homelab-optimized/docs/infrastructure/laptop-travel-setup.md

💻 Laptop Travel Setup Guide

🟡 Intermediate Guide

This guide covers setting up your laptop for secure travel with full homelab access, including Tailscale VPN tunneling through Atlantis for IP privacy, remote filesystem mounting, and zero-local-storage security practices.

🎯 Travel Security Philosophy

Zero Trust Laptop Model

• No critical data stored locally - Everything mounted from homelab
• Encrypted disk - Full disk encryption for physical security
• VPN-only access - All traffic routed through homelab
• Disposable mindset - Laptop loss/theft has minimal impact
• Remote wipe capability - Can be wiped remotely if compromised

---

🌐 Tailscale Travel Configuration

Step 1: Install Tailscale on Laptop

Linux (Ubuntu/Debian)

# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh

# Connect to your tailnet
sudo tailscale up

# Verify connection
tailscale status
tailscale ip -4

macOS

# Install via Homebrew
brew install --cask tailscale

# Or download from: https://tailscale.com/download/mac
# Launch Tailscale and sign in to your tailnet

Windows

# Download from: https://tailscale.com/download/windows
# Install and sign in to your tailnet
# Run as administrator for best performance

Step 2: Configure Exit Node (Atlantis)

On Atlantis (Exit Node Setup)

# Enable IP forwarding
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

# Advertise as exit node
sudo tailscale up --advertise-exit-node

# Verify exit node status
tailscale status

On Laptop (Use Exit Node)

# Use Atlantis as exit node for all traffic
tailscale up --exit-node=atlantis.vish.local

# Verify your public IP is now Atlantis
curl ifconfig.me
# Should show your home IP, not travel location IP

# Check routing
tailscale status
ip route | grep 100.64

Step 3: Advanced Tailscale Configuration

Laptop-Specific Settings

# Enable key expiry for security
tailscale up --exit-node=atlantis.vish.local --auth-key=[auth-key] --timeout=24h

# Configure DNS to use homelab Pi-hole
tailscale up --exit-node=atlantis.vish.local --accept-dns=true

# Disable key expiry warnings (optional)
tailscale set --auto-update

Split Tunneling (Advanced)

# Route only specific traffic through exit node
# Create custom routing rules

# Route homelab traffic through Tailscale
sudo ip route add 192.168.1.0/24 via $(tailscale ip -4) dev tailscale0

# Route specific services through exit node
sudo ip route add 0.0.0.0/0 via $(tailscale ip -4 atlantis) dev tailscale0 table 100
sudo ip rule add from $(tailscale ip -4) table 100

---

📁 Remote Filesystem Mounting

SSHFS Setup (Recommended)

Install SSHFS

# Ubuntu/Debian
sudo apt install sshfs

# macOS
brew install macfuse sshfs

# Windows (WSL)
sudo apt install sshfs

Mount Homelab Filesystems

# Create mount points
mkdir -p ~/mounts/{atlantis,calypso,homelab-vm,projects,documents}

# Mount Atlantis (Primary NAS)
sshfs vish@atlantis.vish.local:/volume1/homes/vish ~/mounts/atlantis \
    -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3,follow_symlinks

# Mount Calypso (Media NAS)
sshfs vish@calypso.vish.local:/volume1/media ~/mounts/calypso \
    -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3

# Mount Homelab VM (Development)
sshfs vish@homelab-vm.vish.local:/home/vish/projects ~/mounts/projects \
    -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3

# Mount Documents (Secure storage)
sshfs vish@atlantis.vish.local:/volume1/documents ~/mounts/documents \
    -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3

Automated Mounting Script

#!/bin/bash
# ~/scripts/mount-homelab.sh

set -e

MOUNTS_DIR="$HOME/mounts"
LOG_FILE="$HOME/.homelab-mounts.log"

log() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE"
}

mount_fs() {
    local name="$1"
    local remote="$2"
    local local_path="$3"
    local options="$4"
    
    if mountpoint -q "$local_path"; then
        log "✅ $name already mounted"
        return 0
    fi
    
    mkdir -p "$local_path"
    
    if sshfs "$remote" "$local_path" -o "$options"; then
        log "✅ Mounted $name: $remote -> $local_path"
    else
        log "❌ Failed to mount $name"
        return 1
    fi
}

# Check Tailscale connectivity
if ! tailscale status >/dev/null 2>&1; then
    log "❌ Tailscale not connected"
    exit 1
fi

log "🚀 Starting homelab filesystem mounting..."

