So I have some services and wireguard running locally on a “home” network. I also have wireguard, a DNS resolver, and a reverse proxy set up on a remote server. Since I don’t want to expose the home IP to the public, to access my services I connect to the VPN on the remote, which then forwards my request home. But this means that when I’m at home, connecting to my local services requires going out to the remote. Is there some way to have the traffic go over the switch when at home, but go over wireguard when away, without having to manually switch the VPN on/off?
I could move the DNS resolver (which handles the internal names for the services) from the remote to the home server. But then similarly every DNS request will need to go through both the remote and home servers, doubling the hops. I’d like to use my own DNS server at all times though, both at and away from home. Which tradeoff seems better?
edit: thanks for all the suggestions, I’ll look into some of these solutions and see what works best
You must log in or register to comment.
If you use IPv6 globally routable addresses for your services you can avoid all split horizon DNS, NAT, hairpin, etc. With the magic of IP routing and maybe some custom wireguard route advertisements your packets will go through the shortest path wherever your client hosts are.
Okay lots of good info here but just to make sure it was clear that you are kinda solving two different but related problems. Connectivity with WireGuard or other VPN and split-horizon or multi-horizon DNS (Wikipedia) which also called a view sometimes (like BIND) and can also be done with two different DNS servers. You can sorta do it with AdGuard but it is tedious to maintain. If you are using a wildcard rewrite it works alright but that isn’t necessarily the same as a CNAME or subzone delegation.
The next pice I’m not sure I saw mentioned is that WireGuard is not like other VPNs in that if two nodes are on the same network they will generally communicate directly peer to peer even over WireGuard addresses so you don’t really need to worry about traffic hairpin like you described unless you configure it to do so (which is more like traditional VPN would act). Tailscale is similar in concept but it uses different terms and technologies.
Anyway not sure if that helped or made it more confusing but there are may ways to solve it so good luck! FWIW, my home network is currently set up with a public zone on a commercial provider. It has a wildcard CNAME to something like proxy.domain and that is an A record containing the WireGuard addresses. Then my local DNS overrides the one A record for the proxy internally which I only get when WG is off. I would rate this solution adequately functional but medium level of janky, 8/10 would use again :D
You might find the techniques used in Network-Aware Firewall useful. You can use firewall configuration to handle connections differently depending on whether you are connected to your home network or not. Or you can use the same techniquest to do other things, depending on network connection, like bringing up your VPN or not; modifying DNS or hosts file or not; etc.
Going the split DNS way is doable but had other issues (android devices bypassing local DNS for example or DNS over HTTPS issues)
I set up my opnSense to redorect all internal traffic to the external IP on port 443 to my internal server ip.
Works fine, it’s transparent, and doesn’t mess with DNS.
android devices bypassing local DNS
Can this be fixed/avoided?
For now yes but the very specifics of DNS over https make that impossible if enforced one day.
And so when away do you just directly connect to the external IP and do port forwarding?
Actually I am behind CGNAT so when away I connect to my VPS that has a nginx pointing to a wireguard endpoint to the internal server. Wireguard is also managed by opnSense but that’s a choice, not mandatory.
When home, my VPS ip gets rerouted on port 443 (and 80, mandatory for let’s encrypt) to the internal ip of my server.
My Setup:
OpenWRT Router: wireguard server, backup DNS
NAS: Main DNS Server - pihole, no wireguard
VPS: Client - Endpoint 10.1.99.0/24, 192.168.2.0/24
Phone: Client - Endpoint 0.0.0.0/0, ::/0
10.1.99.0 clients can talk to 192.168.2.0 clients and back and forth. The NAS can talk to anyone, anyone can talk to the NAS. Any new client can talk to anything.
They all use the NAS for DNS, so they all resolve hostnames and domain names.
why not dns on the router?
I didn’t like the unbound/adblock gui on Openwrt. I like pihole more. Personal pref.
I too run a PiHole in an RPi, physically plugged in to my OpenWRT router
I have opnsense, and it was pretty easy. I use DNS overrides and a local reverse proxy. When I’m on the home network, the local dns overrides point to the local reverse proxy. When I’m outside the home, public DNS records point to my VPS, which reverse proxies the traffic to my home machine. This way I’m only hitting the VPS when I’m outside the home. Much more efficient.
I think Side of Burritos’ youtube channel has a guide on how to set this up, but it’s fairly straightforward.
Could you do a subdomain for internal? Using Nginx host base routing to get to the same port would let you have a valid cert for both
service.lan.your.fqdnandservice.your.fqdn.Let’s Encrypt wildcard certs for the
*.lan.your.fqdnwould simplify things.Your DNA server could then resolve the lan fqdns to your internal network and the non-lan to your Internet exposed?
Yes that would work, but it feels a bit cumbersome to have 2 fqdns per service, which I would have to switch between using depending on on whether I’m local or not.
Yeah, in that case, I’d probably split my DNS duties. I started with internal resolution by having Pihole do hard coded DNS entries for internal systems, but my current setup seems to be much more resilient.
I have two PowerDNS servers (main and replica) with recursors to Open DNS internet servers and resolvers for my lab network. It plays very nicely with Terraform or (crucially lately) Kubernetes.
Adguard home has a DNS rewrite function that you can use to rewrite local DNS queries.
I use it to rewrite my queries at home to point to the LAN IP. When I am out I get my public IP from normal resolvers.
So you have a public DNS record pointing to your home IP?
