Network Configuration
Network Topology
```mermaid
flowchart LR
    subgraph External
        Internet((Internet))
        DNS[DNS<br/>*.mdhmedia.uk]
    end
    subgraph DMZ
        Caddy[Caddy<br/>Reverse Proxy]
        WG[WireGuard<br/>192.168.1.236]
    end
    subgraph Internal
        PVE1[Proxmox 1<br/>192.168.1.199]
        PVE2[Proxmox 2<br/>192.168.1.151]
        Holly[Unraid<br/>192.168.1.200]
        Docker1[Docker 1<br/>192.168.1.241]
        Docker2[Docker 2<br/>192.168.1.242]
    end
    Internet --> DNS
    DNS --> Caddy
    Internet --> WG
    Caddy --> PVE1
    Caddy --> PVE2
    Caddy --> Holly
    Caddy --> Docker1
    Caddy --> Docker2
```
Reverse Proxy (Caddy)
Caddy runs as the main reverse proxy handling all external traffic for `*.mdhmedia.uk`.
Configuration Location
The Caddyfile is stored in this repository at `caddy/Caddyfile`.
Features
- Automatic HTTPS with Let's Encrypt
- Log rotation (10MB, keep 5 files, 14 days)
- TLS termination for all services
Subdomain Routing
| Subdomain | Internal Target | Service |
|---|---|---|
| mdhmedia.uk | 192.168.1.242:3000 | Homepage |
| pve1.mdhmedia.uk | 192.168.1.199:8006 | Proxmox 1 |
| pve2.mdhmedia.uk | 192.168.1.151:8006 | Proxmox 2 |
| holly.mdhmedia.uk | 192.168.1.200:80 | Unraid |
| portainer.mdhmedia.uk | 192.168.1.241:9443 | Portainer |
DNS
DNS is managed externally with wildcard records pointing to the Caddy host.
VPN (WireGuard)
The WireGuard VPN server runs at 192.168.1.236 and provides secure remote access to the homelab.
Access Points
| Service | URL | Port | Purpose |
|---|---|---|---|
| VPN Endpoint | wg.mdhmedia.uk | 51820/UDP | WireGuard tunnel |
| Admin Dashboard | wgadmin.mdhmedia.uk | 10086 | Peer management |
Network Configuration
| Setting | Value |
|---|---|
| Server IP | 192.168.1.236 |
| VPN Subnet | 10.8.0.0/24 (typical) |
| Listen Port | 51820 |
| Protocol | UDP |
Client Setup
Adding New Peers
Use the admin dashboard at wgadmin.mdhmedia.uk to:
- Create a new peer/client configuration
- Download the configuration file or scan QR code
- Import into WireGuard client on your device
Supported Clients
| Platform | Client |
|---|---|
| Windows | WireGuard for Windows |
| macOS | WireGuard for macOS |
| iOS | WireGuard for iOS |
| Android | WireGuard for Android |
| Linux | `apt install wireguard` or equivalent |
Split Tunnel vs Full Tunnel
Routing Options
- Split Tunnel: Only homelab traffic (192.168.1.0/24) routes through VPN
- Full Tunnel: All traffic routes through VPN (use `AllowedIPs = 0.0.0.0/0`)
Split tunnel is recommended for better performance when only accessing local services.
Firewall Rules
Ensure the following ports are forwarded to the WireGuard server:
| Port | Protocol | Purpose |
|---|---|---|
| 51820 | UDP | WireGuard tunnel |
Troubleshooting
Connection Issues
- Verify UDP port 51820 is forwarded on your router
- Check that the endpoint hostname resolves correctly
- Ensure the public key derived from the client's private key matches the public key configured for that peer on the server
- Verify the AllowedIPs configuration on both ends
- Check firewall rules on the WireGuard container/host
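
The split-tunnel and full-tunnel options and the AllowedIPs and endpoint checks above can be run against a client configuration file before it is imported. The following is an added example, not part of this repository: the sample config is constructed, its keys are placeholders, and the client address assumes the "typical" 10.8.0.0/24 VPN subnet.

```python
import configparser
import ipaddress

HOMELAB = ipaddress.ip_network("192.168.1.0/24")   # homelab LAN from this page
FULL_TUNNEL = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample client config: placeholder keys, assumed client address.
SAMPLE_SPLIT = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = wg.mdhmedia.uk:51820
AllowedIPs = 192.168.1.0/24, 10.8.0.0/24
"""

def check_client_config(text):
    """Classify a single-peer client config and list likely misconfigurations."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep WireGuard's key casing (AllowedIPs, Endpoint)
    cp.read_string(text)
    peer = cp["Peer"]
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in peer.get("AllowedIPs", "").split(",") if s.strip()]
    v4 = [n for n in nets if n.version == 4]
    findings = []
    if FULL_TUNNEL in v4:
        mode = "full"    # all IPv4 traffic goes through the VPN
    elif any(HOMELAB.subnet_of(n) for n in v4):
        mode = "split"   # only the listed networks go through the VPN
    else:
        mode = "none"    # homelab LAN is not routed through the tunnel
        findings.append("AllowedIPs does not cover 192.168.1.0/24")
    host, _, port = peer.get("Endpoint", "").rpartition(":")
    if port != "51820":
        findings.append(f"Endpoint port is {port or 'missing'}, expected 51820")
    if not host:
        findings.append("Endpoint host is missing")
    return mode, findings

if __name__ == "__main__":
    print(check_client_config(SAMPLE_SPLIT))
```

The check only inspects the client side; the server's AllowedIPs entry for the peer still has to be verified in the admin dashboard.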