diff --git a/Guides/reverse_proxy.md b/Guides/reverse_proxy.md new file mode 100644 index 0000000..36b2678 --- /dev/null +++ b/Guides/reverse_proxy.md @@ -0,0 +1,177 @@ +--- +title: Reverse Proxy using a VPS +description: Self hosted VPS as a Reverse Proxy +published: true +date: 2025-12-13T12:40:45.683Z +tags: public, networking +editor: markdown +dateCreated: 2023-10-18T18:42:56.780Z +--- + +This is a guide to create a reverse proxy using a Virtual Private Server, or VPS so that you can access internally hosted services.  + +# My Situation + +I host some services from my home lab that I access remotely, such as Home Assistant.  + +In my previous house, I was the account owner for the internet. I was able to get a static IP, and have the ISP open incoming ports 80 and 443 for web traffic. + +Now I lived in shared accommodation which has an included internet connection, in the form of an Ethernet cable coming out the wall. Everyone just uses the same LAN. +I do have access to the router, but to maintain an environment that I can ‘home lab freely' in, I wanted to set up my own LAN.  + +I can do this while still utilising the shared connection. We have fiber and my services are not bandwidth heavy.  + +I have configured a router of my own with, with all traffic sent via [Mullvad VPN](https://mullvad.net/en). + +Now I need to be able to access my internal services externally, using this same internet connection. + +# The Plan + +There are some ways I can do this: + +- A VPN to my network, such as OpenVPN, SSL VPN, WireGuard, or even an overlay network such as TailScale. + This however this would mean I have to install a VPN app first and configure it. What if someone else wants to watch videos too? They now have to install some VPN app on their TV. Too much work! I just want to be able to browse to a domain to access the site. +- Get a VPN provider with a static IP. This is not ideal as most VPN providers do not provide static IPs, and if they do, they are quite costly. +- Use a [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/). I have used this in past, it is free, however it is not overly well suited for streaming video.  + I am working towards a goal of being able to stream 4k video remotely. + +Instead, I am going to build my own cloud reverse proxy host. + +This makes use of a Virtual Private Server (VPS) to run Nginx Reverse Proxy Manager. The VPS will have access to the services running on my internal network via a WireGuard VPN. + +This will connect to my home network with a WireGuard VPN, and will run Reverse Proxy Manager to manage incoming web connections.  + +To make this, I need a few things: + +1. A VPS. There are many to choose from. In the end I went with a server from [OVHcloud](https://www.ovhcloud.com/en/). + - WireGuard is efficient compared to other VPN protocols, so the server does not have to be too powerful. + - Be sure to check how much network traffic the VPS allows. Lots have limits, which may or may not be enough for your use case. I am streaming 4k video so I am looking for unlimited bandwidth. +2. A router that allows for new VPN interfaces to be created. I use [opnSense](https://opnsense.org/) for my router which does allow this. + +# VPS Setup + +First I need to find a VPS provider. As I said before, I went with a server from [OVHcloud](https://www.ovhcloud.com/en/). + +The server I chose (VLE-4) costs $11 US per month. + +- 4 vCores +- 4GB RAM +- 80 GB NVMe SSD +- 1 Gbps unmetered connection +- 1x Static IPv4 address +- Anti-DDoS Protection Included +- Ubuntu 23.04 + +Once I purchased the server and it had provisioned, I connected and set up a few things.  + +1. Updated to Ubuntu 23.10 +2. Enabled Key-Based only login: See this guide: [How To Configure SSH Key-Based Authentication on a Linux Server](https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server) +3. Enable UFW Firewall + - Allow port 22(SSH), 51820/UDP(WireGuard), 443(HTTPS) + `sudo ufw allow ` + - Enable UFW + `sudo ufw enable` +4. Enabled the edge firewall on my hosting provider.  + +# VPN Setup + +After this it is time to install WireGuard VPN on the VPS. + +For this, I mostly followed this guide: [How To Set Up WireGuard on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04) + +I recommend reading that guide as there are some decisions I made that I do not explain, but at a high level, I followed through the steps up to the end of step 6: + +- Install WireGurad +- Create a new WireGuard private and public key pair:  + `wg genkey | sudo tee /etc/wireguard/private.key` + `sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key` +- Chose a new IP range, I chose 10.0.20.0/24 +- Created a new WireGuard Configuration file:  + `/etc/wireguard/wg0.conf` + +I was then able to start the WireGuard server, however I have still not yet added any peers. The guide explains how to do this on another Linux server, but in this case, I do not want to do that. Instead of step 7: + +This is done in the WireGuard Instance settings in my Router: + +![](/screenshot_2024-03-23_132217.png) + +![](/screenshot_2024-03-31_175906.png) + +Be sure to check the ‘Disable routes’ option in the Instance, as I will do this manually +For the gateway, it does not matter, just as long as it is unique. + +Then in the Peers tab: + +The Pubic Key is the Public key from the WireGuard Server on the VPS + +The Endpoint Address is the public IP of the VPS. + +![](/screenshot_2024-03-23_132626.png) + +After this we can continue with the [Digital Ocean guide](https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04) from step 8. + +The below command is then run to add the new opnSense peer to the Wireguard server. + +`sudo wg set wg0 peer allowed-ips 10.0.20.2` + +After doing this, I can see the VPN connection is up: + +![](/screenshot_2024-03-23_132057.png) + +In the end, my /etc/wireguard/wg0.conf file looked like: + +```plaintext +[Interface] +Address = 10.0.20.1/24 +SaveConfig = true +PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE +PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE +ListenPort = 51822 +PrivateKey = + +[Peer] +PublicKey = +AllowedIPs = 10.0.20.0/24, 10.0.10.0/24 +PersistentKeepalive = 25 +``` + +# Network Setup + +Now an interface needs to be created on my router for the new VPN connection so that I can configure firewall rules to allow and deny access.  + +For opnSense, this is as simple as going to Interfaces > Assignments, and adding the new interface  + +![](/screenshot_2024-03-23_133915.png) + +Then configure the settings as below: + +![](/screenshot_2024-03-23_133945.png) + +You do not need to configure a IPv4 address, as this will automatically get the IP address specified of the Instance Tunnel Address. + +After this, I created the below firewall rule so that the new WireGuard interface could access the LAN. + +![](/screenshot_2024-03-23_221508.png) + +If you have any strange issues, check the routing table (System > Routes > Status) to see if there are any old entries that need to be deleted.  + +# Reverse Proxy + +For the reverse Proxy I am using [Nginx Reverse Proxy Manager](https://nginxproxymanager.com/) running in a Docker container. + +First, install Docker: [Install Docker Engine on Ubuntu](https://docs.docker.com/engine/install/ubuntu/) + +Then I installed Portainer to give a nice webUI to manage Docker: [Install Portainer CE with Docker on Linux](https://docs.portainer.io/start/install-ce/server/docker/linux) + +Then in Portainer I made a new stack (docker compose).  + +![](/screenshot_2024-03-23_222702.png) + +I was then able to log into Reverse Proxy Manager and create the my domains in Reverse Proxy Manager + +![](/screenshot_2024-03-23_222930.png) + +I also needed to point these domains to the public IP of my VPS.  + +Once this was done, I was able to access the internal services via my domain name.  +For example, this website! \ No newline at end of file