UPDATE (2023-01-09): I no longer use OPNsense; I am using OpenWrt now.
In this post I will show how to expose homelab services through HAProxy as a reverse proxy. Keep in mind this is dangerous: anyone who knows the domains you set up can reach your homelab directly, and if your firewall is not configured securely they can compromise your own and your family's devices.
- A domain whose DNS provider supports wildcard records (I use Cloudflare)
- A wildcard TLS certificate and its private key
- A public IP address provided by your ISP
- OPNsense with the os-ddclient and os-haproxy plugins installed
Home ISPs usually hand out only a dynamic IP (at least in China), so you need a DDNS client that updates the DNS record whenever the address changes.
Go to Services / Dynamic DNS / Settings and create an entry with these inputs (prefer an API token scoped to DNS:Edit on just this zone over the Global API key, since whatever you enter here is stored on the router):
<Cloudflare Global Token>
- Check ip method:
- Force SSL:
- Interface to monitor:
I use certbot / acme.sh to create and rotate my certs. After the certs are created, upload and save them to OPNsense under
System / Trust / Certificates
Pick one public port for all services (e.g. 1234); the HAProxy public service (frontend) listens on it. For a simple homelab without many or complex services, a single public service can route to all of them by hostname, so in this post I create only one.
If you are not exposing on the standard HTTPS port (some ISPs block inbound 80 and 443), you may want to create an alias for the custom port in
Firewall / Aliases.
Go to Firewall / NAT / Port Forward and create a new rule as:
- Destination port range:
- Redirect target IP:
- Redirect target port:
- NAT reflection:
You will also need to enable NAT reflection (so the public hostname works from inside the LAN too) in
Firewall / Settings / Advanced with the fields below:
- Reflection for port forwards:
- Automatic outbound NAT for Reflection:
The order for setting up each service in HAProxy is shown in this chart (Real Server, then Backend Pool, then Condition, then Rule, then Public Service); each object has a detailed explanation on its configuration page.
I will show an example that exposes a code-server service listening on port
8080 on a local machine with IP
- Name or Prefix:
- FQDN or IP:
- SSL: depends on whether the backend service itself speaks TLS
- Condition type:
<Host starts with> (select according to your real needs; note this is a prefix match, so use "Host matches" with the full hostname if you want an exact match)
- Host Prefix:
- Select conditions:
- Use backend pool:
As mentioned, you will create only one public service:
- Listen Addresses:
- Default Backend Pool:
- Enable SSL offloading: true
<The one created earlier>
- Default certificate:
<Same as Certificates>
- Enable HTTP/2: true
<Select in the dropdown>
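As an added example, not the post's own configuration and not the exact text the OPNsense plugin generates, here is a hand-written haproxy.cfg that is equivalent to the GUI objects configured above, so you can see what each field maps to. The domain example.com, the real server 192.0.2.10:8080, the public port 1234, the certificate path and the object names are all assumptions.

```haproxy
# Added example (not from the original post). Assumed: code-server on
# 192.0.2.10:8080, public port 1234, combined cert+key PEM for *.example.com
# at /usr/local/etc/haproxy/wildcard.pem.
global
    log /dev/log local0
    # Only TLS 1.2+ on the public listener
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    option forwardfor          # pass the real client IP to the backend
    timeout connect 5s
    timeout client  50s
    timeout server  50s
    timeout tunnel  1h         # code-server uses WebSockets; keep them open

# Real Server + Backend Pool ("SSL" = no, code-server speaks plain HTTP on the LAN)
backend code_server_pool
    server code_server 192.0.2.10:8080 check

# Backend used for anything that matches no Condition. Pointing "Default
# Backend Pool" at a real service would hand that service to every scanner
# that hits the bare IP:port without a matching Host header.
backend deny_all
    http-request deny deny_status 403

# Public Service: SSL offloading with the wildcard cert, HTTP/2 via ALPN
frontend public_1234
    bind :1234 ssl crt /usr/local/etc/haproxy/wildcard.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security "max-age=31536000"

    # Condition "Host starts with": strip any :port from the Host header,
    # lower-case it, then prefix-match. "code." also avoids matching "codex.".
    acl host_code req.hdr(host),lower,field(1,:) -m beg code.
    # Rule: send matching requests to the backend pool
    use_backend code_server_pool if host_code
    default_backend deny_all
```

Check the rendered config with `haproxy -c -f /path/to/haproxy.cfg` before reloading, and test from outside the LAN with `curl -v https://code.example.com:1234/` and with a bogus hostname to confirm the second request is refused rather than routed.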