diff --git a/docs/plans/remote-access.md b/docs/plans/remote-access.md index 29cabf1..e69d6e8 100644 --- a/docs/plans/remote-access.md +++ b/docs/plans/remote-access.md @@ -24,29 +24,25 @@ After evaluating WireGuard gateway vs Headscale (self-hosted Tailscale), the **W ## Architecture -``` - ┌─────────────────────────────────┐ - │ VPS (OpenStack) │ - Laptop/Phone ──→ │ WireGuard endpoint │ - (WireGuard) │ Client peers: laptop, phone │ - │ Routes 10.69.13.0/24 via tunnel│ - └──────────┬──────────────────────┘ - │ WireGuard tunnel - ▼ - ┌─────────────────────────────────┐ - │ extgw01 (gateway + bastion) │ - │ - WireGuard tunnel to VPS │ - │ - Firewall (allowlist only) │ - │ - SSH + 2FA (full access) │ - └──────────┬──────────────────────┘ - │ allowed traffic only - ▼ - ┌─────────────────────────────────┐ - │ Internal network 10.69.13.0/24 │ - │ - monitoring01:3000 (Grafana) │ - │ - jelly01:8096 (Jellyfin) │ - │ - *-jail hosts (arr stack) │ - └─────────────────────────────────┘ +```mermaid +graph TD + clients["Laptop / Phone\n(WireGuard clients)"] + + vps["VPS (OpenStack)\nWireGuard endpoint\nClient peers: laptop, phone\nRoutes 10.69.13.0/24 via tunnel"] + + extgw["extgw01 (gateway + bastion)\nWireGuard tunnel to VPS\nFirewall (allowlist only)\nSSH + 2FA (full access)"] + + internal["Internal network 10.69.13.0/24"] + grafana["monitoring01:3000\nGrafana"] + jellyfin["jelly01:8096\nJellyfin"] + arr["*-jail hosts\narr stack"] + + clients -->|"WireGuard"| vps + vps -->|"WireGuard tunnel"| extgw + extgw -->|"allowed traffic only"| internal + internal --- grafana + internal --- jellyfin + internal --- arr ``` ### Existing path (unchanged)
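Review bot: In the new mermaid block, the three services are attached with undirected links (`internal --- grafana`, `internal --- jellyfin`, `internal --- arr`), so they no longer read as hosts inside 10.69.13.0/24 the way the boxed list in the removed ASCII diagram did. Consider wrapping them in a `subgraph` labelled with the internal network and pointing the `extgw -->|"allowed traffic only"|` edge at it, so the firewall boundary on extgw01 stays visually distinct from the hosts behind it. The "SSH + 2FA (full access)" path is still only a label line inside the `extgw` node; since it bypasses the allowlist, it would be worth its own labelled edge. Separately, every node label depends on `\n` for line breaks: please confirm that renders as intended in the viewer used for docs/plans, or switch to `<br/>`.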