Questions about TLS Passthrough.

nutbutter@discuss.tchncs.de to Selfhosted@lemmy.world – 20 points –

Hi. I have been into self-hosting for about 2 years, now. My current setup is that I have a home server and a VPS. My ISP does not let me forward any ports (I am behind CGNAT, I think), so, I have connected my home server to a VPS via a WireGuard tunnel and am using Nginx Proxy Manager (NPM) to proxy the services hosted on my homeserver to the public.

Now, the traffic that goes from my home server to the VPS and from VPS to the public are encrypted, but theoretically, the VPS provider can look at the data passing through, since this is technically TLS termination. Although, I trust my VPS provider more than I trust my ISP, I am thinking about setting up TLS passthrough, for additional privacy. But I have a few questions and I would be greatful if anyone can help me.

  1. Do I need to put the SSL certificates on my homeserver, or can they remain on the VPS if I have to set up TLS Passthrough?
  2. Is port forwarding required to set up TLS passthough?
  3. Does NPM support TLS passthrough, or should I shift to HAProxy?

If there are any issues with my current setup, or the assumptions I am making, please guide me.

4

  1. The certificate and private key need to be on your home server since that’s where the TLS is decrypted.
  2. You should be able to tunnel TLS traffic through WireGuard, so no port forwarding is needed.
  3. You’d probably want to move Nginx Proxy Manager to your home server as an ingress gateway (and you can keep all the config + TLS certificates). Then on your VPS, you would no longer need the complexity and something like HAProxy, vanilla Nginx, or Traefik would suffice. Seems like NPM has an open issue to add support for TLS passthrough, but in my opinion it’s simpler to just have your VPS forward all traffic to one port on your home server.

For added security, you can make sure the proxy on the VPS only routes traffic for the correct domain using SNI. That way if someone hits your IP randomly, it only goes to your home server if the correct domain name was requested as well.

What you’re doing makes sense to me. Good luck!

Thank you for your response. Just one more question... If I am not forwarding any ports, will I be able to generate and renew certificates on my home server? As far as I know, the domain needs to point to the IP which is generating the certificates, right?

If you’re using Lets Encrypt, look at doing DNS validation instead of HTTP. Bit easier and you don’t need to worry about that side.

Either way, if you’re passing through all of ports 80 and 443 to your home server thru the WireGuard tunnel to the proxy, HTTP validation should still work fine.

Adding onto what TheMrDrProf said: basically LetsEncrypt just wants to know you actually control the domain you’re using to get the certificate. With HTTP challenges, your domain has to resolve to a working HTTP server. With DNS challenges, you need API access to your DNS provider so that Certbot can set a temporary record that proves ownership.

If you’re using NPM to manage your certs, then as TheMrDrProf said as long as the HTTP request from LetsEncrypt can make it to your NPM through the VPS proxy, you should be able to pass the challenge and get a certificate. The IP address of the domain doesn’t really matter as long as the request makes it all the way to the challenge HTTP server, which in this case is NPM.

In NPM, you should see “Use a DNS challenge” option. If you use that and your DNS Provider is supported (if not, I recommend Cloudflare), then your VPS proxy does not even need to be working in order to renew certificates. This has a few advantages such as being able to shut off unencrypted traffic on port 80 completely.