Proxmox Pulse
Installation & Initial Setup

Proxmox Homelab Starter: 5 VMs to Deploy First

New to Proxmox? Deploy these 5 essential VMs and LXCs first—DNS, VPN, reverse proxy, monitoring, and storage—to build a useful homelab fast.

Proxmox Pulse Proxmox Pulse
10 min read
homelab proxmox setup dns vpn reverse proxy
Five glowing virtual machine nodes interconnected by data streams above a home server rack.
On this page

You've installed Proxmox, you're staring at the web UI, and now you're wondering what to actually do with it. That blank node is full of potential, but where do you start? This guide cuts through the noise and gives you an opinionated answer: here are the five VMs and LXCs to deploy first, in order, so your homelab is actually useful by the end of the day.

Each pick solves a real problem, builds on the previous one, and sets the foundation for everything else you'll run later. No fluff, just the essentials.

Why Order Matters

Most homelab guides throw a list of cool projects at you without explaining dependencies. The problem is that some services rely on others being in place first.

Local DNS should come before anything else, because every service you deploy afterward will need a clean hostname to reach it. A VPN comes next so you can reach everything securely from outside. Once you have those two, a reverse proxy makes managing HTTPS and routing trivial. From there, monitoring gives you visibility across the whole stack, and a local storage/cloud replacement ties it all together.

This order isn't arbitrary—it's the sequence that causes the least rework.

VM 1: AdGuard Home or Pi-hole (Local DNS)

The single most impactful thing you can add to a homelab is local DNS. Without it, you're bookmarking IP addresses, dealing with browser HSTS warnings on self-signed certs, and manually updating configs every time a VM gets a new address.

Deploy this as a lightweight LXC, not a full VM. An Alpine or Debian LXC with 256 MB RAM and 2 GB disk is more than enough.

Why AdGuard Home?

AdGuard Home bundles DNS-over-HTTPS, DNS rewrites, and a clean ad-blocking UI in one package. Pi-hole is the classic alternative and has a larger community, but AdGuard's interface and built-in DoH support make it the easier pick for 2026.

Setup in 5 Minutes

Using the excellent tteck community scripts, you can spin one up with a single command run from the Proxmox shell:

bash -c "$(wget -qLO - https://github.com/tteck/Proxmox/raw/main/ct/adguard.sh)"

Once running, open the AdGuard Home UI and add DNS rewrites for every service you plan to run. Something like:

nextcloud.home.lab → 192.168.1.51 grafana.home.lab → 192.168.1.52 vault.home.lab → 192.168.1.53

Then point your router's DHCP to hand out this LXC's IP as the primary DNS server for your whole network. Every device on your LAN now resolves your homelab hostnames automatically.

Pro Tips

  • Assign a static IP to this LXC before you do anything else—you never want DNS to go down because DHCP handed out a new address
  • Set a secondary upstream DNS (like 9.9.9.9) so internet resolution still works if AdGuard restarts
  • Use a .home.lab or .internal TLD for your local domain to avoid conflicts with real domains

VM 2: WireGuard VPN (Secure Remote Access)

Once your homelab has useful services, you'll want to reach them from outside. Exposing services directly to the internet is asking for trouble. WireGuard solves this cleanly—it's fast, modern, and trivial to configure compared to OpenVPN.

Again, an LXC works perfectly here. WireGuard is a kernel module, so it runs efficiently with minimal overhead.

WireGuard vs Tailscale

Tailscale is the zero-config option that works on top of WireGuard. It's a valid choice if you just want remote access without touching firewall rules, but it routes traffic through Tailscale's coordination servers. Self-hosted WireGuard keeps everything under your control and teaches you how the underlying networking actually works.

Basic WireGuard LXC Setup

# Run from Proxmox shell to create a WireGuard LXC
bash -c "$(wget -qLO - https://github.com/tteck/Proxmox/raw/main/ct/wireguard.sh)"

After setup, the container will include wg-easy, a web UI for managing peers. Access it on port 51821, create a client config, and download the QR code to your phone.

Forward UDP port 51820 on your router to this LXC's IP, and you're done. From anywhere on the internet, you connect to WireGuard and get full access to your homelab as if you were on the local network—including the local DNS from step one.

