How best to manage seamless external access to home network?

dfederm

I'm trying to set up my home network so that a couple specific services can be accessed externally when I'm out of the house.

I explored using a VPN as an option since it's more secure, but the split tunneling configuration seemed very complicated and I'm unsure how well I can set that up on some of the devices which would need it (e.g. my kids' Kindle Fire).

Based on that, I decided to just open a few ports in my router and use a reverse-proxy to get the traffic to go to the correct machines. And inside my network I can just DNS rewrite.

The problem I'm struggling with is how to make it work seamlessly internally and externally wrt ports.

For concreteness, I'm specifically just trying to get Home Assistant and Jellyfin to work externally. I know for Home Assistant at least on Android I can make it use a different URL on my home network, but that doesn't work really on a laptop for example and I'm not aware of something similar for Jellyfin.

My plan (using fake hosts and IPs for illustration):

  • Internal - DNS rewrite
    • ha.example.com -> 10.0.0.2
    • jellyfin.example.com -> 10.0.0.3
  • External - Reverse Proxy
    • ha.example.com:443 -> 10.0.0.2:5000
    • jellyfin.example.com:443 -> 10.0.0.2:5001

But to actually access these services, internally I need ha.example.com:5000 and jellyfin.example.com:5001, while externally I need ha.example.com:443 and jellyfin.example.com:443.

One possible solution I had thought of is to use the reverse proxy even internally, and just DNS rewrite all subdomains to the machine running the reverse proxy. I suppose this could work, but I do worry that it'd incur extra stress on the reverse proxy, in particular Jellyfin.

Is there a better way to set this up, or do I pretty much have to decide between juggling ports and running internal traffic through my reverse proxy?

Or am I just a big dummy and split tunneling VPNs actually aren't that hard, even for tablets?


I use OPNsense for my firewall and use OpenVPN on it. I just unticked redirect gateway and then under advanced can push my specific routes and DNS requests I need.

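The split-tunnel setup described in the reply above can be checked mechanically. The following is an added example, not code from any post in the thread: it audits OpenVPN server directives for an accidental full tunnel and for a pushed DNS server that no pushed route covers. The 10.8.0.0/24 tunnel network, the 10.0.0.1 resolver and the `audit` helper are assumptions for illustration.

```python
import ipaddress
import shlex

# Constructed samples: directives as they might be entered in the server's
# advanced options. LAN addresses follow the thread's fake 10.0.0.x network;
# the tunnel network and the resolver address are assumptions.
SPLIT_TUNNEL = '''
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
push "dhcp-option DNS 10.0.0.1"
'''
# Same config with "redirect gateway" left ticked: all client traffic is tunneled.
FULL_TUNNEL = SPLIT_TUNNEL + 'push "redirect-gateway def1"\n'
# Only one host is routed, so the pushed resolver is unreachable from clients.
UNROUTED_DNS = '''
server 10.8.0.0 255.255.255.0
push "route 10.0.0.2 255.255.255.255"
push "dhcp-option DNS 10.0.0.1"
'''

def audit(config):
    """Return a list of findings for an OpenVPN server config string."""
    reachable, dns, findings = [], [], []
    for line in config.splitlines():
        words = shlex.split(line, comments=True)  # keeps quoted push args whole
        if not words:
            continue
        if words[0] == "server" and len(words) >= 3:
            # Clients get an address in the tunnel network, so it is reachable.
            reachable.append(ipaddress.ip_network(f"{words[1]}/{words[2]}"))
        elif words[0] == "push" and len(words) == 2:
            pushed = words[1].split() or [""]
            if pushed[0] == "redirect-gateway":
                findings.append("full tunnel: redirect-gateway is pushed")
            elif pushed[0] == "route" and len(pushed) >= 2:
                # OpenVPN treats a route without a netmask as a single host.
                mask = pushed[2] if len(pushed) > 2 else "255.255.255.255"
                reachable.append(ipaddress.ip_network(f"{pushed[1]}/{mask}"))
            elif pushed[:2] == ["dhcp-option", "DNS"] and len(pushed) == 3:
                dns.append(ipaddress.ip_address(pushed[2]))
    for server in dns:
        if not any(server in net for net in reachable):
            findings.append(f"DNS {server} is not inside any pushed route")
    if not dns:
        findings.append("no DNS pushed: internal names will not resolve")
    return findings
```

An empty result means only the pushed networks go through the tunnel and the internal resolver is reachable over it, so internal names such as the DNS rewrites in the first post resolve the same way away from home.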

I'm not sure I follow.

I have the routing working internally and externally. The only thing I don't have working is the ports.