# Default SSHFS options
OPTS="reconnect,ServerAliveInterval=15,ServerAliveCountMax=3,follow_symlinks,cache=yes,compression=yes"

# Mount all filesystems
mount_fs "Atlantis Home" "vish@atlantis.vish.local:/volume1/homes/vish" "$MOUNTS_DIR/atlantis" "$OPTS"
mount_fs "Calypso Media" "vish@calypso.vish.local:/volume1/media" "$MOUNTS_DIR/calypso" "$OPTS"
mount_fs "Projects" "vish@homelab-vm.vish.local:/home/vish/projects" "$MOUNTS_DIR/projects" "$OPTS"
mount_fs "Documents" "vish@atlantis.vish.local:/volume1/documents" "$MOUNTS_DIR/documents" "$OPTS"
mount_fs "Backups" "vish@anubis.vish.local:/volume1/backups" "$MOUNTS_DIR/backups" "$OPTS"

log "🎯 Homelab mounting complete"

# Create convenient symlinks
ln -sf "$MOUNTS_DIR/projects" "$HOME/Projects"
ln -sf "$MOUNTS_DIR/documents" "$HOME/Documents"
ln -sf "$MOUNTS_DIR/atlantis/Desktop" "$HOME/Desktop-Remote"
ln -sf "$MOUNTS_DIR/calypso/Photos" "$HOME/Photos"
ln -sf "$MOUNTS_DIR/calypso/Movies" "$HOME/Movies"

log "🔗 Symlinks created"

Unmounting Script

#!/bin/bash
# ~/scripts/unmount-homelab.sh

MOUNTS_DIR="$HOME/mounts"

unmount_fs() {
    local path="$1"
    local name="$2"
    
    if mountpoint -q "$path"; then
        if fusermount -u "$path" 2>/dev/null || umount "$path" 2>/dev/null; then
            echo "✅ Unmounted $name"
        else
            echo "❌ Failed to unmount $name"
            return 1
        fi
    else
        echo "ℹ️  $name not mounted"
    fi
}

echo "🔄 Unmounting homelab filesystems..."

unmount_fs "$MOUNTS_DIR/atlantis" "Atlantis"
unmount_fs "$MOUNTS_DIR/calypso" "Calypso"
unmount_fs "$MOUNTS_DIR/projects" "Projects"
unmount_fs "$MOUNTS_DIR/documents" "Documents"
unmount_fs "$MOUNTS_DIR/backups" "Backups"

# Remove symlinks
rm -f "$HOME/Projects" "$HOME/Documents" "$HOME/Desktop-Remote" "$HOME/Photos" "$HOME/Movies"

echo "🎯 Unmounting complete"

NFS Setup (Alternative)

On Homelab Servers (NFS Server)

# Install NFS server (on Atlantis/Calypso)
sudo apt install nfs-kernel-server

# Configure exports
sudo tee /etc/exports << 'EOF'
/volume1/homes/vish 100.64.0.0/10(rw,sync,no_subtree_check,no_root_squash)
/volume1/documents 100.64.0.0/10(rw,sync,no_subtree_check,no_root_squash)
/volume1/media 100.64.0.0/10(ro,sync,no_subtree_check)
EOF

# Apply exports
sudo exportfs -ra
sudo systemctl restart nfs-kernel-server

# Check exports
sudo exportfs -v

On Laptop (NFS Client)

# Install NFS client
sudo apt install nfs-common

# Mount NFS shares
sudo mount -t nfs atlantis.vish.local:/volume1/homes/vish ~/mounts/atlantis
sudo mount -t nfs calypso.vish.local:/volume1/media ~/mounts/calypso

