I am in the process of rebuilding my personal Certificate Authority using Smallstep on a cloud VPS. My previous VPS was running for a few years but I didn't document how I got the whole concept working. This time around, I decided to jot my notes down so I can replicate this in the future if needed. I also decided to make a small change to my setup, switching from `traefik` to `caddy`, not because `traefik` doesn't work but because I wanted consistency across all my public-facing web servers.
This private CA manages custom domains that are not exposed to the global Internet and are only accessible from my `wireguard` tunnels.
For this setup, I have 4 primary components.
- `wireguard` - provides secure tunnel capabilities.
- AdGuard Home - acts as a DNS server that returns results for my custom domains and also blocks ads and such for the clients that connect over `wireguard`.
- Smallstep CA - issues TLS certificates to the services that need it.
- Caddy - serves as the reverse proxy for AdGuard Home and Smallstep CA.
I am breaking this guide into 5 parts to cover each area so I don’t miss out on anything important later. While I have an Ansible playbook to automate this now, having a manual record of how I did it would be beneficial when I want to explore new ideas using this same concept.

In the above diagram, the VPS has a public IP of 1.2.3.4, the `wireguard` interface has 192.168.200.1 and the `webproxy` docker network has the IP 192.168.250.1. I have a guide on setting up Wireguard, which is crucial for this particular project.
In this setup, I created a new docker network with a specific IP range so I can have my `adguardhome` container listening on both the `wireguard` and `webproxy` networks. Create a new network with the command

```bash
docker network create dns --subnet=192.168.250.1/24
```

This network interface will also be used by `caddy`, which acts as a reverse proxy to forward all requests to the correct container, as they all sit on the same network.
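Before running that command on a host that already has wireguard and other docker networks, it is worth checking that the new range does not collide with anything: the DNS and CA containers are meant to be reachable only through the tunnel, and an overlapping subnet would send that traffic out the wrong interface. The following pre-flight check is an added example written for this post, not code from the original article or from the Smallstep, AdGuard or Docker projects. It assumes the wireguard subnet is 192.168.200.0/24 (the post only gives the interface address 192.168.200.1) and uses a constructed sample of `docker network inspect` output in place of a live host.

```python
"""Pre-flight check for the address plan above (added example, not from the post).

It normalises the --subnet value to its network address (192.168.250.1/24 becomes
192.168.250.0/24), then checks that the proposed docker network overlaps neither the
wireguard range nor any network Docker already knows about.
Assumptions not in the post: wireguard subnet 192.168.200.0/24; the inspect output
below is a constructed sample."""
import ipaddress
import json
from typing import Dict, List

# Constructed sample shaped like `docker network inspect $(docker network ls -q)`.
# On a real host, feed in the actual command output instead.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "IPAM": {"Config": [{"Subnet": "172.17.0.0/16"}]}},
    {"Name": "old_lan", "IPAM": {"Config": [{"Subnet": "10.10.0.0/16"}]}},
    {"Name": "host", "IPAM": {"Config": []}},
])


def normalize_subnet(cidr: str) -> ipaddress.IPv4Network:
    """Map a --subnet value such as 192.168.250.1/24 to its network, 192.168.250.0/24."""
    return ipaddress.ip_network(cidr, strict=False)


def existing_subnets(inspect_json: str) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Collect the subnets of every network listed in `docker network inspect` output."""
    found: Dict[str, List[ipaddress.IPv4Network]] = {}
    for net in json.loads(inspect_json):
        configs = net.get("IPAM", {}).get("Config") or []
        subnets = [normalize_subnet(c["Subnet"]) for c in configs if "Subnet" in c]
        if subnets:
            found[net["Name"]] = subnets
    return found


def check_plan(new_name: str, new_cidr: str, wireguard_cidr: str, inspect_json: str) -> List[str]:
    """Return the conflicts for the proposed network; an empty list means it is safe to create."""
    new_net = normalize_subnet(new_cidr)
    wg_net = normalize_subnet(wireguard_cidr)
    conflicts: List[str] = []
    # The DNS/CA containers must be reachable only through wireguard; an overlapping
    # range would make the host route that traffic to the wrong interface.
    if new_net.overlaps(wg_net):
        conflicts.append(f"{new_name} {new_net} overlaps the wireguard subnet {wg_net}")
    for name, subnets in existing_subnets(inspect_json).items():
        for net in subnets:
            if net.overlaps(new_net):
                conflicts.append(f"{new_name} {new_net} overlaps existing docker network {name} {net}")
    return conflicts


def docker_create_command(name: str, cidr: str) -> str:
    """The create command with the subnet written as a proper network address."""
    return f"docker network create {name} --subnet={normalize_subnet(cidr).with_prefixlen}"


if __name__ == "__main__":
    problems = check_plan("dns", "192.168.250.1/24", "192.168.200.0/24", SAMPLE_INSPECT)
    if problems:
        for p in problems:
            print("conflict:", p)
    else:
        print(docker_create_command("dns", "192.168.250.1/24"))
```

Run it once with the real `docker network inspect` output pasted in place of the sample; if it prints the create command rather than a conflict, the range is free on that host and the containers on it will only be reachable through the tunnel as intended.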
Now we can proceed to Part 2 of the guide, setting up AdGuard Home DNS server.