The original post: /r/selfhosted by /u/ImpressiveAct on 2024-11-10 01:36:21.

Greetings all!

Recently had the chance to upgrade my HomeLab hardware and decided to start fresh security-wise. (Previous lab used an amalgamation of open ports, bad firewalls, random VPNs and other not so secure stuff.) Got to start experimenting somewhere, right? Since I’m a little more versed in HomeLabbing now I want to do it ‘right’ from the get-go. I plan on exposing some services like websites and game servers to the world. Those services will run on VMs, no Docker involved. Other, internal, services will remain internal and will only be accessible from within my LAN. The whole setup will consist of 1 Proxmox server wherein everything will be virtualised.

First I experimented with the following physical proof of concept before doing anything on my lab itself: traffic destined for the website example.com:80 first hits the VPS, which runs Caddy as a reverse proxy and acts as a WireGuard server. The actual website runs on a Raspberry Pi with Caddy as a webserver. Caddy listens on port 9123. The Pi is connected to the VPN as a WireGuard client. When traffic hits the VPS it reverse-proxies it through the WireGuard tunnel to the Pi on the correct port. I did it this way to avoid having to use port forwarding. This proof of concept was done at my girlfriend’s house with just a normal ISP router.

Now for the actual HomeLab I plan on using the same setup but with an OPNsense VM as router/firewall. I have the following setup in mind (see added picture of a simple diagram). Traffic should go as follows: Internet -> VPS (reverse proxy, WireGuard server) -> OPNsense -> reverse proxy -> webserver.

Now I’m asking myself where I should run the WireGuard client for tunneling. Do I run it on OPNsense since that will be the entry point of my network, or do I run it on the reverse proxy in my home network? And when I run it on the reverse proxy inside my network, does the traffic still go through the firewall? OR

Thanks in advance for any tips! Still pretty new to all of this.

https://preview.redd.it/nbzppfbb8zzd1.png?width=1962&format=png&auto=webp&s=756c498ef8b7d32ac4eecf09ca630f814189d38d
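The proof of concept from the post rendered as its four config files (an added example, not the poster's own files): WireGuard on the VPS with a single /32 peer for the Pi, the Pi as client with no port forward, Caddy on the VPS proxying to the tunnel address, and Caddy on the Pi bound only to the tunnel address so port 9123 is not reachable from the LAN side. The tunnel subnet 10.8.0.0/24, the hostname vps.example.com and the key placeholders are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's files: renders the config files behind the
# VPS -> WireGuard -> Pi proof of concept. Tunnel subnet, hostname and keys are
# assumptions; replace the <...> placeholders with real values (wg genkey / wg pubkey).
set -eu
VPS_TUN="10.8.0.1"; PI_TUN="10.8.0.2"; PI_PORT="9123"
render_vps_wg() {   # /etc/wireguard/wg0.conf on the VPS (WireGuard server)
  cat <<EOF
[Interface]
Address = ${VPS_TUN}/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
# AllowedIPs = one /32: the VPS can only reach this single host through the tunnel
PublicKey = <PI_PUBLIC_KEY>
AllowedIPs = ${PI_TUN}/32
EOF
}

render_pi_wg() {    # /etc/wireguard/wg0.conf on the Pi (client behind the ISP router)
  cat <<EOF
[Interface]
Address = ${PI_TUN}/24
PrivateKey = <PI_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.com:51820
# only the tunnel subnet is routed via the VPS; the Pi's other traffic stays on the LAN
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25
EOF
}

render_vps_caddy() {  # Caddyfile on the VPS: public entry point, TLS terminated here
  printf 'example.com {\n    reverse_proxy %s:%s\n}\n' "$PI_TUN" "$PI_PORT"
}

render_pi_caddy() {   # Caddyfile on the Pi: explicit http:// on the tunnel address,
  printf 'http://%s:%s {\n    root * /var/www/example\n    file_server\n}\n' \
    "$PI_TUN" "$PI_PORT"   # so :9123 only answers on the tunnel, not on the LAN
}

write_all() {  # $1 = output directory
  mkdir -p "$1"
  render_vps_wg    > "$1/vps-wg0.conf";  render_pi_wg    > "$1/pi-wg0.conf"
  render_vps_caddy > "$1/vps-Caddyfile"; render_pi_caddy > "$1/pi-Caddyfile"
}
write_all "${1:-./poc-configs}"
```

Wherever the client side ends up, the hop that holds the WireGuard private key is where the tunnel is decrypted: if that is a VM behind OPNsense rather than OPNsense itself, the firewall only sees the encrypted UDP/51820 flow, and the plain HTTP first appears on that VM.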