vps-wireguard

VPS WireGuard VPN Server with Home Network Integration - Security-First Network Architecture

Situation

A production-grade VPN solution was needed to provide secure remote access to home network resources while serving as a self-hosted reverse proxy alternative to Cloudflare Tunnels. The challenge was to deploy a WireGuard VPN server on a cost-effective $7/month VPS that would integrate with a private pfSense router via site-to-site tunnel, enabling bidirectional routing between cloud and on-premises infrastructure.

The solution needed to handle several interacting networking problems:

  • Docker's iptables modifications breaking NAT masquerading for WireGuard clients
  • The VPS provider injecting an incorrect default gateway on reboot, breaking all routing
  • Cloudflare proxy IPs appearing in Nginx logs instead of real visitor IPs, causing Fail2Ban to ban legitimate users
  • The VPS being unable to reach home LAN devices, which the reverse proxy functionality depends on
  • Intermittent connection drops from MTU mismatches across network paths

Additionally, the solution required defense-in-depth security through Fail2Ban, Cloudflare API integration, and Nginx hardening, while maintaining cost-effectiveness and operational simplicity.

Task

The goal was to design and deploy a production-grade WireGuard VPN server that would:

  • Provide secure remote access to home network resources through road warrior clients
  • Integrate public VPS with private pfSense router via site-to-site WireGuard tunnel
  • Enable bidirectional routing between cloud and on-premises infrastructure
  • Serve as self-hosted reverse proxy alternative to Cloudflare Tunnels
  • Implement defense-in-depth security (Fail2Ban, Cloudflare API, Nginx hardening)
  • Maintain cost-effectiveness ($7/month VPS)
  • Ensure reliability through automated fixes and proper configuration

Success criteria included: reliable VPN connectivity for road warrior clients, bidirectional site-to-site routing between VPS and home network, secure external access without port forwarding, multi-layer security preventing attacks, automated SSL certificate management, and elimination of Cloudflare Tunnel dependency.

Action

WireGuard Server Architecture

Deployed WireGuard server on Ubuntu LTS VPS with three distinct traffic flows:

  1. Road Warrior Clients: Accessing internet and home LAN through VPS
  2. Site-to-Site Tunnel: Between VPS and pfSense router for bidirectional routing
  3. Nginx Reverse Proxy: Forwarding requests through WireGuard interface to home LAN services, replacing Cloudflare Tunnel dependency

Docker Interference with NAT Rules - NFTables Solution

Resolved the conflict between Docker's iptables modifications and UFW's NAT masquerading:

  • Problem: Docker's iptables modifications broke UFW NAT masquerading for WireGuard clients, preventing internet access
  • Solution: Migrated the NAT rules to NFTables, which operates independently of Docker's iptables chains
  • Result: VPN functionality works regardless of container state, ensuring reliable connectivity
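One way to implement this, as an added example rather than the project's own script: the WireGuard NAT lives in its own nftables table with its own hooks, so Docker's iptables edits never touch it. The interface names and client subnet (eth0, wg0, 10.8.0.0/24) are constructed values.

```sh
#!/bin/sh
# Added example, not the project's own script: keep the WireGuard NAT rules in a
# dedicated nftables table with its own hooks, so Docker's edits to the iptables
# "nat" and "filter" tables cannot remove them. Assumed values (constructed):
# WAN interface eth0, WireGuard interface wg0, client subnet 10.8.0.0/24.
set -eu

WAN_IF="${WAN_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"
WG_NET="${WG_NET:-10.8.0.0/24}"

# Print the ruleset for "nft -f".
wg_nat_ruleset() {
    cat <<EOF
table inet wg_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Masquerade VPN clients only when they leave via the WAN interface
        ip saddr $WG_NET oifname "$WAN_IF" masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # Replies for flows the VPN side opened
        ct state established,related accept
        # VPN clients may reach the internet
        iifname "$WG_IF" oifname "$WAN_IF" ip saddr $WG_NET accept
        # Nothing new may enter the tunnel from the WAN side
        iifname "$WAN_IF" oifname "$WG_IF" drop
    }
}
EOF
}

# Atomic reload: declare and flush only our table, never Docker's or UFW's.
wg_nat_apply() {
    { printf 'table inet wg_nat\nflush table inet wg_nat\n'; wg_nat_ruleset; } | nft -f -
}

# Check that the masquerade rule is live, independent of container state.
wg_nat_check() {
    nft list table inet wg_nat | grep -q masquerade
}

if [ "${1:-}" = "apply" ]; then
    wg_nat_apply && wg_nat_check && echo "wg_nat ruleset loaded"
fi
```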

Provider "Ghost Gateway" Routing Issue - Automated Boot Fix

Created automated solution for VPS provider's incorrect default gateway injection:

  • Problem: VPS provider injected incorrect default gateway (100.100.x.x) on reboot, breaking all routing
  • Solution: Automated cron-based script that removes ghost gateway and sets correct route on boot
  • Result: Ensures reliable connectivity after restarts, eliminating manual intervention
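The boot fix described above, as an added example (not the project's own script): it parses the kernel's default routes, removes any route via the 100.100.x.x ghost gateway, and restores the real one. The real gateway 203.0.113.1 on eth0 is a constructed value.

```sh
#!/bin/sh
# Added example, not the project's own script: at boot, drop the provider's
# injected "ghost" default route via 100.100.x.x and make sure the real gateway
# is back. Constructed values: real gateway 203.0.113.1 on eth0.
# Cron entry (as root):  @reboot /usr/local/sbin/fix-gateway.sh apply
set -eu

REAL_GW="${REAL_GW:-203.0.113.1}"
WAN_IF="${WAN_IF:-eth0}"
GHOST_PREFIX="${GHOST_PREFIX:-100.100.}"

# Read "ip -4 route show default" output on stdin; print only ghost routes.
ghost_routes() {
    awk -v p="$GHOST_PREFIX" '$1 == "default" && $2 == "via" && index($3, p) == 1'
}

# Read the same output; print 1 if a default route via the real gateway exists.
has_real_gateway() {
    awk -v gw="$REAL_GW" \
        'BEGIN { ok = 0 } $1 == "default" && $2 == "via" && $3 == gw { ok = 1 } END { print ok }'
}

fix_default_route() {
    routes=$(ip -4 route show default)
    printf '%s\n' "$routes" | ghost_routes | while read -r line; do
        echo "removing ghost route: $line"
        # $line is a full route spec ("default via 100.100.0.1 dev eth0 ..."),
        # so word splitting is intended here.
        ip route del $line
    done
    if [ "$(printf '%s\n' "$routes" | has_real_gateway)" != "1" ]; then
        echo "restoring default route via $REAL_GW dev $WAN_IF"
        ip route replace default via "$REAL_GW" dev "$WAN_IF"
    fi
}

if [ "${1:-}" = "apply" ]; then
    fix_default_route
    logger -t fix-gateway "default route verified via $REAL_GW"
fi
```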

Cloudflare Real IP Extraction for Fail2Ban - Multi-Layer Security

Configured multi-layer security with real IP extraction and Cloudflare API integration:

  • Problem: Nginx logs showed Cloudflare proxy IPs instead of real visitor IPs, causing Fail2Ban to ban legitimate users
  • Solution:
    • Configured Cloudflare IP range whitelisting and real IP header extraction
    • Integrated Fail2Ban with Cloudflare API for edge-level blocking
  • Result: Defense at both VPS and CDN layers, blocking attackers before traffic reaches VPS
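The real IP extraction step, as an added example (not the project's own script): it turns Cloudflare's published edge ranges into the nginx real_ip directives that make $remote_addr, and therefore the access log Fail2Ban parses, hold the visitor's address. The output path is an assumption.

```sh
#!/bin/sh
# Added example, not the project's own script: generate the nginx real_ip snippet
# from Cloudflare's published edge ranges so $remote_addr (and therefore the
# access log Fail2Ban reads) holds the visitor's IP, not an edge IP.
# Assumed output path: /etc/nginx/conf.d/cloudflare-realip.conf.
set -eu

OUT="${OUT:-/etc/nginx/conf.d/cloudflare-realip.conf}"

# Current edge ranges, IPv4 then IPv6, one CIDR per line.
fetch_cf_ranges() {
    curl -fsS https://www.cloudflare.com/ips-v4; echo
    curl -fsS https://www.cloudflare.com/ips-v6; echo
}

# Read CIDRs on stdin and emit nginx directives. The source address is only
# replaced with CF-Connecting-IP when the connection comes from a listed
# range, so a client hitting the VPS directly cannot forge the logged IP.
render_real_ip_conf() {
    grep -E '^[0-9a-fA-F:.]+/[0-9]+$' | sed 's|^|set_real_ip_from |; s|$|;|'
    echo 'real_ip_header CF-Connecting-IP;'
}

if [ "${1:-}" = "apply" ]; then
    tmp=$(mktemp)
    fetch_cf_ranges | render_real_ip_conf > "$tmp"
    [ -f "$OUT" ] && cp "$OUT" "$OUT.bak"
    install -m 0644 "$tmp" "$OUT"
    rm -f "$tmp"
    # Roll back if nginx rejects the new config; Fail2Ban keeps reading the
    # same access log either way.
    if nginx -t; then
        systemctl reload nginx
    else
        [ -f "$OUT.bak" ] && mv "$OUT.bak" "$OUT"
        exit 1
    fi
fi
```

The Nginx jails then ban the logged visitor address locally; for the edge-level block, Fail2Ban's bundled cloudflare action (action.d/cloudflare.conf) can be added to the jail alongside the local ban.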

Bidirectional Site-to-Site Routing - Integrated Network Architecture

Implemented static routing and NAT configuration for bidirectional communication:

  • Problem: VPS couldn't reach home LAN devices for reverse proxy functionality
  • Solution:
    • Implemented static routing on VPS
    • Configured pfSense firewall rules and outbound NAT to masquerade home traffic as router VPN IP
  • Result: Enables seamless bidirectional communication between cloud and on-premises networks

Packet Fragmentation in VPN Tunnel - Standardized MTU Configuration

Standardized MTU configuration across all WireGuard peers:

  • Problem: Intermittent connection drops caused by MTU mismatches across network paths
  • Solution:
    • Standardized MTU = 1280 across all WireGuard peers (server, clients, pfSense router)
    • Adjusted kernel reverse path filtering to allow asymmetric routing
  • Result: Ensures reliable packet traversal, eliminating connection drops
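The VPS-side configuration behind both the site-to-site routing section and the MTU section, as an added example (not the project's own files): the pfSense peer's AllowedIPs carries the home LAN prefix, the MTU is pinned to 1280, and reverse path filtering is set to loose mode. Addresses, subnet, port and keys are constructed placeholders.

```sh
#!/bin/sh
# Added example, not the project's own configuration: render the VPS-side wg0
# config and the sysctl settings the site-to-site routing and MTU sections rely
# on. Constructed values: VPS tunnel address 10.8.0.1/24, pfSense peer 10.8.0.2,
# home LAN 192.168.1.0/24, listen port 51820; keys are placeholders.
set -eu

WG_ADDR="${WG_ADDR:-10.8.0.1/24}"
WG_PORT="${WG_PORT:-51820}"
PF_WG_IP="${PF_WG_IP:-10.8.0.2}"
HOME_LAN="${HOME_LAN:-192.168.1.0/24}"
PF_PUBKEY="${PF_PUBKEY:-<pfsense-public-key-placeholder>}"

render_wg0_conf() {
    cat <<EOF
[Interface]
Address = $WG_ADDR
ListenPort = $WG_PORT
# 1280 is the IPv6 minimum MTU, so it fits every path without fragmentation;
# the same value goes on every client and on the pfSense tunnel.
MTU = 1280
PrivateKey = <vps-private-key-placeholder>

[Peer]
# pfSense site-to-site peer. AllowedIPs is WireGuard's cryptokey routing:
# only this peer may emit packets sourced from $HOME_LAN, and wg-quick adds
# the static route for $HOME_LAN via this interface from the same list.
PublicKey = $PF_PUBKEY
AllowedIPs = $PF_WG_IP/32, $HOME_LAN
PersistentKeepalive = 25
EOF
}

render_sysctl() {
    cat <<EOF
net.ipv4.ip_forward = 1
# Loose rp_filter (2): home LAN replies arrive on wg0 although the default
# route points out eth0; strict mode (1) would drop them silently.
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.wg0.rp_filter = 2
EOF
}

if [ "${1:-}" = "apply" ]; then
    render_sysctl > /etc/sysctl.d/99-wireguard.conf && sysctl --system
    umask 077 && render_wg0_conf > /etc/wireguard/wg0.conf
    wg-quick down wg0 2>/dev/null || true
    wg-quick up wg0
    ip link show wg0 | grep -q 'mtu 1280' && ip route show "$HOME_LAN"
fi
```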

Defense-in-Depth Security Architecture

Implemented comprehensive security layers:

  • UFW Firewall: Only 4 ports open (SSH, WireGuard, HTTP, HTTPS)
  • SSH Hardening: SSH key-only authentication on custom port
  • Fail2Ban Jails:
    • SSH jail with permanent bans
    • Nginx jail with 4-24 hour bans
  • Cloudflare API Integration: Edge-level IP blocking for additional security layer
  • Nginx Hardening:
    • Security headers
    • Rate limiting
    • TLS 1.2 and newer only
    • Anti-scan default server
  • Automated SSL Management: Certbot for automatic certificate provisioning and renewal

Automation & Reliability Infrastructure

Created automation tools for operational efficiency:

  • Client Generation Scripts: Rapid peer provisioning (<5 minutes)
  • Automated Backup System: Using Restic via SSHFS mount
  • Daily Maintenance Scripts: For updates and logging
  • Systemd Service Coordination: WireGuard UI config changes trigger automatic service restarts

Network Integration Solutions

Solved complex routing challenges demonstrating holistic network understanding:

  • Provider-Specific Gateway Issues: Automated boot fix for ghost gateway
  • Docker Compatibility: NFTables solution for NAT rules
  • MTU Standardization: Consistent MTU across all peers
  • Bidirectional NAT Configuration: Between VPS and pfSense router
  • Result: Demonstrates understanding of network stack from physical interface to application layer

Result

Eliminated Cloudflare Tunnel Dependency

Replaced multiple cloudflared container instances with a single VPS reverse proxy, reducing complexity and operational overhead. The Nginx reverse proxy, forwarding requests through the WireGuard interface to home LAN services, provides the same functionality with better control and cost-effectiveness.

Zero-Downtime Security Hardening

Implemented multi-layer security (VPS + Cloudflare edge) with automated Fail2Ban integration, blocking attackers before their traffic reaches the VPS. The defense-in-depth approach with UFW, Fail2Ban, the Cloudflare API, and Nginx hardening provides comprehensive protection while maintaining service availability.

Cost-Effective Infrastructure Achievement

Achieved production-grade VPN and reverse proxy capabilities for $7/month, with automated SSL certificate management and comprehensive backup strategy. The solution demonstrates how systematic infrastructure engineering can deliver enterprise-grade capabilities at minimal cost.

Network Integration Excellence

Solved complex routing challenges including provider-specific gateway issues, Docker compatibility requirements, MTU standardization, and bidirectional NAT configuration between the VPS and the pfSense router. This demonstrates a holistic understanding of the network stack from the physical interface to the application layer, showcasing the "full-stack" infrastructure view.

Reliability Through Automation

Automated solutions for boot fixes, client provisioning, backup management, and service coordination ensure reliable operation with minimal manual intervention. The infrastructure is self-healing and self-maintaining, reducing operational overhead.

Technical Stack

Ubuntu LTS, WireGuard, NFTables, Nginx, Fail2Ban, Cloudflare API, Let's Encrypt/Certbot, pfSense, UFW, systemd, Restic, SSHFS

Conclusion

The VPS WireGuard VPN Server project demonstrates a security-first network architecture with a holistic infrastructure view spanning the cloud VPS to the on-premises router. By solving networking challenges including Docker compatibility, provider-specific routing issues, MTU standardization, and bidirectional NAT configuration, the project shows a deep understanding of network architecture. The defense-in-depth approach, with multi-layer protection at both the VPS and the Cloudflare edge, provides robust security while remaining cost-effective. The automated boot fixes, client provisioning, and backup management demonstrate replicable and resilient systems engineering. Doing this infrastructure work right the first time eliminates technical debt and turns VPN and reverse proxy infrastructure from a complex, error-prone setup into an automated, secure, and cost-effective system that provides reliable remote access. The project exemplifies how systematic infrastructure engineering can deliver enterprise-grade capabilities while maintaining operational simplicity and cost-effectiveness.