The Concept

Home / Homelab (CGNAT)

No inbound ports. Everything starts outbound.

Services Jellyfin · NAS · VMs CGNAT Constraints Why inbound traffic can’t reach home

Home → Tunnel → VPS

WireGuard Tunnel Encrypted link across CGNAT

Public Access ⇄ Encrypted Tunnel

Public VPS (Internet)

Public entry point + controlled exposure.

Gateway / Router Routes traffic into tunnel Reverse Proxy + TLS Subdomains + HTTPS Automation Provisioning · routing · recovery

Idea: The homelab stays behind CGNAT. The VPS is the public entry point. WireGuard connects both securely.