How to secure my home network when running a VM accessible via a Cloudflare Tunnel?
My previous plan of setting up a DMZ with OpenWrt on a Xiaomi router was abandoned, because I had issues with getting the router.

What I'm trying to achieve is to secure my home network when running a web server that is accessible from the outside world via Cloudflare Tunnel.

I currently have a website running on an Apache server, on an Ubuntu Server 22.04 VM on Hyper-V.

The Ubuntu guest has 2 network adapters connected to it: one on the home network and one on a virtual internal switch from Hyper-V, in order to give it a static IP address.

This means that the VM is connected directly to the home network. Is it possible to secure it with OpenWrt in the middle, i.e. create another VM, install OpenWrt on it (instead of on a router), and place it between my home network and the VMs?

This is a diagram depicting the current situation, and what I am planning (if possible):

I am not too good at networking, so please go easy on me :slight_smile:

Generally speaking, a VM is not the recommended method of securing your network because there are so many more variables and things that can be misconfigured or go wrong. You are always best served by using a dedicated device as your router.

As far as protecting your main network from the server that is publicly exposed, I would suggest simply putting that server on a different VLAN.

There are a ton of OpenWrt supported devices -- from all-in-one wifi router products to the Pi series and x86... what you select should be based on your ISP bandwidth requirements (now and ideally forward looking) as well as any special needs you may have. But just because you couldn't get the Xiaomi router you wanted doesn't mean you've hit a dead-end with this general path.
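As an added illustration of the "separate VLAN" suggestion in the reply above (constructed for this page, not configuration from the post or from the OpenWrt project), here are UCI fragments for a dedicated `dmz` network on an OpenWrt router: the VLAN id 20, the 192.168.20.0/24 range and the switch port name `lan4` are assumptions you would adapt to your device. The firewall zone lets the server reach the WAN (which is all cloudflared needs, since the tunnel is dialled out) but deliberately defines no forwarding from `dmz` to `lan`.

```uci
# /etc/config/network  (DSA-style bridge VLAN; port name is an assumption)
config bridge-vlan
    option device 'br-lan'
    option vlan '20'
    list ports 'lan4:u*'        # untagged on the port the Hyper-V host plugs into

config interface 'dmz'
    option device 'br-lan.20'
    option proto 'static'
    option ipaddr '192.168.20.1'
    option netmask '255.255.255.0'

# /etc/config/dhcp  (hand out leases on the new network)
config dhcp 'dmz'
    option interface 'dmz'
    option start '100'
    option limit '50'
    option leasetime '12h'

# /etc/config/firewall
config zone
    option name 'dmz'
    list network 'dmz'
    option input 'REJECT'       # the router itself is not reachable from the DMZ by default
    option output 'ACCEPT'
    option forward 'REJECT'

# Outbound only: the Cloudflare Tunnel connector dials out, nothing inbound is required.
config forwarding
    option src 'dmz'
    option dest 'wan'

# The only router services the DMZ host may use: DHCP and DNS.
config rule
    option name 'Allow-DMZ-DHCP-DNS'
    option src 'dmz'
    option proto 'tcp udp'
    option dest_port '53 67'
    option target 'ACCEPT'

# Admin access from the trusted LAN into the DMZ; there is intentionally
# no matching forwarding from 'dmz' to 'lan', so a compromised server
# cannot reach the home network.
config forwarding
    option src 'lan'
    option dest 'dmz'
```

After `uci commit` and restarting the network and firewall services, check the isolation from the VM itself: it should reach the internet but time out when connecting to any 192.168.x address on the LAN side.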