Network Topology

Overview

Network architecture connecting reference deployments and demonstrating WireGuard-based secure monitoring.

Network Diagram

┌─────────────────────────────────────────────────────────────────┐
│                            Internet                             │
└────────────┬────────────────────────────────────┬───────────────┘
             │                                    │
     ┌───────▼──────────┐                 ┌───────▼────────┐
     │ prod.example.com │                 │  Home Network  │
     │  (Linode VPS)    │                 │  192.168.x.x   │
     │                  │                 └───────┬────────┘
     │ Public Services: │                         │
     │ • Web (80/443)   │                 ┌───────▼────────┐
     │ • Mail (25/587)  │                 │  NAS Server    │
     │ • DNS (53)       │                 │  S3 Storage    │
     │ • Gitea (3000)   │                 │  :8010         │
     │                  │                 └───────┬────────┘
     │ WireGuard Client │◄──────┐                 │
     │ 10.10.0.1        │       │                 │
     └──────────────────┘       │         ┌───────▼────────────────┐
                                │         │  Proxmox Host          │
                         ┌──────┴──────┐  │                        │
                         │  WireGuard  │  │  ┌──────────────────┐  │
                         │   Tunnel    │  │  │ monitor11 VM     │  │
                         │ (Encrypted) │  │  │                  │  │
                         └──────┬──────┘  │  │ Services:        │  │
                                │         │  │ InfluxDB :8086   │  │
                 ┌──────────────▼───────┐ │  │ Loki     :3100   │  │
                 │ monitor11.example.com│◄┼──┤                  │  │
                 │  (Proxmox VM)        │ │  │                  │  │
                 │                      │ │  └──────────────────┘  │
                 │ WireGuard Server     │ └────────────────────────┘
                 │ 10.10.0.11           │
                 │                      │
                 │ Receives:            │
                 │ • Logs from prod     │
                 │ • Metrics from all   │
                 └──────────────────────┘

Network Segments

Public Internet

Hosts:
  • prod.example.com (Linode VPS)

Exposed Services:
  • HTTP/HTTPS (80/443) - Web hosting
  • SMTP (25/587/465) - Mail server
  • DNS (53) - Bind9 name server
  • Gitea (3000) - Git repositories

Home Network (192.168.x.x)

Hosts:
  • storage.example.com - NAS with S3-compatible storage
  • Proxmox host - Hypervisor for VMs
  • monitor11.example.com - Monitoring VM

Internal Services:
  • S3 Storage (s3-server:8010)
  • Proxmox Web UI (192.168.x.x:8006)

WireGuard VPN (10.10.0.0/24)

Purpose: Secure tunnel for monitoring traffic

Endpoints:
  • 10.10.0.11 - monitor11.example.com (server)
  • 10.10.0.1 - prod.example.com (client)

Port: 51820 (UDP)

Traffic:
  • Logs: prod.example.com → monitor11:3100 (Loki)
  • Metrics: prod.example.com → monitor11:8086 (InfluxDB)

Data Flow

Metrics Collection

prod.example.com
  ├─ Telegraf collects system metrics
  │   │
  │   └─► WireGuard tunnel (10.10.0.1 → 10.10.0.11)
  │       │
  │       └─► monitor11:8086 (InfluxDB)
  │           │
  │           └─► S3 storage (s3-server:8010/influx11)

Log Collection

prod.example.com
  ├─ Alloy collects logs:
  │   ├─ Apache
  │   ├─ Fail2ban
  │   ├─ Mail (journald)
  │   ├─ Bind9 (journald)
  │   └─ WireGuard (journald)
  └─► WireGuard tunnel (10.10.0.1 → 10.10.0.11)
      └─► monitor11:3100 (Loki)
          └─► S3 storage (s3-server:8010/loki11)

Self-Monitoring

monitor11.example.com
  ├─ Telegraf collects local metrics
  │   │
  │   └─► localhost:8086 (InfluxDB)
  └─ Monitors itself without external dependencies

Security Considerations

WireGuard Encryption

  • All monitoring traffic encrypted via WireGuard
  • Public keys only, no shared secrets
  • Automatic key rotation possible

Firewall Rules

prod.example.com:
  • Allow outbound WireGuard (UDP 51820)
  • Block direct inbound to monitoring ports
  • All monitoring via encrypted tunnel

monitor11.example.com:
  • Allow inbound WireGuard (UDP 51820)
  • InfluxDB/Loki only accessible via WireGuard
  • No public exposure of monitoring services
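The two firewall policies above written out as nftables rulesets, generated by a small shell helper so the same ports and subnet are used on both hosts. This is an added example, not configuration from the page's Ansible roles: the interface name wg0, the 192.168.0.0/16 admin range and the SSH rules are assumptions, while the port numbers are the ones listed in this document.

```shell
#!/bin/sh
# Added example (not configuration from the page's roles): nftables rulesets
# implementing the two firewall policies above. Interface name wg0, the
# 192.168.0.0/16 admin range and the SSH rules are assumptions; the port
# numbers are the ones listed in this document.

WG_IF="wg0"
WG_NET="10.10.0.0/24"
MONITORING_PORTS="8086, 3100"   # InfluxDB, Loki

# monitor11.example.com: WireGuard in from anywhere on UDP 51820; InfluxDB and
# Loki reachable only for packets that arrived through the tunnel interface
# with a source in the tunnel subnet; the default drop covers everything else.
monitor11_ruleset() {
    cat <<EOF
table inet monitoring {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # encrypted tunnel transport from prod (and any future collector)
        udp dport 51820 accept

        # monitoring services: tunnel interface AND tunnel source address
        iifname "$WG_IF" ip saddr $WG_NET tcp dport { $MONITORING_PORTS } accept
        iifname "$WG_IF" icmp type echo-request accept

        # a hit on these ports from outside the tunnel is a misconfiguration
        # or a probe: log it so it shows up in Loki, then drop
        tcp dport { $MONITORING_PORTS } log prefix "monitoring-port-outside-wg: " drop

        # admin access from the home LAN only (assumed range)
        ip saddr 192.168.0.0/16 tcp dport 22 accept
    }
}
EOF
}

# prod.example.com: public services stay open, outbound (including the UDP
# 51820 tunnel to monitor11) is unrestricted, and the monitoring ports are
# dropped and logged even though nothing should listen on them here.
prod_ruleset() {
    cat <<EOF
table inet monitoring {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept

        # public services listed under Network Segments
        tcp dport { 80, 443, 25, 587, 465, 53, 3000 } accept
        udp dport 53 accept

        # never expose the collectors' targets on the public host
        tcp dport { $MONITORING_PORTS } log prefix "prod-monitoring-port: " drop

        # admin access (assumed; restrict the source to your admin range)
        tcp dport 22 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Parse-check a ruleset with nft when it is available and we are root;
# otherwise skip so the script stays usable on a workstation.
# Apply for real with:  monitor11_ruleset | nft -f -
check_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        "$1" | nft -c -f -
    else
        echo "nft not available as root; syntax check for $1 skipped" >&2
    fi
}

if [ "${1:-}" = "show" ]; then
    monitor11_ruleset
    prod_ruleset
fi
```

The ordering inside the monitor11 chain is the point: the accept for 8086/3100 requires both the wg0 interface and a 10.10.0.0/24 source, so a packet that reaches the host on its LAN interface with a spoofed tunnel address still falls through to the logged drop.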

Network Isolation

  • Monitoring traffic separated from application traffic
  • WireGuard provides network segmentation
  • S3 storage on private network only

Bandwidth Considerations

Typical Traffic

Per hour from prod.example.com:
  • Logs: ~50-100 MB (depending on activity)
  • Metrics: ~5-10 MB

Daily:
  • Logs: ~1-2 GB
  • Metrics: ~100-200 MB

WireGuard Overhead

  • Minimal overhead (~50 bytes per packet)
  • Compression available if needed
  • Persistent keepalive: 25 seconds

Future Expansion

Adding New Collectors

New Host
  ├─ Install Telegraf + Alloy
  ├─ Configure WireGuard client
  │   ├─ Generate keys
  │   ├─ Add to monitor11 allowed peers
  │   └─ Assign IP in 10.10.0.0/24
  └─ Point collectors to monitor11wg endpoints

Additional Monitoring Servers

Multiple monitor servers possible:
  • Add routes in WireGuard config
  • Load balance via DNS or Alloy config
  • Replicate S3 buckets if needed

Network Testing

Test WireGuard Connectivity

From prod.example.com:

ping 10.10.0.11

Test Service Reachability

From prod.example.com:

curl http://10.10.0.11:3100/ready  # Loki
curl http://10.10.0.11:8086/health # InfluxDB

Test S3 Storage

From monitor11:

curl http://storage.example.com:8010
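An added health script that extends the manual checks above (it is not part of the page or the project): it parses `wg show wg0 dump` to flag peers whose last handshake is older than a threshold, which is the usual cause of "no metrics arriving" on monitor11, and then probes the Loki and InfluxDB endpoints with a bounded timeout. The SAMPLE_DUMP content is constructed, and the 180-second MAX_HANDSHAKE_AGE is an assumed threshold.

```shell
#!/bin/sh
# Added example (not part of the page or project): health checks for the
# monitoring path. Flags WireGuard peers with stale handshakes and probes the
# Loki/InfluxDB readiness endpoints over the tunnel with a bounded timeout.

MONITOR_WG_IP="10.10.0.11"
MAX_HANDSHAKE_AGE=180   # seconds; assumed threshold (WireGuard re-handshakes about every 2 minutes under traffic)

# Reads 'wg show wg0 dump' on stdin and prints one line per peer whose latest
# handshake is older than $2 seconds as of the epoch time in $1, or that has
# never handshaked at all. Dump columns are tab-separated: public-key,
# preshared-key, endpoint, allowed-ips, latest-handshake (epoch, 0 = never),
# rx bytes, tx bytes, keepalive. The first line describes the interface itself.
stale_peers() {
    awk -F '\t' -v now="$1" -v max="$2" '
        NR == 1 { next }
        {
            never = ($5 == 0)
            age = never ? -1 : now - $5
            if (never || age > max)
                printf "%s\t%s\t%s\n", $4, $3, (never ? "never" : age)
        }'
}

# Probe an HTTP readiness endpoint. --max-time keeps a blackholed tunnel from
# hanging the check; anything but 200 is reported as a failure.
probe() {
    name="$1"; url="$2"
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$url" 2>/dev/null)
    case "${code:-000}" in
        200) echo "ok    $name $url" ;;
        *)   echo "FAIL  $name $url (http ${code:-000})"; return 1 ;;
    esac
}

# Constructed sample of 'wg show wg0 dump' output (key columns are placeholders):
# peer 10.10.0.1 last shook hands at epoch 1700000000, peer 10.10.0.2 never did.
SAMPLE_DUMP=$(
    printf 'SRV_PRIVKEY\tSRV_PUBKEY\t51820\toff\n'
    printf 'PEER1_PUBKEY\t(none)\t203.0.113.10:41821\t10.10.0.1/32\t1700000000\t12345\t67890\toff\n'
    printf 'PEER2_PUBKEY\t(none)\t(none)\t10.10.0.2/32\t0\t0\t0\t25\n'
)

run_checks() {
    rc=0
    if command -v wg >/dev/null 2>&1; then
        stale=$(wg show wg0 dump 2>/dev/null | stale_peers "$(date +%s)" "$MAX_HANDSHAKE_AGE")
        if [ -n "$stale" ]; then
            printf 'stale WireGuard peers (allowed-ips, endpoint, age):\n%s\n' "$stale"
            rc=1
        fi
    fi
    probe loki     "http://$MONITOR_WG_IP:3100/ready"  || rc=1
    probe influxdb "http://$MONITOR_WG_IP:8086/health" || rc=1
    return $rc
}

# Dry run against the constructed sample:  ./healthcheck.sh sample
# Real run on prod (wg show needs root):    ./healthcheck.sh run
case "${1:-}" in
    sample) printf '%s\n' "$SAMPLE_DUMP" | stale_peers 1700000400 "$MAX_HANDSHAKE_AGE" ;;
    run)    run_checks ;;
esac
```

A non-zero exit from `run` is what a cron job or a Telegraf exec input can alert on; the handshake age is a better tunnel-health signal than ping alone, because a peer with a stale handshake will silently drop packets even though the interface is up.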

References

  • WireGuard config: /etc/wireguard/wg0.conf
  • Alloy endpoint config: roles/alloy/templates/config.alloy.j2
  • Telegraf output config: roles/telegraf/templates/telegraf.conf.j2
  • CLAUDE.md: Reference Machines section