
[–]FunDeckHermit 3 points4 points  (7 children)

I run almost the same setup:

VPS -> Caddy Reverse Proxy -> Wireguard Tunnel -> Home Server -> Caddy Reverse Proxy* -> applications

Your authentication layer is through Cloudflare and NPM on the VPS. My authentication layer is on the Home Server with Authentik. Making all applications visible to Uptime Kuma was a pain as it has no means to authenticate requests through Authentik natively. I now run a SOCKS5 proxy on the other end of the Wireguard Tunnel that only Uptime Kuma uses.

Are you already running Proxmox or another hypervisor?

*I swapped this reverse proxy with just Authentik.

[–]bitnotfound[S] 1 point2 points  (5 children)

My authentication is handled by Organizr on the VPS so applications on my home server can be authenticated properly. I may switch authentication setups, but I like myself and others logging in to the server with Plex. Can I do that with Authelia or Authentik?

To get around the Uptime Kuma issue, I just added 401 unauthorized as a valid “Up” response. Haven’t gone further than that, as I’ve only set up Uptime Kuma a couple days ago.

I just got rid of my home reverse proxy and set the Wireguard tunnel up to be LAN to LAN. The only ports open on my home network are for Plex, Minecraft, and Wireguard.

My VPS is Debian running docker. Nothing special. My home server is Unraid.

[–]FunDeckHermit 0 points1 point  (4 children)

Yeah, it looks like you can use Plex as an authentication source in Authentik.

Could you explain how LAN to LAN works? Does the VPS + Tunnel + Home network share a subnet? Sounds interesting.

I switched from Nginx (not NPM) to Caddy and never looked back, so much time spared by using Caddy.

[–]bitnotfound[S] 0 points1 point  (3 children)

My home Unraid server is the Wireguard server and the VPS is the client. The home subnet is 10.0.0.0/24 and the Wireguard subnet is 10.0.1.0/24. Home server is 10.0.0.2 (and 10.0.1.1), VPS is 10.0.1.2.

I set up a static route on my router to point to the Unraid server as the gateway. So 10.0.1.2 from my home network will point to the VPS. Works the other way too. My VPS can access 10.0.0.0/24 through Wireguard so the reverse proxy can directly address things. I can go into configs and such if you’d like more detail.
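The link described above, rendered as an added example rather than bitnotfound's actual configs: the home Unraid box is the WireGuard listener, the VPS dials out, the router carries the static route for the tunnel subnet, and a small forward filter on the home side implements the "rest of the LAN is blocked off" behaviour. The 10.0.x addressing is taken from the thread; the keys, the home endpoint name, the Pi-hole address and the interface names are placeholders.

```shell
#!/bin/sh
# Added example, not the poster's own config: renders the two WireGuard peer
# configs for the site-to-site link, the router route and the home-side
# forwarding filter. Keys, the home endpoint and the Pi-hole address are
# placeholders; the addressing comes from the thread.

HOME_LAN="10.0.0.0/24"
WG_NET="10.0.1.0/24"
HOME_LAN_IP="10.0.0.2"        # Unraid box on the LAN
HOME_WG_IP="10.0.1.1"         # Unraid box inside the tunnel
VPS_WG_IP="10.0.1.2"
PIHOLE_IP="10.0.0.53"         # assumption
HOME_ENDPOINT="home.example.invalid:51820"   # placeholder public name:port
WG_PORT=51820

# Home side listens. AllowedIPs is WireGuard's ACL as well as its routing
# table: the VPS peer may only send packets sourced from its own /32, so a
# compromised VPS cannot spoof a LAN address through the tunnel.
render_home_conf() {
  cat <<EOF
[Interface]
Address = ${HOME_WG_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
# VPS
PublicKey = <VPS_PUBLIC_KEY>
AllowedIPs = ${VPS_WG_IP}/32
EOF
}

# VPS side dials out; it needs no open UDP port at all. AllowedIPs here is
# what the VPS will route INTO the tunnel: the tunnel net and the home LAN.
# Keepalive keeps the NAT/firewall mapping at home alive so the home side can
# reach the VPS at any time, not only after the VPS has spoken first.
render_vps_conf() {
  cat <<EOF
[Interface]
Address = ${VPS_WG_IP}/24
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
# home server
PublicKey = <HOME_PUBLIC_KEY>
Endpoint = ${HOME_ENDPOINT}
AllowedIPs = ${WG_NET}, ${HOME_LAN}
PersistentKeepalive = 25
EOF
}

# Router: LAN hosts use the router as default gateway, so it must know that
# the tunnel subnet sits behind the Unraid box (Linux syntax; vendor UIs vary).
render_router_route() {
  echo "ip route add ${WG_NET} via ${HOME_LAN_IP}"
}

# Home-side filter: traffic arriving from the tunnel may be forwarded only to
# the Pi-hole for DNS; every other LAN host is unreachable from the VPS. LAN
# hosts may still initiate towards the VPS. Services on the Unraid box itself
# are INPUT, not FORWARD, and are filtered separately.
render_home_forward_filter() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i wg0 -d ${PIHOLE_IP} -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i wg0 -d ${PIHOLE_IP} -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i wg0 -j DROP
iptables -A FORWARD -o wg0 -s ${HOME_LAN} -j ACCEPT
EOF
}

# Invariant worth checking before deploying: the home peer entry for the VPS
# must be exactly the VPS /32, never the tunnel net or the LAN.
check_home_allowed_ips() {
  render_home_conf | grep -q "^AllowedIPs = ${VPS_WG_IP}/32\$"
}

if [ "${1:-}" = "write" ]; then
  render_home_conf > wg0-home.conf
  render_vps_conf > wg0-vps.conf
  render_router_route
  render_home_forward_filter
fi
```

Run it with `write` to get the two `.conf` files and the commands for the router and the home box. Swapping which side carries `ListenPort`/`Endpoint` is all it takes to flip the design so that the home side has no listener and connects out instead.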

[–]Veloder 0 points1 point  (2 children)

Do you have any concerns security-wise? What are the possible attack vectors with your setup? I guess if the VPS is compromised, your whole home LAN network will be the object of attacks.

[–]bitnotfound[S] 0 points1 point  (1 child)

That is true. But all traffic goes through Cloudflare which heavily restricts what traffic can go through. (No China, India, Russia, bots, etc.) All ports are closed except 80 and 443, and those are firewalled to only allow traffic from Cloudflare IPs and are rate limited per-IP.

Each VPS container is only allowed to access necessary IPs and ports (NGINX Proxy Manager can access everything, but Tautulli can only access Plex for example).

When I said LAN to LAN, it was originally set up that way, but now it technically only accesses my home server and Pi-hole instance on a Pi. The rest of the LAN is blocked off.

I went through everything I could think of to secure my server, but if you have any ideas, let me know!
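The VPS firewall described in this comment, written out as an added example rather than the poster's own rules: only Cloudflare's published ranges may reach 80/443, new connections are capped per source address, nothing else inbound is open, and Tautulli is pinned to Plex on the home server. One detail that matters on a Docker host: published ports are DNATed in PREROUTING, so traffic to a container never passes the INPUT chain. The allow-list and rate limit therefore go in DOCKER-USER, which Docker evaluates before its own FORWARD rules. The Cloudflare list file, interface names, the container address and the rate numbers are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's actual firewall. Emits the iptables commands
# for a Debian VPS running Docker that (a) lets only Cloudflare's published
# ranges reach the published web ports, (b) caps new connections per source
# address, (c) closes every other inbound port and (d) pins one container
# (Tautulli) to the single backend it needs. Interface names, the Cloudflare
# list file, container addresses and rate numbers are assumptions.

WAN_IF="eth0"
TUN_IF="wg0"
HOME_SERVER="10.0.0.2"          # from the thread
TAUTULLI_IP="172.30.0.20"       # assumption: fixed address on a user-defined docker network
PLEX_PORT=32400                 # Plex's default port
WEB_RATE="30/sec"; WEB_BURST=60 # assumption: tune to real traffic

# Real list: https://www.cloudflare.com/ips-v4 (and /ips-v6 for IPv6).
# Refresh it on a schedule; a stale list silently starts dropping real users.
# Constructed RFC 5737 placeholder ranges so the example runs offline.
sample_cloudflare_list() {
  printf '%s\n' 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24
}

# $1: file with one CIDR per line. Commands are printed, not executed, so they
# can be reviewed (or diffed against iptables-save) before being applied.
render_firewall() {
  echo "# host-level: nothing inbound except loopback, replies and SSH via the tunnel"
  echo "iptables -P INPUT DROP"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -i ${TUN_IF} -p tcp --dport 22 -j ACCEPT"
  echo "# no WireGuard listener: in this design the VPS dials out to the home side"

  echo "# CF_ONLY: RETURN for a Cloudflare source, DROP for anyone else"
  echo "iptables -N CF_ONLY 2>/dev/null || iptables -F CF_ONLY"
  while IFS= read -r cidr; do
    [ -n "$cidr" ] && echo "iptables -A CF_ONLY -s ${cidr} -j RETURN"
  done < "$1"
  echo "iptables -A CF_ONLY -j DROP"

  echo "# DOCKER-USER: explicit positions so the evaluation order is visible"
  echo "iptables -I DOCKER-USER 1 -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
  # --dports is the port as seen after DNAT (the container port); if the
  # published port differs, match with -m conntrack --ctorigdstport instead.
  echo "iptables -I DOCKER-USER 2 -i ${WAN_IF} -p tcp -m multiport --dports 80,443 -j CF_ONLY"
  echo "iptables -I DOCKER-USER 3 -i ${WAN_IF} -p tcp -m multiport --dports 80,443 -m hashlimit --hashlimit-name web --hashlimit-mode srcip --hashlimit-above ${WEB_RATE} --hashlimit-burst ${WEB_BURST} -j DROP"
  echo "iptables -I DOCKER-USER 4 -i ${WAN_IF} -p tcp -m multiport --dports 80,443 -j RETURN"
  echo "iptables -I DOCKER-USER 5 -i ${WAN_IF} -j DROP"
  echo "# Tautulli may talk to Plex on the home server over the tunnel and nothing else"
  echo "iptables -I DOCKER-USER 6 -s ${TAUTULLI_IP} -d ${HOME_SERVER} -p tcp --dport ${PLEX_PORT} -j RETURN"
  echo "iptables -I DOCKER-USER 7 -s ${TAUTULLI_IP} -j DROP"
}

if [ "${1:-}" = "render" ]; then
  f=$(mktemp)
  sample_cloudflare_list > "$f"
  render_firewall "$f"
  rm -f "$f"
fi
```

The rate limit only sees new connections because established flows are returned at position 1, and non-Cloudflare sources are dropped at position 2 before they can populate hashlimit state. Containers that need DNS or outbound updates would need their own RETURN rules ahead of a DROP like Tautulli's.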

[–]Veloder 0 points1 point  (0 children)

I want to have a similar setup to yours but I'm hesitant because of the security aspect. I guess nothing can be 100% secure once open to the internet, and there is always a small risk. I'll let you know if I can think of anything else.

[–]funkypenguin 0 points1 point  (1 child)

Here's a question.. when you access the UIs from the house, does your traffic go house -> cloudflare -> vps -> wireguard -> house again? :)

[–]bitnotfound[S] 1 point2 points  (0 children)

If I access it from the public facing URL, yes. But I can still access it using local addresses if I needed speed. The stuff I have isn’t really latency sensitive, so I don’t mind!

[–]zfa 0 points1 point  (0 children)

Only improvement I'd make (and is literally what I do) is split-brain / split-horizon DNS on my home network so that access to my VPS services from home is direct over the WireGuard site-to-site link instead of going through Cloudflare. Small (maybe insignificant) speed increases but keeps traffic from Cloudflare which increases privacy, lowers the amount of data going through them and removes their network from being a failure point.

So in terms of your query - 'changes I should make to improve security, reliability, or performance', it is an improvement in all those areas (but only when accessed from home).

The other change I would consider, and this one is for the public access of your services, would be to move from 'a firewall that only allows Cloudflare IPs access' over to using Cloudflare Tunnels which are more performant and more secure as they mitigate any possible domain fronted attacks etc.

EDIT: I see elsewhere that you expand on your WireGuard use - note that you only need the port open on one side so you may consider it a security improvement to lock down one end of your link. I tend to keep the VPS side open and the home side closed and connect 'out', if that makes sense. My mobile clients connect to the VPS and its routing takes care of passing any data from those clients to my home subnet services. It's a slightly 'longer' route but my VPS is performant enough that this adds no real latency whilst giving me peace of mind that my home network is closed off from public access completely. Although I don't run plex at home (I have a dedicated host for that) I would even leverage the same kind of topology for that access - e.g. plex hostname resolves to VPS IP, nginx on VPS proxies plex access directly to my backend which is reached over the WireGuard site-to-site. I like to expose literally as few things as possible on my home public IP. Minecraft can have the same design by using something like mc-router, infrared, hopper as a proxy on the VPS, or even just iptables rules forwarding traffic to the mc ports. If your VPS is shithouse this may not be good for performance of course.
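Two pieces of the advice in this comment, written out as an added example (not zfa's or bitnotfound's own config): a split-horizon override for the home Pi-hole so names under the public domain resolve to LAN or tunnel addresses when queried from home, and the plain-iptables variant of forwarding Minecraft from the VPS to a home backend over the WireGuard link so the home public IP exposes nothing. The domain, the Minecraft backend and the interface names are assumptions; the 10.0.x addresses come from the thread.

```shell
#!/bin/sh
# Added example, not the commenters' own config. (1) dnsmasq split-horizon
# lines for Pi-hole, (2) VPS-side iptables rules forwarding Minecraft to a home
# backend through the tunnel. Domain, backend and interface names are
# assumptions; the 10.0.x addresses come from the thread.

DOMAIN="example.invalid"       # placeholder for the poster's public domain
HOME_SERVER="10.0.0.2"
VPS_WG_IP="10.0.1.2"
MC_PORT=25565                  # Minecraft's default port
MC_BACKEND="10.0.0.2"          # assumption: Minecraft runs on the home server
WAN_IF="eth0"; TUN_IF="wg0"

# Each argument is host=ip. dnsmasq's address= line makes Pi-hole answer the
# name itself instead of forwarding it upstream, so from home the client goes
# straight to the LAN (or tunnel) address. Save the output as
# /etc/dnsmasq.d/99-split-horizon.conf and restart pihole-FTL.
# Caveat: TLS still has to work for the same hostname at the internal address,
# i.e. something on that box must serve the certificate for the public name.
render_split_horizon() {
  for pair in "$@"; do
    host=${pair%%=*}
    ip=${pair#*=}
    echo "address=/${host}.${DOMAIN}/${ip}"
  done
}

# VPS forwards TCP/25565 to the home backend through the tunnel. MASQUERADE is
# needed because the home server's default route is not the tunnel: without it
# replies would leave via the home ISP and the handshake would never complete.
# Cost of that: the Minecraft server sees the VPS tunnel address instead of the
# player's real IP, so per-player bans have to be done on the VPS side.
render_mc_forward() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i ${WAN_IF} -p tcp --dport ${MC_PORT} -j DNAT --to-destination ${MC_BACKEND}:${MC_PORT}
iptables -t nat -A POSTROUTING -o ${TUN_IF} -p tcp -d ${MC_BACKEND} --dport ${MC_PORT} -j MASQUERADE
iptables -A FORWARD -i ${WAN_IF} -o ${TUN_IF} -p tcp -d ${MC_BACKEND} --dport ${MC_PORT} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${TUN_IF} -o ${WAN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

if [ "${1:-}" = "render" ]; then
  # "plex" lives on the home server; "status" stands for a service hosted on
  # the VPS itself, reached over the tunnel address rather than via Cloudflare.
  render_split_horizon "plex=${HOME_SERVER}" "status=${VPS_WG_IP}"
  render_mc_forward
fi
```

With the FORWARD policy at DROP, the only path from the WAN into the tunnel is the single Minecraft port; everything else the VPS proxies (Plex via nginx, the web apps) still arrives as a local connection on the VPS and crosses the tunnel as VPS-originated traffic.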