Wireguard to access home network while still using commercial VPN to reach Internet

Hello all, I am struggling to find any resources online to help me set up the following:

I wish to access resources on my home network remotely, while simultaneously having any traffic to the Internet be routed over my commercial VPN.

My current setup: My resources all live within their own docker containers and are of course accessible when I’m on my LAN, and I can reach them when my devices are connected to my commercial VPN. My router (or modem?) has a static IP, so I won’t be using a domain or anything like DuckDNS.

Thank you for any help!

This heavily depends on your router or whatever device you are using as your endpoint. Some vendors allow VPN connections in but not VPNs out (Netgear - some).

I won’t be of much help going further, since I don’t have that much knowledge. But I achieved what you describe with my Raspberry and NordVPN, by following these instructions for the Wireguard setup provided by Pihole:

https://docs.pi-hole.net/guides/vpn/wireguard/route-everything/

The port on the router must be forwarded to allow wireguard clients from outside your network to join.

I then installed the NordVPN via Curl, which was pretty straightforward, and I think I whitelisted some requests from the home network, but since you might use another VPN, these probably differ anyway.

Then, I followed this, even though I only needed like half of the steps mentioned:

https://dietpi.com/forum/t/help-remotely-connecting-using-wireguard-while-nordvpn-is-running-on-pi/6293

Note that according to the guy there, doing this adds security issues: “you have already opened up holes in the airtight solution provided by nord to accommodate your needs, so you need to decide if you want security over comfort. This also depends on the use case. If you are trying to hide from a suppressive regime, then I’d suggest you rethink about it. If you just want to browse without trackers and advertisements then it’s not a huge deal if it breaks.”

But from what I understand, this would be the case with any way you’d make this work. Good luck!

I have both a WireGuard server and client in my GL.iNet router. Connections come in via the server and go out the client connection. I can also access the LAN.

I intend to run wireguard on my debian server, same server that hosts my local resources. Is that what you mean?

I did see that Tailscale allows for such a setup, such that the exit nodes go through the VPN provider Mullvad. I don’t think it’s possible with other providers (or even without paying Tailscale directly, even for users of Mullvad).
I have looked at a lot of these systems like Tailscale and Netbird but I am not very proficient in networking so I am hoping somewhere out there someone made a write-up of such a setup.

Reading your post again, I’m not completely sure if I got your use case right, but the links might help you regardless. I can at least access the Pi-hole and router interfaces from remote, and I think that’s similar to what you mean with accessing resources on your home network?

Awesome, will be reading through these!

Yes, that is important information. The endpoint/server setup does matter as there are certain tweaks/tunables that might need to be adjusted, and certain rules added to the kernel routing table to ensure proper routing by the WireGuard host.

Tailscale was basically created for people with no experience. It’s really that easy. Plug and play basically. Definitely give it a try.

Correct, I just wish to access local resources like with a basic WireGuard setup. But then if I go to e.g. google.com I want it to be the commercial VPN IP instead of my home IP.

EDIT: I guess the setup in your guide is different in that my home server is not using my commercial VPN. Only my docker containers are.

Thank you, I will try to provide all the relevant information then.
The host is Debian 12. I have a docker container which runs Gluetun to set up the connection to my commercial VPN provider. All my other containers use this container as their network.

So while thinking this through, I thought maybe I can run WireGuard in a container as well somehow. I am also able to run WireGuard on bare metal.

I have indeed read great things about Tailscale. I have read a lot of their docs as well, but I still cannot find info specifically on how to route traffic for the Internet through my commercial VPN (which lives inside a docker container).

Sorry I don’t have much experience in the Debian side of things. I hope others can provide the answers you are looking for.