mount_fs() { local name="$1" local remote="$2" local local_path="$3" local options="$4" if mountpoint -q "$local_path"; then log "✅ $name already mounted" return 0 fi mkdir -p "$local_path" if sshfs "$remote" "$local_path" -o "$options"; then log "✅ Mounted $name: $remote -> $local_path" else log "❌ Failed to mount $name" return 1 fi } # Check Tailscale connectivity if ! tailscale status >/dev/null 2>&1; then log "❌ Tailscale not connected" exit 1 fi log "🚀 Starting homelab filesystem mounting..." # Default SSHFS options OPTS="reconnect,ServerAliveInterval=15,ServerAliveCountMax=3,follow_symlinks,cache=yes,compression=yes" # Mount all filesystems mount_fs "Atlantis Home" "vish@atlantis.vish.local:/volume1/homes/vish" "$MOUNTS_DIR/atlantis" "$OPTS" mount_fs "Calypso Media" "vish@calypso.vish.local:/volume1/media" "$MOUNTS_DIR/calypso" "$OPTS" mount_fs "Projects" "vish@homelab-vm.vish.local:/home/vish/projects" "$MOUNTS_DIR/projects" "$OPTS" mount_fs "Documents" "vish@atlantis.vish.local:/volume1/documents" "$MOUNTS_DIR/documents" "$OPTS" mount_fs "Backups" "vish@anubis.vish.local:/volume1/backups" "$MOUNTS_DIR/backups" "$OPTS" log "đŸŽ¯ Homelab mounting complete" # Create convenient symlinks ln -sf "$MOUNTS_DIR/projects" "$HOME/Projects" ln -sf "$MOUNTS_DIR/documents" "$HOME/Documents" ln -sf "$MOUNTS_DIR/atlantis/Desktop" "$HOME/Desktop-Remote" ln -sf "$MOUNTS_DIR/calypso/Photos" "$HOME/Photos" ln -sf "$MOUNTS_DIR/calypso/Movies" "$HOME/Movies" log "🔗 Symlinks created" ``` #### **Unmounting Script** ```bash #!/bin/bash # ~/scripts/unmount-homelab.sh MOUNTS_DIR="$HOME/mounts" unmount_fs() { local path="$1" local name="$2" if mountpoint -q "$path"; then if fusermount -u "$path" 2>/dev/null || umount "$path" 2>/dev/null; then echo "✅ Unmounted $name" else echo "❌ Failed to unmount $name" return 1 fi else echo "ℹī¸ $name not mounted" fi } echo "🔄 Unmounting homelab filesystems..." unmount_fs "$MOUNTS_DIR/atlantis" "Atlantis" unmount_fs "$MOUNTS_DIR/calypso" "Calypso" unmount_fs "$MOUNTS_DIR/projects" "Projects" unmount_fs "$MOUNTS_DIR/documents" "Documents" unmount_fs "$MOUNTS_DIR/backups" "Backups" # Remove symlinks rm -f "$HOME/Projects" "$HOME/Documents" "$HOME/Desktop-Remote" "$HOME/Photos" "$HOME/Movies" echo "đŸŽ¯ Unmounting complete" ``` ### **NFS Setup (Alternative)** #### **On Homelab Servers (NFS Server)** ```bash # Install NFS server (on Atlantis/Calypso) sudo apt install nfs-kernel-server # Configure exports sudo tee /etc/exports << 'EOF' /volume1/homes/vish 100.64.0.0/10(rw,sync,no_subtree_check,no_root_squash) /volume1/documents 100.64.0.0/10(rw,sync,no_subtree_check,no_root_squash) /volume1/media 100.64.0.0/10(ro,sync,no_subtree_check) EOF # Apply exports sudo exportfs -ra sudo systemctl restart nfs-kernel-server # Check exports sudo exportfs -v ``` #### **On Laptop (NFS Client)** ```bash # Install NFS client sudo apt install nfs-common # Mount NFS shares sudo mount -t nfs atlantis.vish.local:/volume1/homes/vish ~/mounts/atlantis sudo mount -t nfs calypso.vish.local:/volume1/media ~/mounts/calypso # Add to /etc/fstab for automatic mounting echo "atlantis.vish.local:/volume1/homes/vish $HOME/mounts/atlantis nfs defaults,user,noauto 0 0" | sudo tee -a /etc/fstab ``` --- ## 🔐 SSH Key Management for Travel ### **SSH Agent Setup** ```bash # Start SSH agent eval "$(ssh-agent -s)" # Add homelab keys ssh-add ~/.ssh/homelab_ed25519 ssh-add ~/.ssh/atlantis_ed25519 ssh-add ~/.ssh/servers_ed25519 # List loaded keys ssh-add -l # Configure SSH agent forwarding echo "ForwardAgent yes" >> ~/.ssh/config ``` ### **SSH Configuration for Homelab** ```bash # ~/.ssh/config Host atlantis HostName atlantis.vish.local User vish IdentityFile ~/.ssh/homelab_ed25519 ServerAliveInterval 60 ServerAliveCountMax 3 ForwardAgent yes Compression yes Host calypso HostName calypso.vish.local User vish IdentityFile ~/.ssh/homelab_ed25519 ServerAliveInterval 60 ServerAliveCountMax 3 ForwardAgent yes Compression yes Host homelab-vm HostName homelab-vm.vish.local User vish IdentityFile ~/.ssh/homelab_ed25519 ServerAliveInterval 60 ServerAliveCountMax 3 ForwardAgent yes Compression yes Host *.vish.local User vish IdentityFile ~/.ssh/homelab_ed25519 ServerAliveInterval 60 ServerAliveCountMax 3 ForwardAgent yes Compression yes StrictHostKeyChecking accept-new ``` ### **Secure Key Storage** ```bash # Encrypt SSH keys for travel gpg --cipher-algo AES256 --compress-algo 1 --s2k-mode 3 \ --s2k-digest-algo SHA512 --s2k-count 65536 --symmetric \ --output ~/.ssh/homelab_ed25519.gpg ~/.ssh/homelab_ed25519 # Decrypt when needed gpg --decrypt ~/.ssh/homelab_ed25519.gpg > ~/.ssh/homelab_ed25519 chmod 600 ~/.ssh/homelab_ed25519 ssh-add ~/.ssh/homelab_ed25519 # Secure delete original after encryption shred -vfz -n 3 ~/.ssh/homelab_ed25519 ``` --- ## đŸ–Ĩī¸ Development Environment Setup ### **VS Code Remote Development** ```bash # Install VS Code extensions code --install-extension ms-vscode-remote.remote-ssh code --install-extension ms-vscode-remote.remote-containers # Configure remote development # File: ~/.vscode/settings.json { "remote.SSH.remotePlatform": { "homelab-vm.vish.local": "linux", "atlantis.vish.local": "linux", "concord-nuc.vish.local": "linux" }, "remote.SSH.configFile": "~/.ssh/config", "remote.SSH.enableAgentForwarding": true } # Connect to remote development environment code --remote ssh-remote+homelab-vm.vish.local /home/vish/projects ``` ### **Terminal Multiplexer (tmux/screen)** ```bash # Install tmux on homelab servers ssh atlantis.vish.local 'sudo apt install tmux' ssh homelab-vm.vish.local 'sudo apt install tmux' # Create persistent development sessions ssh homelab-vm.vish.local tmux new-session -d -s development tmux new-session -d -s monitoring tmux new-session -d -s admin # Reconnect to sessions from laptop ssh homelab-vm.vish.local -t tmux attach-session -t development ``` ### **Docker Development** ```bash # Use Docker on homelab servers remotely export DOCKER_HOST="ssh://vish@homelab-vm.vish.local" # Run containers on remote host docker run -it --rm ubuntu:latest bash docker-compose -f ~/mounts/projects/myapp/docker-compose.yml up -d # Build images on remote host docker build -t myapp ~/mounts/projects/myapp/ ``` --- ## 📱 Mobile Companion Setup ### **Mobile Apps for Homelab Access** ```bash # Essential mobile apps: # VPN & Network - Tailscale (primary VPN) - WireGuard (backup VPN) - Network Analyzer (troubleshooting) # Remote Access - Termius (SSH client) - RDP Client (Windows remote desktop) - VNC Viewer (Linux desktop access) # File Access - Solid Explorer (Android file manager with SFTP) - Documents (iOS file manager with SSH) - Syncthing (file synchronization) # Services - Bitwarden (password manager) - Plex/Jellyfin (media streaming) - Home Assistant (smart home control) ``` ### **Mobile Hotspot Configuration** ```bash # Configure laptop to use mobile hotspot when needed # Network Manager configuration for automatic connection # Create hotspot profile nmcli