Making a homelab remotely accessible
Hello everyone,
I guess this could be considered my first actual post on my website, but I’m writing this to say that I’m now running my website from my own PERSONAL Server, without using port forwarding.
But, wait, how am I accessing your website?
Good Question! You’re able to access my site through what is called a reverse proxy. Simply put, my personal server is connected to a server that faces the internet, and then any requests for my website get forwarded from the public server to my personal server.
This also lets me run other services locally and make them reachable remotely. For instance, I could run a mail server locally and make only the ports for receiving mail public, so that logging in to my mail server is limited to anyone connected to either my local network or the reverse proxy network.
How can I do this myself?
Making local network services accessible through a reverse proxy is relatively straightforward. You need a subscription to a VPS, preferably from a low-cost provider like Vultr. Then set up either a VPN server or an SSH tunnel connecting your local server to your VPS. A VPN connection is slightly more difficult to set up, but it is preferable since it creates a private intranet between the two machines. Once this connection is up, you can forward traffic hitting your public server to your local server using iptables, nginx, apache, etc.
Setting up a VPS
Personally, when it comes to a VPS, I’d recommend Vultr since they have cheap offerings and it’s relatively easy to spin up a server. After you’ve signed up, go to products and hit the ‘+ deploy’ button. For your server type choose shared CPU, pick whatever location is closest to you, and for the plan type select vc2-1c-0.5gb. DO NOT PICK vc2-1c-0.5gb-v6: the former gives you both an IPv4 and an IPv6 address, but the latter only gives you an IPv6 address.
After you’ve spun up your server you’ll want to generate an SSH key pair. To do this run:
ssh-keygen
Then, to copy your public key to the server, run:
ssh-copy-id -i ~/.ssh/your_key.pub root@your_server_ip
After this, log in using SSH and make the following changes to your /etc/ssh/sshd_config:
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM no
ChallengeResponseAuthentication no
Then once you’ve made these changes restart the SSH daemon by running:
systemctl restart sshd
Setting up the reverse proxy
In order to set up the reverse proxy connection to the homelab, we’ll be using WireGuard. To start off, install WireGuard on both your homelab and your VPS. For installation instructions I’ll defer you to WireGuard’s install guide here.
Once installed you’ll need to generate a private and public key pair for both your server and your client.
First, on your server (VPS) run the following command:
umask 077 ; wg genkey > /etc/wireguard/server_priv.key && wg pubkey < /etc/wireguard/server_priv.key > /etc/wireguard/server_pub.key
Then, on your client machine (homelab) run the following:
umask 077 ; wg genkey > /etc/wireguard/client_priv.key && wg pubkey < /etc/wireguard/client_priv.key > /etc/wireguard/client_pub.key
After this is done you’ll need to configure WireGuard so that you can connect your homelab to your VPS. First, on your VPS you’ll have to enable IPv4 forwarding. Do this by going into /etc/sysctl.d/99-sysctl.conf and uncommenting the following line:
net.ipv4.ip_forward=1
Then run the following command:
sysctl -w net.ipv4.ip_forward=1
Next, we need to create a WireGuard interface for our client to connect to. To start with, create a file in /etc/wireguard called wg0.conf and paste the following config (eth0 in the PostUp/PostDown rules is the VPS’s public interface; adjust it if yours is named differently):
[Interface]
Address = 172.16.0.1/24
ListenPort = 51820
PrivateKey = your_server_private_key
# Firewall rules
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = your_client_public_key
AllowedIPs = 172.16.0.2/32
PersistentKeepalive = 25
Then run the following command to start WireGuard:
systemctl enable --now wg-quick@wg0
After this, on your home lab you’ll want to create an interface for your home lab to connect to your VPS. To do that, create wg0.conf and paste the following config:
[Interface]
Address = 172.16.0.2/24
PrivateKey = your_client_private_key
[Peer]
PublicKey = your_server_public_key
Endpoint = your_server_ipv4:51820
AllowedIPs = 172.16.0.0/24
Note that AllowedIPs is not 0.0.0.0/0, ::/0. This is because we don’t want to send all of our traffic through the VPS to the internet; we only forward traffic meant for the home lab. Finally, after creating our wg0.conf on our home lab, we can connect it by running the same systemctl command that we used to enable it on our VPS.
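As an added example (not part of the original post), here is a small Python checker that parses a server/client wg0.conf pair like the two above and flags the mistakes these steps warn about: a server AllowedIPs that is not the client’s /32, a client AllowedIPs that contains a default route, a mismatched Endpoint port, and a your_..._key placeholder left in place of a real key. The configs, the dummy key and the VPS address 203.0.113.10 inside it are constructed for the example.

```python
import base64
import configparser
import ipaddress
# Constructed dummy key: base64 of 32 fixed bytes, the shape `wg genkey` outputs.
DUMMY_KEY = base64.b64encode(bytes(range(32))).decode()
# Constructed configs mirroring the post's server (VPS) and client (homelab) files.
SERVER_CONF = f"""[Interface]
Address = 172.16.0.1/24
ListenPort = 51820
PrivateKey = {DUMMY_KEY}
[Peer]
PublicKey = {DUMMY_KEY}
AllowedIPs = 172.16.0.2/32
PersistentKeepalive = 25
"""
CLIENT_CONF = f"""[Interface]
Address = 172.16.0.2/24
PrivateKey = {DUMMY_KEY}
[Peer]
PublicKey = {DUMMY_KEY}
Endpoint = 203.0.113.10:51820
AllowedIPs = 172.16.0.0/24
"""

def parse_wg(text):
    """Parse a wg-quick style file into {'Interface': {...}, 'Peer': {...}}."""
    cp = configparser.ConfigParser(strict=False)
    cp.optionxform = str  # keep key case (PrivateKey, AllowedIPs, ...)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def check_pair(server_text, client_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    srv, cli = parse_wg(server_text), parse_wg(client_text)
    cli_ip = ipaddress.ip_interface(cli["Interface"]["Address"]).ip
    findings = []
    # The VPS should accept only the homelab's single tunnel IP from this peer.
    if srv["Peer"]["AllowedIPs"].strip() != f"{cli_ip}/32":
        findings.append("server AllowedIPs should be the client's /32 tunnel address")
    # The homelab should route only the tunnel subnet, never a default route.
    for cidr in cli["Peer"]["AllowedIPs"].split(","):
        if ipaddress.ip_network(cidr.strip(), strict=False).prefixlen == 0:
            findings.append(f"client AllowedIPs {cidr.strip()} sends all traffic via the VPS")
    if cli["Peer"]["Endpoint"].rsplit(":", 1)[1] != srv["Interface"].get("ListenPort"):
        findings.append("client Endpoint port does not match server ListenPort")
    for side, cfg in (("server", srv), ("client", cli)):
        for key in (cfg["Interface"]["PrivateKey"], cfg["Peer"]["PublicKey"]):
            if len(key) != 44 or not key.endswith("="):
                findings.append(f"{side}: {key!r} is not a WireGuard key (placeholder?)")
    return findings
```

Run check_pair on the two files before bringing the interfaces up; an empty list means the pair is consistent.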
Conclusion
Now that you’ve successfully configured and connected your home lab to a private VPS, you’re ready to start forwarding your services through a private network, giving you the safety and flexibility to self-host without exposing your home network to the internet.