Setting up Wireguard + Reverse Proxies

Running a VPS tunnel connection to my home server so that domain name connections work

Background

I used to simply run my servers and connect through them with a vpn allowing me to jump right into my homeserver. I usually used it with tailscale which was really convenient and connecting it with pihole (acting as a local dns server) allowed me to connect to my homeserver anywhere I go. However, it was really hard for me to connect to my homeserver if I am on a foreign device as tailscale only allows for me to login via the app using my google account.

The free version also did not have many features like account sharing. So I'm stuck with all my services in one account. That's why I decided to explore more options.

Here's a diagram of what I am trying to set up:

Setting up Wireguard on a VPS

I decided to rent a cheap vps from Ionode which was around $2/month. After setting up the connection I installed wireguard on the VPS and my homeserver. For simplicity and allowing my wireguard to connect to various networks, I installed both without docker.

On Both:

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt install wireguard -y

Generate the public and private key on both VPS and Homeserver:

(umask 077 && printf "[Interface]\nPrivateKey= " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey

Save the public keys you received on both servers. Then setup /etc/wireguard/wg0.conf

[Interface]
PrivateKey = (Your private key is displayed here do not copy or paste it anywhere)
ListenPort = 55107
Address = 192.168.1.1
[Peer]
PublicKey = (public key from the other server here)
AllowedIPs = 192.168.1.1/32

Now we need to setup ipv4 forwarding to allow for traffic forwarding on the VPS. Open /etc/systl.conf and add:

net.ipv4.ip_forward=1

Save the file and apply changes using:

sudo sysctl -p
sudo sysctl --system

Now start the wireguard services on both sides:

sudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0

Check the status of the wireguard service using and pinging:

wireguard show 
ping 192.168.1.2 # pinging your homeserver from VPS
ping 192.168.1.1 # pinging your VPS from homeserver

After making sure the connection is working its now time to setup the reverse proxy. Its also okay to do this using IPTables and directly forwarding the from 80 and 443 ports to wg0 network and through to homeserver but I feel more safe and comfortable with a reverse proxy sitting and parsing logs. It also allows for other additional setups like fail2ban and crowdsec to be added later!

Setting up Reverse Proxy

For this, I went with Nginx but Apache is fine too. First, install nginx on your VPS:

sudo apt update
sudo apt install nginx

Next, open the configuration file:

sudo nano /etc/nginx/sites-available/default

Here, you will put a simple html file at the end. We do this to first get SSL certs first before pointing at our homeserver.

server {
    listen 80;

    server_name *.yourdomain.com;

    location / {
        root /var/www/html;
        index index.html;
    }
}

Note: This only applies if you make a new file. Link the site-available new file with sites-enabled default so that any changes is applied to both

sudo ln -s /etc/nginx/sites-available/yourfile /etc/nginx/sites-enabled/

Now, you point your bought domain name to the VPS ip address. Make sure you point your domain and all subdomains too by using the wild card *.yourdomain.com so that it forwards all subdomains related to this VPS. Note that in your config file, we also have a similar setup with all *.yourdomain.com pointing to the html file (for now) in the nginx file.

Restart nginx to apply changes and try accessing your site:

sudo systemctl restart nginx

Now we use LetsEncrypt to get wildcard certs for your domain. Install LetsEncrypt:

sudo apt update
sudo apt install certbot

Next, install the dns provider certbot (check your own dns provider first), here's a few examples:

sudo apt install python3-certbot-dns-cloudflare
sudo apt install python3-certbot-dns-route53
sudo apt install python3-certbot-dns-digitalocean
sudo apt install python3-certbot-dns-google

After this, you will need your dns provider token (Digital Ocean, Cloudflare), create a file at /etc/letsencrypt/cloudflare.ini (digitalocean.ini, or whatever name you want) and add the token:

dns_cloudflare_api_token = your_cloudflare_api_token

Tighten the permissions for the file:

sudo chmod 600 /etc/letsencrypt/cloudflare.ini

Then request ssl certs:

sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
  -d *.example.com \
  -d example.com

Once complete, modify your /etc/nginx/sites-available/default file:

default

server {
    listen 443 ssl;
    server_name *.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        root /var/www/html;
        index index.html;
    }
}

 server {
     listen 80;
     server_name *.yourdomain.com;
 
     location / {
         return 301 https://$host$request_uri;
     }
 }

Now, restart nginx and try accessing your site to ensure that it's loaded in https. After it's working its time to point it to your homeserver.

After setting up your homeserver, its time to rewrite the VPS nginx configuration so that it points to the wireguard network:

default

server {
    listen 443 ssl;
    server_name yourdomain.com *.yourdomain.com;

    ssl_certificate /etc/nginx/ssl/fullchain1.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey1.pem;

    location / {
        proxy_pass https://192.168.1.2;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Additional proxy settings
        proxy_ssl_name $host;
        proxy_ssl_server_name on;
        proxy_ssl_verify off;  # If you want to ignore SSL verification of the backend
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;
    }
}

server {
    listen 80;
    server_name *.yourdomain.com;

    location / {
        return 301 https://$host$request_uri;
    }
}

Now it's time to change the Iptables so that traffic from the wireguard tunnel from in your homeserver is passing through the network you want. I prefer a reverse proxy also sitting behind accepting the traffic so I will reroute it to pass through 80 and 443

Setup your reverse proxy, use the any configuration but I recommend you test with a sample html file first. Also, instead of using LetsEncrypt to find a new SSL certificate, use the same one from your VPS.

If your reverse proxy is setup on the bare metal (the machine itself) use eth0 as your network id. If you reverse proxy is on a docker container network, check your docker container network id using the commmand: ip a

iptables -A FORWARD -i wg0 -o [network_id] -p tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i wg0 -o [network_id] -p tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i wg0 -o [network_id] -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i [network_id] -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Now finally, you need to make sure the iptables are persistent so that it would be preserved even after a reboot. Install:

sudo apt-get update
sudo apt-get install iptables-persistent

Then run this to save the current iptables:

sudo netfilter-persistent save

You can also save your current iptables to a file for backups:

sudo iptables-save > /path/to/backup/iptables-backup.txt

Now you're done! You have connection that is running from your VPS reverse proxy, through wireguard, to your home reverse proxy!

PreviousSet up local domains with Tailscale and PiHole NextMonitoring your machines

Last updated 1 year ago

hashtagBackground

hashtagSetting up Wireguard on a VPS

hashtagSetting up Reverse Proxy

Background

Setting up Wireguard on a VPS

Setting up Reverse Proxy