Important: Firewall Rules

Once WireGuard is running, go to the Proxmox Datacenter firewall and add a rule to restrict management access to the Proxmox web UI to only the WireGuard subnet. This means even if port 8006 were somehow exposed, it wouldn't be reachable without first authenticating through WireGuard.

Proxmox firewall rule (Datacenter → Firewall → Add)

Direction: IN Interface: vmbr0 Protocol: tcp Dest. Port: 8006 Source: 10.0.0.0/24 # your WireGuard subnet Action: ACCEPT

VM 3: Nginx Proxy Manager (Reverse Proxy + HTTPS)

At this point you have a handful of services running on different ports. Remembering 192.168.1.51:3000 vs 192.168.1.52:8080 is tedious, and getting valid HTTPS certificates for internal services is annoying without a reverse proxy.

Nginx Proxy Manager (NPM) solves both problems. It provides a GUI-driven reverse proxy with automatic Let's Encrypt certificate management, including wildcard certs for your internal domain.

Deploy as an LXC

bash -c "$(wget -qLO - https://github.com/tteck/Proxmox/raw/main/ct/nginx-proxy-manager.sh)"

NPM runs on port 81 for the admin UI. Default credentials are admin@example.com / changeme—change these immediately.

Setting Up Proxy Hosts

For each service you want to expose internally:

  1. Go to Hosts → Proxy Hosts → Add Proxy Host
  2. Set the domain name: grafana.home.lab
  3. Point it to the upstream IP and port: 192.168.1.52:3000
  4. Enable Websockets Support (most services need this)
  5. On the SSL tab, request a Let's Encrypt certificate

For internal-only services, use DNS challenge instead of HTTP challenge so you don't need to expose port 80 to the internet. NPM supports Cloudflare DNS validation natively—just add your Cloudflare API token.

Wildcard Certificates

Rather than issuing a cert per service, request a wildcard cert for *.home.lab. This covers every subdomain with a single cert and renewal.

Domain: *.home.lab Challenge: DNS (Cloudflare) API Token: your-cloudflare-token

Now every service behind NPM gets a trusted HTTPS certificate and a clean hostname. Your browser stops complaining, and you can start using services like real web apps.

VM 4: Grafana + Prometheus (Monitoring)

Once you have three or more services running, you need visibility. Which LXC is eating CPU? Is your disk filling up? Did a container restart overnight? Without monitoring, you're flying blind.

The Grafana + Prometheus + node_exporter stack is the homelab standard for good reason: it's powerful, free, and the dashboards are genuinely beautiful.

What Each Component Does

  • Prometheus: Scrapes metrics from exporters and stores them as time-series data
  • node_exporter: Runs on each host/VM and exposes CPU, RAM, disk, and network stats
  • Grafana: Visualizes the metrics with dashboards
  • Loki (optional): Log aggregation, pairs with Grafana for a full observability stack

Deployment Options

For a homelab, running all three in a single LXC or lightweight VM is perfectly reasonable. The tteck script handles this:

bash -c "$(wget -qLO - https://github.com/tteck/Proxmox/raw/main/ct/grafana.sh)"

For Prometheus, either use the same container or a dedicated one. Then install node_exporter on every host you want to monitor:

# On each LXC or VM
apt install prometheus-node-exporter -y
systemctl enable --now prometheus-node-exporter

Prometheus Config

Edit /etc/prometheus/prometheus.yml to add your scrape targets:

scrape_configs:
  - job_name: 'proxmox'
    static_configs:
      - targets: ['192.168.1.10:9100']  # Proxmox host
        labels:
          instance: 'proxmox-node'
  • job_name: 'services' static_configs:
    • targets:
      • '192.168.1.51:9100' # adguard lxc
      • '192.168.1.52:9100' # wireguard lxc
      • '192.168.1.53:9100' # npm lxc

Grafana Dashboards

Instead of building dashboards from scratch, import community ones:

  • Node Exporter Full — Dashboard ID 1860, comprehensive system metrics
  • Proxmox VE — Dashboard ID 10347, shows VM and LXC status
  • AdGuard Home — Dashboard ID 13330, DNS query stats and block rates

In Grafana: Dashboards → Import → Enter Dashboard ID → Load. You'll have a professional monitoring setup in under 10 minutes.

