Setting Up a Secure Tunnel Between Two Machines - eviltoast

I have two machines running docker. A (powerful) and B (tiny vps).

All my services are hosted at home on machine A. All dns records point to A. I want to point them to B and implement split horizon dns in my local network to still directly access A. Ideally A is no longer reachable from outside without going over B.

How can I forward requests on machine B to A over a tunnel like wireguard without loosing the source ip addresses?

I tried to get this working by creating two wireguard containers. I think I only need iptable rules on the WG container A but I am not sure. I am a bit confused about the iptable rules needed to get wireguard to properly forward the request through the tunnel.

What are your solutions for such a setup? Is there a better way to do this? I would also be glad for some keywords/existing solutions.

Additional info:

  • Ideally I would like to not leave docker.
  • Split horizon dns is no problem.
  • I have a static ipv6 and ipv4 on both machines.
  • I also have spare ipv6 subnets that I can use for intermediate routing.
  • I would like to avoid cloudflare.
  • CronyAkatsuki@lemmy.cronyakatsuki.xyz
    link
    fedilink
    English
    arrow-up
    6
    ·
    10 months ago

    You could try using ssh reverse proxy and proxy the port to the vps.

    Another way is to setup wireguard on the vps, connect the powerfull machine to it and keep it always connected there. ( This isn’t really a good options since then all traffic is moved thrkught the vps )

    There is also grok I think that’s the name.

    In general I think ssh reverse port proxy would be a decent way and then you can use a reverse proxy on the vps like nginx or caddy ( you need one that works on the host network )

    • raldone01@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      10 months ago

      I was hoping for a solution which allows for other protocols not just https and http. I will take a closer look at grok.

      A ssh tunnel could work. I didn’t think of that. I will have to test how this interacts with docker but I think it must be setup directly on the host. I don’t think the ssh tunnel limitation applies since the service will still be reachable from As local network. Speed might be a concern but I will have to test.