Vish/homelab-optimized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5cdf36e5453f1ffe2bb74f50e164cfcae00ee072
homelab-optimized/docs/infrastructure/laptop-travel-setup.md
Gitea Mirror Bot 5cdf36e545
Some checks failed
Documentation / Deploy to GitHub Pages (push) Has been cancelled
Details
Documentation / Build Docusaurus (push) Has been cancelled
Details
Sanitized mirror from private repository - 2026-04-05 12:11:15 UTC
2026-04-05 12:11:15 +00:00

723 lines
18 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# 💻 Laptop Travel Setup Guide
**🟡 Intermediate Guide**
This guide covers setting up your laptop for secure travel with full homelab access, including Tailscale VPN tunneling through Atlantis for IP privacy, remote filesystem mounting, and zero-local-storage security practices.
## 🎯 Travel Security Philosophy
### **Zero Trust Laptop Model**
- **No critical data stored locally** - Everything mounted from homelab
- **Encrypted disk** - Full disk encryption for physical security
- **VPN-only access** - All traffic routed through homelab
- **Disposable mindset** - Laptop loss/theft has minimal impact
- **Remote wipe capability** - Can be wiped remotely if compromised
---
## 🌐 Tailscale Travel Configuration
### **Step 1: Install Tailscale on Laptop**
#### **Linux (Ubuntu/Debian)**
```bash
# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
# Connect to your tailnet
sudo tailscale up
# Verify connection
tailscale status
tailscale ip -4
```
#### **macOS**
```bash
# Install via Homebrew
brew install --cask tailscale
# Or download from: https://tailscale.com/download/mac
# Launch Tailscale and sign in to your tailnet
```
#### **Windows**
```bash
# Download from: https://tailscale.com/download/windows
# Install and sign in to your tailnet
# Run as administrator for best performance
```
### **Step 2: Configure Exit Node (Atlantis)**
#### **On Atlantis (Exit Node Setup)**
```bash
# Enable IP forwarding
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# Advertise as exit node
sudo tailscale up --advertise-exit-node
# Verify exit node status
tailscale status
```
#### **On Laptop (Use Exit Node)**
```bash
# Use Atlantis as exit node for all traffic
tailscale up --exit-node=atlantis.vish.local
# Verify your public IP is now Atlantis
curl ifconfig.me
# Should show your home IP, not travel location IP
# Check routing
tailscale status
ip route | grep 100.64
```
### **Step 3: Advanced Tailscale Configuration**
#### **Laptop-Specific Settings**
```bash
# Enable key expiry for security
tailscale up --exit-node=atlantis.vish.local --auth-key=[auth-key] --timeout=24h
# Configure DNS to use homelab Pi-hole
tailscale up --exit-node=atlantis.vish.local --accept-dns=true
# Disable key expiry warnings (optional)
tailscale set --auto-update
```
#### **Split Tunneling (Advanced)**
```bash
# Route only specific traffic through exit node
# Create custom routing rules
# Route homelab traffic through Tailscale
sudo ip route add 192.168.1.0/24 via $(tailscale ip -4) dev tailscale0
# Route specific services through exit node
sudo ip route add 0.0.0.0/0 via $(tailscale ip -4 atlantis) dev tailscale0 table 100
sudo ip rule add from $(tailscale ip -4) table 100
```
---
## 📁 Remote Filesystem Mounting
### **SSHFS Setup (Recommended)**
#### **Install SSHFS**
```bash
# Ubuntu/Debian
sudo apt install sshfs
# macOS
brew install macfuse sshfs
# Windows (WSL)
sudo apt install sshfs
```
#### **Mount Homelab Filesystems**
```bash
# Create mount points
mkdir -p ~/mounts/{atlantis,calypso,homelab-vm,projects,documents}
# Mount Atlantis (Primary NAS)
sshfs vish@atlantis.vish.local:/volume1/homes/vish ~/mounts/atlantis \
-o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3,follow_symlinks
# Mount Calypso (Media NAS)
sshfs vish@calypso.vish.local:/volume1/media ~/mounts/calypso \
-o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3
# Mount Homelab VM (Development)
sshfs vish@homelab-vm.vish.local:/home/vish/projects ~/mounts/projects \
-o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3
# Mount Documents (Secure storage)
sshfs vish@atlantis.vish.local:/volume1/documents ~/mounts/documents \
-o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3
```
#### **Automated Mounting Script**
```bash
#!/bin/bash
# ~/scripts/mount-homelab.sh
set -e
MOUNTS_DIR="$HOME/mounts"
LOG_FILE="$HOME/.homelab-mounts.log"
log() {
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE"
}
mount_fs() {
local name="$1"
local remote="$2"
local local_path="$3"
local options="$4"
if mountpoint -q "$local_path"; then
log "$name already mounted"
return 0
fi
mkdir -p "$local_path"
if sshfs "$remote" "$local_path" -o "$options"; then
log "✅ Mounted $name: $remote -> $local_path"
else
log "❌ Failed to mount $name"
return 1
fi
}
# Check Tailscale connectivity
if ! tailscale status >/dev/null 2>&1; then
log "❌ Tailscale not connected"
exit 1
fi
log "🚀 Starting homelab filesystem mounting..."