Alerting

Set up at least these basic alerts:

  • Disk usage > 85% on any host
  • A service has been down for more than 5 minutes
  • RAM usage sustained above 90%

Grafana's alerting UI handles this natively and can notify via email, Telegram, Slack, or a webhook.

VM 5: Nextcloud or Immich (Local Cloud Storage)

The fifth VM completes the homelab: a self-hosted alternative to Google Photos, Dropbox, or iCloud. This is the service that makes non-technical people in your household actually care about the homelab.

Nextcloud is the general-purpose option—file sync, calendar, contacts, notes, office docs, and a photo viewer. It does everything but can feel heavy.

Immich is the focused option—Google Photos replacement only, but it's genuinely excellent. Fast, well-designed, and actively developed. If photos are your primary goal, pick Immich.

Nextcloud AIO on Proxmox LXC

Nextcloud All-in-One is the recommended deployment method. It handles all dependencies (PostgreSQL, Redis, Collabora, talk server) via Docker containers inside a single entry point.

Deploy a Debian LXC with at least 4 GB RAM and 4 vCPUs for a comfortable experience. Enable nesting and keyctl in the LXC features to allow Docker to run inside it:

# In Proxmox shell, edit the LXC config
pct set 100 --features nesting=1,keyctl=1

Then inside the LXC:

# Install Docker
curl -fsSL https://get.docker.com | sh

Run Nextcloud AIO

docker run
--sig-proxy=false
--name nextcloud-aio-mastercontainer
--restart always
--publish 80:80
--publish 8080:8080
--publish 8443:8443
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config
--volume /var/run/docker.sock:/var/run/docker.sock:ro
ghcr.io/nextcloud-releases/all-in-one:latest

Access the setup UI at https://your-lxc-ip:8080 and follow the wizard.

Storage Considerations

Don't store Nextcloud data on the same disk as your Proxmox OS. Add a dedicated virtual disk to the LXC and mount it as the data directory:

# In Proxmox, add a disk to the LXC via the Hardware tab
# Then inside the LXC:
mkfs.ext4 /dev/sdb
mount /dev/sdb /mnt/data

For larger storage needs, use a bind mount to a ZFS dataset on the host:

# On Proxmox host
zfs create rpool/data/nextcloud

Add bind mount to LXC config (/etc/pve/lxc/100.conf)

mp0: /rpool/data/nextcloud,mp=/mnt/data

This keeps your data on ZFS with checksumming and snapshot support, separate from the LXC itself.

Putting It All Together

Here's what your Proxmox node looks like after following this guide:

LXC/VM Service IP Purpose
LXC 101 AdGuard Home 192.168.1.51 Local DNS + ad blocking
LXC 102 WireGuard 192.168.1.52 Remote access VPN
LXC 103 Nginx Proxy Manager 192.168.1.53 HTTPS reverse proxy
LXC 104 Grafana + Prometheus 192.168.1.54 Monitoring + alerting
LXC 105 Nextcloud / Immich 192.168.1.55 Local cloud storage

Total resource usage on a modest machine (Intel N100, 16 GB RAM): roughly 2-3 GB RAM and 2 vCPUs at idle. That leaves plenty of headroom for additional VMs and experimentation.

What Comes Next

With these five services running, you have the infrastructure to support almost anything else you want to add:

  • Vaultwarden — Self-hosted Bitwarden password manager (tiny LXC, big impact)
  • Home Assistant — Smart home automation hub
  • Jellyfin — Media server for local video streaming
  • Gitea — Private Git hosting for your configs and scripts
  • Paperless-ngx — Document management and OCR

All of these slot naturally into the foundation you've built: AdGuard gives them hostnames, WireGuard makes them reachable remotely, NPM gives them HTTPS, and Grafana watches them.

Conclusion

A Proxmox homelab is only as useful as what's running on it. Spinning up random VMs without a foundation leads to a messy, hard-to-maintain setup that you'll eventually wipe and start over. By deploying local DNS first, then VPN, reverse proxy, monitoring, and storage—in that order—you build something coherent and maintainable.

The five services in this guide aren't the most glamorous homelab projects, but they're the ones that make every subsequent project easier. Get these running first, and the rest of your homelab practically configures itself.

Share
Proxmox Pulse

Written by

Proxmox Pulse

Sysadmin-driven guides for getting the most out of Proxmox VE in production and homelab environments.

Related Articles

View all →