I currently have an Intel NUC connected to the internet using the ISP provided modem/router combo, the device has a dynamic IP address. I installed Proxmox onto my NUC and have only 1 virtual machine running on it: hassio. At the moment I port forwarded the Proxmox port (8006) on my router
so I can access it from outside my local network. I don’t want to expose these ports to the outside world so I am looking into Caddy but I do have some questions:
Where should I install the caddy reverse proxy
- As a seperate vm?
- As an addon within home assistant, will I be able to use this reverse proxy to access other VM’s? running on Proxmox
Are there any resource that I could follow? What is the recommended setup?
Any help to get me going would be greatly appreciated!
I got it running on an LXC container so I can keep it scalable like you mentioned, why wouldn’t I make it accessible from the outside? Don’t you somethings access your Proxmox or home assistant setup (camera’s,…) from outside your local network?
Any benefits from running it inside docker in a VM instead of LXC?
If you want your HA and other services available outside your network, you can run both. If you want to use Google Assistant/Alexa (without HA Cloud), then you need to have your HA exposed.
What do you mean? It’s 2 different services running on your network. One doesn’t rely on the other.
I was indeed wondering about exposing my HA for google assistant as I wont be using nabucasa for now. I would like to use the assistant + send location updates So I guess it needs to be exposed to the internet?. Could I for example setup the caddy server to provide access to my HA and a nas storage but keep other devices behind a vpn?
If you want it to connect to Google Assistant, yes.
DO NOT EXPOSE a NAS to the internet!
You can use your reverse proxy to expose HA.
When you say keep other devices behind a vpn, it sounds like you think I am referring to a hosted VPN SERVICE, which I am not. Basically you just keep your other devices LOCAL to your network only. You run a VPN server on your network (I love wireguard) and connect to YOUR VPN, not a provider VPN.
Ok so I’ll look into wireguard or another locally hosted vpn solution for all devices other than HA. Access to the NAS could also be enabled over a vpn I guess
Update: I got WireGuard up and running in an lxc container within Proxmox. I do have some questions left and you might be able to answer them as you have a similar setup I guess.
My modem/router has a dynamic IP address. Do you have the same issue? Do you use Duck DNS to ‘solve’ this issue? Where in the Proxmox setup would it be sensible to keep the script running?
The WireGuard android app doesn’t have the option to exclude using the vpn when connected to my home wifi, the ios app does seem to have this feature, am I missing something?
It seems that the ‘AllowedIPs’ client option can be used to filter out traffic, at the moment it is set to the following: Using the catch-all AllowedIPs = 0.0.0.0/0, ::/0 will forward all IPv4 ( 0.0.0.0/0 ) and IPv6 ( ::/0 ) traffic over the VPN. When connected to 4G it seems sensible to only route my actual request that are intended for my local network to be tunneled over the vpn. How would that look?
No. I own several domains and just use the dynamic DNS client on my router. It only needs to update your public IP. If you’re already using duckdns for HA, you’re already updating the IP.
I run a DNS in my home network. In my DNS I point my public “VPN” subnet to the LAN IP address of my router.
Instead of 0.0.0.0/0 put in your actual home subnet. If you are on 192.168.1.0 you would put in 192.168.1.0/24
I have it now set to 192.168.0.0/24 but now only my local network request succeed and for example https://google.com stopped working. Isn’t there a way to just skip the vpn in those cases?
@flamingm0e I found the culprit! It was set to AllowedIPs = 192.168.0.0/24, ::/0 and the second argument (I think it is used for ipv6) caused it to not work. I removed it for now.
