lucas-wiki/home/Public/Guides/reverse_proxy.md

---
title: Reverse Proxy using a VPS
description: Self hosted VPS as a Reverse Proxy
published: true
date: 2025-12-13T12:40:51.346Z
tags: public, networking
editor: markdown
dateCreated: 2023-10-18T18:42:56.780Z
---

This is a guide to create a reverse proxy using a Virtual Private Server, or VPS so that you can access internally hosted services. 

# My Situation

I host some services from my home lab that I access remotely, such as Home Assistant. 

In my previous house, I was the account owner for the internet. I was able to get a static IP, and have the ISP open incoming ports 80 and 443 for web traffic.

Now I lived in shared accommodation which has an included internet connection, in the form of an Ethernet cable coming out the wall. Everyone just uses the same LAN.  
I do have access to the router, but to maintain an environment that I can ‘home lab freely' in, I wanted to set up my own LAN. 

I can do this while still utilising the shared connection. We have fiber and my services are not bandwidth heavy. 

I have configured a router of my own with, with all traffic sent via [Mullvad VPN](https://mullvad.net/en).

Now I need to be able to access my internal services externally, using this same internet connection.

# The Plan

There are some ways I can do this:

-   A VPN to my network, such as OpenVPN, SSL VPN, WireGuard, or even an overlay network such as TailScale.  
    This however this would mean I have to install a VPN app first and configure it. What if someone else wants to watch videos too? They now have to install some VPN app on their TV. Too much work! I just want to be able to browse to a domain to access the site.
-   Get a VPN provider with a static IP. This is not ideal as most VPN providers do not provide static IPs, and if they do, they are quite costly.
-   Use a [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/). I have used this in past, it is free, however it is not overly well suited for streaming video.   
    I am working towards a goal of being able to stream 4k video remotely.

Instead, I am going to build my own cloud reverse proxy host.

This makes use of a Virtual Private Server (VPS) to run Nginx Reverse Proxy Manager. The VPS will have access to the services running on my internal network via a WireGuard VPN.

This will connect to my home network with a WireGuard VPN, and will run Reverse Proxy Manager to manage incoming web connections. 

To make this, I need a few things:

1.  A VPS. There are many to choose from. In the end I went with a server from [OVHcloud](https://www.ovhcloud.com/en/).
    -   WireGuard is efficient compared to other VPN protocols, so the server does not have to be too powerful.
    -   Be sure to check how much network traffic the VPS allows. Lots have limits, which may or may not be enough for your use case. I am streaming 4k video so I am looking for unlimited bandwidth.
2.  A router that allows for new VPN interfaces to be created. I use [opnSense](https://opnsense.org/) for my router which does allow this.

# VPS Setup

First I need to find a VPS provider. As I said before, I went with a server from [OVHcloud](https://www.ovhcloud.com/en/).

The server I chose (VLE-4) costs $11 US per month.

-   4 vCores
-   4GB RAM
-   80 GB NVMe SSD
-   1 Gbps unmetered connection
-   1x Static IPv4 address
-   Anti-DDoS Protection Included
-   Ubuntu 23.04

Once I purchased the server and it had provisioned, I connected and set up a few things. 

1.  Updated to Ubuntu 23.10
2.  Enabled Key-Based only login: See this guide: [How To Configure SSH Key-Based Authentication on a Linux Server](https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server)
3.  Enable UFW Firewall
    -   Allow port 22(SSH), 51820/UDP(WireGuard), 443(HTTPS)  
        `sudo ufw allow <PORTS>`
    -   Enable UFW  
        `sudo ufw enable`
4.  Enabled the edge firewall on my hosting provider. 

# VPN Setup

After this it is time to install WireGuard VPN on the VPS.

For this, I mostly followed this guide: [How To Set Up WireGuard on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04)

I recommend reading that guide as there are some decisions I made that I do not explain, but at a high level, I followed through the steps up to the end of step 6:

-   Install WireGurad
-   Create a new WireGuard private and public key pair:   
    `wg genkey | sudo tee /etc/wireguard/private.key`  
    `sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key`
-   Chose a new IP range, I chose 10.0.20.0/24
-   Created a new WireGuard Configuration file:   
    `/etc/wireguard/wg0.conf`

I was then able to start the WireGuard server, however I have still not yet added any peers. The guide explains how to do this on another Linux server, but in this case, I do not want to do that. Instead of step 7:

This is done in the WireGuard Instance settings in my Router:

![](screenshot_2024-03-23_132217.png)

![](screenshot_2024-03-31_175906.png)

Be sure to check the ‘Disable routes’ option in the Instance, as I will do this manually  
For the gateway, it does not matter, just as long as it is unique.

Then in the Peers tab:

The Pubic Key is the Public key from the WireGuard Server on the VPS

The Endpoint Address is the public IP of the VPS.

![](screenshot_2024-03-23_132626.png)

After this we can continue with the [Digital Ocean guide](https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04) from step 8.

The below command is then run to add the new opnSense peer to the Wireguard server.

`sudo wg set wg0 peer <PUBLIC KEY> allowed-ips 10.0.20.2`

After doing this, I can see the VPN connection is up:

![](screenshot_2024-03-23_132057.png)

In the end, my /etc/wireguard/wg0.conf file looked like:

```plaintext
[Interface]  
Address = 10.0.20.1/24  
SaveConfig = true  
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE  
ListenPort = 51822  
PrivateKey = <SERVER PRIVATE KEY>

[Peer]  
PublicKey = <PEER PUBLIC KEY>
AllowedIPs = 10.0.20.0/24, 10.0.10.0/24  
PersistentKeepalive = 25
```

# Network Setup

Now an interface needs to be created on my router for the new VPN connection so that I can configure firewall rules to allow and deny access. 

For opnSense, this is as simple as going to Interfaces > Assignments, and adding the new interface 

![](screenshot_2024-03-23_133915.png)

Then configure the settings as below:

![](screenshot_2024-03-23_133945.png)

You do not need to configure a IPv4 address, as this will automatically get the IP address specified of the Instance Tunnel Address.

After this, I created the below firewall rule so that the new WireGuard interface could access the LAN.

![](screenshot_2024-03-23_221508.png)

If you have any strange issues, check the routing table (System > Routes > Status) to see if there are any old entries that need to be deleted. 

# Reverse Proxy

For the reverse Proxy I am using [Nginx Reverse Proxy Manager](https://nginxproxymanager.com/) running in a Docker container.

First, install Docker: [Install Docker Engine on Ubuntu](https://docs.docker.com/engine/install/ubuntu/)

Then I installed Portainer to give a nice webUI to manage Docker: [Install Portainer CE with Docker on Linux](https://docs.portainer.io/start/install-ce/server/docker/linux)

Then in Portainer I made a new stack (docker compose). 

![](screenshot_2024-03-23_222702.png)

I was then able to log into Reverse Proxy Manager and create the my domains in Reverse Proxy Manager

![](screenshot_2024-03-23_222930.png)

I also needed to point these domains to the public IP of my VPS. 

Once this was done, I was able to access the internal services via my domain name.   
For example, this website!