# Add to /etc/fstab for automatic mounting
echo "atlantis.vish.local:/volume1/homes/vish $HOME/mounts/atlantis nfs defaults,user,noauto 0 0" | sudo tee -a /etc/fstab

---

🔐 SSH Key Management for Travel

SSH Agent Setup

# Start SSH agent
eval "$(ssh-agent -s)"

# Add homelab keys
ssh-add ~/.ssh/homelab_ed25519
ssh-add ~/.ssh/atlantis_ed25519
ssh-add ~/.ssh/servers_ed25519

# List loaded keys
ssh-add -l

# Configure SSH agent forwarding
echo "ForwardAgent yes" >> ~/.ssh/config

SSH Configuration for Homelab

# ~/.ssh/config
Host atlantis
    HostName atlantis.vish.local
    User vish
    IdentityFile ~/.ssh/homelab_ed25519
    ServerAliveInterval 60
    ServerAliveCountMax 3
    ForwardAgent yes
    Compression yes

Host calypso
    HostName calypso.vish.local
    User vish
    IdentityFile ~/.ssh/homelab_ed25519
    ServerAliveInterval 60
    ServerAliveCountMax 3
    ForwardAgent yes
    Compression yes

Host homelab-vm
    HostName homelab-vm.vish.local
    User vish
    IdentityFile ~/.ssh/homelab_ed25519
    ServerAliveInterval 60
    ServerAliveCountMax 3
    ForwardAgent yes
    Compression yes

Host *.vish.local
    User vish
    IdentityFile ~/.ssh/homelab_ed25519
    ServerAliveInterval 60
    ServerAliveCountMax 3
    ForwardAgent yes
    Compression yes
    StrictHostKeyChecking accept-new

Secure Key Storage

# Encrypt SSH keys for travel
gpg --cipher-algo AES256 --compress-algo 1 --s2k-mode 3 \
    --s2k-digest-algo SHA512 --s2k-count 65536 --symmetric \
    --output ~/.ssh/homelab_ed25519.gpg ~/.ssh/homelab_ed25519

# Decrypt when needed
gpg --decrypt ~/.ssh/homelab_ed25519.gpg > ~/.ssh/homelab_ed25519
chmod 600 ~/.ssh/homelab_ed25519
ssh-add ~/.ssh/homelab_ed25519

# Secure delete original after encryption
shred -vfz -n 3 ~/.ssh/homelab_ed25519

---

🖥️ Development Environment Setup

VS Code Remote Development

# Install VS Code extensions
code --install-extension ms-vscode-remote.remote-ssh
code --install-extension ms-vscode-remote.remote-containers

# Configure remote development
# File: ~/.vscode/settings.json
{
    "remote.SSH.remotePlatform": {
        "homelab-vm.vish.local": "linux",
        "atlantis.vish.local": "linux",
        "concord-nuc.vish.local": "linux"
    },
    "remote.SSH.configFile": "~/.ssh/config",
    "remote.SSH.enableAgentForwarding": true
}

# Connect to remote development environment
code --remote ssh-remote+homelab-vm.vish.local /home/vish/projects

Terminal Multiplexer (tmux/screen)

# Install tmux on homelab servers
ssh atlantis.vish.local 'sudo apt install tmux'
ssh homelab-vm.vish.local 'sudo apt install tmux'

# Create persistent development sessions
ssh homelab-vm.vish.local
tmux new-session -d -s development
tmux new-session -d -s monitoring
tmux new-session -d -s admin

# Reconnect to sessions from laptop
ssh homelab-vm.vish.local -t tmux attach-session -t development

Docker Development

# Use Docker on homelab servers remotely
export DOCKER_HOST="ssh://vish@homelab-vm.vish.local"

# Run containers on remote host
docker run -it --rm ubuntu:latest bash
docker-compose -f ~/mounts/projects/myapp/docker-compose.yml up -d

