Do I have the architecture right?

It has been a year and a half since I last looked at this, so my already-novice knowledge is rusty. Here's what I think I want to do.

I'm moving my radarr, sonarr, and sabnzbd to a Raspberry Pi. My Plex is on a Windows box.

What I think I want to do is install my certificate on my ASUS router, and then forward the now-unencrypted connection through my LAN to the appropriate machine based on the port. Is that how it works? One thing I'm not sure of: Do I need a separate certificate for each port?

If I have this right, does anyone have a pointer to a HOWTO or a good search phrase to set up a ZenWiFi AX to do this with Let's Encrypt? I've been searching around, and I seem to be finding only descriptions of how to install the certificate on the destination machine.

Drake Christensen

While it's certainly possible to do something like that, it's probably not the best approach.

For one, a device like your Asus router isn't going to have a lot of CPU for running what's called a "reverse proxy", which would do what you've described. It may not have support for this, but I don't know about your particular device.

A different approach would be forwarding port :443 on your router to your Raspberry pi and running something like the Caddy or Traefik servers. They can get certificates automatically, and you can configure it to expose your radar, sonarr, sabnzbd locally and even your plex from your other box - but if you're streaming plex across the network, your pi might not have enough CPU either.

Do you want these services totally exposed to the internet? Personally, I wouldn't expose anything on my local network uncontrolled to the internet. You could use a service like to create an overlay network between all your devices that you want to have access to your plex/radarr/etc. Tailscale has built-in support for getting Let's Encrypt certs too. There's other options like ZeroTier too.


I throttle my sabnzbd to 20 Mbps, so that it doesn't affect anything else I'm doing. Would decrypting one stream at that rate still overwhelm the router?

I've managed to find the Status tab on the Network Map page of the router, so I can monitor the CPU usage. I think I'm going to give it a try, and if it's swamped, I'll pass the stream through to another device. Prolly the Pi. Though, while it's unpacking one while downloading the next, it's gonna get fully swamped. I guess I can run nice on sab, since I really don't care how long it takes to unpack.

I'll search around for reverse proxy on this router. Again, if anyone has a good pointer, I'd appreciate it.

I also have some spare routers. What I might do is put these devices behind their own firewall, to separate them from the rest of my network.

I'm not aware routers in their usual configuration are even able to be a TLS endpoint for upstream webservers? Usually, the only "certificate" thing that can be configured is for the routers own web panel.


As @Osiris said, The SSL Certificate configuration on ASUS firmware is for the ASUS control panel itself, it is not a reverse proxy that encrypts all traffic. I've had a few ASUS routers, so I'm just confirming this.

There does exist 3rd party firmware that can do this, but running that feature successfully really depends on your router. IMHO, the ASUS firmware is a lot better than any of the open source projects I've tried (I can't say that about any other router mfg I've tried).

The Certificate is tied to the domain, not port. You can use the certificate on any port.

+1 to everything @mcpherrinm said


Well, that's too bad. Seems like a nice central place to put it.

Okay. I'll start looking for how to get it set up on the Pi.

Thanks for the info

1 Like

The router is a nice central place to put a TLS-terminating reverse proxy--if it has the necessary software support and sufficient resources to handle it. Something like OPNsense or pfSense would handle this easily--but not your average consumer-grade gear.


Apparently, I'm not understanding the architecture correctly.

Again, what I think I want is to bring the encrypted packets into a central device, where it gets decrypted, and then passed on in the clear. Either to an app on the same device, or to another machine.

But, what I'm seeing as I search around, is instructions on pointing the apps directly at the cert files. IOW, the apps have to know about the encryption. What I would like is to hide the encryption from the apps.

Am I completely misunderstanding how the encryption system works? Is this possible with a Pi 3b? Any HOWTOs anyone know of?

Plex runs on it's own port, 32400, by default (that you can port forward on your router or have it use UPnP). Plex also handles its own certificate stuff automatically. You shouldn't need a separate cert specifically for Plex and it is intended to be accessible directly from the Internet so friends/family can stream stuff from wherever.

