Security

The VPS is a relay, not the trust anchor.

The Home Agent owns device approval, relay tokens, route targets, and revocation. The VPS should hold only enough state to relay traffic and manage WireGuard peers.

TLS for Home Agent to VPS

The full setup path puts Caddy in front of the VPS Agent so pairing and relay management happen over HTTPS with automatic certificates.

Caddy, 443/tcp

WireGuard for remote devices

Phones and laptops use WireGuard to reach the VPS tunnel address. This gives the mobile VPN behavior users expect.

51888/udp, QR profile

Token-protected management

After claim, sensitive VPS endpoints require the relay management token from the Home Agent.

No public state dump

Revocation removes access

Revoking a device removes the WireGuard peer and the Home Agent device record.

Lost device flow

Firewall shape

A blank VPS install keeps the raw agent port private; only Caddy and WireGuard are reachable from the internet.

80/tcp      Caddy HTTP and ACME challenge
443/tcp     Caddy HTTPS, reverse-proxied to the VPS Agent on 127.0.0.1:4174
51888/udp   WireGuard device VPN
4174/tcp    VPS Agent: localhost for Caddy, and tater0-only for VPN relay use (never a public address)

Hardening checklist

Run these checks before calling a setup production-ready.

Security checks
# Caddy terminates TLS with a valid certificate and the VPS Agent answers on its health endpoint
curl -fsS https://tunnel.example.com/api/health
# Only approved devices appear as peers on the tunnel interface, each with a recent handshake
sudo wg show tater0
# Only 80/tcp, 443/tcp and 51888/udp are open to Anywhere; 4174/tcp must not be
sudo ufw status verbose
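The firewall table and the checklist above are easy to eyeball once, but they drift: someone opens 4174/tcp to "fix" a pairing problem, or the agent gets restarted with a wildcard bind. The script below is an added example, not the project's own tooling. It parses `ss -Hltn` and `ufw status` output and fails if the raw agent port is reachable from a public address or if the ufw shape differs from the table. The tater0 address 10.88.0.1 and the sample command outputs are constructed assumptions; `audit_live` runs the same checks against a real VPS.

```sh
#!/bin/sh
# Added example (not the project's own code): audit the firewall shape and
# agent bindings described on this page from `ss -Hltn` and `ufw status`
# output. Parsing text lets it run offline on the constructed samples
# below; audit_live feeds it the real commands on a VPS.

AGENT_PORT=4174          # raw VPS Agent port, must stay private
WG_PORT=51888            # WireGuard device VPN port
TATER0_ADDR="10.88.0.1"  # assumed VPS address on tater0 (not from the page)

# Constructed `ss -Hltn` output for a correctly installed VPS: 4174 is bound
# only on loopback (for Caddy) and on the tater0 address (for relay use).
GOOD_LISTENERS='LISTEN 0 4096 127.0.0.1:4174 0.0.0.0:*
LISTEN 0 4096 10.88.0.1:4174 0.0.0.0:*
LISTEN 0 4096 *:443 *:*
LISTEN 0 4096 *:80 *:*'

# Constructed output for a host where the agent was started with a wildcard
# bind; the raw port is reachable from the internet, bypassing Caddy and TLS.
BAD_LISTENERS='LISTEN 0 4096 0.0.0.0:4174 0.0.0.0:*
LISTEN 0 4096 *:443 *:*'

# check_agent_bind LISTENERS: succeed only if every socket on AGENT_PORT is
# bound to 127.0.0.1, ::1 or the tater0 address.
check_agent_bind() {
    printf '%s\n' "$1" | awk -v port="$AGENT_PORT" -v wg="$TATER0_ADDR" '
        $1 == "LISTEN" {
            # local address is field 4, e.g. 127.0.0.1:4174 or [::]:4174
            n = split($4, a, ":"); p = a[n]
            host = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && host != "127.0.0.1" && host != "[::1]" && host != wg)
                bad++
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed `ufw status` output matching the firewall table on this page.
GOOD_UFW='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
51888/udp                  ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)'

# Constructed output where the raw agent port was opened to the world.
BAD_UFW='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
51888/udp                  ALLOW       Anywhere
4174/tcp                   ALLOW       Anywhere'

# ufw_allows OUTPUT RULE FROM: succeed if RULE (e.g. 80/tcp) is ALLOWed from FROM.
ufw_allows() {
    printf '%s\n' "$1" | awk -v r="$2" -v f="$3" '
        $1 == r && $2 == "ALLOW" && $3 == f { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# check_ufw OUTPUT: succeed only if ufw is active, the three public ports are
# open, and the raw agent port is not allowed from Anywhere.
check_ufw() {
    printf '%s\n' "$1" | grep -q '^Status: active' || return 1
    for rule in 80/tcp 443/tcp "$WG_PORT/udp"; do
        ufw_allows "$1" "$rule" Anywhere || return 1
    done
    if ufw_allows "$1" "$AGENT_PORT/tcp" Anywhere; then
        return 1
    fi
    return 0
}

# audit LISTENERS UFW_OUTPUT: run both checks, print findings, fail if any.
audit() {
    status=0
    check_agent_bind "$1" || { echo "FINDING: $AGENT_PORT/tcp is bound on a public address"; status=1; }
    check_ufw "$2" || { echo "FINDING: ufw must allow 80/tcp 443/tcp $WG_PORT/udp and keep $AGENT_PORT/tcp closed"; status=1; }
    return $status
}

# audit_live: the same checks against the real host (ufw needs root).
audit_live() {
    audit "$(ss -Hltn)" "$(sudo ufw status)"
}

echo "good install:"; audit "$GOOD_LISTENERS" "$GOOD_UFW" && echo "  OK"
echo "bad install:";  audit "$BAD_LISTENERS"  "$BAD_UFW"  || echo "  needs fixing"
```

Run it as a cron job or post-deploy step and treat a non-zero exit as a blocker. The listener check is the one that matters most: a ufw rule can be re-added by hand, but an agent bound to 0.0.0.0:4174 exposes the pairing and relay-management endpoints without the TLS and token protections the rest of this page relies on.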