# Build images on remote host
docker build -t myapp ~/mounts/projects/myapp/

---

📱 Mobile Companion Setup

Mobile Apps for Homelab Access

# Essential mobile apps:

# VPN & Network
- Tailscale (primary VPN)
- WireGuard (backup VPN)
- Network Analyzer (troubleshooting)

# Remote Access
- Termius (SSH client)
- RDP Client (Windows remote desktop)
- VNC Viewer (Linux desktop access)

# File Access
- Solid Explorer (Android file manager with SFTP)
- Documents (iOS file manager with SSH)
- Syncthing (file synchronization)

# Services
- Bitwarden (password manager)
- Plex/Jellyfin (media streaming)
- Home Assistant (smart home control)

Mobile Hotspot Configuration

# Configure laptop to use mobile hotspot when needed
# Network Manager configuration for automatic connection

# Create hotspot profile
nmcli connection add type wifi ifname wlan0 con-name "Mobile-Hotspot" \
    autoconnect yes ssid "YourPhone-Hotspot"
nmcli connection modify "Mobile-Hotspot" wifi-sec.key-mgmt wpa-psk
nmcli connection modify "Mobile-Hotspot" wifi-sec.psk "hotspot-password"

# Set priority (lower number = higher priority)
nmcli connection modify "Mobile-Hotspot" connection.autoconnect-priority 10

---

🔒 Security Hardening for Travel

Full Disk Encryption

# Ubuntu/Debian - Enable during installation or:
sudo cryptsetup luksFormat /dev/sdX
sudo cryptsetup luksOpen /dev/sdX encrypted_disk

# macOS - Enable FileVault
sudo fdesetup enable

# Windows - Enable BitLocker
manage-bde -on C: -REDACTED_APP_PASSWORD

Firewall Configuration

# Ubuntu/Debian UFW
sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow only Tailscale traffic
sudo ufw allow in on tailscale0
sudo ufw allow out on tailscale0

# Block all other VPN interfaces
sudo ufw deny in on tun0
sudo ufw deny in on wg0

Auto-lock and Security

# Linux - Auto-lock after 5 minutes
gsettings set org.gnome.desktop.screensaver lock-delay 300
gsettings set org.gnome.desktop.screensaver lock-enabled true

# Require password immediately after lock
gsettings set org.gnome.desktop.screensaver lock-delay 0

# Auto-suspend after 30 minutes
gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-timeout 1800

Remote Wipe Capability

# Install remote wipe tools
sudo apt install openssh-server fail2ban

# Create remote wipe script
sudo tee /usr/local/bin/emergency-wipe.sh << 'EOF'
#!/bin/bash
# Emergency laptop wipe script
# Trigger via SSH: ssh laptop.tailscale "sudo /usr/local/bin/emergency-wipe.sh"

echo "🚨 EMERGENCY WIPE INITIATED"
logger "Emergency wipe initiated from $(who am i)"

# Unmount all SSHFS mounts
fusermount -u /home/*/mounts/* 2>/dev/null || true

# Clear SSH keys and known hosts
rm -rf /home/*/.ssh/id_* /home/*/.ssh/known_hosts

# Clear browser data
rm -rf /home/*/.mozilla/firefox/*/cookies.sqlite
rm -rf /home/*/.config/google-chrome/Default/Cookies
rm -rf /home/*/.config/chromium/Default/Cookies

# Clear recent files and history
rm -rf /home/*/.local/share/recently-used.xbel
rm -rf /home/*/.bash_history /home/*/.zsh_history

# Disconnect from Tailscale
tailscale logout

# Optional: Full disk wipe (DESTRUCTIVE!)
# dd if=/dev/urandom of=/dev/sda bs=1M

echo "🎯 Emergency wipe complete"
logger "Emergency wipe completed"
EOF

sudo chmod +x /usr/local/bin/emergency-wipe.sh

---

🌍 Travel Workflow Examples

Coffee Shop Work Session

# 1. Connect to WiFi
# 2. Start Tailscale
tailscale up --exit-node=atlantis.vish.local

# 3. Mount filesystems
~/scripts/mount-homelab.sh

# 4. Start development environment
code --remote ssh-remote+homelab-vm.vish.local ~/projects/current-project

# 5. Open monitoring dashboards
firefox https://atlantis.vish.local:3000  # Grafana
firefox https://atlantis.vish.local:3001  # Uptime Kuma

