# OPNsense
OPNsense runs as a VM on Proxmox and handles routing, firewalling, and several network services for the homelab.
| Plugin / Service | Role |
|---|---|
| Unbound | Internal DNS resolver |
| AdGuard Home | Upstream DNS with ad blocking |
| dnsmasq | DHCP server |
| HAProxy | Reverse proxy for internal services |
| ACME client | Let's Encrypt certificate management |
| Tailscale | Subnet router for remote access |
## DNS
DNS resolution is handled by a three-layer stack:
AdGuard Home is the DNS server for all clients on the network. It filters ads and trackers at the DNS level. Internet-bound queries are forwarded over DNS-over-TLS and DNS-over-HTTPS, so DNS traffic to the upstream resolvers is encrypted.
Unbound handles internal name resolution. AdGuard Home forwards queries for local hostnames to Unbound, which resolves them within the network. Internal services exposed through HAProxy are configured as host overrides in Unbound, pointing their hostnames to HAProxy's address.
dnsmasq handles DHCP and pushes AdGuard Home's address to clients as their DNS server.
## Certificates
The ACME client fetches Let's Encrypt certificates automatically. Certificates are used in two places:
- OPNsense itself — for the web UI and other OPNsense services
- HAProxy — for TLS termination of internal services
## HAProxy
HAProxy acts as a reverse proxy for internal services, terminating HTTPS using the Let's Encrypt certificates from the ACME client. This allows internal services to be reached over HTTPS with valid certificates without exposing them to the internet.
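The coupling between the DNS layer and HAProxy described above (Unbound host overrides pointing every published hostname at HAProxy, HAProxy routing on the Host header to the real backend), as an added example that is not part of this page and is not OPNsense's, Unbound's or HAProxy's own code. The script renders both halves from one service map: the `local-data` lines an OPNsense host override produces in unbound.conf, and an HAProxy frontend/backend set that terminates TLS with the ACME certificate, then reports any hostname that appears in only one of the two. Every address, hostname, port and the certificate path are constructed placeholders; OPNsense generates both configs from its UI, so this only makes visible what the two layers must agree on.

```python
"""Render Unbound host overrides and HAProxy routing from one service map."""
from __future__ import annotations

import ipaddress
import re

# Constructed placeholders: assumptions for this example, not values from the page.
HAPROXY_ADDR = "192.0.2.10"            # LAN address HAProxy binds to; Unbound points every service here
DOMAIN = "lab.example"                 # internal zone that Unbound answers for
CERT_PATH = "/path/to/acme-cert.pem"   # placeholder for the ACME-issued full-chain PEM

# Published service name -> (backend address, backend port); all constructed.
SERVICES = {
    "proxmox": ("192.0.2.2", 8006),
    "adguard": ("192.0.2.3", 3000),
    "grafana": ("192.0.2.20", 3000),
}


def fqdn(name: str) -> str:
    return f"{name}.{DOMAIN}"


def unbound_overrides(services: dict, haproxy_addr: str = HAPROXY_ADDR) -> list[str]:
    """One A record per published service, every one pointing at HAProxy.

    These are the unbound.conf 'local-data' lines behind an OPNsense host override;
    clients learn HAProxy's address, never the backend's.
    """
    ipaddress.ip_address(haproxy_addr)  # raises ValueError on a mistyped address
    return [f'local-data: "{fqdn(n)}. IN A {haproxy_addr}"' for n in sorted(services)]


def haproxy_config(services: dict, cert_path: str = CERT_PATH) -> str:
    """HTTPS frontend terminating TLS with the ACME certificate, one backend per host.

    A request whose Host header matches no published service lands in a deny-only
    backend, so an unknown name is never routed to an arbitrary internal server.
    """
    lines = [
        "defaults",
        "    mode http",
        "    timeout connect 5s",
        "    timeout client 30s",
        "    timeout server 30s",
        "",
        "frontend https-in",
        f"    bind {HAPROXY_ADDR}:443 ssl crt {cert_path}",
        "    http-request set-header X-Forwarded-Proto https",
        "    http-response set-header Strict-Transport-Security max-age=31536000",
    ]
    for name in sorted(services):
        lines.append(f"    use_backend be_{name} if {{ req.hdr(host),lower -m str {fqdn(name)} }}")
    lines.append("    default_backend be_deny")
    for name, (addr, port) in sorted(services.items()):
        lines += ["", f"backend be_{name}", f"    server {name} {addr}:{port}"]
    lines += ["", "backend be_deny", "    http-request deny"]
    return "\n".join(lines) + "\n"


def drift(override_lines: list[str], config_text: str) -> set[str]:
    """Hostnames present in only one of the two configs; an empty set means they agree."""
    dns_names = set()
    for line in override_lines:
        m = re.search(r'"([^ ]+)\. IN A ', line)
        if m:
            dns_names.add(m.group(1))
    proxy_names = set(re.findall(r"-m str (\S+) }", config_text))
    return dns_names ^ proxy_names


if __name__ == "__main__":
    overrides = unbound_overrides(SERVICES)
    config = haproxy_config(SERVICES)
    print("\n".join(overrides))
    print()
    print(config)
    print("drift:", drift(overrides, config) or "none")
```

Running the script prints the three override lines, the HAProxy config, and `drift: none`. The deny-only `default_backend` is the deliberate choice here: a reverse proxy that falls through to a "first" backend for unmatched names routes anything that reaches port 443 somewhere, whereas the deny backend makes an unpublished hostname a hard stop.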
## Tailscale
Tailscale runs as a subnet router, making the entire homelab network accessible remotely through the Tailscale VPN. This avoids opening any ports to the internet — remote access goes through Tailscale's encrypted tunnel instead.