Project | Secure Access

Secure Remote Access Design

Two independent remote access layers: a self-hosted Headscale mesh VPN for admin access, and a Cloudflare Tunnel in a DMZ VLAN for public-facing services. No management ports on the internet — every access path is intentional and documented.

Tags: Headscale · Tailscale Exit Node · Cloudflare Tunnel · Nginx Proxy Manager · DMZ Design · Wildcard TLS

[Diagram: Zero-trust remote access architecture]

What I Built

  • Self-hosted Headscale as a WireGuard-based mesh VPN controller, managed via the Headplane web UI.
  • Tailscale exit node for subnet routing and remote access to lab resources from anywhere.
  • Cloudflare Tunnel connector deployed in a dedicated Public DMZ VLAN, isolated from LAN, routing public HTTPS requests through Cloudflare's edge without a WAN port forward.
  • Nginx Proxy Manager Plus as the internal reverse proxy, terminating TLS with a wildcard cert (*.masternazz.com) and routing subdomains to backend services.
  • ACME client on OPNsense auto-renewing the wildcard cert via Cloudflare DNS-01 — no cert management overhead.

Skills Demonstrated

  • Mesh VPN design and self-hosted control plane operation
  • Reverse proxy configuration and subdomain routing
  • DMZ network design for tunnel isolation
  • Automated TLS lifecycle management
  • Separating admin access paths from public service paths

Public Ingress

Cloudflare Tunnel in DMZ

The Cloudflare Tunnel connector LXC lives in VLAN 50, separated from the LAN. Public requests hit Cloudflare's edge, traverse the tunnel to the DMZ host, then reach internal services through the reverse proxy — no direct WAN port forwards needed.

Admin Access

Headscale Mesh VPN

Headscale provides a self-hosted WireGuard control plane. Admin traffic — Proxmox, OPNsense, Authentik — reaches the lab through the encrypted mesh rather than open firewall rules. Headplane gives a clean UI for managing peers and access policies.
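As an added example, not a file from this lab, the kind of Headscale policy that enforces the admin-only path described above: only devices carrying the admin tag can reach the management UIs, and subnet routes advertised by the exit node are approved automatically. The user name, tailnet hosts, IPs and ports are assumed placeholders (Proxmox's web UI does default to 8006).

```hujson
// Added example Headscale ACL policy (HuJSON, so comments are allowed).
// Hostnames, addresses, the user name and ports are constructed placeholders.
{
  // Only members of the admins group may apply tag:admin or tag:exit
  // to a device, so a stolen peer key cannot self-promote.
  "tagOwners": {
    "tag:admin": ["group:admins"],
    "tag:exit":  ["group:admins"]
  },
  "groups": {
    "group:admins": ["nazeem@"]
  },
  // Management targets live on the LAN and are reachable only via the mesh.
  "hosts": {
    "proxmox":  "10.0.10.5/32",
    "opnsense": "10.0.10.1/32",
    "authentik": "10.0.10.20/32"
  },
  // Routes and exit-node status advertised by the tagged exit node are
  // approved without a manual step in Headplane.
  "autoApprovers": {
    "routes":   { "10.0.10.0/24": ["tag:exit"] },
    "exitNode": ["tag:exit"]
  },
  "acls": [
    // Admin devices reach each management UI on its service port only.
    {
      "action": "accept",
      "src": ["tag:admin"],
      "dst": ["proxmox:8006", "opnsense:443", "authentik:443"]
    },
    // Admin devices may use the exit node for general internet egress.
    {
      "action": "accept",
      "src": ["tag:admin"],
      "dst": ["autogroup:internet:*"]
    }
    // No catch-all rule: any untagged peer has no reachable destinations.
  ]
}
```

The absence of a default-allow rule is the point: a peer that joins the mesh without tag:admin can see the control plane but cannot reach Proxmox, OPNsense or Authentik.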

TLS

Wildcard Cert Pipeline

OPNsense's ACME client issues and renews a *.masternazz.com certificate automatically via Cloudflare DNS-01. Nginx Proxy Manager terminates TLS for all subdomains, so every internal service gets HTTPS without managing individual certs.

What This Shows Employers

I built two separate access layers — mesh VPN for admin, Cloudflare Tunnel for public services — because they solve different problems. I can explain why each path exists, what it protects, and where the trust boundaries are. That's the mindset network and security roles need on day one.

Get In Touch

Open to Junior Network Administrator, SOC Analyst, NOC, MSP, Help Desk, IT Support, and Cybersecurity Internship opportunities.

Email: NazeemDickey@gmail.com | Boynton Beach, FL