Secure Remote Access to Home Lab Services
Introduction
In today’s distributed and remote-first world, securely accessing home lab services from anywhere is no longer a luxury—it’s a necessity. Whether you’re running GitLab for CI/CD, Jenkins for automation, or internal dashboards, exposing services directly to the internet can be risky and hard to manage.
This guide demonstrates a clean, secure, and production-style setup using WireGuard VPN and Nginx reverse proxy to provide controlled access to home lab services through a public VPS. The result is a solution that’s fast, encrypted on every network hop (TLS from the client to the VPS, WireGuard from the VPS to the home lab), and easy to extend as your lab grows.
Why Combine WireGuard and Nginx?
WireGuard and Nginx solve different problems—but together they form a powerful access layer.
- WireGuard provides a secure, private network between your VPS and your home lab.
- Nginx exposes selected services over HTTPS with proper routing, certificates, and security controls.
This approach avoids opening ports on your home network while still giving you a clean, domain-based access experience.
WireGuard Advantages
1. Modern Cryptography & Performance
WireGuard is built with modern cryptographic primitives by default:
- Curve25519 for key exchange
- ChaCha20-Poly1305 for encryption
- BLAKE2 for hashing
Compared to OpenVPN or IPSec, WireGuard delivers:
- Lower latency
- Higher throughput
- Faster connection establishment
Its minimal codebase (≈4,000 lines vs OpenVPN’s 100,000+) also reduces the attack surface and makes audits more realistic.
2. Simple and Predictable Configuration
WireGuard favors simplicity:
- Static configuration files
- No certificate authorities
- No renegotiation storms
- Easy key rotation
It works consistently across Linux, Windows, macOS, Android, and iOS, making it ideal for both servers and personal devices.
3. Security by Design
WireGuard enforces security at the protocol level:
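- Cryptokey routing binds each peer's public key to a list of allowed IPs: a packet is sent to a peer only if its destination is in that list, and accepted from a peer only if its source is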
- Perfect Forward Secrecy protects past sessions
- Built-in roaming allows peers to change networks without reconnecting
Nginx Reverse Proxy Benefits
1. SSL/TLS Termination
Nginx handles HTTPS for all backend services:
- Centralized TLS management
- Let’s Encrypt automation
- HTTP → HTTPS redirection
- Reduced load on backend applications
Your internal services remain private, while the VPS manages public-facing encryption.
2. Smart Routing and Scalability
With Nginx, you can:
- Route traffic based on domain names
- Map multiple services to different subdomains
- Add caching, compression, or load balancing later
This mirrors how real production environments are designed.
3. Security Controls at the Edge
Nginx acts as a security buffer:
- Rate limiting and basic DDoS mitigation
- Header sanitization
- Request filtering
- Optional Web Application Firewall (WAF)
Only validated, proxied traffic ever reaches your home lab.
Internet
↓
VPS (Public Server)
rebelstack
├── WireGuard Hub (10.200.200.1/24)
├── UFW Firewall
└── Nginx Reverse Proxy
    ├── gitlab.rebelstack.fun → 10.200.200.2:80
    └── jenkins.rebelstack.fun → 10.200.200.2:7070
↓ Encrypted WireGuard Tunnel
Home Lab (Private Network)
IP: 192.168.5.104
├── WireGuard Spoke (10.200.200.2/32)
├── GitLab (port 80)
└── Jenkins (port 7070)
What’s Happening Here?
- Public DNS points to the VPS
- Nginx receives HTTPS requests
- Traffic is forwarded over WireGuard
- Services remain completely private at home
No inbound ports are opened on the home router.
Hub-and-Spoke VPN Topology
Instead of a peer-to-peer mesh, this setup uses a hub-and-spoke model.
Hub (VPS)
- Publicly reachable
- Always online
- Central routing point
- Hosts Nginx and WireGuard
Spoke (Home Lab)
- Initiates outbound VPN connection
- Works behind NAT or firewalls
- No public IP required
- Maintains a persistent encrypted tunnel
This model is simple, scalable, and ideal for home labs or small teams.
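The hub-and-spoke layout above, written as a pair of wg-quick configuration files. This is an added example, not the author's actual configuration: the tunnel addresses come from the diagram, while UDP port 51820, the file paths and every <PLACEHOLDER> value are assumptions.

```ini
# ---- Hub: /etc/wireguard/wg0.conf on the VPS (assumed path) ----
[Interface]
# Hub address from the diagram
Address = 10.200.200.1/24
# Assumed port; it must also be allowed through UFW as UDP
ListenPort = 51820
# Placeholder, never commit a real key
PrivateKey = <HUB_PRIVATE_KEY>

[Peer]
# The home lab spoke
PublicKey = <SPOKE_PUBLIC_KEY>
# Cryptokey routing: the hub accepts packets from this key only when
# their source is 10.200.200.2, and sends only that destination to it.
# Keeping this a /32 (not the home LAN range, not 0.0.0.0/0) means the
# VPS has no route into the rest of the home network.
AllowedIPs = 10.200.200.2/32
# No Endpoint line: the hub learns the spoke's current address from
# its authenticated handshake, so the spoke can sit behind NAT.

# ---- Spoke: /etc/wireguard/wg0.conf on the home lab (assumed path) ----
[Interface]
# Spoke address from the diagram
Address = 10.200.200.2/32
PrivateKey = <SPOKE_PRIVATE_KEY>
# No ListenPort: the spoke only dials out, so the home router needs
# no port forwarding.

[Peer]
# The VPS hub
PublicKey = <HUB_PUBLIC_KEY>
Endpoint = <VPS_PUBLIC_IP>:51820
# Accept tunnel traffic only from the hub's own tunnel address
AllowedIPs = 10.200.200.1/32
# Send a keepalive every 25 seconds so the NAT mapping stays open and
# the hub can always reach GitLab and Jenkins through the tunnel.
PersistentKeepalive = 25
```

On the spoke, limiting inbound traffic on the WireGuard interface to ports 80 and 7070 keeps a compromised VPS from reaching anything in the lab beyond the two proxied services.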
Final Thoughts
Using WireGuard as a private transport layer and Nginx as a public access gateway gives you the best of both worlds: security and usability. This architecture scales from a simple home lab to a small production environment without major redesign.
https://jenkins.rebelstack.fun/
https://gitlab.rebelstack.fun/