# Default SSHFS options
OPTS="reconnect,ServerAliveInterval=15,ServerAliveCountMax=3,follow_symlinks,cache=yes,compression=yes"
# Mount all filesystems
mount_fs "Atlantis Home" "vish@atlantis.vish.local:/volume1/homes/vish" "$MOUNTS_DIR/atlantis" "$OPTS"
mount_fs "Calypso Media" "vish@calypso.vish.local:/volume1/media" "$MOUNTS_DIR/calypso" "$OPTS"
mount_fs "Projects" "vish@homelab-vm.vish.local:/home/vish/projects" "$MOUNTS_DIR/projects" "$OPTS"
mount_fs "Documents" "vish@atlantis.vish.local:/volume1/documents" "$MOUNTS_DIR/documents" "$OPTS"
mount_fs "Backups" "vish@anubis.vish.local:/volume1/backups" "$MOUNTS_DIR/backups" "$OPTS"
log "🎯 Homelab mounting complete"
# Create convenient symlinks
ln -sf "$MOUNTS_DIR/projects" "$HOME/Projects"
ln -sf "$MOUNTS_DIR/documents" "$HOME/Documents"
ln -sf "$MOUNTS_DIR/atlantis/Desktop" "$HOME/Desktop-Remote"
ln -sf "$MOUNTS_DIR/calypso/Photos" "$HOME/Photos"
ln -sf "$MOUNTS_DIR/calypso/Movies" "$HOME/Movies"
log "🔗 Symlinks created"
```
#### **Unmounting Script**
```bash
#!/bin/bash
# ~/scripts/unmount-homelab.sh
MOUNTS_DIR="$HOME/mounts"
unmount_fs() {
local path="$1"
local name="$2"
if mountpoint -q "$path"; then
if fusermount -u "$path" 2>/dev/null || umount "$path" 2>/dev/null; then
echo "✅ Unmounted $name"
else
echo "❌ Failed to unmount $name"
return 1
fi
else
echo " $name not mounted"
fi
}
echo "🔄 Unmounting homelab filesystems..."
unmount_fs "$MOUNTS_DIR/atlantis" "Atlantis"
unmount_fs "$MOUNTS_DIR/calypso" "Calypso"
unmount_fs "$MOUNTS_DIR/projects" "Projects"
unmount_fs "$MOUNTS_DIR/documents" "Documents"
unmount_fs "$MOUNTS_DIR/backups" "Backups"
# Remove symlinks
rm -f "$HOME/Projects" "$HOME/Documents" "$HOME/Desktop-Remote" "$HOME/Photos" "$HOME/Movies"
echo "🎯 Unmounting complete"
```
### **NFS Setup (Alternative)**
#### **On Homelab Servers (NFS Server)**
```bash
# Install NFS server (on Atlantis/Calypso)
sudo apt install nfs-kernel-server
# Configure exports
sudo tee /etc/exports << 'EOF'
/volume1/homes/vish 100.64.0.0/10(rw,sync,no_subtree_check,no_root_squash)
/volume1/documents 100.64.0.0/10(rw,sync,no_subtree_check,no_root_squash)
/volume1/media 100.64.0.0/10(ro,sync,no_subtree_check)
EOF
# Apply exports
sudo exportfs -ra
sudo systemctl restart nfs-kernel-server
# Check exports
sudo exportfs -v
```
#### **On Laptop (NFS Client)**
```bash
# Install NFS client
sudo apt install nfs-common
# Mount NFS shares
sudo mount -t nfs atlantis.vish.local:/volume1/homes/vish ~/mounts/atlantis
sudo mount -t nfs calypso.vish.local:/volume1/media ~/mounts/calypso
# Add to /etc/fstab for automatic mounting
echo "atlantis.vish.local:/volume1/homes/vish $HOME/mounts/atlantis nfs defaults,user,noauto 0 0" | sudo tee -a /etc/fstab
```
---
