Many developers want the flexibility of hosting applications in one region while exposing them publicly through a VPS in another region.
This guide shows how to (example):
- Host your applications on the EU VPS using CloudPanel (or any other panel you prefer)
- Use a US VPS as the public-facing entry point
- Connect them securely using WireGuard VPN
- Forward all traffic through Nginx Reverse Proxy
- Add unlimited domains through Cloudflare with proper SSL
This architecture gives you:

✔ A single secure public endpoint
✔ Private, isolated backend server
✔ Faster scaling for multiple domains
✔ Cloudflare DDoS protection
✔ Clean SSL handling on one machine
Let’s begin.
🏗 STEP 1 — Prepare Both VPS Servers
We start with two VPS instances:
EU VPS
- Will host CloudPanel (we will host our main site here)
- Runs all your websites and backend apps
- Accessible privately via WireGuard
US VPS
- Will act as the public proxy
- Exposes your websites to the internet
- Handles SSL and forwards traffic
- Connected privately to the EU VPS
Install basic packages on both VPS:
apt update && apt upgrade -y
apt install curl wget nano htop ufw -y
🔐 STEP 2 — Install WireGuard on Both VPS Servers
WireGuard will securely connect both servers over a private VPN network.
Install WireGuard:
apt install wireguard -y
🧩 STEP 3 — Configure WireGuard on the EU VPS
Generate keys (the umask keeps the key files readable by root only):
(umask 077; wg genkey | tee /etc/wireguard/eu_private.key | wg pubkey > /etc/wireguard/eu_public.key)
Print the keys so you can paste them into the configs:
cat /etc/wireguard/eu_public.key
cat /etc/wireguard/eu_private.key
Create WireGuard config:
nano /etc/wireguard/wg0.conf
Paste:
[Interface]
Address = 10.10.0.1/24
PrivateKey = EU_PRIVATE_KEY
ListenPort = 51820
[Peer]
PublicKey = US_PUBLIC_KEY
AllowedIPs = 10.10.0.2/32
Endpoint = US_VPS_PUBLIC_IP:51820
Save, then enable:
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
🧩 STEP 4 — Configure WireGuard on the US VPS
Generate keys (the umask keeps the key files readable by root only):
(umask 077; wg genkey | tee /etc/wireguard/us_private.key | wg pubkey > /etc/wireguard/us_public.key)
Create the config:
nano /etc/wireguard/wg0.conf
Paste:
[Interface]
Address = 10.10.0.2/24
PrivateKey = US_PRIVATE_KEY
ListenPort = 51820
[Peer]
PublicKey = EU_PUBLIC_KEY
AllowedIPs = 10.10.0.1/32
Endpoint = EU_VPS_PUBLIC_IP:51820
PersistentKeepalive = 25
Enable:
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
🔍 STEP 5 — Test the VPN Connection
From US VPS:
ping 10.10.0.1
From EU VPS:
ping 10.10.0.2
If both respond → WireGuard is working.
⚙️ STEP 6 — Install CloudPanel on the EU VPS
CloudPanel is the backend hosting panel.
Install:
curl -sSL https://installer.cloudpanel.io/ce/v2/install.sh | sudo bash
After installation, CloudPanel becomes available at:
http://EU_VPS_PUBLIC_IP:8443/
But since we will hide the EU VPS behind the tunnel, CloudPanel will eventually be accessed only through the US VPS.
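Step 1 installs ufw, but no step in this guide configures it, so nothing here stops the EU VPS from answering on its public IP. The following added example (not part of the original guide) prints a ufw rule set that admits the backend ports only from the US peer over wg0; SSH on 22/tcp and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: firewall plan for the EU VPS.
# Assumptions: SSH listens on 22/tcp; the function names are illustrative.
WG_IF="wg0"                  # tunnel interface from Step 3
WG_PORT="51820"              # WireGuard ListenPort from Step 3
US_PEER="10.10.0.2"          # tunnel address of the US VPS
BACKEND_PORTS="8080 8443"    # proxied sites and the CloudPanel admin UI

# Print the ufw commands one per line so they can be reviewed first.
eu_firewall_plan() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw allow 22/tcp"
    echo "ufw allow ${WG_PORT}/udp"
    # Backend ports are reachable only from the US peer, only via the tunnel.
    for port in $BACKEND_PORTS; do
        echo "ufw allow in on ${WG_IF} proto tcp from ${US_PEER} to any port ${port}"
    done
    echo "ufw --force enable"
}

# Apply the plan as root; sh -e stops at the first command that fails.
eu_firewall_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    eu_firewall_plan | sh -ex
}

# Default is a dry run; pass --apply to change the firewall.
case "${1:-}" in
    --apply) eu_firewall_apply ;;
    *)       eu_firewall_plan ;;
esac
```

Run it once without arguments to review the rules, and adjust the SSH port before using `--apply` if yours is not 22.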
🌐 STEP 7 — Install and Configure Nginx on the US VPS
This server will be your public gateway.
apt install nginx -y
Verify Nginx works:
systemctl status nginx
🔁 STEP 8 — Create a Universal Reverse Proxy
This proxy forwards all domain traffic to the EU VPS through WireGuard.
Create:
nano /etc/nginx/sites-available/reverseproxy.conf
Paste:
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name _;

    # Default certificates (can be replaced per-domain).
    # Both files must exist, otherwise nginx -t fails.
    ssl_certificate /etc/ssl/default.pem;
    ssl_certificate_key /etc/ssl/default.key;

    location / {
        proxy_pass http://10.10.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
Enable it:
ln -s /etc/nginx/sites-available/reverseproxy.conf /etc/nginx/sites-enabled/
nginx -t
systemctl reload nginx
Your reverse proxy is now ready.
☁️ STEP 9 — Configure Cloudflare DNS
For each domain:
- Add an A-record pointing to US VPS IP
- Enable orange cloud (proxied)
Cloudflare will now forward traffic to your US VPS → Nginx → WireGuard → CloudPanel.
🔐 STEP 10 — Create Cloudflare Origin SSL Certificate (Per Domain)
Go to:
Cloudflare → SSL/TLS → Origin Server → Create Certificate
Add:
example.com
*.example.com
This cert is only installed on the US VPS.
🗂 STEP 11 — Install the Certificate on US VPS
Create directory:
mkdir -p /etc/ssl/cloudflare/
Add cert:
nano /etc/ssl/cloudflare/example.com.pem
Add key:
nano /etc/ssl/cloudflare/example.com.key
Set permissions:
chmod 600 /etc/ssl/cloudflare/example.com.key
chmod 644 /etc/ssl/cloudflare/example.com.pem
🌍 STEP 12 — Create Nginx Reverse Proxy File per Domain
nano /etc/nginx/sites-available/example.com.conf
Paste:
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate /etc/ssl/cloudflare/example.com.pem;
    ssl_certificate_key /etc/ssl/cloudflare/example.com.key;

    location / {
        proxy_pass http://10.10.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
Enable it:
ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/
nginx -t
systemctl reload nginx
🎉 Your Website Is Now Live
The data flow is:
Visitor → Cloudflare → US VPS (SSL + Reverse Proxy) → WireGuard → EU VPS (CloudPanel) → Application
Clean. Secure. Scalable.
📌 STEP 13 — Adding New Sites (Quick Summary)
After setting up a WireGuard VPN tunnel between two VPS servers—one hosting CloudPanel (EU VPS) and the other acting as the public-facing reverse proxy (US VPS)—adding new sites becomes extremely simple.
This article explains how the system works, and the exact steps required to add any new domain to your CloudPanel environment without exposing internal IPs or sensitive details.
🧩 How the Architecture Works
Your setup uses:
- EU VPS → runs CloudPanel and the actual websites
- US VPS → acts as the public entry point
- WireGuard → connects the two servers privately
- Nginx Reverse Proxy (US VPS) → forwards all traffic through the VPN to CloudPanel
- Cloudflare → handles DNS + SSL Origin Certificates
On the US VPS, you have a simple reverse-proxy configuration that forwards all traffic to CloudPanel over WireGuard:
server_name _;
proxy_pass http://10.10.0.1:8080;
Because of this…
⭐ Every New Site Added in CloudPanel Works Automatically
As long as these conditions are met:
- The domain’s DNS (Cloudflare) points to the US VPS public IP
- Cloudflare proxy (orange cloud) is ON
- A Cloudflare Origin Certificate is installed on US VPS
- The site is created normally inside CloudPanel on the EU VPS
The US VPS handles SSL termination and request routing, and the EU VPS handles the app itself.
This lets you host unlimited domains through one clean and secure reverse-proxy.
🔧 Step-by-Step: Adding a New Domain
Below is the general procedure for adding any new site to CloudPanel using this architecture.
✅ Step 1 — Create a Cloudflare Origin Certificate
In Cloudflare:
Domain → SSL/TLS → Origin Server → Create Certificate
Add:
example.com
*.example.com
This certificate will be installed on the US VPS, not the EU VPS.
✅ Step 2 — Install the Certificate on the US VPS
SSH into the US VPS:
mkdir -p /etc/ssl/cloudflare/
nano /etc/ssl/cloudflare/example.com.pem
Paste the Origin Certificate, save.
nano /etc/ssl/cloudflare/example.com.key
Paste the Origin Private Key, save.
Set permissions:
chmod 600 /etc/ssl/cloudflare/example.com.key
chmod 644 /etc/ssl/cloudflare/example.com.pem
✅ Step 3 — Create an Nginx Reverse Proxy File (US VPS)
Create an Nginx config:
nano /etc/nginx/sites-available/example.com.conf
Paste:
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    # Cloudflare Origin SSL
    ssl_certificate /etc/ssl/cloudflare/example.com.pem;
    ssl_certificate_key /etc/ssl/cloudflare/example.com.key;

    # Forward traffic to CloudPanel (EU VPS) via WireGuard
    location / {
        proxy_pass http://10.10.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
Enable it:
ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/
nginx -t
systemctl reload nginx
🎉 Done! The New Domain Goes Live Instantly
Thanks to WireGuard + Cloudflare + Nginx + CloudPanel, the entire pipeline works seamlessly.
📌 Quick Summary (Copy/Paste Checklist)
When adding a new site:
- Add site in CloudPanel (EU VPS)
- Cloudflare DNS A record → US VPS IP
- Create Cloudflare Origin Certificate for the domain
- Install certificate on US VPS
- Create Nginx reverse-proxy config pointing to:
proxy_pass http://10.10.0.1:8080;
- Reload Nginx
Your new website is online!
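Since every new domain repeats the same Nginx file with only the name changed, the file can be rendered from one template. This is an added example, not part of the original guide; the function names are hypothetical, and the upstream address and certificate directory are the ones used above. The domain is validated first, so nothing but a hostname reaches the generated config.

```shell
#!/bin/sh
# Added example, not from the original guide: render a per-domain proxy file.
# Function names are hypothetical; paths and upstream come from this guide.
LC_ALL=C; export LC_ALL
UPSTREAM="http://10.10.0.1:8080"     # EU VPS over WireGuard
CERT_DIR="/etc/ssl/cloudflare"       # Origin Certificate directory

# Accept only plain lower-case hostnames. The case test rejects every other
# character, including newlines, which grep alone would check line by line.
valid_domain() {
    case "$1" in
        ''|*[!a-z0-9.-]*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

render_site_conf() {
    domain="$1"
    valid_domain "$domain" || { echo "invalid domain: $domain" >&2; return 1; }
    cat <<EOF
server {
    listen 80;
    server_name $domain www.$domain;
    return 301 https://$domain\$request_uri;
}
server {
    listen 443 ssl http2;
    server_name $domain www.$domain;
    ssl_certificate $CERT_DIR/$domain.pem;
    ssl_certificate_key $CERT_DIR/$domain.key;
    location / {
        proxy_pass $UPSTREAM;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Usage: sh render-site.sh example.com > /etc/nginx/sites-available/example.com.conf
if [ -n "${1:-}" ]; then render_site_conf "$1"; fi
```

After writing the file, enable it and run `nginx -t` before reloading, as in Step 3.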
🏁 Conclusion
With this setup, you get:
✔ A secure private backend (EU VPS)
✔ A single public entry point (US VPS)
✔ Automatic scalability for unlimited websites
✔ Easy SSL via Cloudflare Origin Certificates
✔ Faster site deployment
✔ Strong separation of concerns
This architecture is ideal for:
- Hosting many domains
- SEO-friendly multi-region setups
- Keeping backend infrastructure hidden
- Scaling web applications with minimal cost










