I have a small homelab that is not open to the internet. I am considering the following setup. Please let me know if there are any glaring issues or if I am over complicating things.
-
I want to setup a reverse proxy in the cloud that will also act as a certificate authority. (I want to limit who can access the server to a small group of people.)
-
I will setup a vpn from a raspberry pi in my home to the reverse proxy in the cloud.
-
The traffic will pass from the raspberry pi vpn to my homelab.
I am not sure if I need the raspberry pi. I like the cloud as the reverse proxy as I do not have a static IP. I would just get a cheap vps from hetzner or something like that.
I have a similar setup. I use d.rymcg.tech (a configuration manager for Docker, as well as a collection of open source web services and config templates) and have Traefik (reverse proxy) on a Digital Ocean dropet connected to a VM in my home lab through wireguard. This framework allows me to put authentication and authoriation in front of any apps/services I’m hosting (HTTP basic auth, oauth2, mTLS). This setup allows me to control what is allowed access from outside of my home, without opening any ports.
I should add the d.rymcg.tech includes step-ca if you want to host your own CA server, but I agree with @[email protected] : it’s not necessary for securely hosting services, and ir can be dangerous I’d not done carefully.
Have you considered other approaches, such as Tailscale or Cloudflare Tunnels? I think you’re complicating things.
How will running a CA limit access? eg. Do you want to do client side cert validation? That sounds like an overcomplication. Also not ideal to run a CA (have signing keys) on the proxy server.
That sounds like a great plan, and a great way to learn how this sort of thing works.
it might be better to skip the cloud server and use cloudflare for dynamic dns. The standardized way to restrict access to websites is with client certificates or a basic authentication (user/pass) proxy. That would help avoid issues with internet traffic passing through the VPN accidentally.
You can deal with the non-static IP by using duckdns.org
Well if you don’t have a static IP, then your reverse proxy is going to break when your lease changes anyway. Not sure what your intended goal is for access and to what, but this is certainly a more costly and complex setup than needed for whatever it is.
The VPN should keep access to the homelab even when the external IP changes. Assuming the VPN connects from the homelab to the cloud. The reverse proxy would use the VPN local IPs to connect to services.