## 🔐 SSH Key Management for Travel
### **SSH Agent Setup**
```bash
# Start SSH agent
eval "$(ssh-agent -s)"
# Add homelab keys
ssh-add ~/.ssh/homelab_ed25519
ssh-add ~/.ssh/atlantis_ed25519
ssh-add ~/.ssh/servers_ed25519
# List loaded keys
ssh-add -l
# Configure SSH agent forwarding
echo "ForwardAgent yes" >> ~/.ssh/config
```
### **SSH Configuration for Homelab**
```bash
# ~/.ssh/config
Host atlantis
HostName atlantis.vish.local
User vish
IdentityFile ~/.ssh/homelab_ed25519
ServerAliveInterval 60
ServerAliveCountMax 3
ForwardAgent yes
Compression yes
Host calypso
HostName calypso.vish.local
User vish
IdentityFile ~/.ssh/homelab_ed25519
ServerAliveInterval 60
ServerAliveCountMax 3
ForwardAgent yes
Compression yes
Host homelab-vm
HostName homelab-vm.vish.local
User vish
IdentityFile ~/.ssh/homelab_ed25519
ServerAliveInterval 60
ServerAliveCountMax 3
ForwardAgent yes
Compression yes
Host *.vish.local
User vish
IdentityFile ~/.ssh/homelab_ed25519
ServerAliveInterval 60
ServerAliveCountMax 3
ForwardAgent yes
Compression yes
StrictHostKeyChecking accept-new
```
### **Secure Key Storage**
```bash
# Encrypt SSH keys for travel
gpg --cipher-algo AES256 --compress-algo 1 --s2k-mode 3 \
--s2k-digest-algo SHA512 --s2k-count 65536 --symmetric \
--output ~/.ssh/homelab_ed25519.gpg ~/.ssh/homelab_ed25519
# Decrypt when needed
gpg --decrypt ~/.ssh/homelab_ed25519.gpg > ~/.ssh/homelab_ed25519
chmod 600 ~/.ssh/homelab_ed25519
ssh-add ~/.ssh/homelab_ed25519
# Secure delete original after encryption
shred -vfz -n 3 ~/.ssh/homelab_ed25519
```
---
## 🖥️ Development Environment Setup
### **VS Code Remote Development**
```bash
# Install VS Code extensions
code --install-extension ms-vscode-remote.remote-ssh
code --install-extension ms-vscode-remote.remote-containers
# Configure remote development
# File: ~/.vscode/settings.json
{
"remote.SSH.remotePlatform": {
"homelab-vm.vish.local": "linux",
"atlantis.vish.local": "linux",
"concord-nuc.vish.local": "linux"
},
"remote.SSH.configFile": "~/.ssh/config",
"remote.SSH.enableAgentForwarding": true
}
# Connect to remote development environment
code --remote ssh-remote+homelab-vm.vish.local /home/vish/projects
```
### **Terminal Multiplexer (tmux/screen)**
```bash
# Install tmux on homelab servers
ssh atlantis.vish.local 'sudo apt install tmux'
ssh homelab-vm.vish.local 'sudo apt install tmux'
# Create persistent development sessions
ssh homelab-vm.vish.local
tmux new-session -d -s development
tmux new-session -d -s monitoring
tmux new-session -d -s admin
# Reconnect to sessions from laptop
ssh homelab-vm.vish.local -t tmux attach-session -t development
```
### **Docker Development**
```bash
# Use Docker on homelab servers remotely
export DOCKER_HOST="ssh://vish@homelab-vm.vish.local"
