How to Use Local IP for Services when at Home?

Submitted ⁨⁨14⁩ ⁨hours⁩ ago⁩ by ⁨mrh@mander.xyz⁩ to ⁨selfhosted@lemmy.world⁩

So I have some services and wireguard running locally on a “home” network. I also have wireguard, a DNS resolver, and a reverse proxy set up on a remote server. Since I don’t want to expose the home IP to the public, to access my services I connect to the VPN on the remote, which then forwards my request home. But this means that when I’m at home, connecting to my local services requires going out to the VPS. Is there some way to have the traffic go over the switch when at home, but go over wireguard when away, without having to manually switch the VPN on/off?

I could move the DNS resolver (which handles the internal names for the services) from the remote to the home server. But then if I want to use that DNS resolver when away from home, every DNS request will need to go through both the remote and home servers, doubling the hops. I’d like to use my own DNS server at all times though, both at and away from home. Which tradeoff seems better?

source

Comments

Sort:hotnew top

7toed@midwest.social ⁨1⁩ ⁨hour⁩ ago
Although I do have mine exposed to the internet, I do think this is the simpliest way:

Have an additional DNS resolver capable of overriding your outbound request to your server to loop back instead. I’m not sure what you’ll need to do different if you’re using a domain for your certificate, you could likely add your local IPs to your DNS return. But using domains allows you to wildcard your DNS override to catch all connections you may have using subdomains

source
Wolfizen@pawb.social ⁨5⁩ ⁨hours⁩ ago
If you use IPv6 globally routable addresses for your services you can avoid all split horizon DNS, NAT, hairpin, etc. With the magic of IP routing and maybe some custom wireguard route advertisements your packets will go through the shortest path wherever your client hosts are.

source
- pHr34kY@lemmy.world ⁨4⁩ ⁨hours⁩ ago
  This is how I do it. No VPN. No NAT nonsense. You can open an IPv6 address to the public internet and nobody is going to stumble across it. You don’t even disclose your address to servers you connect to.
  
  100% of shady connections come from bots scanning address space on IPv4.
  
  source
Shimitar@downonthestreet.eu ⁨14⁩ ⁨hours⁩ ago
Going the split DNS way is doable but had other issues (android devices bypassing local DNS for example or DNS over HTTPS issues)

I set up my opnSense to redorect all internal traffic to the external IP on port 443 to my internal server ip.

Works fine, it’s transparent, and doesn’t mess with DNS.

source
- Zwuzelmaus@feddit.org ⁨5⁩ ⁨hours⁩ ago
  
  android devices bypassing local DNS
  
  Can this be fixed/avoided?
  
  source
  - Shimitar@downonthestreet.eu ⁨5⁩ ⁨hours⁩ ago
    For now yes but the very specifics of DNS over https make that impossible if enforced one day.
    
    source
    -> View More Comments
- mrh@mander.xyz ⁨14⁩ ⁨hours⁩ ago
  And so when away do you just directly connect to the external IP and do port forwarding?
  
  source
  - Shimitar@downonthestreet.eu ⁨6⁩ ⁨hours⁩ ago
    Actually I am behind CGNAT so when away I connect to my VPS that has a nginx pointing to a wireguard endpoint to the opnSense.
    
    When home, my VPS ip gets rerouted on port 443 (and 80, mandatory for let’s encrypt) to the internal ip of my server.
    
    source
bigredgiraffe@lemmy.world ⁨6⁩ ⁨hours⁩ ago
Okay lots of good info here but just to make sure it was clear that you are kinda solving two different but related problems. Connectivity with WireGuard or other VPN and split-horizon or multi-horizon DNS (Wikipedia) which also called a view sometimes (like BIND) and can also be done with two different DNS servers. You can sorta do it with AdGuard but it is tedious to maintain. If you are using a wildcard rewrite it works alright but that isn’t necessarily the same as a CNAME or subzone delegation.

The next pice I’m not sure I saw mentioned is that WireGuard is not like other VPNs in that if two nodes are on the same network they will generally communicate directly peer to peer even over WireGuard addresses so you don’t really need to worry about traffic hairpin like you described unless you configure it to do so (which is more like traditional VPN would act). Tailscale is similar in concept but it uses different terms and technologies.

Anyway not sure if that helped or made it more confusing but there are may ways to solve it so good luck! FWIW, my home network is currently set up with a public zone on a commercial provider. It has a wildcard CNAME to something like proxy.domain and that is an A record containing the WireGuard addresses. Then my local DNS overrides the one A record for the proxy internally which I only get when WG is off. I would rate this solution adequately functional but medium level of janky, 8/10 would use again :D

source
French75@slrpnk.net ⁨13⁩ ⁨hours⁩ ago
I have opnsense, and it was pretty easy. I use DNS overrides and a local reverse proxy. When I’m on the home network, the local dns overrides point to the local reverse proxy. When I’m outside the home, public DNS records point to my VPS, which reverse proxies the traffic to my home machine. This way I’m only hitting the VPS when I’m outside the home. Much more efficient.

