Goal: Migrate my single-instance, all-services VPS (running ISPConfig3) from a costly cloud provider to an in-house server with more storage, RAM, and resources. Use a smaller VPS (Server 1) as a public gateway to securely route traffic to my home server (Server 2).

Concerns:
- Ensuring secure and reliable delivery for email (POP3/SMTP/IMAP) and database services.
- Protecting internal resources by isolating the smaller VPS in its own network, preventing any breach from affecting the home LAN. I have this sandboxed on a different VLAN with no internal access.
- Managing dynamic home IP changes; WireGuard won't do it, so DuckDNS or similar.

What's Working:
- Web services are working via Cloudflare's tunnel, but this method is limited to web ports.
- WireGuard is successfully connecting Server 1 and Server 2, allowing secure communication and network segmentation.

Outstanding Points:
- Email: Use the VPS as an email relay. Configure it to handle incoming SMTP (with proper MX records and TLS via Let's Encrypt) and forward traffic to the home server over WireGuard. Outbound emails can follow the same secure relay model. Has this worked for anyone?
- Port Forwarding: Only forward the necessary ISPConfig3 ports (excluding port 22) so that SSH remains accessible directly on the VPS while other services communicate via the secure tunnel.
- Home IP Changes: If a static home IP isn't available, implement Dynamic DNS (using Cloudflare's API, DuckDNS, No-IP, etc.) to ensure consistent connectivity despite any IP changes.

The closest setup I read about was a multi-server setup, whereas this is a single server: Wireguard configuration | Howtoforge - Linux Howtos and Tutorials

Thanks everyone,
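One way to express the "forward only the needed ISPConfig ports, never 22" rule from the post as an nftables DNAT ruleset on the VPS, as an added example that is not from the original post or from ISPConfig/Howtoforge. It assumes a public interface eth0, a WireGuard interface wg0 and a home-server tunnel address of 10.0.0.2 (all placeholders), and keeps database ports off the public side so they stay reachable only inside the tunnel.

```shell
#!/bin/sh
# Added example: generate an nftables NAT ruleset for the public VPS (Server 1)
# that forwards selected ISPConfig service ports to the home server (Server 2)
# across the WireGuard tunnel. Port 22 is refused so SSH stays on the VPS.
# Assumed names (placeholders): eth0 = public NIC, wg0 = WireGuard NIC,
# 10.0.0.2 = Server 2's tunnel address. Needs net.ipv4.ip_forward=1 and a
# forward chain that permits eth0 -> wg0 traffic (not shown here).

PUB_IF="eth0"
WG_IF="wg0"
HOME_WG_IP="10.0.0.2"

# Mail (SMTP, submission, IMAPS, POP3S) and the ISPConfig panel (8080).
# Database ports are intentionally absent: they stay tunnel-only.
FORWARD_PORTS="25 587 993 995 8080"

# Succeeds for any port except 22, which is reserved for SSH on the VPS itself.
port_allowed() {
  [ "$1" != "22" ]
}

# Emit the ruleset on stdout. Usage: gen_dnat_rules <peer_ip> <port>...
# A port 22 entry is skipped with a note on stderr instead of being forwarded.
gen_dnat_rules() {
  peer="$1"; shift
  printf 'table inet vps_relay {\n'
  printf '  chain prerouting {\n'
  printf '    type nat hook prerouting priority dstnat;\n'
  for p in "$@"; do
    if port_allowed "$p"; then
      printf '    iifname "%s" tcp dport %s dnat ip to %s:%s\n' \
        "$PUB_IF" "$p" "$peer" "$p"
    else
      echo "skipping port $p: SSH stays on the VPS" >&2
    fi
  done
  printf '  }\n'
  printf '  chain postrouting {\n'
  printf '    type nat hook postrouting priority srcnat;\n'
  # Source NAT on wg0 so Server 2's replies return through the tunnel.
  printf '    oifname "%s" masquerade\n' "$WG_IF"
  printf '  }\n}\n'
}

# Example run: write the ruleset to a file for `nft -f`.
# gen_dnat_rules "$HOME_WG_IP" $FORWARD_PORTS > /etc/nftables.d/relay.nft
```

Load it with `nft -f` and confirm with `nft list table inet vps_relay` that no rule mentions dport 22.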