So I have some services and wireguard running locally on a “home” network. I also have wireguard, a DNS resolver, and a reverse proxy set up on a remote server. Since I don’t want to expose the home IP to the public, to access my services I connect to the VPN on the remote, which then forwards my request home. But this means that when I’m at home, connecting to my local services requires going out to the remote. Is there some way to have the traffic go over the switch when at home, but go over wireguard when away, without having to manually switch the VPN on/off?
I could move the DNS resolver (which handles the internal names for the services) from the remote to the home server. But then similarly every DNS request will need to go through both the remote and home servers, doubling the hops. I’d like to use my own DNS server at all times though, both at and away from home. Which tradeoff seems better?
edit: thanks for all the suggestions, I’ll look into some of these solutions and see what works best
If you use IPv6 globally routable addresses for your services you can avoid all split horizon DNS, NAT, hairpin, etc. With the magic of IP routing and maybe some custom wireguard route advertisements your packets will go through the shortest path wherever your client hosts are.
This is how I do it. No VPN. No NAT nonsense. You can open an IPv6 address to the public internet and nobody is going to stumble across it. You don’t even disclose your address to servers you connect to.
100% of shady connections come from bots scanning address space on IPv4.