I think Side of Burritos’ youtube channel has a guide on how to set this up, but it’s fairly straightforward.

source
tangeli@piefed.social ⁨10⁩ ⁨hours⁩ ago
You might find the techniques used in Network-Aware Firewall useful. You can use firewall configuration to handle connections differently depending on whether you are connected to your home network or not. Or you can use the same techniquest to do other things, depending on network connection, like bringing up your VPN or not; modifying DNS or hosts file or not; etc.

source
Willoughby@piefed.world ⁨12⁩ ⁨hours⁩ ago
My Setup:

OpenWRT Router: wireguard server

NAS: DNS Server - pihole

VPS: Client - Endpoint 10.1.99.0/24, 192.168.2.0/24

Phone: Client - Endpoint 0.0.0.0/0, ::/0

10.1.99.0 clients can talk to 192.168.2.0 clients and back and forth. The NAS can talk to anyone, anyone can talk to the NAS. Any new client can talk to anything.

They all use the NAS for DNS, so they all resolve hostnames and domain names.

source
- nymnympseudonym@piefed.social ⁨10⁩ ⁨hours⁩ ago
  I too run a PiHole in an RPi, physically plugged in to my OpenWRT router
  
  source
slazer2au@lemmy.world ⁨14⁩ ⁨hours⁩ ago
Adguard home has a DNS rewrite function that you can use to rewrite local DNS queries.

I use it to rewrite my queries at home to point to the LAN IP. When I am out I get my public IP from normal resolvers.

source
- mrh@mander.xyz ⁨14⁩ ⁨hours⁩ ago
  So you have a public DNS record pointing to your home IP?
  
  source
  - motruck@lemmy.zip ⁨9⁩ ⁨hours⁩ ago
    DNS server you use from your home network retuns 192.168.1.20 for your service hosted at jellyfin.Bob.org
    
    The DNS server you hit when publically looks up jellyfin.Bob.org and gets the IP from the nameserver you have set with your domain registrar often just theirs and you set this to your home WAN ip.
    
    You have to configure both. I use opentofu / terraform to configure both all from the CLI. Any software like DNS that has a bunch of implementations that doesn’t have Open-Tofu support gets skipped and an alternative is found at this stage. You just can’t beat config as code for this type of set up.
    
    You can also use NAT reflection which will effectively reroute the connection from within your network to your external IP to work on your local network.
    
    I started with reflection and ended up going to the multiple DNS servers as it felt cleaner and I already was running Adguard so why not.
    
    Both adguard and pihlle have opentofu modules.
    
    source
    -> View More Comments
pedroapero@lemmy.ml ⁨13⁩ ⁨hours⁩ ago
There are Wireguard clients that connect based on wifi / mobile status. On f-droid WG Tunnel, WG Auto Connect, or Rethink should do.

source
- mrh@mander.xyz ⁨13⁩ ⁨hours⁩ ago
  Right but I want to be connected to wireguard always, I just want the DNS/routing to be different based on wifi/mobile.
  
  source
  - non_burglar@lemmy.world ⁨12⁩ ⁨hours⁩ ago
    WG Tunnel. It does exactly this.
    
    When I leave my WiFi, tunnel turns on. When I rejoin my WiFi, tunnel turns off.
    
    source
plateee@piefed.social ⁨10⁩ ⁨hours⁩ ago
Could you do a subdomain for internal? Using Nginx host base routing to get to the same port would let you have a valid cert for both service.lan.your.fqdn and service.your.fqdn.

Let’s Encrypt wildcard certs for the *.lan.your.fqdn would simplify things.

Your DNA server could then resolve the lan fqdns to your internal network and the non-lan to your Internet exposed?

source
- mrh@mander.xyz ⁨9⁩ ⁨hours⁩ ago
  Yes that would work, but it feels a bit cumbersome to have 2 fqdns per service, which I would have to switch between using depending on on whether I’m local or not.
  
  source
  - plateee@piefed.social ⁨9⁩ ⁨hours⁩ ago
    Yeah, in that case, I’d probably split my DNS duties. I started with internal resolution by having Pihole do hard coded DNS entries for internal systems, but my current setup seems to be much more resilient.
    
    I have two PowerDNS servers (main and replica) with recursors to Open DNS internet servers and resolvers for my lab network. It plays very nicely with Terraform or (crucially lately) Kubernetes.
    
    source
damnthefilibuster@lemmy.world ⁨13⁩ ⁨hours⁩ ago
I just use Avahi to use a .local domain when at home. That way felt easier. Also, I have separate bookmarks for “heimdall” and “heimdall-away” on my phone.

source
FreedomAdvocate@lemmy.net.au ⁨14⁩ ⁨hours⁩ ago
Tailscale.

source
tophneal@sh.itjust.works ⁨14⁩ ⁨hours⁩ ago
I ran into a similar issue when visiting some family. Even though I was connected to home via VPN, my devices wouldn’t pull servers by their IPs. I was able to fix it by editing my conf for the WG connection and added my static servers as allowed IPs. While still having to self host a server for accounting at work, we did a similar split setup so they would be able to use RDP to their desktops but all other traffic was ignored and handled locally. This forum post has pretty good, short explanation with some example config scenarios forum.mikrotik.com/t/…/156426

source

Decronym@lemmy.decronym.xyz ⁨14⁩ ⁨hours⁩ ago

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters	More Letters
DNS	Domain Name Service/System
HTTP	Hypertext Transfer Protocol, the Web
HTTPS	HTTP over SSL
IP	Internet Protocol
SSD	Solid State Drive mass storage
SSL	Secure Sockets Layer, for transparent encryption

[Thread #78 for this comm, first seen 9th Feb 2026, 22:20] [FAQ] [Full list] [Contact] [Source code]

source