So I have some services and wireguard running locally on a “home” network. I also have wireguard, a DNS resolver, and a reverse proxy set up on a remote server. Since I don’t want to expose the home IP to the public, to access my services I connect to the VPN on the remote, which then forwards my request home. But this means that when I’m at home, connecting to my local services requires going out to the remote. Is there some way to have the traffic go over the switch when at home, but go over wireguard when away, without having to manually switch the VPN on/off?
I could move the DNS resolver (which handles the internal names for the services) from the remote to the home server. But then similarly every DNS request will need to go through both the remote and home servers, doubling the hops. I’d like to use my own DNS server at all times though, both at and away from home. Which tradeoff seems better?
edit: thanks for all the suggestions, I’ll look into some of these solutions and see what works best
Going the split DNS way is doable but has other issues (Android devices bypassing local DNS, for example, or DNS over HTTPS issues).
I set up my OPNsense to redirect all internal traffic to the external IP on port 443 to my internal server IP.
Works fine, it’s transparent, and doesn’t mess with DNS.
android devices bypassing local DNS
Can this be fixed/avoided?
For now yes but the very specifics of DNS over https make that impossible if enforced one day.
How?
DOH goes over port 443 using https, impossible to block (unless you want to blacklist all possible URLs that might serve DNS) so cannot be redirected at network level, like with classic DNS, and uses SSL encryption so cannot be “sniffed” and redirected.
In other words: say goodbye to ad blockers based on DNS like pihole or adguard
While it seems good for your privacy, it’s a dream for Google and such, where PiHoles and such DNS blockers will be useless…
No.
My question is: how can I prevent my Android devices from bypassing my DNS?
Set a custom private DNS with your DNS.
If you use IPv6 globally routable addresses for your services you can avoid all split horizon DNS, NAT, hairpin, etc. With the magic of IP routing and maybe some custom wireguard route advertisements your packets will go through the shortest path wherever your client hosts are.
This is how I do it. No VPN. No NAT nonsense. You can open an IPv6 address to the public internet and nobody is going to stumble across it. You don’t even disclose your address to servers you connect to.
100% of shady connections come from bots scanning address space on IPv4.
IPv6. No need to deal with hacky translation and DNS BS if you don't do NAT.
I love ipv6 but I don’t see how it is related to anything here
All devices get individual exposed IP addresses, then you just control the flow of access through which interface. I guess…
You don't have local IPs with IPv6; everything is globally routable.
I have opnsense, and it was pretty easy. I use DNS overrides and a local reverse proxy. When I’m on the home network, the local dns overrides point to the local reverse proxy. When I’m outside the home, public DNS records point to my VPS, which reverse proxies the traffic to my home machine. This way I’m only hitting the VPS when I’m outside the home. Much more efficient.
I think Side of Burritos’ youtube channel has a guide on how to set this up, but it’s fairly straightforward.
I just do hairpin NAT. Sure, people will say it's not the best, but it just works and I don't have to maintain a separate DNS server.
What’s bad about hairpin NAT? Not having to maintain a local DNS server is nice.
Although I do have mine exposed to the internet, I do think this is the simplest way:
Have an additional DNS resolver capable of overriding your outbound request to your server to loop back instead. I'm not sure what you'll need to do differently if you're using a domain for your certificate; you could likely add your local IPs to your DNS return. But using domains allows you to wildcard your DNS override to catch all connections you may have using subdomains.
E: if anyone could let me know if they see this comment, it seems my instance is having issues federating
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters: More Letters
CGNAT: Carrier-Grade NAT
DNS: Domain Name Service/System
HTTP: Hypertext Transfer Protocol, the Web
HTTPS: HTTP over SSL
IP: Internet Protocol
NAS: Network-Attached Storage
NAT: Network Address Translation
PiHole: Network-wide ad-blocker (DNS sinkhole)
RPi: Raspberry Pi brand of SBC
SBC: Single-Board Computer
SSD: Solid State Drive mass storage
SSL: Secure Sockets Layer, for transparent encryption
TLS: Transport Layer Security, supersedes SSL
VPN: Virtual Private Network
VPS: Virtual Private Server (opposed to shared hosting)
nginx: Popular HTTP server
[Thread #78 for this comm, first seen 9th Feb 2026, 22:20]
Could you do a subdomain for internal? Using Nginx host-based routing to get to the same port would let you have a valid cert for both service.lan.your.fqdn and service.your.fqdn. Let's Encrypt wildcard certs for *.lan.your.fqdn would simplify things. Your DNS server could then resolve the lan fqdns to your internal network and the non-lan to your Internet exposed?
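The split-horizon resolver that the OPNsense "DNS overrides" comment and the wildcard-subdomain comment above describe, written out as an Unbound configuration; this is an added example, not config from any poster in the thread. The zone home.example.com, the LAN reverse proxy 192.168.1.10, its WireGuard address 10.8.0.2, and the subnets 192.168.1.0/24 (LAN) and 10.8.0.0/24 (tunnel) are assumed placeholders.

```conf
# Added example: split-horizon Unbound config (not from the thread).
# Assumed: zone home.example.com, LAN proxy 192.168.1.10, its WireGuard
# address 10.8.0.2, LAN 192.168.1.0/24, WireGuard subnet 10.8.0.0/24.
server:
    interface: 0.0.0.0

    # Answer only the LAN and the tunnel; refuse everyone else so the
    # resolver never becomes an open resolver if a port is exposed.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control-view: 192.168.1.0/24 lan
    access-control: 10.8.0.0/24 allow
    access-control-view: 10.8.0.0/24 wg
    access-control: 0.0.0.0/0 refuse

    # Allow RFC 1918 answers for this zone without tripping Unbound's
    # DNS rebinding protection (private-address).
    private-domain: "home.example.com."

    # Never forward the internal zone upstream: a client that falls
    # outside both views gets NXDOMAIN instead of leaking the name.
    local-zone: "home.example.com." static

# Clients on the LAN switch: every name under the zone resolves to
# the local reverse proxy. 'redirect' answers the apex AND all
# subdomains from the one local-data record, i.e. *.home.example.com.
view:
    name: "lan"
    local-zone: "home.example.com." redirect
    local-data: "home.example.com. 300 IN A 192.168.1.10"

# Clients arriving through WireGuard: same names, but the answer is the
# proxy's tunnel address so traffic stays inside the VPN.
view:
    name: "wg"
    local-zone: "home.example.com." redirect
    local-data: "home.example.com. 300 IN A 10.8.0.2"
```

Check it from each network with `dig app.home.example.com @<resolver-ip>`; a phone whose Android Private DNS or browser DoH points at a public resolver never asks this server, which is exactly the bypass discussed earlier in the thread.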
Yes, that would work, but it feels a bit cumbersome to have 2 fqdns per service, which I would have to switch between depending on whether I'm local or not.
Tailscale.
There are Wireguard clients that connect based on wifi / mobile status. On f-droid WG Tunnel, WG Auto Connect, or Rethink should do.
Right but I want to be connected to wireguard always, I just want the DNS/routing to be different based on home vs foreign network.
WG Tunnel. It does exactly this.
When I leave my WiFi, tunnel turns on. When I rejoin my WiFi, tunnel turns off.