I wanted to share a service I’m hosting, but didn’t feel comfortable just leaving publicly accessible, even behind a reverse proxy. In the meantime I did not want to give access to my whole lan with a VPN, or redirect all internet traffic from a client thru my network. So the idea is to run a WireGuard instance on my OpenWRT router in a completely isolated zone (input, output and forward set to reject on firewall) and then forward a single port from the service host’s. Client is android, so using WG Tunnel and split tunnel just for the relevant app should not impair client’s network access. Initial tests seems to be ok, is there anything I may have overlooked? Please feel free to comment.
Is there a way for a Wireguard peer to advertise AllowedIPs similar to Tailscale’s subnet routings? If that’s right, perhaps you can configure your host’s address as one of the AllowedIPs on the OpenWRT peer, and skip port forwarding too
Yes, since Tailscale is based on wireguard.
Probably not the best practice, though, since any device that connects will be allowed to use the service if there is no authentication on the cert.