connection add type wifi ifname wlan0 con-name "Mobile-Hotspot" \ autoconnect yes ssid "YourPhone-Hotspot" nmcli connection modify "Mobile-Hotspot" wifi-sec.key-mgmt wpa-psk nmcli connection modify "Mobile-Hotspot" wifi-sec.psk "hotspot-password" # Set priority (lower number = higher priority) nmcli connection modify "Mobile-Hotspot" connection.autoconnect-priority 10 ``` --- ## 🔒 Security Hardening for Travel ### **Full Disk Encryption** ```bash # Ubuntu/Debian - Enable during installation or: sudo cryptsetup luksFormat /dev/sdX sudo cryptsetup luksOpen /dev/sdX encrypted_disk # macOS - Enable FileVault sudo fdesetup enable # Windows - Enable BitLocker manage-bde -on C: -REDACTED_APP_PASSWORD ``` ### **Firewall Configuration** ```bash # Ubuntu/Debian UFW sudo ufw enable sudo ufw default deny incoming sudo ufw default allow outgoing # Allow only Tailscale traffic sudo ufw allow in on tailscale0 sudo ufw allow out on tailscale0 # Block all other VPN interfaces sudo ufw deny in on tun0 sudo ufw deny in on wg0 ``` ### **Auto-lock and Security** ```bash # Linux - Auto-lock after 5 minutes gsettings set org.gnome.desktop.screensaver lock-delay 300 gsettings set org.gnome.desktop.screensaver lock-enabled true # Require password immediately after lock gsettings set org.gnome.desktop.screensaver lock-delay 0 # Auto-suspend after 30 minutes gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-timeout 1800 ``` ### **Remote Wipe Capability** ```bash # Install remote wipe tools sudo apt install openssh-server fail2ban # Create remote wipe script sudo tee /usr/local/bin/emergency-wipe.sh << 'EOF' #!/bin/bash # Emergency laptop wipe script # Trigger via SSH: ssh laptop.tailscale "sudo /usr/local/bin/emergency-wipe.sh" echo "🚨 EMERGENCY WIPE INITIATED" logger "Emergency wipe initiated from $(who am i)" # Unmount all SSHFS mounts fusermount -u /home/*/mounts/* 2>/dev/null || true # Clear SSH keys and known hosts rm -rf /home/*/.ssh/id_* /home/*/.ssh/known_hosts # Clear browser data rm -rf /home/*/.mozilla/firefox/*/cookies.sqlite rm -rf /home/*/.config/google-chrome/Default/Cookies rm -rf /home/*/.config/chromium/Default/Cookies # Clear recent files and history rm -rf /home/*/.local/share/recently-used.xbel rm -rf /home/*/.bash_history /home/*/.zsh_history # Disconnect from Tailscale tailscale logout # Optional: Full disk wipe (DESTRUCTIVE!) # dd if=/dev/urandom of=/dev/sda bs=1M echo "đŸŽ¯ Emergency wipe complete" logger "Emergency wipe completed" EOF sudo chmod +x /usr/local/bin/emergency-wipe.sh ``` --- ## 🌍 Travel Workflow Examples ### **Coffee Shop Work Session** ```bash # 1. Connect to WiFi # 2. Start Tailscale tailscale up --exit-node=atlantis.vish.local # 3. Mount filesystems ~/scripts/mount-homelab.sh # 4. Start development environment code --remote ssh-remote+homelab-vm.vish.local ~/projects/current-project # 5. Open monitoring dashboards firefox https://atlantis.vish.local:3000 # Grafana firefox https://atlantis.vish.local:3001 # Uptime Kuma # 6. Work normally - all data stays on homelab ``` ### **Hotel Work Session** ```bash # 1. Connect to hotel WiFi (potentially untrusted) # 2. Immediately connect Tailscale with exit node tailscale up --exit-node=atlantis.vish.local --accept-dns=true # 3. Verify IP is masked curl ifconfig.me # Should show home IP # 4. Mount filesystems and work ~/scripts/mount-homelab.sh ``` ### **Airplane Work (Offline)** ```bash # 1. Before flight, sync critical files rsync -av atlantis.vish.local:/volume1/homes/vish/current-project/ ~/offline-work/ # 2. Work offline on local copy # 3. After landing, sync changes back rsync -av ~/offline-work/ atlantis.vish.local:/volume1/homes/vish/current-project/ # 4. Clean up local copy rm -rf ~/offline-work/ ``` --- ## 🔧 Troubleshooting Travel Issues ### **Tailscale Connection Problems** ```bash # Check Tailscale status tailscale status tailscale netcheck # Reset Tailscale connection sudo tailscale down sudo tailscale up --exit-node=atlantis.vish.local # Check routing ip route | grep tailscale ip route | grep 100.64 # Test connectivity to homelab ping atlantis.vish.local ping 192.168.1.100 ``` ### **SSHFS Mount Issues** ```bash # Check if mounts are stale df -h | grep fuse mountpoint ~/mounts/atlantis # Force unmount stale mounts fusermount -uz ~/mounts/atlantis # or sudo umount -f ~/mounts/atlantis # Remount with debug sshfs -d vish@atlantis.vish.local:/volume1/homes/vish ~/mounts/atlantis # Check SSH connectivity ssh -v atlantis.vish.local ``` ### **DNS Resolution Issues** ```bash # Check DNS settings cat /etc/resolv.conf systemd-resolve --status # Test DNS resolution nslookup atlantis.vish.local dig atlantis.vish.local # Force DNS through Tailscale tailscale up --exit-node=atlantis.vish.local --accept-dns=true ``` ### **Performance Issues** ```bash # Test network speed speedtest-cli # Test Tailscale performance iperf3 -c atlantis.vish.local # Check for packet loss ping -c 100 atlantis.vish.local | grep loss # Monitor network usage iftop -i tailscale0 ``` --- ## 📋 Travel Checklist ### **Pre-Travel Setup** ```bash ☐ Tailscale installed and configured ☐ Exit node (Atlantis) configured and tested ☐ SSH keys encrypted and backed up ☐ Mount scripts tested and working ☐ Remote wipe script configured ☐ Full disk encryption enabled ☐ Firewall configured for travel ☐ Mobile apps installed and configured ☐ Emergency contact information accessible ☐ Backup authentication methods available ``` ### **Daily Travel Routine** ```bash ☐ Connect to Tailscale immediately after WiFi ☐ Verify exit node is active (check IP) ☐ Mount homelab filesystems ☐ Check homelab service status ☐ Work with remote-only data ☐ Unmount filesystems before sleep/shutdown ☐ Log out of sensitive services ☐ Clear browser cache/history if needed ``` ### **Post-Travel Security** ```bash ☐ Review travel access logs ☐ Change passwords if compromise suspected ☐ Update SSH keys if needed ☐ Review and clean up local files ☐ Update travel procedures based on experience ☐ Backup any new configurations ☐ Document any issues encountered ``` --- ## 🔗 Related Documentation - [📱 Mobile Device Setup](mobile-device-setup.md) - **NEW!** iOS, Android, macOS, Linux Tailscale configuration - [Tailscale Setup Guide](tailscale-setup-guide.md) - Complete Tailscale configuration - [Ubiquiti Enterprise Setup](ubiquiti-enterprise-setup.md) - Enterprise networking for advanced setups - [Kubernetes Cluster Setup](kubernetes-cluster-setup.md) - Remote access to Kubernetes services - [Disaster Recovery Guide](../troubleshooting/disaster-recovery.md) - Emergency procedures - [Offline Password Access](../troubleshooting/offline-password-access.md) - Password management while traveling - [Security Model](security.md) - Overall security architecture --- **💡 Pro Tip**: Practice your travel setup at home first! Test all mounting, VPN, and remote access procedures on your home network before traveling. This ensures everything works smoothly when you're away from your homelab.