Setting Up a Secure Tunnel Between Two Machines - eviltoast

I have two machines running docker. A (powerful) and B (tiny vps).

All my services are hosted at home on machine A. All dns records point to A. I want to point them to B and implement split horizon dns in my local network to still directly access A. Ideally A is no longer reachable from outside without going over B.

How can I forward requests on machine B to A over a tunnel like wireguard without losing the source ip addresses?

I tried to get this working by creating two wireguard containers. I think I only need iptables rules on the WG container A but I am not sure. I am a bit confused about the iptables rules needed to get wireguard to properly forward the request through the tunnel.

What are your solutions for such a setup? Is there a better way to do this? I would also be glad for some keywords/existing solutions.

Additional info:

  • Ideally I would like to not leave docker.
  • Split horizon dns is no problem.
  • I have a static ipv6 and ipv4 on both machines.
  • I also have spare ipv6 subnets that I can use for intermediate routing.
  • I would like to avoid cloudflare.
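A worked configuration for the setup asked about above, added here as an example and not taken from the thread or from any reply: B DNATs inbound 80/443 into the WireGuard tunnel without masquerading, so A sees the real client address, and A installs a policy-routing rule so that replies sent from its tunnel address go back through the tunnel instead of out through the home router. Assumed values (all placeholders): tunnel subnet 10.200.0.0/24 with B = 10.200.0.1 and A = 10.200.0.2, B's public interface eth0 and public address 203.0.113.10, UDP 51820 for WireGuard, routing table 123, and a reverse proxy on A listening on 80/443. It also assumes wg0 lives in the host network namespace on both ends (wg-quick on the host, or a container with host networking and NET_ADMIN); a WireGuard container on its own bridge network would need these rules inside its namespace plus a second hop to the service containers, which this example does not cover.

```ini
# --- /etc/wireguard/wg0.conf on B (the VPS with the public address) ---
# All addresses, interface names and table numbers below are assumed placeholders.
[Interface]
Address = 10.200.0.1/24
ListenPort = 51820
PrivateKey = <B private key>
# B must forward, and inbound 80/443 on the public interface is DNATed into the tunnel.
# Deliberately no MASQUERADE: the client source address is left intact so A sees it.
PostUp = sysctl -q -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.200.0.2
PostUp = iptables -A FORWARD -i eth0 -o wg0 -d 10.200.0.2 -p tcp -m multiport --dports 80,443 -j ACCEPT
# Replies from A come back over wg0; conntrack reverses the DNAT before they leave eth0.
PostUp = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.200.0.2
PostDown = iptables -D FORWARD -i eth0 -o wg0 -d 10.200.0.2 -p tcp -m multiport --dports 80,443 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

[Peer]
# A: only its tunnel address ever appears as a source on packets coming from A.
PublicKey = <A public key>
AllowedIPs = 10.200.0.2/32

# --- /etc/wireguard/wg0.conf on A (the home machine running the services) ---
[Interface]
Address = 10.200.0.2/24
PrivateKey = <A private key>
# Stop wg-quick from turning the 0.0.0.0/0 AllowedIPs below into a default route.
# Only traffic that originates from the tunnel address must go back through the tunnel;
# everything else on A keeps using the home router.
Table = off
PostUp = ip rule add from 10.200.0.2/32 table 123 priority 100
PostUp = ip route add default dev wg0 table 123
# Loose reverse-path filtering on wg0, so forwarded packets with arbitrary client
# source addresses are not dropped if strict rp_filter is enabled globally.
PostUp = sysctl -q -w net.ipv4.conf.wg0.rp_filter=2
# Let the forwarded connections reach the reverse proxy on A.
PostUp = iptables -A INPUT -i wg0 -p tcp -m multiport --dports 80,443 -j ACCEPT
PostDown = iptables -D INPUT -i wg0 -p tcp -m multiport --dports 80,443 -j ACCEPT
PostDown = ip route del default dev wg0 table 123
PostDown = ip rule del from 10.200.0.2/32 table 123 priority 100

[Peer]
# B
PublicKey = <B public key>
Endpoint = 203.0.113.10:51820
# Forwarded packets arrive with the real client source addresses, so WireGuard's
# cryptokey routing must admit any source; 0.0.0.0/0 does that, and because of
# Table = off above it does not change A's normal routing.
AllowedIPs = 0.0.0.0/0
# A sits behind home NAT, so it initiates the tunnel and keeps the mapping alive.
PersistentKeepalive = 25
```

The two things that usually break this are the AllowedIPs on A's side, which must cover every possible client source address or WireGuard silently drops the forwarded packets, and the return route, which without the `ip rule` would send replies from 10.200.0.2 out through the home router with the wrong source. Verify with `tcpdump -ni wg0` on A while connecting from outside: the SYN should show the client's public address, not B's. The IPv6 path is the same with ip6tables and tunnel addresses from one of the spare subnets. If terminating TLS on B is acceptable, the other common answer is a reverse proxy on B that passes the client address with the PROXY protocol (HAProxy `send-proxy`, nginx `proxy_protocol`) instead of routing tricks.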
    • raldone01@lemmy.world (OP) · 10 months ago

      I have heard of it; it seems like a good option. If you use it please tell me if it can fulfil my requirements.

      Mhh I didn’t know headscale exists. Tailscale being proprietary was the main thing keeping me from using it.

      • RiderExMachina@lemmy.ml · 10 months ago

        I haven’t used Tailscale myself, but it seems like it’s basically just a Wireguard frontend.

        • Lunch@lemmy.world · 10 months ago

          Although correct, their feature set is amazing and expanding. Tailscale is my number one tool of choice these days; it's so simple and so handy.

          • RiderExMachina@lemmy.ml · 10 months ago

            “Technically correct” is the best form of correct. Though having tried setting up Wireguard in the past, a dead-simple solution like Tailscale might be worth trying out, especially with the 100 device free tier.