Home Lab • Tailscale Mesh • SSH (ED25519)

Home Lab Network Architecture

A secure, least-privilege Tailscale mesh with SSH key-based access. Last updated: October 19, 2025

Diagram

                ┌───────────────────────────────────┐
               │  ThinkPad T480s (Zorin OS)        │
               │  • Control / Management Node      │
               │  • SSH → MacBook / Desktop / VM   │
               │  • No Inbound SSH                 │
               └───────────────┬───────────────────┘
                               │
                     ╭─────────┴─────────╮
                     │  Tailscale Mesh   │
                     │  VPN + SSH Keys   │
                     ╰─────────┬─────────╯
                               │
          ┌────────────────────┴────────────────────┐
          │                                         │
┌───────────────────┐                    ┌──────────────────┐
│  MacBook Air (M2) │                    │  Desktop (Win11) │
│  • Dev / Study Env│                    │  + WSL2 Host     │
│  • SSH ↔ Desktop  │                    │  • SSH ↔ MacBook │
│  • SSH → Homelab  │                    │  • SSH → Homelab │
└───────────────────┘                    └──────────┬───────┘
                                                    │
                                     (Hosts the VM) │
                                                    │
                                       ┌─────────────────────┐
                                       │   Homelab VM        │
                                       │   (Ubuntu Server)   │
                                       │   • Docker, Tunnels │
                                       │   • Inbound SSH only│
                                       │   • No Outbound SSH │
                                       └─────────────────────┘

Roles & Access Matrix

Device                      | Role                      | SSH Direction                          | Notes
----------------------------|---------------------------|----------------------------------------|----------------------
ThinkPad T480s (Zorin OS)   | Control / Management Node | Outbound → MacBook / Desktop / Homelab | Inbound SSH disabled
Desktop (Win11 + WSL2)      | Host & Peer Node          | ↔ MacBook, → Homelab                   | Hosts Ubuntu VM
MacBook Air (M2)            | Dev / Study Environment   | ↔ Desktop, → Homelab                   | Portable client
Homelab VM (Ubuntu Server)  | Server Endpoint           | Inbound only ← all nodes               | Outbound SSH blocked

Security Model

Key Configuration Snippets

Zorin (Control Node)

# Disable inbound sshd
sudo systemctl disable --now ssh

# ~/.ssh/config (aliases)
Host desktop
  HostName desktop-hjpalp7
  User melchior
  IdentityFile ~/.ssh/id_ed25519

Host homelab
  HostName jam-homelab
  User homelab
  IdentityFile ~/.ssh/id_ed25519

Host macbook
  HostName macbook-m2
  User jermaine
  IdentityFile ~/.ssh/id_ed25519

Homelab VM (Inbound-Only)

# Remove outbound identity: the VM keeps ~/.ssh/authorized_keys (inbound)
# but holds no private key it could use to open sessions to other nodes
rm -f ~/.ssh/id_*

# UFW policy: deny everything inbound except SSH arriving over Tailscale;
# keep outbound allowed in general (apt, Docker, tunnels and Tailscale itself
# need it) but block outbound SSH explicitly.
# A default-allow-incoming policy would make the tailscale0 rule meaningless
# and expose every other listener on the VM's other interfaces.
sudo apt install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw deny out to any port 22 proto tcp
# add the allow rule before enabling so a session over Tailscale survives
sudo ufw allow in on tailscale0 to any port 22 proto tcp
sudo ufw enable
sudo ufw status verbose
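The firewall above only decides which addresses can reach port 22; sshd itself still has to refuse passwords and root logins, and each key in authorized_keys can be pinned to the tailnet so a stray copy of a public key is useless from anywhere else. The script below is an added example and not configuration from the original page: it writes a key-only sshd drop-in for the Homelab VM, checks that the required directives are present, and counts authorized_keys entries that lack a from= restriction. It assumes Ubuntu's OpenSSH reads /etc/ssh/sshd_config.d/*.conf, that the caller passes the VM's Tailscale IPv4 address, and that the tailnet uses Tailscale's CGNAT range 100.64.0.0/10; the drop-in path, function names and the sample keys are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumptions: OpenSSH drop-in
# directory /etc/ssh/sshd_config.d, Tailscale address supplied by the caller,
# tailnet inside 100.64.0.0/10 (Tailscale's CGNAT range).
set -eu

# write_sshd_dropin ROOT TAILSCALE_IP
# Writes ROOT/etc/ssh/sshd_config.d/90-homelab.conf. ROOT is "/" on the real
# VM; a scratch directory lets the functions run without touching sshd.
write_sshd_dropin() {
  root="$1"; ts_ip="$2"
  mkdir -p "$root/etc/ssh/sshd_config.d"
  cat > "$root/etc/ssh/sshd_config.d/90-homelab.conf" <<EOF
# Homelab VM: inbound-only, key-only SSH, bound to the Tailscale address only
ListenAddress $ts_ip
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowUsers homelab
AllowAgentForwarding no
MaxAuthTries 3
EOF
}

# check_sshd_dropin FILE
# Returns 0 when every required directive is present with the expected value.
check_sshd_dropin() {
  f="$1"; rc=0
  for want in "PasswordAuthentication no" "PubkeyAuthentication yes" \
              "KbdInteractiveAuthentication no" "PermitRootLogin no"; do
    grep -qx "$want" "$f" || { echo "missing: $want" >&2; rc=1; }
  done
  # Anything outside 100.x.y.z means sshd would also listen on the VM's
  # host-only or bridged interface, bypassing the Tailscale-only design.
  grep -q '^ListenAddress 100\.' "$f" || { echo "not bound to a tailnet address" >&2; rc=1; }
  return $rc
}

# audit_authorized_keys FILE
# Prints the number of keys that lack a from="100.64.0.0/10" restriction.
# Such a key is accepted from any address that reaches sshd, so the
# tailnet-only property would then rest on the firewall alone.
audit_authorized_keys() {
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    case "$line" in
      *'from="100.64.0.0/10'*) ;;
      *) echo "unrestricted key: ${line##* }" >&2; bad=$((bad + 1)) ;;
    esac
  done < "$1"
  echo "$bad"
}

# Stand-alone run against a scratch directory with a constructed authorized_keys
demo() {
  tmp=$(mktemp -d)
  write_sshd_dropin "$tmp" 100.101.102.103        # constructed tailnet address
  check_sshd_dropin "$tmp/etc/ssh/sshd_config.d/90-homelab.conf"
  cat > "$tmp/authorized_keys" <<'EOF'
# constructed sample: one key pinned to the tailnet, one unrestricted
from="100.64.0.0/10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY01 zorin
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY02 macbook
EOF
  audit_authorized_keys "$tmp/authorized_keys"    # prints 1
  rm -rf "$tmp"
}
```

On the live VM the call is `write_sshd_dropin / <tailscale-ip>` followed by `sudo sshd -t` to syntax-check and `sudo systemctl reload ssh`; do the reload from a session that already runs over Tailscale, because after the ListenAddress change sshd no longer answers on the VM's other addresses.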

Desktop (Host)

# Ensure SSH to VM and MacBook is available; WSL/VM hosts Homelab
# (Your existing config; include if relevant to your setup)