For the rest of the stuff, I agree with @mcpherrinm about not exposing them directly to the Internet unless you're expecting random strangers to be able to access those interfaces from wherever. But usually, you'd be the only one accessing those things and something like Tailscale is a much better idea if you need access to them from outside your home. It's even free for up to 20 devices which includes things like your phone if you want.


Well, you're talking to a pretty hardcore geek, so I already have more than 30 devices on my network :slight_smile: I found a description of Tailscale's Personal Pro plan, but I have yet to find a price for it. I'm going to write them after I post this.

As I said above, I can split the Pi off behind its own firewall. Fairly regularly, I "get to" clean viruses off of friends' laptops. So, I already have an Inner Router - Outer Router configuration set up, so that those infected systems never have access to anything I care about. I treat them as just as dangerous as the rest of the Internet.

So, sticking the Pi outside the inner firewall is simple. I even have some extra old routers that have plenty of performance to keep the Pi isolated from any infected laptops I work on. The only problem then is figuring out how to let the Pi access the NAS.

I think most VPN settings in consumer routers are for outgoing VPN connections, right? I see Instant Guard on the Asus, and the description makes it sound like I can set up my router as a VPN endpoint that my phone can connect to? So that nobody can talk to the devices behind my router without first signing in?

Except, I don't see anything similar on my outer router, a Netgear.

I appreciate you guys helping me understand this, and giving me advice. Depending on the price, I'll go with Tailscale. Or, if I can't fit it in my budget, I'll continue to try to jerry-rig something that's at least slightly secure.


Seems less secure and possibly might not be required.
To that end...
What services do you want to "proxy"?
And to whom/where?


The current project would be sabnzbd, radarr and sonarr running on a Pi, from my Android phone.

In the future, I could see myself wanting to log into home automation servers, hubs, and possibly devices.

I'm sure other things would come to mind, once I have the capability in place.

Ala WiFI [locally]?
Via the Internet?



I have an app that collects sabnzbd, radarr, and sonarr in one place and looks at the WiFi name. If I'm at home, it'll switch to a local address. That works great, already.

The point of this thread is making it convenient to add stuff when I'm away from home.

Worst case, I can use Anydesk from my phone to log into a browser on a home machine. But, that's really cumbersome on a phone screen. Actually, worst case is I email stuff to myself to grab after I get home.

So, you plan on using a VPN?
OR some web-based authentication?
[to validate which Internet systems can reach your internal systems]

I didn't read about how "tailscale" works.


This is a just-for-fun thing. So, very low budget. Other than that, I'm pretty flexible on the specifics. I do want simple and convenient. I don't mind going to an app and tapping a switch to open up a conduit, or something similar, before firing up radarr. But, hopefully not a half dozen steps, with long pauses waiting for controls to respond.

Basically, I didn't think it through. I had it in my mind, if I have Let's Encrypt set up on the Pi, I'm protected. slaps forehead That still allows anyone sniffing ports to access radarr, etc. I know better.

So, that's where I'm at now. What's the cheapest, most convenient way for me to access this download server while I'm out and about, and yet keep other people off of it.

There are some good free VPNs [software] and web-based authentication can be made "simple".

There might be a tie (with more than one) for cheapest.
I mean zero cost software is about as cheap a price can get.
That said, they may require varying amounts of resources - like CPU/memory and also your time to set them up [properly].

This is not the right forum for me to be making such recommendations.
So, I'll just point to their existence.


That's entirely possible, and fairly straightforward; the tool to do this (as I mentioned in the message you replied to) is a reverse proxy.


The device limit only applies to devices you install the tailscale client on. And the client only needs to be installed on devices you want to reach from outside your network or devices that will be doing the reaching from outside your network. I'd guess most of those devices on your network never leave your network and aren't hosting services you'd need to access from outside your network and thus wouldn't need the client installed.


Ah, I misunderstood.