Christian/wireguard-reverse-proxy-setup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2 Commits 1 Branch 0 Tags
33da10ad28ed1ecae234b1a9e167201ee0a30932
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Christian 33da10ad28 Update README.md
2026-03-16 19:19:24 +00:00
README.md
Update README.md
2026-03-16 19:19:24 +00:00

README.md

Self-Hosted Git Service Public Architecture

Overview

A self-hosted Gitea instance running on a home server, made publicly accessible via a cheap VPS (1 vCPU, 1 GB RAM, 10 GB SSD) acting as a secure entry point.

Architecture

                        Internet
                           │
                           ▼
                ┌─────────────────────┐
                │   VPS (Debian)      │
                │   Public IPv4       │
                │                     │
                │   WireGuard Tunnel  │
                │   iptables NAT      │
                │   (Port 80/443 →)   │
                └─────────┬───────────┘
                          │
                    WireGuard Tunnel
                    (encrypted, UDP)
                          │
                          ▼
          ┌───────────────────────────────┐
          │  Home Network                 │
          │                               │
          │  ┌─────────────────────────┐  │
          │  │ LXC: Reverse Proxy      │  │
          │  │                         │  │
          │  │ Caddy                   │  │
          │  │ - Auto TLS (Let's Enc.) │  │
          │  │ - Reverse Proxy → Gitea │  │
          │  └────────────┬────────────┘  │
          │               │               │
          │          LAN Bridge           │
          │               │               │
          │  ┌────────────▼────────────┐  │
          │  │ LXC: Gitea              │  │
          │  │                         │  │
          │  │ Git Hosting (HTTPS)     │  │
          │  │ Web UI + API            │  │
          │  └─────────────────────────┘  │
          │                               │
          │        Proxmox VE Host        │
          └───────────────────────────────┘

Traffic Flow

  1. User visits https://git.example.com
  2. DNS resolves to VPS public IP
  3. VPS forwards port 80/443 through WireGuard tunnel via iptables NAT
  4. Caddy (in LXC) terminates TLS with auto-provisioned Let's Encrypt certificate
  5. Caddy reverse-proxies request to Gitea (LXC) over LAN
  6. Gitea serves the response back through the same path

Components

Component Role Environment
VPS (1€/month) Public entry point, WireGuard endpoint, port forwarding Debian, cloud-hosted
WireGuard Encrypted site-to-site tunnel between VPS and home network Both sides
Caddy Reverse proxy with automatic HTTPS (Let's Encrypt) LXC on Proxmox
Gitea Self-hosted Git service (web UI, API, HTTPS clone) LXC on Proxmox
Proxmox VE Hypervisor managing all local containers Bare-metal, home server

Design Decisions

WireGuard over Tailscale/Headscale Only two endpoints with a fixed public IP on the VPS side a simple point-to-point WireGuard tunnel is sufficient. No need for mesh networking, NAT traversal, or a coordination server. Tailscale/Headscale can be added later if the setup grows.

Caddy over NGINX Caddy provides automatic TLS certificate provisioning and renewal with zero configuration. The entire reverse proxy config is 6 lines.

Reverse Proxy in separate LXC Keeps the proxy isolated from both the hypervisor and the application. Adding new services only requires editing the Caddyfile no changes to the VPS or tunnel needed.

TLS termination at home, not on VPS The VPS only forwards encrypted traffic. TLS is terminated by Caddy in the home network, keeping certificate management local and the VPS stateless.

Extensibility

Adding a new public service requires three steps:

  1. Deploy the service on Proxmox (VM or LXC)
  2. Add a DNS A-record pointing to the VPS
  3. Add a reverse_proxy block to the Caddyfile: 
    newservice.example.com {
    reverse_proxy <local-ip>:<port>
}

No changes to the VPS, tunnel, or firewall needed.

Security

  • VPS has no application logic it only forwards traffic
  • WireGuard provides authenticated, encrypted communication between sites
  • TLS certificates are automatically managed by Caddy (Let's Encrypt)
  • Gitea is not directly exposed to the internet
  • SSH hardened: key-only authentication, no root login
  • VPS firewall managed at provider level (only SSH, HTTP, HTTPS, WireGuard open)
Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme 28 KiB