# Run containers on remote host
docker run -it --rm ubuntu:latest bash
docker-compose -f ~/mounts/projects/myapp/docker-compose.yml up -d
# Build images on remote host
docker build -t myapp ~/mounts/projects/myapp/
```
---
## 📱 Mobile Companion Setup
### **Mobile Apps for Homelab Access**
```bash
# Essential mobile apps:
# VPN & Network
- Tailscale (primary VPN)
- WireGuard (backup VPN)
- Network Analyzer (troubleshooting)
# Remote Access
- Termius (SSH client)
- RDP Client (Windows remote desktop)
- VNC Viewer (Linux desktop access)
# File Access
- Solid Explorer (Android file manager with SFTP)
- Documents (iOS file manager with SSH)
- Syncthing (file synchronization)
# Services
- Bitwarden (password manager)
- Plex/Jellyfin (media streaming)
- Home Assistant (smart home control)
```
### **Mobile Hotspot Configuration**
```bash
# Configure laptop to use mobile hotspot when needed
# Network Manager configuration for automatic connection
# Create hotspot profile
nmcli connection add type wifi ifname wlan0 con-name "Mobile-Hotspot" \
autoconnect yes ssid "YourPhone-Hotspot"
nmcli connection modify "Mobile-Hotspot" wifi-sec.key-mgmt wpa-psk
nmcli connection modify "Mobile-Hotspot" wifi-sec.psk "hotspot-password"
# Set priority (lower number = higher priority)
nmcli connection modify "Mobile-Hotspot" connection.autoconnect-priority 10
```
---
## 🔒 Security Hardening for Travel
### **Full Disk Encryption**
```bash
# Ubuntu/Debian - Enable during installation or:
sudo cryptsetup luksFormat /dev/sdX
sudo cryptsetup luksOpen /dev/sdX encrypted_disk
# macOS - Enable FileVault
sudo fdesetup enable
# Windows - Enable BitLocker
manage-bde -on C: -REDACTED_APP_PASSWORD
```
### **Firewall Configuration**
```bash
# Ubuntu/Debian UFW
sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow only Tailscale traffic
sudo ufw allow in on tailscale0
sudo ufw allow out on tailscale0
# Block all other VPN interfaces
sudo ufw deny in on tun0
sudo ufw deny in on wg0
```
### **Auto-lock and Security**
```bash
# Linux - Auto-lock after 5 minutes
gsettings set org.gnome.desktop.screensaver lock-delay 300
gsettings set org.gnome.desktop.screensaver lock-enabled true
# Require password immediately after lock
gsettings set org.gnome.desktop.screensaver lock-delay 0
# Auto-suspend after 30 minutes
gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-timeout 1800
```
### **Remote Wipe Capability**
```bash
# Install remote wipe tools
sudo apt install openssh-server fail2ban
# Create remote wipe script
sudo tee /usr/local/bin/emergency-wipe.sh << 'EOF'
#!/bin/bash
# Emergency laptop wipe script
# Trigger via SSH: ssh laptop.tailscale "sudo /usr/local/bin/emergency-wipe.sh"
echo "🚨 EMERGENCY WIPE INITIATED"
logger "Emergency wipe initiated from $(who am i)"
