I’ve been doing the SSL with Caddy and Let’s Encrypt via CertBot. Extra work but not too bad once you figure it out (and take notes since I forget by the time the renewal comes around :)
I still need to find time to set up auto renewal… One day
Thank you for your answer.
My problem is, that I would like to keep my (Docker) services like Silverbullet.md in my local network only and reach them exterally by Wireguard VPN.
Before https I reached my services with <ip>:<port>, which worked fine with VPN.
As mentioned here, there are now only a few options to get https without open everything to the world:
Set my local servers ip as localhost by ssh ( ssh -N -L 3002:localhost:3000 user@someip) which works, but needs to be added for every client and every access.
Add a hosts file entry (e.g. silverbullet.lan 192.168.1.123) on every client to access the local server and add a Caddyfile entry with a selfsigned certificate.
Put a local DNS server like dnsmasq or bind9 in my network and add local domains there (like silverbullet.lan) and use Caddy again for SSL. That’s the point where I haven’t figured out how to get it running over Wireguard VPN.
I don’t want to rely on external services like Tailscale.
I want to preface this with the fact that I am definitely NOT a networking expert so… don’t trust anything I say.
My situation is a bit different because I am using Tailscale, though I have it on the list to be replaced in the future.
When you Wireguard to your LAN, do subsequent DNS requests go through the VPN? Sounds like you’re looking into that route based on your third point above. If so, can you just add a static DNS resolution to your LAN router that points to your Caddy SSL terminator/reverse proxy? This assumes a static IP for your host.
That’s what I’ve done. On my router I’ve set a static DNS entry of silverbullet.mydomain.com ->10.0.0.101 (where *.101 is the static IP of my internal host/Caddy). This allows everything to resolve correctly when I’m physically attached to my LAN but also when connecting remotely via Tailscale.
It may not be elegant, but it avoids the hassle / extra config of a local DNS server as well as the need to manage host routes on each device.
EDIT: My router is running OpenWRT but I think most consumer grade routers support static DNS routes… but I could be wrong.
I’ve been doing the SSL with Caddy and Let’s Encrypt via CertBot. Extra work but not too bad once you figure it out (and take notes since I forget by the time the renewal comes around :)
I still need to find time to set up auto renewal… One day
Thank you for your answer.
My problem is, that I would like to keep my (Docker) services like Silverbullet.md in my local network only and reach them exterally by Wireguard VPN.
Before https I reached my services with <ip>:<port>, which worked fine with VPN. As mentioned here, there are now only a few options to get https without open everything to the world:
Set my local servers ip as localhost by ssh ( ssh -N -L 3002:localhost:3000 user@someip) which works, but needs to be added for every client and every access.
Add a hosts file entry (e.g. silverbullet.lan 192.168.1.123) on every client to access the local server and add a Caddyfile entry with a selfsigned certificate.
Put a local DNS server like dnsmasq or bind9 in my network and add local domains there (like silverbullet.lan) and use Caddy again for SSL. That’s the point where I haven’t figured out how to get it running over Wireguard VPN.
I don’t want to rely on external services like Tailscale.
I want to preface this with the fact that I am definitely NOT a networking expert so… don’t trust anything I say.
My situation is a bit different because I am using Tailscale, though I have it on the list to be replaced in the future.
When you Wireguard to your LAN, do subsequent DNS requests go through the VPN? Sounds like you’re looking into that route based on your third point above. If so, can you just add a static DNS resolution to your LAN router that points to your Caddy SSL terminator/reverse proxy? This assumes a static IP for your host.
That’s what I’ve done. On my router I’ve set a static DNS entry of
silverbullet.mydomain.com -> 10.0.0.101(where*.101is the static IP of my internal host/Caddy). This allows everything to resolve correctly when I’m physically attached to my LAN but also when connecting remotely via Tailscale.It may not be elegant, but it avoids the hassle / extra config of a local DNS server as well as the need to manage host routes on each device.
EDIT: My router is running OpenWRT but I think most consumer grade routers support static DNS routes… but I could be wrong.