Comment on NGINX config for TLS passthrough with multiple services?
MigratingtoLemmy@lemmy.world 1 year ago
I don’t have any guide (haven’t looked for one). The concept is simple:
- Configure Wireguard server on the VPS.
- Connect to server using your router/home firewall as a client (I believe you’ve done this already).
- Configure `nftables` or `iptables` to forward traffic coming from a certain IP/port through your VPN connection to your router.
- Since you have hosted your proxy at home, that’s where TLS termination happens, which means your traffic is encrypted in transit (NAT does not decrypt packets). So yes, you’re (in theory) safe from the VPS provider.
I believe there are ways to encrypt one’s RAM on a VPS but you likely don’t need it here, and that might be beyond the scope of this discussion anyway.
Cheers. I was given this idea by another person on Lemmy, I’m just pushing this wonderful idea forward.
nutbutter@discuss.tchncs.de 1 year ago
I have configured WireGuard server on the VPS, yes. But I am not connecting to it using my router. I am just using a wg config file on my home server to connect to it. And do I configure `nftables` or `iptables` on the VPS? Because the traffic from my home server is already set to forward to the VPS using wireguard. The proxy is set up on the VPS, not home server. I cannot change any settings on my router because I am behind CGNAT.
MigratingtoLemmy@lemmy.world 1 year ago
Well, it doesn’t matter if you configure the wireguard client on the router or the server.
Running your proxy at home instead of on the VPS makes it possible for you to terminate SSL at home, inside your LAN, which means no need for TLS pass-throughs.
`nftables` is recommended by Debian, but I suppose either one will work just fine.
I’m asking you to configure NAT on your VPS so as to forward traffic from the wider Internet, through your VPS into your wireguard tunnel. Obviously, I’m assuming you’re following security practices on the VPS so as to not compromise your home network. The configuration you have on your server is fine, since that’s meant for outbound traffic.
You can absolutely run a Wireguard client on your router, regardless of whether you are behind CG-NAT or not. It’s a different story if your router doesn’t even let you run extra software on top. That’s a different conversation.
Cheers.
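As an added illustration of the VPS-side NAT described in the two replies above (example config, not written by either poster), here is an nftables ruleset that pushes inbound 80/443 from the VPS's public interface into the WireGuard tunnel so that TLS is terminated by the proxy at home. Interface names, tunnel addresses and ports are assumptions: eth0 is the public NIC, wg0 the tunnel, 10.0.0.1 the VPS tunnel address and 10.0.0.2 the home server.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (assumed names/addresses, not from the thread).
# Prerequisite on the VPS: sysctl -w net.ipv4.ip_forward=1

define pub_if    = "eth0"          # VPS public interface (assumed)
define wg_if     = "wg0"           # WireGuard interface on the VPS (assumed)
define home      = 10.0.0.2        # home server's tunnel address (assumed)
define fwd_ports = { 80, 443 }     # only these cross into the tunnel

table inet vps_fwd {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # DNAT: rewrite the destination of inbound web traffic to the home
        # server's tunnel address; the TLS payload is untouched.
        iifname $pub_if tcp dport $fwd_ports dnat ip to $home
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Masquerade inside the tunnel so replies from the home server come
        # back via wg0 without policy routing at home. Trade-off: the home
        # proxy sees the VPS tunnel address, not the real client IP.
        oifname $wg_if ip daddr $home tcp dport $fwd_ports masquerade
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Return traffic for flows the VPS already forwarded
        ct state established,related accept
        # New connections may only enter the tunnel on the forwarded ports
        iifname $pub_if oifname $wg_if ip daddr $home \
            tcp dport $fwd_ports ct state new accept
    }
}
```

Load it with `nft -f` on the VPS; the default-drop forward chain means nothing else from the Internet reaches the tunnel, which is the point the reply makes about not compromising the home network.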
nutbutter@discuss.tchncs.de 1 year ago
Thanks. I understand, now.
And yes, my router does not have any option to configure a VPN.
MigratingtoLemmy@lemmy.world 1 year ago
Hey, sorry if I came across a bit curt in the previous message.
Can you do a DMZ and run your own router behind your ISP’s router?