I have a small homelab that is not open to the internet. I am considering the following setup. Please let me know if there are any glaring issues or if I am overcomplicating things.

  • I want to set up a reverse proxy in the cloud that will also act as a certificate authority. (I want to limit who can access the server to a small group of people.)

  • I will set up a VPN from a Raspberry Pi in my home to the reverse proxy in the cloud.

  • The traffic will pass from the Raspberry Pi VPN to my homelab.

I am not sure if I need the Raspberry Pi. I like the cloud as the reverse proxy as I do not have a static IP. I would just get a cheap VPS from Hetzner or something like that.

    • sugar_in_your_tea@sh.itjust.works · 1 upvote · 2 months ago

      Doesn’t work if you’re behind CGNAT (which I am), unfortunately.

      To tell, if your public IP matches what your router/modem reports as its WAN IP, you might be golden. If that’s the case, try messing w/ port forwards on your router to see what the ISP lets through. If it’s not the case, you’re behind CGNAT and either need to pay your ISP ($5-10 usually) or use a VPS. I’m behind CGNAT, so I went for the VPS because it’s the same price and I find more value in that vs a publicly routable address.

      • harsh3466@lemmy.ml · 1 upvote · 2 months ago

        Ah. Yeah. I think then you’ll want to look into cloudflare tunnels. I believe that should get you through the CGNAT and deal with the dynamic IP all in one go.

        • sugar_in_your_tea@sh.itjust.works · 3 upvotes · 2 months ago

          Yup, cloudflare should work.

          I personally set up a VPS w/ a WireGuard tunnel, with a reverse proxy at the VPS that sends traffic to connected WireGuard clients. My exact setup is something like this:

          1. VPS w/ HAProxy and WireGuard - routing happens based on SNI
          2. Caddy on homelab to handle TLS trunking
          3. router configured with static DNS routes so I can use public addresses w/o hitting the WAN on my LAN

          This could easily be adjusted to only have HAProxy work over the WireGuard interface so there are no public addresses to worry about.

          But I used Tailscale for a while to solve this problem, and cloudflare tunnels would work as well. Lots of options to work around stupid ISP policies…
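An added illustration of the VPS-side HAProxy + WireGuard layout the comment above describes (example config written for this thread, not the commenter's own files). The 10.8.0.0/24 tunnel addresses, the `.home.example.net` hostnames, the VPS endpoint name and the key placeholders are all assumed; HAProxy passes TLS through on SNI so the VPS never holds the homelab's private key, and the commented-out `bind` shows the "WireGuard-only, no public listener" variant.

```conf
# ---- /etc/haproxy/haproxy.cfg on the VPS (hypothetical) ----
global
    log /dev/log local0

defaults
    mode tcp                      # raw TCP: TLS is terminated by Caddy at home, not here
    log global
    option tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend https_in
    bind 0.0.0.0:443              # public listener
    # bind 10.8.0.1:443           # alternative: listen only on the WireGuard address
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }   # wait for the ClientHello
    # Forward only names we own; anything else gets no backend and is closed.
    use_backend homelab_caddy if { req.ssl_sni -i -m end .home.example.net }

backend homelab_caddy
    # Caddy on the homelab, reached through the tunnel; "check" is a plain TCP probe.
    server caddy 10.8.0.2:443 check

# ---- /etc/wireguard/wg0.conf on the VPS (hypothetical) ----
# [Interface]
# Address    = 10.8.0.1/24
# ListenPort = 51820
# PrivateKey = <VPS_PRIVATE_KEY_PLACEHOLDER>
#
# [Peer]
# PublicKey  = <HOMELAB_PUBLIC_KEY_PLACEHOLDER>
# AllowedIPs = 10.8.0.2/32      # peer may only source its own tunnel address

# ---- /etc/wireguard/wg0.conf on the homelab / Raspberry Pi (hypothetical) ----
# [Interface]
# Address    = 10.8.0.2/24
# PrivateKey = <HOMELAB_PRIVATE_KEY_PLACEHOLDER>
#
# [Peer]
# PublicKey  = <VPS_PUBLIC_KEY_PLACEHOLDER>
# Endpoint   = vps.example.net:51820
# AllowedIPs = 10.8.0.1/32      # only VPS traffic enters the tunnel, not a full default route
# PersistentKeepalive = 25      # keeps the CGNAT mapping alive; the home side dials out
```

Because the home side initiates the WireGuard handshake and keeps it alive, nothing needs to be port-forwarded at home, which is what makes this work behind CGNAT.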