
Enterprise-Grade VPN for Your Small Business in a Weekend

Alex Ozhima
January 17, 2026

The Goal: Private Access for Remote Teams

You have internal resources — a company website, documentation portal, admin dashboard, database, or API — that your distributed team needs to access. But exposing them to the public internet is unacceptable. One misconfigured auth page and you're in the news.

The solution: serve these resources on private IPs accessible only through the VPN. Your internal wiki gets a real domain (wiki.yourcompany.com) with valid HTTPS, but its IP address (10.8.1.50) isn't routable from the public internet. The same goes for your database admin panel, staging environment, or any other service. No public attack surface, no exposure.

But traditional VPNs have problems:

  • They get blocked. Deep packet inspection (DPI) can identify and block WireGuard, OpenVPN, and IPSec traffic patterns
  • Certificate management is painful. Let's Encrypt's default HTTP-01 validation needs to reach your server on port 80 — impossible if your server isn't publicly accessible
  • Setup is manual and error-prone. Each new team member means SSH access and config file juggling

We recently deployed this for a client who needed their internal documentation site accessible to a distributed team — including members who travel to regions that block standard VPNs. Here's how we built it.

The Architecture: VPN → Private Services

Four components working together:

  1. AmneziaWG — WireGuard with traffic obfuscation that defeats DPI
  2. Kubernetes + HAProxy — Ingress bound to VPN-only IP addresses
  3. cert-manager — Automated Let's Encrypt certificates via DNS validation
  4. Cloudflare DNS — Points to private IPs (not publicly routable)

Why AmneziaWG Instead of Plain WireGuard?

WireGuard is excellent — fast, simple, cryptographically sound. But its packet structure is distinctive. Network operators using DPI can identify and block it.

AmneziaWG adds obfuscation parameters (Jc, Jmin, Jmax, S1, S2, H1-H4) that make traffic look like random noise. The result: your VPN works in places where WireGuard is blocked.

We configure it as a split-tunnel — only traffic to internal resources goes through the VPN. Everything else uses the normal internet connection. This keeps things fast and avoids routing all your Netflix traffic through the company server.

The TLS Certificate Trick

Here's where it gets interesting. You want HTTPS for your internal sites (browsers complain otherwise, and you should encrypt anyway). But Let's Encrypt's standard HTTP-01 validation requires the CA to connect to your server on port 80.

If your server only has a private IP... that's impossible.

DNS-01 validation solves this:

Let's Encrypt never connects to your server. Instead:

  1. cert-manager requests a certificate
  2. Let's Encrypt says "prove you own the domain by adding this TXT record"
  3. cert-manager uses Cloudflare's API to add the record
  4. Let's Encrypt verifies the record exists and issues the cert
  5. cert-manager stores the cert and handles renewal automatically

Your internal site gets a valid HTTPS certificate, even though it's not reachable from the public internet.
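The five steps above, worked through in pure Python as an added example (this is not cert-manager's or Let's Encrypt's code): the TXT value is derived from the challenge token and the ACME account key's JWK thumbprint exactly as RFC 8555 and RFC 7638 specify, and the "CA" side does nothing but resolve one DNS name. The account key, token and DNS zone are constructed placeholders, and `solver_present`, `ca_validates`, `ZONE` and the other names are mine, not cert-manager's.

```python
"""DNS-01 proof of control (RFC 8555 section 8.4) worked in pure Python.

Added example, not cert-manager's or Let's Encrypt's code. The CA never connects
to the host: it resolves one TXT record and compares it with a value derived
from the challenge token and the ACME account key's JWK thumbprint (RFC 7638).
The account key, token and DNS zone below are constructed placeholders.
"""
import base64
import hashlib
import json
from typing import Callable, Dict, List


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 of the canonical JSON of the required public members only,
    keys sorted, no whitespace; extra members such as "kid" are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """token '.' thumbprint binds the challenge to this account key (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: Dict[str, str]) -> str:
    """TXT record value = base64url(SHA-256(key authorization)); always 43 characters."""
    return b64url(hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest())


def challenge_record_name(domain: str) -> str:
    """DNS-01 checks _acme-challenge.<identifier>, never the host's own A record."""
    return f"_acme-challenge.{domain.rstrip('.')}."


# Constructed ACME account key: EC P-256 shape, placeholder coordinates, not a real key.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64))),
    "kid": "https://acme.example/acct/1",  # present in real JWKs, excluded from the thumbprint
}

# Constructed authoritative zone: the thing cert-manager's Cloudflare solver edits via API.
ZONE: Dict[str, List[str]] = {}


def solver_present(domain: str, token: str, account_jwk: Dict[str, str]) -> None:
    """Step 3 above: the solver writes the TXT record; no listener on the host is involved."""
    ZONE.setdefault(challenge_record_name(domain), []).append(dns01_txt_value(token, account_jwk))


def solver_cleanup(domain: str) -> None:
    """After issuance the solver deletes the record so stale values don't accumulate."""
    ZONE.pop(challenge_record_name(domain), None)


def lookup_txt(name: str) -> List[str]:
    """Stand-in for the CA's recursive resolver querying the public zone."""
    return ZONE.get(name, [])


def ca_validates(domain: str, token: str, account_jwk: Dict[str, str],
                 resolve: Callable[[str], List[str]]) -> bool:
    """Step 4 above: the CA recomputes the expected value and looks for it in DNS."""
    return dns01_txt_value(token, account_jwk) in resolve(challenge_record_name(domain))


def run_challenge(domain: str, token: str, account_jwk: Dict[str, str]) -> bool:
    """Present, validate, clean up: the whole exchange, with the host never contacted."""
    solver_present(domain, token, account_jwk)
    try:
        return ca_validates(domain, token, account_jwk, lookup_txt)
    finally:
        solver_cleanup(domain)


if __name__ == "__main__":
    print(challenge_record_name("internal.example.com"), "TXT",
          dns01_txt_value("constructed-token", ACCOUNT_JWK))
    print("validated:", run_challenge("internal.example.com", "constructed-token", ACCOUNT_JWK))
```

When issuance hangs, this is the calculation to check against reality: cert-manager records the token and the computed key in the Challenge resource it creates (`kubectl describe challenge`), and Let's Encrypt resolves `_acme-challenge.internal.example.com` from its own vantage point, so query the record from outside your network rather than through the VPN.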

Implementation

1. Set Up AmneziaWG

Install AmneziaWG on your server and generate configs with obfuscation parameters. The client apps (available for all platforms) import a simple config file.

Split-tunnel configuration routes only your internal subnet through the VPN:

[Interface]
Address = 10.8.1.2/24
PrivateKey = <client-private-key>

# Obfuscation parameters: AmneziaWG reads them from [Interface], and the
# server must use identical values. H1-H4 = 1..4 are plain WireGuard's own
# message types; pick distinct values above 4 on both ends if you want the
# handshake headers obfuscated as well as the junk-packet padding.
Jc = 4
Jmin = 40
Jmax = 70
S1 = 0
S2 = 0
H1 = 1
H2 = 2
H3 = 3
H4 = 4

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 10.8.1.0/24, 10.0.0.0/8  # Only internal traffic, never 0.0.0.0/0
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
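A small linter for the client config, added here as an example rather than anything the AmneziaWG project ships: it parses the INI-style file, confirms that AllowedIPs contains only private prefixes (so the tunnel really is split), and checks that the obfuscation parameters sit under [Interface] and satisfy the constraints the AmneziaWG README documents. The parameter ranges are quoted from memory and should be treated as an assumption to verify against the README for your version; the two sample configs and their key placeholders are constructed.

```python
"""Lint an AmneziaWG split-tunnel client config (added example, not AmneziaWG tooling).
Checks: AllowedIPs holds only private prefixes (split tunnel) and the obfuscation
parameters are present, under [Interface], and within the ranges the AmneziaWG README
documents (assumption: ranges quoted from memory; confirm against your version's README).
"""
import ipaddress
from typing import Dict, List, Tuple

OBFUSCATION_KEYS = ("Jc", "Jmin", "Jmax", "S1", "S2", "H1", "H2", "H3", "H4")

def parse_awg_config(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Ordered (section, {key: value}) pairs; '#' comments stripped as wg(8) does."""
    sections: List[Tuple[str, Dict[str, str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (p.strip() for p in line.split("=", 1))  # split once: keys end in '='
            sections[-1][1][key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections

def lint_split_tunnel(sections) -> List[str]:
    """Every AllowedIPs prefix must be private and none may be a default route."""
    findings = []
    for name, kv in sections:
        if name != "Peer":
            continue
        for cidr in (c.strip() for c in kv.get("AllowedIPs", "").split(",") if c.strip()):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(f"AllowedIPs {cidr}: default route, this is a full tunnel")
            elif not net.is_private:
                findings.append(f"AllowedIPs {cidr}: public prefix would be routed via the VPN")
    return findings

def lint_obfuscation(sections) -> List[str]:
    findings, values, misplaced = [], {}, []
    for name, kv in sections:
        for key in OBFUSCATION_KEYS:
            if key in kv:
                values[key] = int(kv[key])
                if name != "Interface":
                    misplaced.append(key)
    if misplaced:
        findings.append("obfuscation keys outside [Interface], where AmneziaWG reads them: " + ", ".join(misplaced))
    missing = [k for k in OBFUSCATION_KEYS if k not in values]
    if missing:
        return findings + ["missing obfuscation parameters: " + ", ".join(missing)]
    jc, jmin, jmax, s1, s2 = (values[k] for k in ("Jc", "Jmin", "Jmax", "S1", "S2"))
    hs = [values[k] for k in ("H1", "H2", "H3", "H4")]
    if not 1 <= jc <= 128:
        findings.append(f"Jc={jc}: expected 1..128")
    if not jmin < jmax <= 1280:
        findings.append(f"Jmin={jmin}, Jmax={jmax}: need Jmin < Jmax <= 1280")
    if s1 + 56 == s2:
        findings.append(f"S1={s1}, S2={s2}: S1 + 56 must not equal S2")
    if len(set(hs)) != 4:
        findings.append(f"H1-H4={hs}: must be distinct")
    if min(hs) < 5:
        findings.append(f"H1-H4={hs}: 1..4 are stock WireGuard message types, headers stay recognisable")
    return findings

def lint(text: str) -> List[str]:
    sections = parse_awg_config(text)
    return lint_split_tunnel(sections) + lint_obfuscation(sections)

# Constructed sample in the post's layout (placeholder keys, not a real key pair):
# obfuscation parameters under [Interface], header types chosen above 4.
GOOD_CONFIG = """\
[Interface]
Address = 10.8.1.2/24
PrivateKey = <client-private-key>
Jc = 4
Jmin = 40
Jmax = 70
S1 = 15
S2 = 90
H1 = 1234567
H2 = 2345678
H3 = 3456789
H4 = 4567890
[Peer]
PublicKey = <server-public-key>
AllowedIPs = 10.8.1.0/24, 10.0.0.0/8  # only internal traffic
Endpoint = vpn.example.com:51820
"""
# Constructed counter-example: default route, parameters under [Peer], stock header types.
BAD_CONFIG = "[Interface]\nAddress = 10.8.1.2/24\n[Peer]\nPublicKey = <server-public-key>\nAllowedIPs = 0.0.0.0/0\n" + "\n".join(
    f"{k} = {v}" for k, v in zip(OBFUSCATION_KEYS, (4, 40, 70, 0, 0, 1, 2, 3, 4)))

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint(cfg) or ["ok"])
```

Run it against a real file with `lint(open("client.conf").read())` before handing the config to a new team member; an empty list means the file routes only internal prefixes and carries a complete, consistently placed obfuscation block.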

2. Configure HAProxy Ingress

The Ingress resource only names the host and the backend; what keeps it VPN-only is the HAProxy ingress controller's Service, which you expose on the VPN-side address (10.8.1.1 in this walkthrough) rather than on a public load balancer:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: internal-site
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    haproxy.org/ssl-redirect: "true"
spec:
  ingressClassName: haproxy   # whatever class your HAProxy controller registered
  tls:
    - hosts:
        - internal.example.com
      secretName: internal-tls   # cert-manager creates and renews this Secret
  rules:
    - host: internal.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: internal-site
                port:
                  number: 80

3. Set Up cert-manager with DNS-01

Create a Cloudflare API token scoped to just this zone with Zone:DNS:Edit permission (cert-manager's Cloudflare docs also ask for Zone:Zone:Read), then configure cert-manager:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
    - dns01:
        cloudflare:
          apiTokenSecretRef:
            name: cloudflare-api-token
            key: api-token

Store your token (a ClusterIssuer reads solver secrets from the cert-manager namespace, so that is where it has to live):

kubectl create secret generic cloudflare-api-token \
  --from-literal=api-token=<your-token> \
  -n cert-manager

4. Point DNS to Private IP

In Cloudflare, create an A record pointing internal.example.com to your VPN-only IP (e.g., 10.8.1.1). This IP isn't routable from the public internet — only VPN users can reach it. One caveat: some resolvers and home routers drop public DNS answers that contain private addresses as DNS-rebinding protection, so if a user's browser can't resolve the name, check their resolver before suspecting the VPN.

The Results

Before                         After
Partial public exposure        Zero public exposure
VPN blocked in some regions    Works everywhere (obfuscated)
Manual certificate renewal     Fully automated
Hours to onboard new users     Minutes (one config file)

New team member? Send them the AmneziaWG config file. They import it, connect, and immediately have secure access to all internal tools with valid HTTPS certificates.

Cost

  • VPN server: $5-20/month (small VPS)
  • Kubernetes cluster: Your existing infrastructure
  • Cloudflare DNS: Free tier
  • Let's Encrypt: Free
  • AmneziaWG: Open source

Total additional cost: ~$10/month for the VPN endpoint.

Key Takeaways

  1. DNS-01 validation enables automated TLS for private IPs — no public exposure required
  2. AmneziaWG obfuscation defeats DPI where standard WireGuard gets blocked
  3. Split-tunnel routing keeps general traffic off the VPN for better performance
  4. Automated renewal eliminates certificate management overhead

This isn't a toy setup. It's the same architecture pattern used by organizations with serious security requirements. The difference is you can deploy it yourself in a weekend.

Need help securing your internal infrastructure? Contact us — we've deployed this pattern for multiple clients and can have you running in days, not weeks.

Alex Ozhima

Founder & CEO at Katlextech
