One (potential) downside to running public services on your homelab, is that you expose your IP address. That may, or may not, be a problem — but here are ways around it. The simplest way is to put Cloudflare in front, but this will only handle web traffic, and is a bit of a black box.

Another, more hands-on, approach is to use a VPS (or LXC container); WireGuard and iptables. We will create a secure tunnel between the VPS/container and the homelab HAProxy instance, and forward traffic using iptables.

User --> VPS --> Wireguard tunnel --> Haproxy --> Service
^^^^^^^^^^^^                          ^^^^^^^^^^^^^^^^^^^
  Internet                              The homelab LAN
Table of contents


WireGuard doesn’t have the server/client architecture that other VPN software does (like OpenVPN). Everyone can connect to everyone, it’s just a matter of configuration.


By letting the VPS, or container, be the WireGuard server — we don’t have to open any ports on the home network.

First we need to install WireGuard:

$ sudo apt install wireguard

Then generate the private and public keys:

$ sudo -i
# cd /etc/wireguard/
# umask 077; wg genkey | tee privatekey | wg pubkey > publickey

And make the configuration:

$ sudo vim /etc/wireguard/wg0.conf
PrivateKey = private-key-we-generated-in-previous-step
Address =
ListenPort = 42295
The port doesn’t matter, just pick one 😃

…enable the service:

$ sudo systemctl enable wg-quick@wg0
$ sudo systemctl start wg-quick@wg0

Let’s check that the interface is active:

$ sudo wg
interface: wg0
  public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 42295

$ sudo ip a show wg0
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet scope global wg0
       valid_lft forever preferred_lft forever

Lastly: make sure your port, 42295 in this example, is open for UDP traffic.


Now we need to repeat the process, but for the client.


$ sudo apt install wireguard

Generating private and public keys:

$ umask 077; wg genkey | tee privatekey | wg pubkey > publickey


$ sudo vim /etc/wireguard/wg0.conf
Address =
ListenPort = 42295
PrivateKey = private-key-we-generated-in-previous-step

PublicKey = public-key-of-the-server
AllowedIPs =
Endpoint = server-ip:42295
PersistentKeepalive = 15


$ sudo systemctl enable wg-quick@wg0
$ sudo systemctl start wg-quick@wg0


$ sudo wg
$ sudo ip a show wg0

Now we need to add the client public key to the server configuration, to allow the client to connect:

$ sudo vim /etc/wireguard/wg0.conf
# existing server configuration

PublicKey = public-key-of-the-client
AllowedIPs =

You should now have a tunnel between your local HAProxy and the VPS, the next step is to forward some traffic through it.


On the server (VPS/container) — we need to define some rules to forward traffic though our WireGuard tunnel:

$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination
$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE

This will route traffic on TCP port 80 and 443 to IP, which is our WireGuard client.

iptables rules are not restored on boot, but there are ways to do this:

I used iptables-persistent.

Enabling packet forwarding:

$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
To make this permanent, you can edit /etc/sysctl.conf. Look for net.ipv4.ip_forward.

Wrapping up

Any incoming traffic on our VPS, or container, on port 80 or 443 — will now be forwarded through the WireGuard tunnel to the HAProxy instance in our homelab.

This will work for all TCP and UDP ports, just change your iptables rules accordingly.

Instead of iptables; it is also possible to use HAProxy. This has some advantages, and some drawbacks:

HAProxy > iptables:

  • SSL termination
  • Forward IPv6 traffic to IPv4
  • Hostname based rules

iptables > HAProxy:

  • Simpler configuration
  • Can forward UDP packages

I chose iptables because I’d like all the configuration to be done on my homelab HAProxy, and I needed to forward UDP packages.

Last commit 2024-04-05, with message: Tag cleanup.