I host a publicly-accessible (after an invite is granted) Mattermost team server on a (locally-hosted) Raspberry Pi 4. This Pi 4 runs Ubuntu 20.04 64-bit. Using a combination of WireGuard and HAProxy (on a VPS server, allowing a public connection), I “punch” the firewall which I’m behind (the Internet access here is double-NATed, so port-forwarding is a very ugly prospect for me). I use a wildcard Let’s Encrypt SSL cert in front of Mattermost, on the Pi (Nginx is a proxy in front of Mattermost locally on the Pi). These SSL cert files are hand-installed, and new certs get generated on a VPS, based on a manual DNS-based challenge.
Yes, that’s proxied twice. This works because HAProxy on my VPS merely forwards TCP packets, leaving the HTTPS traffic inside the packets unmolested. Nginx on the Pi actually works with the contents of the packets, encrypting and decrypting the SSL. My VPS sees nothing but SSL-encrypted Mattermost traffic.
This nifty networking trick, where I first establish a WireGuard connection to my VPS server (using the “keepalive” option, on the Pi 4) and then use HAProxy to send TCP-forwarded packets down the WireGuard tunnel (thereby punching the firewall, and not needing port forwarding), is a trick which I have dubbed the “Subzero” firewall puncher.
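As an added illustration (these are not the author's actual configuration files), here is the shape of the three configs the “Subzero” setup needs: the Pi's WireGuard interface with PersistentKeepalive so the NAT mapping stays open, the VPS's WireGuard interface with no fixed Endpoint for the Pi, and HAProxy on the VPS in TCP mode so it forwards the TLS bytes into the tunnel without terminating them. The tunnel addresses 10.9.0.1/10.9.0.2, the hostname vps.example.com, the ports, and the key placeholders are all assumed values.

```conf
# --- On the Pi: /etc/wireguard/wg0.conf (placeholder keys and addresses) ---
[Interface]
Address = 10.9.0.2/32
PrivateKey = <pi-private-key>
# No ListenPort: the Pi only dials out, so nothing is opened inbound on the
# home router (this is what makes port-forwarding unnecessary)

[Peer]
PublicKey = <vps-public-key>
Endpoint = vps.example.com:51820
# Only the VPS's tunnel address is routed via wg0; the Pi's other traffic
# still uses its normal default route
AllowedIPs = 10.9.0.1/32
# A packet every 25 s keeps the double-NAT mapping alive: the "chain" that
# lets the VPS reach the Pi at any time
PersistentKeepalive = 25

# --- On the VPS: /etc/wireguard/wg0.conf ---
[Interface]
Address = 10.9.0.1/32
ListenPort = 51820
PrivateKey = <vps-private-key>

[Peer]
PublicKey = <pi-public-key>
# No Endpoint here: the Pi's public address is learned when it connects from
# behind NAT, and only the Pi's tunnel address is accepted from this peer
AllowedIPs = 10.9.0.2/32

# --- On the VPS: /etc/haproxy/haproxy.cfg (relevant sections only) ---
frontend https_in
    bind *:443
    # TCP mode: HAProxy relays the TLS stream byte-for-byte and never sees
    # the plaintext; the certificate and key live only on the Pi's Nginx
    mode tcp
    option tcplog
    default_backend pi_nginx

backend pi_nginx
    mode tcp
    # 10.9.0.2 is the Pi's end of the tunnel, so the forwarded bytes travel
    # only inside WireGuard between the VPS and the Pi
    server pi 10.9.0.2:443 check
```

Because the VPS holds no TLS private key, compromising it yields only ciphertext; the WireGuard AllowedIPs lines additionally limit what each side may send into the tunnel.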
Let me explain this “Subzero” analogy (the combined use of WireGuard and HAProxy) a little more. It’s sort of like in the original Mortal Kombat video game back in the day, where my favorite character Subzero would throw a hook thing on a chain at his opponent which would stick in their neck, then he would say “Come here” and would pull them close for an uppercut. That’s sort of like the periodic WireGuard keepalives holding a connection to the VPS (the “chain”), and then HAProxy is like the “hook thing”, hooking the traffic down the WireGuard connection to the Pi 4. The “uppercut” is a reference to the firewall being punched (and it’s not any end-user who gets “punched”).
I apologize that the “Subzero” analogy involves violence. My server does nothing which is of a bad or dark nature, BTW. It’s used for a totally legitimate, above-board purpose. My motivation for posting this method is to prevent it from getting patented somehow in the future. I hereby release this method to the public (and may the ultra-rich hi-tech tycoons like Jeff Bezos not take over the world!)
Perhaps a few others have already figured out and used my “Subzero” trick (I followed no other comprehensive guide to do this all as one coherent system/solution), but I think I’m the first to put a name to it. This trick is especially ideal for me, because my heartless ISP gets to remotely update the firmware for the dodgy local wifi routers here all they want, and they won’t ruin my setup (by erasing, without warning, all port-forwarding rules, which is a huge annoyance I’ve had happen to me multiple times before, with respect to other self-hosted services).