Hi,
I want to make some of my services (like Nextcloud, Immich, Komga, Jellyfin and FreshRSS, for example) on my home server more easily accessible remotely. For that I want to use a VPS where I install Nginx and WireGuard and establish a VPN connection between it and my home server. So far so good.
My first question: for the services that I don't want to expose for remote access over that setup, can I just keep the Nginx instance that I have running now for these services? For example, my budgeting service is available under finance.example.com as long as I'm in the same network as my home server right now. Would that still be possible when I have two Nginx instances running (one on the VPS and one on the home server directly), or would I need to configure it differently for that to work?
My second question: do I need to install Fail2Ban on my VPS, or can I also install it on my home server?
I do this currently. I have a Hetzner VPS with Pangolin giving access to family services like Immich etc., and my own nerdy services I keep locked to my home IP; if I'm away from home, I tunnel in with WireGuard, and then the home IP kicks in and they work.
You can also issue Traefik IP rules with Pangolin to limit which IPs can access services.
I have Pangolin and all family services behind Pocket ID with passkey-only auth.
The VPS I protect with Hetzner’s firewall, so only SSH is allowed from my home IP.
The whole setup is as secure as I can make it. My family would just roll their eyes at any VPN I asked them to use, so, annoyingly, some things have to be publicly accessible.
I also have private services coming directly to my home firewall, bypassing the VPS (for speed), and for truly public services (websites) I have those tunneled through a Cloudflare Tunnel that can handle Google auth for WordPress login pages etc.
It made me uncomfortable to start with using the VPS, but in time, confidence grows.
Is there a reason you don't want to just use Tailscale for this? It's incredibly easy to set up and does exactly what you're trying to do.
Look into Pangolin with CrowdSec. It's basically the all-in-one tested solution for your plans.
This. I just moved from Nginx Proxy Manager + Headscale/Tailscale to Pangolin and it’s incredibly easy.
I would say if you need to ask this, you might not be ready to expose your home server to the internet. Please be VERY careful about this.
With that being said, setting up a reverse proxy (nginx) on the VPS should not affect the reverse proxy on your home server in any way.
In the proposed setup, the VPS will be directly exposed to the internet; it's the "gateway" to your network. If someone gains access to the VPS, they have access to your home server and probably other devices in your network. So yes, you need to secure the VPS as much as you can. Fail2ban or CrowdSec are a good idea. Setting them up on the home server wouldn't really do anything against an attacker with access to the VPS.
When I looked into this configuration a few years ago the security improvements seemed minimal. Adding yet another provider to the mix plus the additional risk of a server misconfiguration didn’t seem to be worth the trouble unless I was dealing with CGNAT.
Besides hiding endpoints from your ISP and exposing them to the VPS, how much security does this really add?
It's not about security for me. I just don't want other people to have the hassle of installing and configuring a VPN to my server, and I can't and don't want to expose ports 80 and 443 (I can only open ports 21000-22000 or so in my router, and I don't have an IPv4 address).
Configure the VPN route for only that one address, not the whole subnet.
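As an added example (not code posted by anyone in this thread), the script below renders the two WireGuard configs for OP's VPS-to-home tunnel with the route restriction the comment above describes, and checks it. Everything concrete in it is an assumption: tunnel addresses 10.8.0.1 (VPS) and 10.8.0.2 (home server), the public endpoint vps.example.com:51820, and the key placeholders, which you replace with output from `wg genkey` / `wg pubkey`. The /32 on the VPS side is what stops the VPS routing into the home LAN; the /32 on the home side does double duty, because WireGuard discards decrypted packets whose source address is not in the peer's AllowedIPs, so the VPS cannot spoof a LAN address through the tunnel either. Keep IP forwarding off on the home server as well, since that, not the VPS config, is what finally blocks hops to other LAN hosts.

```shell
#!/bin/sh
# Added example, not from the thread: render both WireGuard configs for the
# VPS <-> home-server tunnel and check that each side routes only the other
# side's single tunnel address.  Addresses, endpoint and keys are placeholders.
set -eu

VPS_TUNNEL_IP="10.8.0.1"              # assumed tunnel address of the VPS
HOME_TUNNEL_IP="10.8.0.2"             # assumed tunnel address of the home server
VPS_ENDPOINT="vps.example.com:51820"  # assumed public endpoint (home has no public IPv4)
# Placeholder keys: generate real ones with `wg genkey | tee priv | wg pubkey`.
VPS_PRIVKEY="<vps-private-key>";  VPS_PUBKEY="<vps-public-key>"
HOME_PRIVKEY="<home-private-key>"; HOME_PUBKEY="<home-public-key>"

# VPS side.  AllowedIPs is the home server's /32, never the home LAN, so the
# VPS can only ever reach that one host.  No Endpoint: the home server behind
# CGNAT initiates, and WireGuard learns its address from the handshake.
render_vps_wg() {
    cat <<EOF
[Interface]
Address = ${VPS_TUNNEL_IP}/24
ListenPort = 51820
PrivateKey = ${VPS_PRIVKEY}

[Peer]
# home server
PublicKey = ${HOME_PUBKEY}
AllowedIPs = ${HOME_TUNNEL_IP}/32
EOF
}

# Home side.  Only the VPS tunnel address is routed (not 0.0.0.0/0), and the
# keepalive holds the NAT mapping open so the VPS can always reach us.
render_home_wg() {
    cat <<EOF
[Interface]
Address = ${HOME_TUNNEL_IP}/24
PrivateKey = ${HOME_PRIVKEY}

[Peer]
# VPS
PublicKey = ${VPS_PUBKEY}
Endpoint = ${VPS_ENDPOINT}
AllowedIPs = ${VPS_TUNNEL_IP}/32
PersistentKeepalive = 25
EOF
}

# Check: every AllowedIPs entry in the config on stdin must be a single host
# (/32 IPv4 or /128 IPv6).  Exit 0 if so, 1 if any entry is wider.
allowed_ips_are_hosts() {
    awk -F'=' '
        $1 ~ /^[[:space:]]*AllowedIPs[[:space:]]*$/ {
            n = split($2, cidrs, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", cidrs[i])
                if (cidrs[i] !~ /\/(32|128)$/) bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Write both files, refusing if someone widened the VPS route to the LAN.
main() {
    outdir="${1:-$(mktemp -d)}"
    mkdir -p "$outdir"
    render_vps_wg  > "$outdir/vps-wg0.conf"
    render_home_wg > "$outdir/home-wg0.conf"
    allowed_ips_are_hosts < "$outdir/vps-wg0.conf" \
        || { echo "refusing: VPS AllowedIPs is wider than a single host" >&2; return 1; }
    echo "wrote $outdir/vps-wg0.conf and $outdir/home-wg0.conf"
}

main "$@"
```

Copy each rendered file to /etc/wireguard/wg0.conf on the matching machine and bring it up with `wg-quick up wg0`; rerun the check whenever the config is edited.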
If you only have the VPN, nothing exposed directly, you don’t need fail2ban at all. I suppose you could configure it for the VPN service, but that seems unnecessary to me.
Well, that's good and all, but if you want to reach some services like Jellyfin without a VPN, then you need to go this route. Because if you have some folks like your parents or friends who you want to give access to these services, but they don't want to have a VPN, then I can only think of two routes to go. The one is opening ports on your router, the second is a VPN to a VPS. Or maybe have a cloudflared tunnel set up.
Sure, but OP doesn’t want to do that.
"or the second is a VPN to a VPS" is what I want to do.
I had a similar setup for years, with Traefik instead of Nginx, and I would recommend that you not over-engineer your setup. If you only want to expose some specific services, and for the others you only allow access from your LAN, you can create an ACL for the restricted services based on a whitelist with your IP range. That way your setup will be much easier: not so much SSL-specific stuff (which certificate do you need on which machine? Do you pass through the TCP connection, or open the SSL connection and use an insecure connection over your VPN?), not so much DNS stuff, because you can redirect every subdomain to your server. You only need one Fail2ban setup.
And you can access any device from your VPN in your LAN.
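As an added example, not posted by anyone in this thread, the script below renders the nginx site files for OP's two-proxy layout and applies the IP allow-list idea from the comment above on the home side. It also answers the first question: the existing home Nginx keeps serving finance.example.com to the LAN; you simply create no VPS site for that name and keep its DNS pointing at the LAN address as it does today. Everything concrete is an assumption: tunnel addresses 10.8.0.1 (VPS) and 10.8.0.2 (home server), home LAN 192.168.1.0/24, example.com hostnames, backends on the home server's localhost ports 8080/2283/5006, and Let's Encrypt certificate paths on the VPS. TLS terminates on the VPS and crosses the tunnel as plain HTTP, since WireGuard already encrypts it. The security-relevant detail is where X-Forwarded-For is trusted: the public sites accept it only from the VPS tunnel address, while the LAN-only site never applies real_ip, so its allow/deny list is evaluated on the real TCP peer and a relayed request from the VPS (compromised or not) is refused no matter what header it carries.

```shell
#!/bin/sh
# Added example (not code from the thread): render nginx site files for the
# two-proxy layout.  Addresses, hostnames, ports and cert paths are assumptions.
set -eu

VPS_TUNNEL_IP="10.8.0.1"     # assumed WireGuard address of the VPS
HOME_TUNNEL_IP="10.8.0.2"    # assumed WireGuard address of the home server
HOME_LAN="192.168.1.0/24"    # assumed home LAN

# VPS catch-all: a client asking for a name that has no site here (for example
# finance.example.com) gets the TLS handshake refused (nginx >= 1.19.4),
# rather than being proxied anywhere.
render_vps_default() {
    cat <<EOF
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}
EOF
}

# VPS public site: TLS ends here; the request crosses the tunnel as plain HTTP
# with the real client address in X-Forwarded-For.
render_vps_site() {    # $1 = public hostname
    cat <<EOF
server {
    listen 443 ssl;
    server_name $1;
    ssl_certificate     /etc/letsencrypt/live/$1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$1/privkey.pem;
    location / {
        proxy_pass http://${HOME_TUNNEL_IP}:80;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Home server, public name: trust X-Forwarded-For only when the connection
# really comes from the VPS tunnel address, so logs show the internet client.
render_home_public_site() {    # $1 = hostname, $2 = backend port on localhost
    cat <<EOF
server {
    listen 80;
    server_name $1;
    set_real_ip_from ${VPS_TUNNEL_IP};
    real_ip_header X-Forwarded-For;
    location / {
        proxy_pass http://127.0.0.1:$2;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
}

# Home server, LAN-only name: deliberately no set_real_ip_from, so allow/deny
# sees the actual TCP peer.  Anything relayed by the VPS arrives from
# ${VPS_TUNNEL_IP} and is denied whatever X-Forwarded-For claims.
render_home_lan_only_site() {  # $1 = hostname, $2 = backend port on localhost
    cat <<EOF
server {
    listen 80;
    server_name $1;
    allow ${HOME_LAN};
    deny all;
    location / {
        proxy_pass http://127.0.0.1:$2;
        proxy_set_header Host \$host;
    }
}
EOF
}

# Render under one directory: vps/* goes to the VPS, home/* to the home
# server's sites-enabled; run `nginx -t` on each machine afterwards.
main() {
    outdir="${1:-$(mktemp -d)}"
    mkdir -p "$outdir/vps" "$outdir/home"
    render_vps_default > "$outdir/vps/00-default.conf"
    # public name -> backend port (assumed): Nextcloud 8080, Immich 2283
    for pair in cloud.example.com:8080 photos.example.com:2283; do
        name=${pair%%:*}; port=${pair##*:}
        render_vps_site "$name"                 > "$outdir/vps/$name.conf"
        render_home_public_site "$name" "$port" > "$outdir/home/$name.conf"
    done
    # LAN-only name: home side only, no VPS site at all (assumed port 5006)
    render_home_lan_only_site finance.example.com 5006 > "$outdir/home/finance.example.com.conf"
    echo "rendered into $outdir"
}

main "$@"
```

To add a public service, add one name:port pair to the loop; to keep a service private, render it only with `render_home_lan_only_site` and never give it a VPS site.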
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters  More Letters
CGNAT          Carrier-Grade NAT
DNS            Domain Name Service/System
HTTP           Hypertext Transfer Protocol, the Web
IP             Internet Protocol
NAT            Network Address Translation
SSH            Secure Shell for remote terminal access
SSL            Secure Sockets Layer, for transparent encryption
TCP            Transmission Control Protocol, most often over IP
VPN            Virtual Private Network
VPS            Virtual Private Server (opposed to shared hosting)
nginx          Popular HTTP server
9 acronyms in this thread; the most compressed thread commented on today has 9 acronyms.
[Thread #130 for this comm, first seen 2nd Mar 2026, 21:10]