Update README.md

2026-03-16 19:24:19 +00:00
parent 33da10ad28
commit 207e6030c1


@@ -69,13 +69,13 @@ A self-hosted Gitea instance running on a home server, made publicly accessible
## Design Decisions ## Design Decisions
**WireGuard over Tailscale/Headscale** **WireGuard over Tailscale/Headscale**
Only two endpoints with a fixed public IP on the VPS side a simple point-to-point WireGuard tunnel is sufficient. No need for mesh networking, NAT traversal, or a coordination server. Tailscale/Headscale can be added later if the setup grows. Only two endpoints with a fixed public IP on the VPS side - a simple point-to-point WireGuard tunnel is sufficient. No need for mesh networking, NAT traversal, or a coordination server. Tailscale/Headscale can be added later if the setup grows.
**Caddy over NGINX** **Caddy over NGINX**
Caddy provides automatic TLS certificate provisioning and renewal with zero configuration. The entire reverse proxy config is 6 lines. Caddy provides automatic TLS certificate provisioning and renewal with zero configuration. The entire reverse proxy config is 6 lines.
**Reverse Proxy in separate LXC** **Reverse Proxy in separate LXC**
Keeps the proxy isolated from both the hypervisor and the application. Adding new services only requires editing the Caddyfile no changes to the VPS or tunnel needed. Keeps the proxy isolated from both the hypervisor and the application. Adding new services only requires editing the Caddyfile - no changes to the VPS or tunnel needed.
**TLS termination at home, not on VPS** **TLS termination at home, not on VPS**
The VPS only forwards encrypted traffic. TLS is terminated by Caddy in the home network, keeping certificate management local and the VPS stateless. The VPS only forwards encrypted traffic. TLS is terminated by Caddy in the home network, keeping certificate management local and the VPS stateless.
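Review bot: the edits in this hunk only restore a " - " separator in the WireGuard and LXC paragraphs, which is fine, but while touching "WireGuard over Tailscale/Headscale" it is worth stating what the paragraph implies: only the VPS side has a fixed public IP, so the home peer has to be the one that initiates the tunnel and keeps it alive from behind its NAT. One sentence such as "the home-side peer sets Endpoint to the VPS address and a PersistentKeepalive so the tunnel survives NAT timeouts" would make the "no NAT traversal needed" claim easier to verify. Similarly, "TLS termination at home, not on VPS" says the VPS forwards encrypted traffic and stays stateless; spell out that this means plain TCP forwarding of 80/443 into the tunnel rather than an HTTP proxy on the VPS, since that is the property the later Security section relies on.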
@@ -97,7 +97,7 @@ No changes to the VPS, tunnel, or firewall needed.
## Security ## Security
- VPS has no application logic it only forwards traffic - VPS has no application logic - it only forwards traffic
- WireGuard provides authenticated, encrypted communication between sites - WireGuard provides authenticated, encrypted communication between sites
- TLS certificates are automatically managed by Caddy (Let's Encrypt) - TLS certificates are automatically managed by Caddy (Let's Encrypt)
- Gitea is not directly exposed to the internet - Gitea is not directly exposed to the internet
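Review bot: the "Gitea is not directly exposed to the internet" bullet is slightly misleading given the opening line of the file ("made publicly accessible"): Gitea is reachable from the internet, just not on a home-network IP. Suggest rewording to something like "Gitea has no public IP of its own; all inbound traffic enters via the VPS and the WireGuard tunnel". The first bullet, "VPS has no application logic - it only forwards traffic", would also benefit from saying what the VPS forwarding and firewall allow, since the context line above mentions the firewall: for example that only WireGuard's UDP port and 80/443 are open inbound and that 80/443 are forwarded at TCP level so no certificate or plaintext ever sits on the VPS, which is the guarantee the "TLS termination at home" design decision is meant to give.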