Hey fellow selfhosters! Hope you're doing well. Today I would like some help figuring out how I could make this project a reality. So I would like to give friends and family VPN access to my homelab (probably with WireGuard).

I also have a VPS in the cloud and I can VPN to it to anonymize outgoing connections.

So basically, in the case that a friend asks for a local service, I want the request to come to my home through his VPN connection and then come back directly from my home.

In the case that a friend requests google[dot]com, I want the request to come to my house and then go through the VPS to make the request from it and not from my home. Then it comes back from Google to the VPS, to my home, to the client.

The principal issue I have is how I can route my services directly through my home without going onto the regular WWW, but make all other requests go through the VPS and to the WWW.

If you need more explanations or info, feel free to ask.

PS: I also self-host Pi-hole, so all the DNS requests should go through it (and maybe I could use it to route requests where I want by tweaking my domain requests to local IPs?)

[diagram of the network]

  • Brkdncr@lemmy.world · ↑12 ↓1 · 5 days ago

    Install Tailscale on your VPS and your homelab server.

    Share the Tailscale DNS of your server with guests.

    Use your VPS as your exit node.

    • foremanguy@lemmy.ml (OP) · ↑2 ↓1 · 5 days ago

      But if I correctly understand how Tailscale works, I would need to install Tailscale on all machines I wish to give friends access to?

      • Brkdncr@lemmy.world · ↑3 · edited · 5 days ago

        Yes.

        Otherwise, just open up ports on your network firewall and set up DNS to point to your external IP.

        There might be a way to do this with Cloudflare that is more secure.

        Edit: you might want to create a network diagram to help explain what you have and what you want to do. The way you describe the problem is confusing.

          • Brkdncr@lemmy.world · ↑1 · 5 days ago

            From the diagram, you just want to put everything within a VPN so they are on the same network.

            You can choose whatever VPN solution you want, but I like Tailscale since you don't need to set up any inbound NAT or firewall.

            From the diagram it looks like you want your outside clients to use the VPN as well.

            • foremanguy@lemmy.ml (OP) · ↑1 · 5 days ago

              Nah, it's not what I want to do.

              The requests from the client for local services go through the first VPN, are resolved in my home and then come back.

              The requests from the client to outside services go through my home with the first VPN, are resolved here, then go to the internet through the second VPN and then come back to the client.

              • Brkdncr@lemmy.world · ↑2 · 5 days ago

                What you’re describing is overly complex routing, and split DNS.

                Join all clients to a single network.

                • foremanguy@lemmy.ml (OP) · ↑1 · 5 days ago

                  I want to protect my home services, so when accessing my domain it goes through the VPS and you only know its IP (a datacenter IP). But for my friends and family I don't need this protection, so they are accessing my home with a VPN connection and, by the way, they are using the VPS to make requests and so protect their privacy.

                  The simple solution (since my services are publicly available) would be to route all traffic coming from my friends through my home and then through the VPS. But I don't like this idea since it would add a lot of latency and useless traffic, since the client is already going through my home…

                  So my question is: how could I route the local services directly to the client and let the rest of the traffic go through the VPS?

        • foremanguy@lemmy.ml (OP) · ↑1 · 5 days ago

          Right, I will try to make you a diagram, but I don't think Tailscale would be a good solution…

  • thelittleblackbird@lemmy.world · ↑4 · 5 days ago

    I don't have time now, so I will sketch the solution.

    You need a proxy server in your VPS that will redirect the traffic to your home. Caddy is usually recommended here and I am planning to migrate to it (currently nginx).

    For your DNS you need something called zone name resolution; it will resolve to a different IP depending on where the request came from.

    Good luck

    • foremanguy@lemmy.ml (OP) · ↑2 · 5 days ago

      Didn't know if I explained it badly, but it's not exactly what I want to do. All the requests go through my home (since people are VPNed to it); if they are requesting outside stuff, it goes through the VPS using the VPN connection. But if they request inside services, it should go directly to them.

      Basically I want to know a way of routing everything through the VPS (basically a WireGuard connection) except home services, to avoid doing a useless journey to the internet.

      • curiouschipmunk@lemmy.world · ↑2 · 5 days ago

        If all traffic is going through your homelab, you can make the VPN clients use a VPN-specific DNS server (or the one suggested with resolving per origin); you then make the external names of your services resolve to the servers' internal IP addresses, avoiding going out. Another way is to add rules to your gateway to redirect internal traffic going to your external IP addresses to DNAT to the internal addresses, but in order for that to work you need to masquerade them, which means server logs will have the gateway's IP.

        • foremanguy@lemmy.ml (OP) · ↑1 · 5 days ago

          Yeah, that's what I was thinking, thank you. But how can I restrict my friends' and family's access to my local network when they connect to the provided VPN (is Tailscale something to consider?)

  • DecentM@lemmy.blahaj.zone · ↑3 · edited · 5 days ago

    You’re pretty much describing Tailscale with an exit node on the VPS. If the purpose of the VPS is to make their traffic not come from your home, you can omit the VPS entirely as Tailscale only routes through the VPN when reaching services also on the VPN.

    Edit: to self-host it, look into Headscale, but the default hosted control server works well too.

  • Gravitywell@sh.itjust.works · ↑2 · edited · 5 days ago

    A central WireGuard peer on your VPS; connect home to the VPS and direct the WireGuard. Add friends as peers on the VPS like such:

    [Interface]
    Address = 10.0.0.1/24
    ListenPort = 51820
    PrivateKey = <VPS_PRIVKEY>

    # Home (the LAN must be listed here too, otherwise WireGuard's cryptokey
    # routing drops 192.168.1.0/24 packets before the ip route below can use this peer)
    [Peer]
    PublicKey = <HOME_PUBKEY>
    AllowedIPs = 10.0.0.2/32, 192.168.1.0/24

    # Friend
    [Peer]
    PublicKey = <CLIENT_PUBKEY>
    AllowedIPs = 10.0.0.3/32

    Use iptables to split-tunnel traffic.

    For the home network: ip route add 192.168.1.0/24 via 10.0.0.2 dev wg0

    And for the VPN, to route Google and such:

    Enable NAT for clients:

    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

    You can set the iptables rules to run when it comes up.

    Forgive my formatting. Mobile clients are being janky.

    • MysteriousSophon21@lemmy.world · ↑1 · 4 days ago

      This is almost right, but you'll need more specific iptables rules for the split tunneling. Try something like ip route add YOUR.HOME.SUBNET.0/24 via 10.0.0.2 on the VPS, and then on the homelab add iptables -t nat -A POSTROUTING -d YOUR.HOME.SUBNET.0/24 -j ACCEPT followed by iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE to route everything else through the VPS connection.

    • foremanguy@lemmy.ml (OP) · ↑2 · 5 days ago

      This is not exactly what I want to do. Requests to my home services are protected by not going directly to my home and rather going through the VPS, but since I know my friends, I can let them go directly to my home without at any time going through the VPS (except to make the outgoing requests).

      • Gravitywell@sh.itjust.works · ↑2 · edited · 5 days ago

        In that case you would need to add the peers to the WireGuard node you have running in the homelab as well. WireGuard can route peer to peer and will take the shortest path available to it.

        That said, I highly recommend first getting things working in a "hub and spoke" style WireGuard configuration with either your homelab or the VPS as a central peer, then add peers as endpoints after you have everyone with working connections to the central peer. It's just a heck of a lot easier to troubleshoot and get your head around that way.
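    Putting together the routing from Gravitywell's and MysteriousSophon21's replies with the OP's question about restricting what friends can reach, here is an added example (not code from any post in this thread): a script for the home box that policy-routes friends' traffic so LAN destinations stay local and everything else leaves through the VPS tunnel, and limits friends to a short list of services. Interface names, addresses and the service list are assumptions; it also assumes the home-to-VPS tunnel wg1 is brought up with Table = off so the home's own traffic keeps using the main routing table.

```shell
# Added example, not from any post in this thread. Run as root on the HOME box
# (DRY_RUN=1 prints the commands instead). All names/addresses are assumptions:
#   wg0   tunnel the friends connect to; clients get 10.0.0.0/24
#   wg1   tunnel from home to the VPS (Table = off so home's own traffic is untouched)
#   eth0  LAN 192.168.1.0/24; services friends may use are listed in ALLOWED
FRIEND_NET=10.0.0.0/24
LAN_NET=192.168.1.0/24
LAN_IF=eth0
VPS_TUN=wg1
TABLE=100                       # routing table consulted only for friends' traffic
ALLOWED="192.168.1.10:443 192.168.1.11:8096"

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Policy routing: packets *from* friends use table 100, where the LAN is local
# and the default route is the VPS tunnel. Replies still find wg0 via the main table.
home_split_tunnel() {
  run sysctl -w net.ipv4.ip_forward=1
  run ip rule add from "$FRIEND_NET" lookup "$TABLE" priority 1000
  run ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE"
  run ip route add default dev "$VPS_TUN" table "$TABLE"
}

# Friends may reach only the listed services; the rest of the LAN is dropped,
# and anything not LAN-bound is allowed out solely via the VPS tunnel.
home_firewall() {
  run iptables -N FRIENDS 2>/dev/null || true   # no-op if the chain already exists
  run iptables -F FRIENDS
  run iptables -A FRIENDS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for svc in $ALLOWED; do
    run iptables -A FRIENDS -p tcp -d "${svc%:*}" --dport "${svc#*:}" -j ACCEPT
  done
  run iptables -A FRIENDS -d "$LAN_NET" -j DROP
  run iptables -A FRIENDS -o "$VPS_TUN" -j ACCEPT
  run iptables -A FRIENDS -j DROP
  run iptables -I FORWARD -i wg0 -s "$FRIEND_NET" -j FRIENDS
}

# VPS side: NAT friends' traffic out to the internet. The VPS's peer entry for
# home must list 10.0.0.0/24 in AllowedIPs, otherwise WireGuard drops it before NAT.
vps_nat() {
  run iptables -t nat -A POSTROUTING -s "$FRIEND_NET" -o eth0 -j MASQUERADE
}

case "${1:-}" in apply) home_split_tunnel; home_firewall ;; esac
```

    Run it as `./split.sh apply` on the home box and call vps_nat on the VPS; the DNS half (Pi-hole answering the service names with LAN addresses for VPN clients) is what keeps those connections from ever taking the VPS route.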

  • ohshit604@sh.itjust.works · ↑2 ↓1 · edited · 5 days ago

    This is absolutely possible, as I do it myself; however, it's executed entirely differently. My ASUS WRT router with Merlin firmware handles the VPN server and routes the IP range through my VPN provider (Proton); on the clients' end, their devices see a Proton IP.

    Didn't have to mess with config files or anything: install the custom firmware and create a rule for the routing in the VPN Director.