logo

Vick's Hangout

Part 4 - Setting up Caddy Reverse Proxy

Following Part 3 of the series, the final component to be set up is the Caddy reverse proxy. I previously used traefik and while it worked, there were a few hiccups I encountered. I can’t recall the exact issues I ran into, but they were enough for me to switch things up this time. On this particular VPS, I won’t be running many services so auto-discovery is irrelevant. I’m binding each service to a specific IP and port, then using Caddy to reverse proxy to them, which simplifies a lot of the management and admin. Caddy also handles automatic certificate renewal with my custom CA using the ACME endpoint I set up earlier, so that’s an added bonus.
3 minutes to read

Part 3 - Setting up Smallstep CA

Following Part 2 of the series, the second component to be set up is the Smallstep Certificate Authority server. Smallstep is a lightweight CA I use to issue and manage TLS certificates for my internal services. It makes it easy to automate cert handling without relying on external CAs such as Let’s Encrypt, nor do I have to reveal details about my domain names to the public.

Docker Compose

The Docker Compose file and configuration of Smallstep is located in /containers/smallstep base folder.

6 minutes to read

Part 2 - Setting up AdGuard Home

Following Part 1 of the series, the first component to be set up is the AdGuard Home DNS server. I chose this because it also blocks ads and unwanted services which enables my VPN clients to have a better web browsing experience. Aside from this, I get a useful GUI to view resolutions requests and to configure custom domains in an easy-to-use manner. I did contemplate utilizing dnsmasq but finally decided on AdGuard Home.
4 minutes to read

Part 1 - Custom CA with Smallstep on a VPS

I am in the process of rebuilding my personal Certificate Authority using Smallstep on a cloud VPS. My previous VPS was running for a few years but I didn’t document how I got the whole concept working. This time around, I decided to jot my notes down so I can replicate this back in the future if needed. This time, I also decided to make a little change to my setup, that is changing from traefik to caddy, not because traefik doesn’t work but I just wanted consistency across all my public-facing web servers.
2 minutes to read

SSH Certificates

I’ve been using SSH certificates for years to connect to my servers no matter where they are, and they’ve always worked perfectly. I’ve used both client and server certificates, but since I automated the setup I sometimes forget the steps. This guide records the process for future reference.

What are SSH Certificates?

Just as HTTPS certificates verify our websites, SSH certificates confirm the identity of both server and user before any connection begins. When you first connect to a new SSH server, you’ve no doubt seen that warning about an unknown host key and clicked “yes” because you just created the machine and assume it’s safe. SSH certificates remove that guesswork. A trusted authority signs the server’s public key in advance, and your client automatically checks that signature on every connection. On the flip side, the server only accepts user keys that carry a valid signature from the same authority. Certificates can include expiration dates and be revoked if necessary, giving you precise control over who can connect and for how long. With SSH certificates in place, there’s no need to blindly trust that initial prompt.

5 minutes to read

Wireguard Peer

Once your server is up and running, you can configure a peer. The process is nearly identical to setting up the server—allowing you to easily replicate these steps for adding multiple peers. As always, ensure that all commands are executed as the root user.

Generate keys

Each peer requires a unique public/private key pair to establish identity and secure connections, just like the server . Run the following commands to create the required files:

4 minutes to read

Wireguard Server

Refer to this article for a brief overview, prerequisites, and server details. Ensure you run all commands as the root user.

Generate keys

Each server requires a unique public/private key pair to establish identity and secure connections. Run the following commands to create the required files:

(umask 0077; wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey)
wg genpsk   # Generates a preshared key for Peer A (adds an extra layer of encryption)

Create configuration file

Create a configuration for the new interface. In Wireguard, the configuration file’s name determines the interface name. For example, if you create /etc/wireguard/wg0.conf, the interface will be named wg0.

4 minutes to read

Wireguard

For my VPN setup, I lean towards using Wireguard because it’s straightforward to configure and delivers great performance. This guide serves as a personal reference for when I need to set up Wireguard again—whether as a server or a client. While I typically run Ubuntu on my production servers, my personal homelab runs Archlinux. Although this guide is focused on Archlinux, the process is essentially the same on Ubuntu, aside from the installation details.
2 minutes to read