Network

Not having a static IPv4 address at home, I settled on a different architecture to host services from my home server securely and conveniently.

Simply explained:

I use one subdomain per service. Every subdomain resolves (via CNAME) to the static IPv4 address of a VPS, which forwards the traffic through a WireGuard tunnel to my home network. There the Kubernetes NGINX Ingress controller receives it and forwards it to the correct service and, ultimately, pod.

A more detailed representation would be:

```mermaid
%%{ init: { 'theme': 'base', 'themeVariables': { 'fontSize': '16px', 'fontFamily': 'arial' }, 'flowchart': { 'htmlLabels': true, 'curve': 'basis' } } }%%
graph TD
    CLIENT((Client)) -->|HTTPS| DNS[Cloudflare DNS]
    DNS -->|CNAME subdomain.domain.com| VPS[VPS I rent for 5$ month]
    VPS --> NFT{nftables}
    NFT -->|Port 443->32443| WG[WireGuard 10.10.10.0/24]
    WG --> FW[OpenWrt Firewall Internet/WireGuard/Home LAN]
    FW -->|HAProxy| MLB[MetalLB floating IP 192.168.1.80]
    MLB --> NGINX[NGINX Ingress Controller]
    NGINX -->|Port 32443->443| PODS[K3s Pods/Services]
    CERT[cert-manager] -.->|TLS certificates| NGINX
    style CLIENT fill:#FFF2CC,stroke:#000000,stroke-width:2px
    style DNS fill:#D4E5FF,stroke:#000000,stroke-width:2px
    style VPS fill:#D4E5FF,stroke:#000000,stroke-width:2px
    style NFT fill:#FFE6F2,stroke:#000000,stroke-width:2px
    style WG fill:#FFE6F2,stroke:#000000,stroke-width:2px
    style FW fill:#E6FFCC,stroke:#000000,stroke-width:2px
    style MLB fill:#E6D9FF,stroke:#000000,stroke-width:2px
    style NGINX fill:#E6D9FF,stroke:#000000,stroke-width:2px
    style PODS fill:#E6D9FF,stroke:#000000,stroke-width:2px
    style CERT fill:#E6D9FF,stroke:#000000,stroke-width:2px
```
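The VPS hop in the diagram is the part that decides what can reach the home network at all, so here is an added example of what its nftables ruleset can look like. This is not the author's actual ruleset; it is written from the diagram alone. Assumed (constructed) values: `eth0` is the public interface, `wg0` is the VPS end of the WireGuard tunnel, `10.10.10.2` is the home router's peer address inside the `10.10.10.0/24` tunnel from the diagram, `32443` is the remapped HTTPS port from the diagram, and `32080` (HTTP), `51820` (WireGuard listen port) and `2222` (SSH) are assumed values. Only the two published ports are allowed into the tunnel, and only for flows that the DNAT rule created.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset for the VPS (not the author's configuration).
# Assumptions: eth0 = public interface, wg0 = WireGuard interface,
# 10.10.10.2 = home router peer, 32080/32443 = remapped HTTP/HTTPS ports at home.

flush ruleset

define WAN     = "eth0"
define WG      = "wg0"
define WG_PORT = 51820   # assumed WireGuard listen port
define SSH     = 2222    # assumed non-standard admin SSH port, tunnel-only

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif lo accept

        # WireGuard transport from the internet is the only public listener
        udp dport $WG_PORT accept

        # Administrative SSH only arrives over the tunnel, never from the WAN
        iifname $WG tcp dport $SSH accept

        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # Only flows that prerouting DNAT created may enter the tunnel,
        # and only towards the two published ports on the home peer
        iifname $WAN oifname $WG ct status dnat ip daddr 10.10.10.2 tcp dport { 32080, 32443 } accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Public 80/443 -> remapped ports on the home side of the tunnel
        iifname $WAN tcp dport 80  dnat to 10.10.10.2:32080
        iifname $WAN tcp dport 443 dnat to 10.10.10.2:32443
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Source NAT so the home side answers back through the tunnel
        # without needing a route for arbitrary client addresses
        oifname $WG ip daddr 10.10.10.2 masquerade
    }
}
```

Load it with `nft -c -f <file>` first to syntax-check, then `nft -f <file>`; forwarding also needs `net.ipv4.ip_forward=1` on the VPS. The masquerade in postrouting means the home-side HAProxy and ingress see the VPS tunnel address rather than the real client IP; if the original client address matters for logging or rate limiting, carry it end to end with the PROXY protocol between HAProxy and the ingress (or with a policy route on the home side instead of masquerading) rather than weakening the forward chain.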

While it may look complicated, this setup has a few benefits:

  • I can change the VPS at any time and only need to update one A record, since all my subdomains are CNAMEs pointing at that single A record
  • I can move my home lab or have a dynamic home IP, as routing is not tied to my home IP address
  • No traffic is routed directly to my home
  • I only allow selected ports through nftables into my WireGuard network
  • The standard ports 22, 80, 443, etc. are not used on any of my home machines, as I remap all ports to higher ones
  • Traffic is balanced across all nodes with high availability
  • All networking tools used are either close to the kernel or known to be performant: nftables, WireGuard, HAProxy, etc.