Using Wireguard to Tunnel All Traffic through a VPS to Home #26
-
What does your iptables config look like?
-
One feature of this over, e.g., Cloudflare is support for publishing UDP ports to the internet. I learned this in the middle of actually trying to migrate away from a similar setup to Cloudflare because I felt like I could drop the VPS then. I guess I have to keep running a custom solution to be able to host UDP-based game servers.
-
Hey, I need some help please! I don't understand what you mean by the DMZ config. Do I need another server for that or?
-
Are your apps still accessible over your LAN if everything is being tunnelled with WireGuard?
-
I have just been implementing a similar setup with WireGuard bridging my VPS and my OPNsense server but using nginx instead of Caddy. However, I've run into some weirdness with Home Assistant, which is what led me to your blog. My VPS correctly terminates the client TLS session and I'm able to access the main auth page of Home Assistant; I'm able to enter my credentials and get prompted for my MFA OTP but then get a response saying that Home Assistant can't connect. I also get a notification in Home Assistant telling me that a device has just failed to authenticate (and I see the correct external IP of the client). It's really baffled me how I can access the auth pages of Home Assistant via this route but then get bounced following successful auth with the unable to connect message; at a guess I think it's down to OPNsense policy-based routing as I have multi-WAN rules in place, but wanted to float my problem in case it's something you saw and have an obvious answer to (or anything springs to mind that I've missed).
-
Using Wireguard to Tunnel All Traffic through a VPS to Home
In my last post, I discussed how I was moving off of Cloudflare and also moving to Caddy. After about a month of completing that switchover, I’m sticking to it. Still have a few issues with the way Caddy does things but overall it works.
In this post I want to discuss my Caddy setup, particularly how I am not directly exposing my homelab/server to the internet but instead am routing all the traffic through a VPS.
https://blog.fuzzymistborn.com/vps-reverse-proxy-tunnel/