# 6. Work normally - all data stays on homelab

Hotel Work Session

# 1. Connect to hotel WiFi (potentially untrusted)
# 2. Immediately connect Tailscale with exit node
tailscale up --exit-node=atlantis.vish.local --accept-dns=true

# 3. Verify IP is masked
curl ifconfig.me  # Should show home IP

# 4. Mount filesystems and work
~/scripts/mount-homelab.sh

Airplane Work (Offline)

# 1. Before flight, sync critical files
rsync -av atlantis.vish.local:/volume1/homes/vish/current-project/ ~/offline-work/

# 2. Work offline on local copy
# 3. After landing, sync changes back
rsync -av ~/offline-work/ atlantis.vish.local:/volume1/homes/vish/current-project/

# 4. Clean up local copy
rm -rf ~/offline-work/

---

🔧 Troubleshooting Travel Issues

Tailscale Connection Problems

# Check Tailscale status
tailscale status
tailscale netcheck

# Reset Tailscale connection
sudo tailscale down
sudo tailscale up --exit-node=atlantis.vish.local

# Check routing
ip route | grep tailscale
ip route | grep 100.64

# Test connectivity to homelab
ping atlantis.vish.local
ping 192.168.1.100

SSHFS Mount Issues

# Check if mounts are stale
df -h | grep fuse
mountpoint ~/mounts/atlantis

# Force unmount stale mounts
fusermount -uz ~/mounts/atlantis
# or
sudo umount -f ~/mounts/atlantis

# Remount with debug
sshfs -d vish@atlantis.vish.local:/volume1/homes/vish ~/mounts/atlantis

# Check SSH connectivity
ssh -v atlantis.vish.local

DNS Resolution Issues

# Check DNS settings
cat /etc/resolv.conf
systemd-resolve --status

# Test DNS resolution
nslookup atlantis.vish.local
dig atlantis.vish.local

# Force DNS through Tailscale
tailscale up --exit-node=atlantis.vish.local --accept-dns=true

Performance Issues

# Test network speed
speedtest-cli

# Test Tailscale performance
iperf3 -c atlantis.vish.local

# Check for packet loss
ping -c 100 atlantis.vish.local | grep loss

# Monitor network usage
iftop -i tailscale0

---

📋 Travel Checklist

Pre-Travel Setup

☐ Tailscale installed and configured
☐ Exit node (Atlantis) configured and tested
☐ SSH keys encrypted and backed up
☐ Mount scripts tested and working
☐ Remote wipe script configured
☐ Full disk encryption enabled
☐ Firewall configured for travel
☐ Mobile apps installed and configured
☐ Emergency contact information accessible
☐ Backup authentication methods available

Daily Travel Routine

☐ Connect to Tailscale immediately after WiFi
☐ Verify exit node is active (check IP)
☐ Mount homelab filesystems
☐ Check homelab service status
☐ Work with remote-only data
☐ Unmount filesystems before sleep/shutdown
☐ Log out of sensitive services
☐ Clear browser cache/history if needed

Post-Travel Security

☐ Review travel access logs
☐ Change passwords if compromise suspected
☐ Update SSH keys if needed
☐ Review and clean up local files
☐ Update travel procedures based on experience
☐ Backup any new configurations
☐ Document any issues encountered

---

🔗 Related Documentation

• 📱 Mobile Device Setup - NEW! iOS, Android, macOS, Linux Tailscale configuration
• Tailscale Setup Guide - Complete Tailscale configuration
• Ubiquiti Enterprise Setup - Enterprise networking for advanced setups
• Kubernetes Cluster Setup - Remote access to Kubernetes services
• Disaster Recovery Guide - Emergency procedures
• Offline Password Access - Password management while traveling
• Security Model - Overall security architecture

---

💡 Pro Tip: Practice your travel setup at home first! Test all mounting, VPN, and remote access procedures on your home network before traveling. This ensures everything works smoothly when you're away from your homelab.