DNS server you use from your home network retuns 192.168.1.20 for your service hosted at jellyfin.Bob.org
The DNS server you hit when publically looks up jellyfin.Bob.org and gets the IP from the nameserver you have set with your domain registrar often just theirs and you set this to your home WAN ip.
You have to configure both. I use opentofu / terraform to configure both all from the CLI. Any software like DNS that has a bunch of implementations that doesn’t have Open-Tofu support gets skipped and an alternative is found at this stage. You just can’t beat config as code for this type of set up.
You can also use NAT reflection which will effectively reroute the connection from within your network to your external IP to work on your local network.
I started with reflection and ended up going to the multiple DNS servers as it felt cleaner and I already was running Adguard so why not.
Both adguard and pihlle have opentofu modules.
Rereading your post (heh): In your case I’d just always serve over the wireguard ip local or not. Why do you want to use the local IP vs wireguard? The overhead of wireguard is pretty low
Oh hm I didn’t think about your last point, maybe it’s not really an issue at all. I think I’m not 100% on how the wireguard networking works.
Suppose I tunnel all of my traffic through wireguard on the remote server. Say that while I am home, I request
foo.local, which on the remote server DNS maps to a wireguard address corresponding to my home machine. The remote will return to me the wireguard address corresponding to the home machine, and then I will try and go to that wireguard address. Will the home router recognize that that wireguard address is local and not send it out to the remote server?Your home router knows nothing about your wireguard VPN unless it is also configured to be a peer in it. So in short no it will not recognize and route your connection locally unfortunately.
Are you using TLS here at all? Can you give me an example of how you access this on your phone when remote vs when local.
e. g. From my phone on cellular I go to Firefox and type in jelly.bob.com which resolves to my wireguard ip hitting the VM in the cloud that then using nginx as a reverse proxy to reach jellyfin over my network.
Remote network: jellyfin.bob.com Phone - > VM - > Home Server where Jellyfin is running
Is each hop is over wireguard i.e from phone to VM from VM to Home Server?
On the local network: jellyfin.bob.com Currently looks the same as the above and what youx like it to do with the same name is go: Phone->Home server
Even when wireguard is on, correct?
Yes your description is just right and is the heart of my question. To use your terminology:
Currently:
- Away from home: Phone -> VM -> Home Server
- At home: Phone -> VM -> Home Server (inefficient!)
Ideally:
- Away from home: Phone -> VM -> Home Server
- At home: Phone -> Home Server
In the ideal case, I would never have to change anything about the wireguard config/status on the Phone, nor would I have to change the domain name used to reach the resource on the Home Server.
Are you routing DNS over wireguard the whole time or do the DNS servers change when you go from public internet to your home network?
If you are using the same DNS servers i.e. always using DNS over wireguard then there isn’t really a lot you can do.
The way I do this is when I am on my home network I use the DNS on that network, i.e. the adguard instance I set up and also override DNS names with, when I am on some public internet i.e. via cellular, I use whatever DNS server they have. So on home network jellyfin.bob.com returns 192.168.8.3 (for example) and on the public internet jellyfin.bob.com will return 68.32.23.11 (i.e. my public IP address).
However that requires multiple DNS servers.
What is an example server where you’d like to do this (it may give us more options) and how is your DNS set up?
There are Wireguard clients that connect based on wifi / mobile status. On f-droid WG Tunnel, WG Auto Connect, or Rethink should do.
deleted by creator
Right but I want to be connected to wireguard always, I just want the DNS/routing to be different based on home vs foreign network.
WG Tunnel. It does exactly this.
When I leave my WiFi, tunnel turns on. When I rejoin my WiFi, tunnel turns off.
I just use Avahi to use a .local domain when at home. That way felt easier. Also, I have separate bookmarks for “heimdall” and “heimdall-away” on my phone.
I ran into a similar issue when visiting some family. Even though I was connected to home via VPN, my devices wouldn’t pull servers by their IPs. Our networks were setup too similarly. I was able to fix it by editing my conf for the WG connection and added my static servers as allowed IPs. While still having to self host a server for accounting at work, we did a similar split setup so they would be able to use RDP to their desktops but all other traffic was ignored and handled locally. This forum post has pretty good, short explanation with some example config scenarios https://forum.mikrotik.com/t/wireguard-allowed-ips-unofficial-wireguard-documentation/156426
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CGNAT Carrier-Grade NAT DNS Domain Name Service/System HTTP Hypertext Transfer Protocol, the Web HTTPS HTTP over SSL IP Internet Protocol NAS Network-Attached Storage NAT Network Address Translation PiHole Network-wide ad-blocker (DNS sinkhole) RPi Raspberry Pi brand of SBC SBC Single-Board Computer SSD Solid State Drive mass storage SSL Secure Sockets Layer, for transparent encryption TLS Transport Layer Security, supersedes SSL VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting) nginx Popular HTTP server
[Thread #78 for this comm, first seen 9th Feb 2026, 22:20] [FAQ] [Full list] [Contact] [Source code]
@mrh
I did similar thing for my selfhosted vaulwarden with tailscale and their funnel. give the client apps my tailscale address and i can hit on lan or off as long as the device is in the tailnet…and well the server is up 😎I think tailscale would work, though I’d ideally want to use something like headscale instead, but that’s a bit of a logistical hastle for my setup. Do you know if pangolin can handle this as well?
Tailscale.
