I am in the process of rebuilding my personal Certificate Authority using Smallstep on a cloud VPS. My previous VPS ran for a few years, but I never documented how I got the whole setup working. This time around I decided to jot my notes down so I can replicate it in the future if needed. I also made one change to the setup: switching from Traefik to Caddy, not because Traefik doesn't work, but because I wanted consistency across all my public-facing web servers.

This private CA issues certificates for custom domains that are not exposed on the public Internet, and the CA itself is only reachable over my WireGuard tunnels.

For this setup, I have 4 primary components.

  • WireGuard - provides the encrypted tunnel through which clients reach the private services.
  • AdGuard Home - acts as the DNS server: it resolves my custom domains and also blocks ads and trackers for the clients connected over WireGuard.
  • Smallstep CA - issues TLS certificates to the services that need them.
  • Caddy - serves as the reverse proxy in front of AdGuard Home and Smallstep CA.

I am breaking this guide into 5 parts, one per area, so I don't miss anything important later. I now have an Ansible playbook that automates all of this, but a manual record of how I did it is still useful when I want to explore new ideas on the same foundation.

Smallstep CA Infrastructure (diagram)

In the diagram, the VPS has the public IP 1.2.3.4, the WireGuard interface is 192.168.200.1, and the host's address on the webproxy Docker network (the bridge gateway) is 192.168.250.1. I have a separate guide on setting up WireGuard, which is a prerequisite for this project.

For this setup I created a dedicated Docker network with a fixed subnet so the adguardhome container can listen on both the WireGuard interface and the Docker network. Create it with:

docker network create --subnet=192.168.250.0/24 --gateway=192.168.250.1 dns

The subnet is written as the network address (192.168.250.0/24) and the gateway, which is the host's address on this bridge, is pinned to 192.168.250.1 to match the diagram. Docker would hand out the first usable address as the gateway anyway, but stating it explicitly keeps the diagram true if the range is ever changed. Caddy joins the same network and acts as the reverse proxy, so it can forward each request to the right container by container name, since they all sit on the same bridge.
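As an added example (not part of the original post, and not Smallstep's or Docker's own tooling), the script below wraps the network creation so it can be rerun safely from a playbook or a shell. It normalizes the CIDR the way Docker wants it (network address in --subnet, the .1 host address passed as --gateway), refuses to proceed if a network of that name already exists with a different subnet, and only touches Docker when invoked with the argument "create". The network name dns and the range 192.168.250.1/24 are taken from the post; everything else is this example's own.

```shell
#!/bin/sh
# Added example: idempotent creation of the "dns" Docker bridge from the post.
# Docker expects the *network* address in --subnet (192.168.250.0/24); the .1
# the post writes is the host-side gateway, which is pinned with --gateway.
set -eu

# ip4_to_int 192.168.250.1 -> 3232299521
ip4_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# int_to_ip4 3232299521 -> 192.168.250.1
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_for_prefix 24 -> 4294967040 (0xFFFFFF00)
mask_for_prefix() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# validate_cidr A.B.C.D/N: fail on anything that is not IPv4 CIDR notation.
validate_cidr() {
    case $1 in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) echo "not an IPv4 CIDR: $1" >&2; return 1 ;;
    esac
    prefix=${1#*/}
    [ "$prefix" -le 32 ] || { echo "prefix > 32: $1" >&2; return 1; }
}

# cidr_network 192.168.250.1/24 -> 192.168.250.0/24 (what --subnet should carry)
cidr_network() {
    validate_cidr "$1" || return 1
    prefix=${1#*/}
    mask=$(mask_for_prefix "$prefix")
    echo "$(int_to_ip4 $(( $(ip4_to_int "${1%/*}") & mask )))/$prefix"
}

# cidr_gateway 192.168.250.1/24 -> 192.168.250.1 (first usable host, Docker's default)
cidr_gateway() {
    validate_cidr "$1" || return 1
    mask=$(mask_for_prefix "${1#*/}")
    int_to_ip4 $(( ( $(ip4_to_int "${1%/*}") & mask ) + 1 ))
}

# ensure_network NAME CIDR: create the bridge once; reruns are no-ops, and a
# pre-existing network with a different subnet is an error rather than silently reused.
ensure_network() {
    name=$1
    subnet=$(cidr_network "$2")
    gateway=$(cidr_gateway "$2")
    if docker network inspect "$name" >/dev/null 2>&1; then
        have=$(docker network inspect -f '{{(index .IPAM.Config 0).Subnet}}' "$name")
        if [ "$have" != "$subnet" ]; then
            echo "network $name exists with subnet $have, expected $subnet" >&2
            return 1
        fi
        echo "network $name already present ($subnet, gateway $gateway)"
        return 0
    fi
    docker network create --driver bridge --subnet="$subnet" --gateway="$gateway" "$name"
}

# Only touch Docker when explicitly asked; without arguments the functions are
# just defined, so the file is safe to source or check on a host without Docker.
if [ "${1:-}" = "create" ]; then
    ensure_network dns 192.168.250.1/24
fi
```

Run it as `sh create-dns-network.sh create` on the VPS; a second run reports the network as already present instead of failing with Docker's "network already exists" error, which is what makes it usable as a step in a playbook.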

Now we can proceed to Part 2 of the guide: setting up the AdGuard Home DNS server.