# Unmount all SSHFS mounts
fusermount -u /home/*/mounts/* 2>/dev/null || true
# Clear SSH keys and known hosts
rm -rf /home/*/.ssh/id_* /home/*/.ssh/known_hosts
# Clear browser data
rm -rf /home/*/.mozilla/firefox/*/cookies.sqlite
rm -rf /home/*/.config/google-chrome/Default/Cookies
rm -rf /home/*/.config/chromium/Default/Cookies
# Clear recent files and history
rm -rf /home/*/.local/share/recently-used.xbel
rm -rf /home/*/.bash_history /home/*/.zsh_history
# Disconnect from Tailscale
tailscale logout
# Optional: Full disk wipe (DESTRUCTIVE!)
# dd if=/dev/urandom of=/dev/sda bs=1M
echo "🎯 Emergency wipe complete"
logger "Emergency wipe completed"
EOF
sudo chmod +x /usr/local/bin/emergency-wipe.sh
```
---
## 🌍 Travel Workflow Examples
### **Coffee Shop Work Session**
```bash
# 1. Connect to WiFi
# 2. Start Tailscale
tailscale up --exit-node=atlantis.vish.local
# 3. Mount filesystems
~/scripts/mount-homelab.sh
# 4. Start development environment
code --remote ssh-remote+homelab-vm.vish.local ~/projects/current-project
# 5. Open monitoring dashboards
firefox https://atlantis.vish.local:3000 # Grafana
firefox https://atlantis.vish.local:3001 # Uptime Kuma
# 6. Work normally - all data stays on homelab
```
### **Hotel Work Session**
```bash
# 1. Connect to hotel WiFi (potentially untrusted)
# 2. Immediately connect Tailscale with exit node
tailscale up --exit-node=atlantis.vish.local --accept-dns=true
# 3. Verify IP is masked
curl ifconfig.me # Should show home IP
# 4. Mount filesystems and work
~/scripts/mount-homelab.sh
```
### **Airplane Work (Offline)**
```bash
# 1. Before flight, sync critical files
rsync -av atlantis.vish.local:/volume1/homes/vish/current-project/ ~/offline-work/
# 2. Work offline on local copy
# 3. After landing, sync changes back
rsync -av ~/offline-work/ atlantis.vish.local:/volume1/homes/vish/current-project/
# 4. Clean up local copy
rm -rf ~/offline-work/
```
---
## 🔧 Troubleshooting Travel Issues
### **Tailscale Connection Problems**
```bash
# Check Tailscale status
tailscale status
tailscale netcheck
# Reset Tailscale connection
sudo tailscale down
sudo tailscale up --exit-node=atlantis.vish.local
# Check routing
ip route | grep tailscale
ip route | grep 100.64
# Test connectivity to homelab
ping atlantis.vish.local
ping 192.168.1.100
```
### **SSHFS Mount Issues**
```bash
# Check if mounts are stale
df -h | grep fuse
mountpoint ~/mounts/atlantis
# Force unmount stale mounts
fusermount -uz ~/mounts/atlantis
# or
sudo umount -f ~/mounts/atlantis
# Remount with debug
sshfs -d vish@atlantis.vish.local:/volume1/homes/vish ~/mounts/atlantis
# Check SSH connectivity
ssh -v atlantis.vish.local
```
### **DNS Resolution Issues**
```bash
# Check DNS settings
cat /etc/resolv.conf
systemd-resolve --status
# Test DNS resolution
nslookup atlantis.vish.local
dig atlantis.vish.local
# Force DNS through Tailscale
tailscale up --exit-node=atlantis.vish.local --accept-dns=true
```
### **Performance Issues**
```bash
# Test network speed
speedtest-cli
# Test Tailscale performance
iperf3 -c atlantis.vish.local
# Check for packet loss
ping -c 100 atlantis.vish.local | grep loss
# Monitor network usage
iftop -i tailscale0
```
---
## 📋 Travel Checklist
### **Pre-Travel Setup**
```bash
☐ Tailscale installed and configured
☐ Exit node (Atlantis) configured and tested
☐ SSH keys encrypted and backed up
☐ Mount scripts tested and working
☐ Remote wipe script configured
☐ Full disk encryption enabled
☐ Firewall configured for travel
☐ Mobile apps installed and configured
☐ Emergency contact information accessible
☐ Backup authentication methods available
```
### **Daily Travel Routine**
```bash
☐ Connect to Tailscale immediately after WiFi
☐ Verify exit node is active (check IP)
☐ Mount homelab filesystems
☐ Check homelab service status
☐ Work with remote-only data
☐ Unmount filesystems before sleep/shutdown
☐ Log out of sensitive services
☐ Clear browser cache/history if needed
```
### **Post-Travel Security**
```bash
☐ Review travel access logs
☐ Change passwords if compromise suspected
☐ Update SSH keys if needed
☐ Review and clean up local files
☐ Update travel procedures based on experience
☐ Backup any new configurations
☐ Document any issues encountered
```
---
## 🔗 Related Documentation
- [📱 Mobile Device Setup](mobile-device-setup.md) - **NEW!** iOS, Android, macOS, Linux Tailscale configuration
- [Tailscale Setup Guide](tailscale-setup-guide.md) - Complete Tailscale configuration
- [Ubiquiti Enterprise Setup](ubiquiti-enterprise-setup.md) - Enterprise networking for advanced setups
- [Kubernetes Cluster Setup](kubernetes-cluster-setup.md) - Remote access to Kubernetes services
- [Disaster Recovery Guide](../troubleshooting/disaster-recovery.md) - Emergency procedures
- [Offline Password Access](../troubleshooting/offline-password-access.md) - Password management while traveling
- [Security Model](security.md) - Overall security architecture
---
**💡 Pro Tip**: Practice your travel setup at home first! Test all mounting, VPN, and remote access procedures on your home network before traveling. This ensures everything works smoothly when you're away from your homelab.
Reference in New Issue View Git Blame Copy Permalink