I migrated my reverse proxy to OPNsense, and everything is so much simpler

I've used so many different ways of accessing my home lab content from outside my network, from Tailscale Funnel, NetBird, Pangolin, and a whole bunch of other reverse proxy solutions. But they all had one thing in common: the ability to reach the wider internet, either to communicate with management servers, my VPS, or my nameservers that point to a domain name I own. That's not usually a problem, but sometimes I prefer not to have my home lab communicate with the outside world.

Additionally, it'd be a significant quality of life improvement to be able to run the reverse proxy off a local nameserver, so that I don't have to adjust domain records every time my external IP address changes. I don't want to use DDNS for this either. The switchover time between IP addresses with caching bothers me; I want it to be quick. Enter OPNsense to my rescue once again, with its bundle of plugins, which include several reverse proxy solutions and Unbound for local domain resolution.

I can manage everything in one place

I can't understate how much this gives me joy

Usually, I'm all about keeping services separated when they don't make sense to combine. I don't like putting lots of services on my NAS, so they go on another server so as not to take away resources. I prefer having individual network appliances because there's something about physical Ethernet connections that helps my brain make sense of network space. I also enjoy using containers for their ease of setup and the ability to network between them.

There is one instance where combining services makes sense to me, and that's setting up my home lab's reverse proxy on my router. I don't need external access from outside my house, so I can use whatever WAN IP I've designated, without having to drudge through DDNS settings and external domain name server records. These are necessary evils in my eyes, and I'd rather not have to deal with them when I'm testing things out.

It's not that setting up a container with the reverse proxy and pointing it at OPNsense is difficult, but why shouldn't I be able to manage them from the same dashboard? It makes perfect sense to me, as the firewall, Unbound DNS, and the reverse proxy are all facets of access to my home lab network, although they have slightly different tasks.

And I have choices

I'm currently using Caddy because I got pretty enamored with it recently, but OPNsense also has plugins for HAProxy and Nginx, both of which I've used in the past. While I could run things in a Docker container on the same host I'm virtualizing OPNsense on, I prefer having it all in one place, where I can have anti-lockout rules in place, so that I can always access the OPNsense installation if something goes wrong and make the necessary fixes.

Otherwise, I know something will go wrong when configuring either the firewall rules or the reverse proxy, and I'll get locked out of one, and have to start from the last backup or more likely, from scratch. I'm trying to learn Ansible so I can set things up as a playbook and have an easily reproducible OPNsense configuration. Still, it's challenging because I'm often unsure what I did right to get network traffic flowing.

Managing domains is a breeze

Unbound makes OPNsense my DNS server for local domains on demand

Having the reverse proxy live on my OPNsense router is already quite beneficial, but adding Unbound makes it even more effective. Using an easily readable domain name instead of remembering IP addresses and ports is a huge time saver in the home lab, but normally, I'd have to go to my Cloudflare dashboard, set up the domain name and A record, then come back into OPNsense to set up Dynamic DNS, so I don't have to change the external IP every time my ISP changes it.

That's a minor irritation, sure, but I'm all about removing friction in my networking stack, and that's why I love using Unbound for local DNS resolving. It comes with all the usual benefits of local DNS caching, including speed and privacy, but I can also set up override records to use local domain names for every machine, service, and container in my home lab. That makes setting up reverse proxies easier, but it also simplifies management and cataloging, meaning I have fewer headaches overall once the initial setup is complete.

OPNsense is the logical place for my home lab reverse proxy to live

I've found that OPNsense is the perfect fit for my home lab shenanigans, and running a reverse proxy on the firewall makes sense for me. I'm not sure I'd do the same thing if this OPNsense install was the main router for my home network, because I value stability over everything else for that appliance, and I tend to set it up, then leave it alone for as long as possible. However, for internal routing with local domain names, OPNsense, Caddy, and Unbound mean I only need one dashboard open to set up static routes to services I'm testing, making my life easier.