So I have some services and wireguard running locally on a “home” network. I also have wireguard, a DNS resolver, and a reverse proxy set up on a remote server. Since I don’t want to expose the home IP to the public, to access my services I connect to the VPN on the remote, which then forwards my request home. But this means that when I’m at home, connecting to my local services requires going out to the remote. Is there some way to have the traffic go over the switch when at home, but go over wireguard when away, without having to manually switch the VPN on/off?
I could move the DNS resolver (which handles the internal names for the services) from the remote to the home server. But then similarly every DNS request will need to go through both the remote and home servers, doubling the hops. I’d like to use my own DNS server at all times though, both at and away from home. Which tradeoff seems better?
edit: thanks for all the suggestions, I’ll look into some of these solutions and see what works best
So you have a public DNS record pointing to your home IP?
DNS server you use from your home network retuns 192.168.1.20 for your service hosted at jellyfin.Bob.org
The DNS server you hit when publically looks up jellyfin.Bob.org and gets the IP from the nameserver you have set with your domain registrar often just theirs and you set this to your home WAN ip.
You have to configure both. I use opentofu / terraform to configure both all from the CLI. Any software like DNS that has a bunch of implementations that doesn’t have Open-Tofu support gets skipped and an alternative is found at this stage. You just can’t beat config as code for this type of set up.
You can also use NAT reflection which will effectively reroute the connection from within your network to your external IP to work on your local network.
I started with reflection and ended up going to the multiple DNS servers as it felt cleaner and I already was running Adguard so why not.
Both adguard and pihlle have opentofu modules.
Rereading your post (heh): In your case I’d just always serve over the wireguard ip local or not. Why do you want to use the local IP vs wireguard? The overhead of wireguard is pretty low
Oh hm I didn’t think about your last point, maybe it’s not really an issue at all. I think I’m not 100% on how the wireguard networking works.
Suppose I tunnel all of my traffic through wireguard on the remote server. Say that while I am home, I request
foo.local, which on the remote server DNS maps to a wireguard address corresponding to my home machine. The remote will return to me the wireguard address corresponding to the home machine, and then I will try and go to that wireguard address. Will the home router recognize that that wireguard address is local and not send it out to the remote server?Your home router knows nothing about your wireguard VPN unless it is also configured to be a peer in it. So in short no it will not recognize and route your connection locally unfortunately.
Are you using TLS here at all? Can you give me an example of how you access this on your phone when remote vs when local.
e. g. From my phone on cellular I go to Firefox and type in jelly.bob.com which resolves to my wireguard ip hitting the VM in the cloud that then using nginx as a reverse proxy to reach jellyfin over my network.
Remote network: jellyfin.bob.com Phone - > VM - > Home Server where Jellyfin is running
Is each hop is over wireguard i.e from phone to VM from VM to Home Server?
On the local network: jellyfin.bob.com Currently looks the same as the above and what youx like it to do with the same name is go: Phone->Home server
Even when wireguard is on, correct?
Yes your description is just right and is the heart of my question. To use your terminology:
Currently:
Ideally:
In the ideal case, I would never have to change anything about the wireguard config/status on the Phone, nor would I have to change the domain name used to reach the resource on the Home Server.