Homelab Setup with ZestSSH
Managing a homelab from your phone or tablet turns ZestSSH into a portable control plane. This guide walks through a common homelab topology: a WAN-exposed jump server that tunnels into private LAN services such as Proxmox, Home Assistant, Pi-hole, and Grafana.
Architecture Overview
A typical homelab network looks like this:

    Internet
        |
        v
    [Router / Firewall]
        |  port 22 forwarded
        v
    [Jump Server] ── LAN ──> Proxmox (192.168.1.10)
                             Home Assistant (192.168.1.20)
                             Pi-hole (192.168.1.53)
                             Grafana (192.168.1.30:3000)
                             NAS (192.168.1.50)

The jump server is the only device with a public-facing SSH port. Everything else stays on the private LAN.
Step 1: Prepare Your Jump Server
Choose a low-power device that stays on 24/7 --- a Raspberry Pi, an old thin client, or a small VM on your hypervisor. Harden it:
- Disable password authentication. In `/etc/ssh/sshd_config`, set `PasswordAuthentication no` and `PubkeyAuthentication yes`.
- Change the SSH port (optional). Moving off port 22 reduces automated scanning noise. Use any high port (e.g. 2222) and set it in `sshd_config`.
- Install fail2ban to rate-limit brute-force attempts.
- Enable key-only login. Generate an Ed25519 key in ZestSSH (Settings > Identities > Generate Key) and copy the public key to `~/.ssh/authorized_keys` on the jump server.
On your router, forward the chosen SSH port to the jump server’s LAN IP.
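The check below is an added example, not part of ZestSSH or of the original guide. It audits the global section of an `sshd_config` for the two settings from the first bullet, honouring the rule that sshd keeps the first value it reads for a keyword. The function names and the sample config are constructed for illustration; it does not follow `Include` files or `Match` blocks, so `sshd -T` on the jump server remains the authoritative check.

```sh
#!/bin/sh
# sshd_global KEYWORD DEFAULT FILE
# Prints the effective global value (lowercased). sshd keeps the FIRST value
# it reads for a keyword, so later duplicates do not count.
sshd_global() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" -v def="$2" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)        # "Key value" or "Key=value"
            key = tolower(f[1])
        }
        key == "match" { exit }              # global section ends at first Match
        key == want && !found { val = tolower(f[2]); found = 1 }
        END { print (found ? val : def) }
    ' "$3"
}

# audit_sshd FILE: returns 0 when key-only login is enforced globally.
audit_sshd() {
    rc=0
    pw=$(sshd_global PasswordAuthentication yes "$1")   # OpenSSH default: yes
    pk=$(sshd_global PubkeyAuthentication yes "$1")     # OpenSSH default: yes
    [ "$pw" = no ]  || { echo "FAIL: PasswordAuthentication is '$pw'"; rc=1; }
    [ "$pk" = yes ] || { echo "FAIL: PubkeyAuthentication is '$pk'"; rc=1; }
    # Include files and Match blocks are not followed here and can override.
    if grep -Eiq '^[[:space:]]*(include|match)[[:space:]=]' "$1"; then
        echo "WARN: Include/Match present; confirm with 'sshd -T'"
    fi
    return "$rc"
}

# Constructed sample config (not from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
audit_sshd "$sample" && echo "OK: key-only login enforced"
rm -f "$sample"
```

A commented-out `#PasswordAuthentication no` line fails this audit, because the OpenSSH default of `yes` then applies.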
Step 2: Create the Jump Server Connection
In ZestSSH, tap the + button and fill in:
- Label: `Jump Server`
- Host: Your public IP or dynamic DNS hostname (e.g. `home.example.com`)
- Port: 2222 (or whatever you chose)
- Identity: Select the Ed25519 identity you created
Save the connection, then tap it to verify you can connect.
Step 3: Add LAN Servers Behind the Jump
Now create connections for each private LAN host. The key setting is Connect Via:
- Tap + to add a new connection.
- Label: `Proxmox`
- Host: `192.168.1.10`
- Port: 22
- Connect Via: Select `Jump Server`
- Identity: Select or create an identity for this host.
Repeat for Home Assistant, Pi-hole, Grafana, NAS, and any other LAN hosts. Each connection will automatically tunnel through the jump server --- ZestSSH establishes an SSH channel through the jump host’s connection before connecting to the final destination.
Step 4: Port Forwarding to LAN Web UIs
Many homelab services expose web dashboards. ZestSSH’s port forwarding lets you access them from your device’s browser.
Proxmox Web UI (port 8006)
Create a port forward rule on the Jump Server connection:
- Type: Local
- Local Port: 8006
- Remote Host: 192.168.1.10
- Remote Port: 8006
After connecting, open https://localhost:8006 in your browser to reach the Proxmox console.
Home Assistant (port 8123)
- Local Port: 8123
- Remote Host: 192.168.1.20
- Remote Port: 8123
Browse to http://localhost:8123.
Grafana (port 3000)
- Local Port: 3000
- Remote Host: 192.168.1.30
- Remote Port: 3000
Browse to http://localhost:3000.
Pi-hole Admin (port 80)
- Local Port: 8080 (avoid 80 on mobile)
- Remote Host: 192.168.1.53
- Remote Port: 80
Browse to http://localhost:8080/admin.
You can set port forward rules to start automatically when you connect to the jump server, so a single tap gives you access to your entire homelab.
Step 5: Wake-on-LAN
ZestSSH supports Wake-on-LAN (WoL) for servers that are powered off until you need them. This is useful for a power-hungry workstation or NAS that should not run 24/7.
In the connection editor, scroll to the Wake-on-LAN section:
- MAC Address: The server’s Ethernet MAC (e.g. `AA:BB:CC:DD:EE:FF`)
- Broadcast Address: Usually `255.255.255.255` for the local subnet, or a directed broadcast like `192.168.1.255`
- WoL Port: 9 (standard)
When you tap Connect on this host, ZestSSH sends a magic packet to wake the machine, then waits for SSH to become available.
Important: WoL magic packets are Layer 2 --- they only travel within the local broadcast domain. To wake a machine remotely through the jump server, the jump server itself must send the packet. You can automate this with a snippet:

    wakeonlan AA:BB:CC:DD:EE:FF

Run this snippet on the jump server connection, wait 30 seconds for the target to boot, then connect.
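For reference, this is what a magic packet contains, as an added example that is not ZestSSH's or the `wakeonlan` tool's own code. It builds the 102-byte payload for a MAC address and recognises one in a captured UDP payload, which helps when checking on the jump server whether a wake request actually went out. The function names are hypothetical, the MAC is the placeholder used above, and the parser assumes the magic sequence starts at the first byte of the payload.

```sh
#!/bin/sh
# wol_payload MAC
# Prints the magic packet as 204 hex characters (102 bytes):
# six 0xFF bytes followed by the target MAC repeated 16 times.
wol_payload() {
    mac=$(printf '%s' "$1" | tr -d ':-' | tr '[:upper:]' '[:lower:]')
    case $mac in
        *[!0-9a-f]*) echo "invalid MAC: $1" >&2; return 1 ;;
    esac
    [ "${#mac}" -eq 12 ] || { echo "invalid MAC: $1" >&2; return 1; }
    out=ffffffffffff
    i=0
    while [ "$i" -lt 16 ]; do
        out=$out$mac
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# wol_target HEX
# Given a UDP payload as hex, prints the MAC it would wake (aa:bb:...) and
# returns 0, or returns 1 if the payload is not a well-formed magic packet.
# Bytes after the first 102 are ignored.
wol_target() {
    hex=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    [ "${#hex}" -ge 204 ] || return 1
    mac=$(printf '%s' "$hex" | cut -c13-24)
    head=$(printf '%s' "$hex" | cut -c1-204)
    [ "$head" = "$(wol_payload "$mac" 2>/dev/null)" ] || return 1
    printf '%s\n' "$mac" | sed 's/../&:/g; s/:$//'
}

# Round trip with the placeholder MAC from this guide.
pkt=$(wol_payload AA:BB:CC:DD:EE:FF) && echo "target: $(wol_target "$pkt")"
```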
Step 6: Local DNS and .local Hostnames
If you run Pi-hole or another local DNS server, you can assign hostnames like proxmox.home, nas.home, and grafana.home to your LAN IPs. When connecting through the jump server, SSH resolves hostnames on the jump server’s side of the tunnel. This means you can use these local hostnames as the Host field in your ZestSSH connections:
- Host: `proxmox.home` instead of `192.168.1.10`
This makes your connection list more readable and survives IP changes from DHCP reassignments.
Organizing Your Homelab
Use Connection Groups to keep things tidy:
- Create a group called “Homelab”
- Drag all homelab connections into it
- The jump server and all LAN hosts appear together in a collapsible section
On desktop, pin your most-used homelab connections to the sidebar favorites for one-click access.
Monitoring and Automation
With ZestSSH Pro, you can automate homelab tasks:
- Snippets: Save common commands like `docker compose pull && docker compose up -d` for container updates.
- Workflows: Chain multiple steps --- update Pi-hole, restart Home Assistant, pull Grafana dashboards --- across multiple servers in sequence.
- Tasker integration (Android): Trigger a backup script when you leave home, or check server health on a schedule.
For ongoing monitoring, ZestSSH shows connection health status with colored dots and TCP latency beside each saved connection, giving you an at-a-glance view of which homelab services are responding.
Security Considerations
- Never expose individual LAN services directly to the internet. Route everything through the jump server.
- Use unique SSH keys per device. If a phone is lost, revoke that key without affecting your laptop.
- Enable ZestSSH’s app lock (biometric or PIN) so a stolen device cannot access your homelab.
- Rotate your jump server SSH keys periodically.
- Consider running the jump server SSH on a non-standard port and behind fail2ban.