Hey fellow selfhosters! Hope you’re doing well. Today I would like some help to figure out how I could make this project a reality. I would like to give friends and family VPN access to my homelab (probably with WireGuard).
I also have a VPS in the cloud and I can VPN to it to anonymize outgoing connections.
So basically, in the case that a friend asks for a local service, I want the request to come to my home over his VPN connection and then come back directly from my home.
In the case that a friend requests google[dot]com, I want the request to come to my house and then go through the VPS, so that the request is made from it and not from my home. Then it comes back from Google to the VPS, to my home, to the client.
The principal issue I have is how I can route my services directly through my home without going onto the regular WWW, but make all other requests go through the VPS and out to the WWW.
If you need some more explanations or infos, feel free to ask.
PS: I also self-host Pi-hole, so all the DNS requests should go through it (and maybe I could use it to route requests where I want by tweaking my domain requests to resolve to local IPs?)
I don’t have time now, so I will sketch the solution.
You need a proxy server in your VPS that will redirect the traffic to your home. Caddy is usually recommended here and I am planning to migrate to it (current is nginx).
For your DNS you need something called zone name resolution; it will resolve a different IP depending on where the request came from.
Good luck
Didn’t know if I explained it badly, but it’s not exactly what I want to do. All the requests go through my home (since people are VPNed to it); if they are requesting outside stuff, it goes through the VPS using a VPN connection. But if they request inside services, it should go directly to them.
Basically I want to know a way of routing everything through the VPS (basically a WireGuard connection) except home services, to avoid doing a useless journey to the internet.
If all traffic is going through your homelab, you can make the VPN clients use a VPN-specific DNS server, or the one suggested above that resolves per origin; you then make the external names of your services resolve to the servers’ internal IP addresses, avoiding going out. Another way is to add rules to your gateway to redirect internal traffic going to your external IP addresses (DNAT it to the internal addresses), but in order for that to work you need to masquerade it, which means server logs will show the gateway’s IP.
Yeah, that’s what I was thinking, thank you. But how can I restrict access to my local network for my friends and family connecting to the VPN I provide? (Is Tailscale something to consider?)
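The split routing the thread is after (LAN destinations answered from home, everything else sent out through the VPS tunnel) together with the LAN restriction asked about in the last post, as an added example that is not from any poster in this thread. The interface names, subnets and host addresses (friends on wg-friends 10.66.0.0/24, the VPS tunnel wg-vps with home as 10.99.0.2, LAN 192.168.1.0/24, Pi-hole at 192.168.1.2, service hosts .10 and .11) are assumptions, and the friends' clients are assumed to use AllowedIPs = 0.0.0.0/0 with DNS = 192.168.1.2.

```conf
# /etc/wireguard/wg-friends.conf on the home gateway (all names/addresses assumed).
# The VPS tunnel wg-vps is a separate config with a 0.0.0.0/0 peer and "Table = off",
# so it installs no default route of its own; table 100 below is used instead.
[Interface]
Address = 10.66.0.1/24
ListenPort = 51820
PrivateKey = <home-friends-private-key-placeholder>
PostUp   = sysctl -w net.ipv4.ip_forward=1
# Rule 100: friends -> LAN uses the main table, so it never leaves the house.
PostUp   = ip rule add from 10.66.0.0/24 to 192.168.1.0/24 lookup main priority 100
# Rule 200: anything else from friends uses table 100, whose only route is the VPS tunnel.
PostUp   = ip rule add from 10.66.0.0/24 lookup 100 priority 200
PostUp   = ip route add default dev wg-vps table 100
PostUp   = nft -f /etc/nftables.d/wg-friends.nft
PostDown = ip rule del from 10.66.0.0/24 to 192.168.1.0/24 lookup main priority 100
PostDown = ip rule del from 10.66.0.0/24 lookup 100 priority 200
PostDown = ip route del default dev wg-vps table 100
PostDown = nft delete table inet wgfriends

[Peer]
# One friend; add one [Peer] block per person, each with its own /32.
PublicKey = <friend-public-key-placeholder>
AllowedIPs = 10.66.0.2/32

# /etc/nftables.d/wg-friends.nft (loaded by the PostUp line above)
table inet wgfriends {
  chain forward {
    type filter hook forward priority 0; policy accept;
    ct state established,related accept
    # Friends may only reach Pi-hole DNS and the two service hosts on the LAN.
    iifname "wg-friends" ip daddr 192.168.1.2 udp dport 53 accept
    iifname "wg-friends" ip daddr 192.168.1.2 tcp dport 53 accept
    iifname "wg-friends" ip daddr { 192.168.1.10, 192.168.1.11 } accept
    iifname "wg-friends" ip daddr 192.168.1.0/24 drop
    # Everything else from friends is only allowed out through the VPS tunnel.
    iifname "wg-friends" oifname "wg-vps" accept
    iifname "wg-friends" drop
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    # Source-NAT to 10.99.0.2 towards the VPS so the VPS only needs to know the
    # tunnel address and replies come back through the same tunnel.
    oifname "wg-vps" masquerade
  }
}
```

With Pi-hole returning LAN addresses for the service names, friends' requests match rule 100 and stay local; the VPS side still needs to masquerade 10.99.0.0/24 out to the internet.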