There’s something called NAT reflection that does a local lookup if the request originated in the internal network and avoids going via the external route. Some software for routers like OPNsense and/or pfSense supports it (but I wouldn’t be surprised if DD-WRT, Tomato, etc. supported it as well; it’s been a while since I used them).
It might work better if your DNS provider supports API-based challenges vs. traditional ACME challenges that might require you to still expose your IP/port on public DNS to get your certificates.
All my internal DNS has the option of SSL certs while my IP is not on any public DNS and it routes to the internal IPs with the above. Not sure how that would work with WireGuard or Tailscale/Headscale, but I’m assuming they probably could complement nicely.
e8d79@discuss.tchncs.de 1 week ago
No, I use a second reverse proxy for my local network. For example, I can resolve navidrome either via my VPS using
navidrome.mydomain.net or directly in my local network with the address navidrome.local.mydomain.net. I also configured the local caddy reverse proxy with a DNS provider module to get LetsEncrypt certificates for my local addresses.
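The setup described in the two comments above (a local-only reverse proxy that obtains Let's Encrypt certificates through a DNS provider module, so nothing has to be published in public DNS or exposed on a port) looks roughly like the following Caddyfile. This is an added illustration, not the commenter's own configuration: it assumes a Caddy build that includes the caddy-dns/cloudflare module (any supported DNS provider module works the same way), a Cloudflare API token in the `CLOUDFLARE_API_TOKEN` environment variable scoped to editing DNS for `mydomain.net`, a Navidrome instance at the constructed LAN address `192.168.1.20:4533`, and a `mydomain.net` zone that `local.mydomain.net` names resolve under.

```caddyfile
# Added example, not from the original thread. Assumptions:
#  - Caddy built with github.com/caddy-dns/cloudflare (or another DNS provider module)
#  - CLOUDFLARE_API_TOKEN: token limited to DNS edit on the mydomain.net zone
#  - 192.168.1.20:4533 is a constructed LAN address for navidrome
#  - an internal resolver (split DNS) answers *.local.mydomain.net with LAN IPs;
#    nothing under local.mydomain.net needs a public A record or an open port

# One wildcard certificate for the whole local subdomain. With the DNS-01
# challenge the ACME server only checks a TXT record (_acme-challenge.local.mydomain.net),
# so the HTTP-01/TLS-ALPN-01 requirement of reaching the host from the internet disappears.
# A wildcard also keeps individual service names out of Certificate Transparency logs.
*.local.mydomain.net {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }

    # Route each local hostname to its LAN backend.
    @navidrome host navidrome.local.mydomain.net
    handle @navidrome {
        reverse_proxy 192.168.1.20:4533
    }

    # Anything else under the wildcard gets a plain 404 rather than a default backend.
    handle {
        respond 404
    }
}
```

Two points worth checking when reproducing this: the DNS API token should be limited to the one zone (and ideally to TXT record edits) because it lives on the LAN proxy, and the internal resolver must be the one LAN clients actually use, otherwise `navidrome.local.mydomain.net` resolves nowhere and the proxy never sees the request. The public VPS entry in the comment (`navidrome.mydomain.net`) stays a separate, ordinary site block on that VPS.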