Help! pfSense, Pi-hole, WireGuard tunnels, VPSes, HAProxy, etc.

Hello! New here, but I think I’ve stumbled upon an amazing community!

I’m asking for help, like so many others. I’ll start by outlining my goals and providing a diagram of what I’m trying to achieve, since many (many) hours of research have led me to believe I may be over-complicating things. I’m finding myself riddled with self-doubt!

The Goal:

  • A home network that is privacy-preserving (Traffic routed over VPN + Pihole by default for all devices)
    • Longer-term, I’d also like to use something like wstunnel on pfsense to mask the Wireguard traffic, but that’s out-of-scope for now :wink:
  • Home servers whose services are accessible over clearnet (on domains I own, with SSL) for others, without doxing my public IP (using VPSes and Wireguard tunnels)
  • A secure home network, where the home servers accessible over clearnet are walled-off (through VLANs) from other devices to limit blast radius/damage potential
  • A remote-accessible network (using Tailscale/Wireguard) whereby I am always able to connect to my home network, including benefitting from the Pihole for DNS/ad blocking

Here is the diagram:

After reading around a lot, it seems I’m not alone in this goal, but I read many conflicting takes on this and have wound up confused + lacking a real understanding of how best to achieve this.

This diagram is based on reading Wendell’s guide on this very site, amongst other places.

Ideally, from an administrative perspective, if I add a new service to one of my home servers, I’d like to be able to make it available to clearnet from pfSense vs. having to ssh between my VPSes and doing things in command line, but if this isn’t sensible/is massively overcomplicating things, then I’m open to doing things through the VPSes.

I’ve got to a place where the last remaining goals are to expose the home servers to clearnet and allow remote inbound connections. I am getting stuck on either:

  • Port forwarding across pfSense, the WireGuard tunnels and the VPS [seems like most people recommend against this route in the WireGuard + VPS era]
  • Using HAProxy on pfSense and then doing one (or two? idk) simple port forwards on the WAN interface to handle things
  • Running the reverse proxy on the VPS (and then…? I’m not sure here)

I have not been able to get either the port forwarding or HAProxy routes to work—I suspect this is due to my own lack of understanding, more than anything (I find forwarding across interfaces and tunnels confusing). I’ve not tried the reverse proxy on the VPS route, as it’s going to mean figuring out Nginx, I suppose, which I’ve never used before.

I’m also aware I may not be getting the IP tables in my Wireguard confs right on the VPS side of things, as well as UFW settings.

I’m learning a lot as I go, and recognise I’m trying to do quite an elaborate setup. Part of this is because I am a privacy nerd and enjoy the challenge; the other part is because… well, this is what I want to do!

I’d be grateful for help and pointers here. I have a full dump of both my pfsense settings and VPS Wireguard + UFW settings per server, which I can provide, but right now I can’t post links on this forum.

Given how many articles I’ve come across that are attempting to do this, each without a consistent response, I thought I’d add my article here, so that others may be able to achieve the same (I know you’re all out there!).


Hi, welcome.

Lots of people around these parts have those things you listed; there’s no clear, consistent guide/answer because people usually ask questions when something is broken, and it’s usually a different thing broken for someone.

There’s also no single right way of doing those things.

For example, I just use a Debian Linux system as my router/firewall and DIY all the routing/firewalling - no GUI or web UI. Other folks use pfSense, or pfSense in Proxmox, or RouterOS on Mikrotik hardware, or …

Whatever combination of “stuff” you choose, someone here is probably using each of the parts, but nobody’s doing everything the same.


There are a few generic troubleshooting command line tools I’d recommend everyone use: ping, tcpdump, curl -vvv, dig, mtr are all incredibly useful. They all have manuals, which I’d recommend you spend a bit of time glancing over, just to familiarize yourself with the structure of the text; you might need to reach for it later.

There are also a few generic troubleshooting techniques. E.g. “divide-and-conquer” is useful, “differential diagnosis” is another one.

Armed with those tools and strategies, you can kind of get yourself out of any kind of network related problem.


To start with, you seem unsure as to whether you actually need a VPS. People get VPSes to a) get around their ISP not giving them a public, world-routable IP that they’d like anyone to be able to use to access the services they’re running from home, b) get a bit of extra privacy, due to ISPs, particularly in the US, helping to make public routable addresses precisely geolocatable.

You don’t need one if you want to use e.g. Tailscale to access your own stuff.


Regarding port forwarding, if you’re tunneling, you don’t need it, but … if you want to run HAProxy, it’s often helpful to not run it on a VPS, but run it at home, in which case your VPS would be doing port forwarding/destination NAT work.

Have a look at various network interfaces along the way with tcpdump while trying to contact one of your services, and try to see whether any TCP ACK packets are coming back to you - my bet is either on routing policies not working correctly, or MTU trouble - but a closer look is needed.

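The VPS-side “port forwarding/destination NAT” role from the reply, as an added example that is not from either poster: it emits the iptables rules that hand one public TCP port to HAProxy behind the WireGuard tunnel at home, including the MASQUERADE on the tunnel that keeps the return path symmetric and an MSS clamp for the MTU case. The interface names, the tunnel address 10.200.0.2 and the port list are assumptions; the script prints rules for review rather than applying them.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumed names: WAN_IF is the VPS public
# interface, WG_IF the WireGuard interface on the VPS, HOME_WG_IP the pfSense end
# of the tunnel (a constructed address). Override any of them via the environment.
WAN_IF="${WAN_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"
HOME_WG_IP="${HOME_WG_IP:-10.200.0.2}"

# Rules to forward one TCP port from the VPS public IP to HAProxy at home.
# Output is one iptables command per line; paste into PostUp= of the VPS wg0.conf
# or pipe through sh once reviewed. UFW sets the FORWARD policy to DROP by default
# (DEFAULT_FORWARD_POLICY in /etc/default/ufw), so the explicit ACCEPTs are required.
vps_forward_rules() {
  port="$1"
  # 1. Rewrite the destination of new inbound connections to the home tunnel address.
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$WAN_IF" "$port" "$HOME_WG_IP" "$port"
  # 2. Let the forwarded flow cross WAN -> tunnel, and its replies tunnel -> WAN.
  printf 'iptables -A FORWARD -i %s -o %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
    "$WAN_IF" "$WG_IF" "$port"
  printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
    "$WG_IF" "$WAN_IF"
  # 3. Source-NAT onto the tunnel so pfSense sees the VPS tunnel address as the client
  #    and answers back through the tunnel instead of out its own WAN. Without this the
  #    SYN arrives at home but no SYN-ACK ever returns to the VPS (the "no ACK" symptom).
  printf 'iptables -t nat -A POSTROUTING -o %s -p tcp --dport %s -j MASQUERADE\n' \
    "$WG_IF" "$port"
}

# Clamp TCP MSS to the path MTU of the tunnel. Oversized segments silently dropped
# inside WireGuard look identical to a forwarding failure under tcpdump.
mss_clamp_rule() {
  printf 'iptables -t mangle -A FORWARD -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n' \
    "$WG_IF"
}

# Number of rules produced for one port: four forwarding rules plus the clamp.
rule_count() { { vps_forward_rules "$1"; mss_clamp_rule; } | wc -l | tr -d ' '; }

main() {
  for p in "$@"; do vps_forward_rules "$p"; done
  mss_clamp_rule
  # The check from the reply, run on the VPS while connecting from outside:
  echo "# verify: tcpdump -ni $WG_IF tcp port $1   (expect SYN out and SYN-ACK back)"
}

# Default to 80 and 443 when run without arguments.
if [ "$#" -eq 0 ]; then main 80 443; else main "$@"; fi
```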