====== Tutorial: Host a Local Website via VPS with WireGuard and Nginx ======

This tutorial explains how to host a website locally, while making it accessible
through your domain on a VPS. The VPS acts as a reverse proxy and forwards traffic
over a WireGuard tunnel to your home server.

===== Architecture Overview =====

The following diagram illustrates how requests flow from the internet
to your locally hosted website via the VPS and WireGuard tunnel:

<code>
   +-------------------+
   |   Client Browser  |
   |  (User requests)  |
   +---------+---------+
             |
             v
   +-------------------+
   |   Domain (DNS)    |
   | mond-keks.de      |
   +---------+---------+
             |
             v
   +-------------------+
   |   VPS (Public IP) |
   |  Nginx Reverse    |
   |  Proxy + SSL      |
   +---------+---------+
             |
             |  WireGuard Tunnel
             v
   +-------------------+
   | Home Server       |
   | Local Website     |
   | (HTTP on 8080)    |
   +-------------------+
</code>


===== Requirements =====
  * VPS with public IPv4/IPv6 address
  * Home server with IPv6 (e.g. Fritzbox)
  * Domain pointing to the VPS IP
  * Installed WireGuard and Nginx

===== Step 1: Install WireGuard =====
<code>
sudo apt update
sudo apt install wireguard
</code>

===== Step 2: Generate Keys =====
<code bash>
wg genkey | tee vps_private.key | wg pubkey > vps_public.key
wg genkey | tee local_private.key | wg pubkey > local_public.key
</code>

===== Step 3: Create Configuration =====
VPS: '''/etc/wireguard/wg0.conf'''
<code ini>
[Interface]
Address = 10.0.0.1/24
PrivateKey = <VPS-Private-Key>
ListenPort = 51820

[Peer]
PublicKey = <Local-Public-Key>
AllowedIPs = 10.0.0.2/32
Endpoint = [YOUR_IPV6_HOME_ADDRESS]:51820
PersistentKeepalive = 25
</code>

Local server: '''/etc/wireguard/wg0.conf'''
<code ini>
[Interface]
Address = 10.0.0.2/24
PrivateKey = <Local-Private-Key>
ListenPort = 51820

[Peer]
PublicKey = <VPS-Public-Key>
AllowedIPs = 10.0.0.1/32
Endpoint = <VPS-IP>:51820
PersistentKeepalive = 25
</code>

===== Step 4: Start Tunnel and Make it Persistent =====
<code>
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0
</code>

===== Step 5: Adjust Firewall =====
Using ufw:
<code>
sudo ufw allow 51820/udp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
</code>

===== Step 6: Configure Nginx as Reverse Proxy =====
File: '''/etc/nginx/sites-available/mond-keks.de'''
<code nginx>
server {
    server_name domain.com www.domain.com;

    listen 443 ssl;
    listen [::]:443 ssl;

    ssl_certificate /etc/letsencrypt/live/mond-keks.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mond-keks.de/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://10.0.0.2:80;   # WireGuard IP of home server
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name domain.com www.domain.com;

    return 301 https://$host$request_uri;
}
</code>

===== Step 7: Testing =====
  * Browser: https://mond-keks.de
  * Check tunnel: <code>wg show</code>
  * View logs: <code>tail -f /var/log/nginx/access.log</code>

===== Result =====
Your domain points to the VPS, Nginx terminates HTTPS and forwards requests
through the WireGuard tunnel to your home server. This way, your site stays local
but is globally accessible.