Hello! New here, but I think I’ve stumbled upon an amazing community!
I’m asking for help, like so many others. I’ll start by outlining my goals and providing a diagram of what I’m trying to achieve, since many (many) hours of research have led me to believe I may be over-complicating things. I’m finding myself riddled with self-doubt!
The Goal:
- A home network that is privacy-preserving (traffic routed over VPN + Pi-hole by default for all devices)
- Longer-term, I’d also like to use something like wstunnel on pfSense to mask the WireGuard traffic, but that’s out of scope for now
- Home servers whose services are accessible over clearnet (on domains I own, with SSL) for others, without doxing my public IP (using VPSes and WireGuard tunnels)
- A secure home network, where the home servers accessible over clearnet are walled off (through VLANs) from other devices to limit blast radius/damage potential
- A remote-accessible network (using Tailscale/WireGuard) whereby I am always able to connect to my home network, including benefitting from the Pi-hole for DNS/ad blocking
Here is the diagram:
After reading around a lot, it seems I’m not alone in this goal, but I read many conflicting takes on this and have wound up confused + lacking a real understanding of how best to achieve this.
This diagram is based on reading Wendell’s guide on this very site, amongst other places.
Ideally, from an administrative perspective, if I add a new service to one of my home servers, I’d like to be able to make it available to clearnet from pfSense vs. having to SSH between my VPSes and doing things on the command line, but if this isn’t sensible/is massively overcomplicating things, then I’m open to doing things through the VPSes.
I’ve got to a place where the last remaining goals are to expose the home servers to clearnet and allow remote inbound connections. I am getting stuck on either:
- Port forwarding across pfSense, the WireGuard tunnels and the VPS [seems like most people recommend against this route in the WireGuard + VPS era]
- Using HAProxy on pfSense and then doing one (or two? idk) simple port forwards on the WAN interface to handle things
- Running the reverse proxy on the VPS (and then…? I’m not sure here)
I have not been able to get either the port forwarding or HAProxy routes to work—I suspect this is due to my own lack of understanding, more than anything (I find forwarding across interfaces and tunnels confusing). I’ve not tried the reverse proxy on the VPS route, as it’s going to mean figuring out Nginx, I suppose, which I’ve never used before.
I’m also aware I may not be getting the iptables rules in my WireGuard confs right on the VPS side of things, as well as UFW settings.
I’m learning a lot as I go, and recognise I’m trying to do quite an elaborate setup. Part of this is because I am a privacy nerd and enjoy the challenge; the other part is because… well, this is what I want to do!
I’d be grateful for help and pointers here. I have a full dump of both my pfSense settings and VPS WireGuard + UFW settings per server, which I can provide, but right now I can’t post links on this forum.
Given how many articles I’ve come across that are attempting to do this, each without a consistent response, I thought I’d add my article here, so that others may be able to achieve the same (I know you’re all out there!)
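Added example, not part of the original post or anyone's reply to it: what the VPS side of the first option above (port forwarding across the VPS and the WireGuard tunnel to HAProxy on pfSense) looks like as iptables rules, generated as PostUp/PostDown hooks for the VPS's wg0.conf. All names are assumptions: the VPS public interface is eth0, the tunnel interface is wg0, pfSense's tunnel address is 10.66.0.2 and the VPS's is 10.66.0.1. The script only prints the rules; nothing is applied unless you paste the output into the config and bring the tunnel up.

```shell
#!/bin/sh
# Added example (not from the original post). Emits the iptables rules a VPS
# needs to forward inbound TCP ports on its public interface into a WireGuard
# tunnel whose far end is pfSense (with HAProxy listening on its tunnel IP).
# Assumed names: WAN_IF=eth0, WG_IF=wg0, HOME_WG_IP=10.66.0.2 (pfSense).
set -eu

# Print the iptables commands, one per line, for the given TCP ports.
# Arguments: wan_if wg_if home_wg_ip "port port ..."
forward_rules() {
  wan_if=$1; wg_if=$2; home=$3; ports=$4
  for p in $ports; do
    # Rewrite the destination of packets arriving on the WAN to pfSense's tunnel IP.
    echo "iptables -t nat -I PREROUTING -i $wan_if -p tcp --dport $p -j DNAT --to-destination $home:$p"
    # Let the rewritten packets through FORWARD. UFW sets the FORWARD policy to
    # DROP, so without this rule the DNAT'd traffic dies on the VPS. -I puts the
    # rule ahead of UFW's own chains.
    echo "iptables -I FORWARD -i $wan_if -o $wg_if -p tcp -d $home --dport $p -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
  done
  # Replies from pfSense come back through the tunnel.
  echo "iptables -I FORWARD -i $wg_if -o $wan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Source-NAT to the VPS's tunnel address. Without this pfSense sees the real
  # client IP as the source and sends replies out its default route (the VPN),
  # not back down wg0. The cost is losing the client IP at HAProxy; if you need
  # it, terminate TLS on the VPS or use PROXY protocol instead.
  echo "iptables -t nat -I POSTROUTING -o $wg_if -d $home -j MASQUERADE"
}

# Wrap the rule list as PostUp/PostDown lines for the [Interface] section of
# wg0.conf. wg-quick accepts multiple PostUp/PostDown lines; PostDown swaps
# -I for -D so the rules are removed when the tunnel goes down.
wg_hooks() {
  rules=$(forward_rules "$@")
  echo "$rules" | sed 's/^/PostUp = /'
  echo "$rules" | sed -e 's/ -I / -D /' -e 's/^/PostDown = /'
}

# Usage: print the hooks for HTTP and HTTPS.
wg_hooks eth0 wg0 10.66.0.2 "80 443"
```

The VPS also needs `net.ipv4.ip_forward=1` in sysctl, and pfSense needs a firewall rule on the WireGuard interface allowing TCP 80/443 to its own tunnel address with HAProxy bound there. If you would rather keep everything inside UFW, the FORWARD rules have an equivalent in `ufw route allow in on eth0 out on wg0 to 10.66.0.2 port 443 proto tcp`, but the NAT rules still have to go into iptables (for example in /etc/ufw/before.rules).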