Hi,
I want to make some of my services (like Nextcloud, Immich, Komga, Jellyfin and FreshRSS for example) on my home server easier accessible from remote. For that I want to use a VPS where I install Nginx and Wireguard on it and establish a VPN connection between it and my homeserver. So far so good.
My first question: For the services that I don’t want to expose for remote access over that setup, can I just keep my Nginx instance that I have running now for these services. For example my budgeting service is available under finance.example.com as long as I’m in the same network as my home server right now. Would that still be possible when I have 2 Nginx instances running (one on the VPS and one on the home server directly) or would I need to configure it differently for that to work?
My second question:
Do I need to install Fail2Ban on my VPS or can I also install it on my homeserver?
You can totally do that yeah!
We have our stuff set up so inbound VPS traffic (for HTTPS) comes in on port 4430, while LAN traffic is on 443. It’s not done for firewall reasons, it’s so we can pass the client’s IP through with Nginx’s proxy_protocol feature, but you could just make your local-only services not listen on 4430. Boom, done.
Fail2Ban on the VPS is probably good. On the home server, it might just lock out the VPS (since everything comes from there).
Anyway yeah, I’ve got a whole guide on this sort of setup! https://frost.brightfur.net/blog/selfhosting-with-a-bounce-vps-part-1/
– Frost