I am pulling my hair out and need help. I’m going to try to be as thorough as possible.

The Goal : To use sub.domain.tld to access a service hosted on my local network whether I am on the local network or not, with SSL certs either way.

The Current Situation : I have Unraid running on a home server on Unraid.IP.Address. On that server, I’m running a few services as well as a couple VMs which themselves are running services. I won’t get into the details of all of them. I think the most relevant ones right now are DuckDNS, Nginx Proxy Manager, and Adguard Home - all of these run in docker containers on the Unraid host.

The Adguard home service has a static IP at AGH.IP.Address, and my router (an Actiontec T3200M) has been set to use AGH.IP.Address as both DNS Server 1 and DNS Server 2.

I own domain.tld through Namecheap and use their DNS records to point multiple sub.domain.tlds to sub.duckdns.org for dynamic DNS services. These successfully resolve through Nginx Proxy Manager when I’m outside my network to my various services, as well as those I host for some friends. Nginx Proxy Manager has a cert for each sub.domain.tld. I cannot gain access to Namecheap API for the purposes of a wildcard cert via DNS challenge, to my knowledge.

I also have Tailscale setup on the Unraid server. I currently use Tailscale to pretend to be on my local network when I am away to continue accessing my services from the same LAN.IP.Addresses whether I am home or away. This makes it seamless for me and my partner, but it wasn’t my ultimate goal (as mentioned in The Goal).

What I’ve Tried : I have tried to use Adguard Home’s DNS rewrites as well as custom query filters to catch local requests for sub.domain.tld and point them instead to Unraid.IP.Address, but this does not resolve. If I try to access sub.domain.tld from within the network with or without DNS rewrite entries, it does not resolve. I’ve tried using PiHole instead of Adguard Home, but was having difficulty determining if it was working at all as a DNS server, so I switched back to Adguard Home. I’ve also tried setting up a second Nginx Proxy Manager instance on my network at a different IP address, and tried to have Adguard Home rewrite DNS to that one still with no success.

This has been a thing I’ve worked on off and on for a few months with no real success so I may be forgetting a few things that I have tried. If they come up in the comments, I will edit this part with additional things I’ve tried.

I believe I want split DNS to achieve what I’m trying to achieve, but for the life of me I cannot figure out how to accomplish it. Any help would be super appreciated. Of all the things I’ve learnt on my self-hosting journey—switching to Linux full time, learning some docker and docker compose concepts, some light scripting, learning about VMs and passthrough, and more—networking has by far been the most difficult and head-bashingly difficult aspect of it all. For me, at least.

Does anyone have any suggestions for what my next steps should be to achieve my goal? I am open to any good or bad news. If I need to switch registrars, or change up my set-up radically, whatever it might take, I want to learn and I need direction because my research has hit its end.

Cheers!

  • theit8514@lemmy.world · 5 points · 15 hours ago

    When connected to your internal network, what are the results of:

    nslookup sub.domain.tld AGH.IP.Address

    This should respond authoritative with the IP you need to access NPM’s VIP IP address. If that is not the case, let us see your AGH configuration for your sub.domain.tld.

    If that does return the correct IP, verify that it responds to https using curl on Linux or Windows (replace curl with curl.exe)

    curl -vvvI https://sub.domain.tld/

    If this is not connecting or showing a cert error then there’s a misconfiguration on the NPM side. Screenshots of your site configuration for one of the sites would be helpful. The domain name should match sub.domain.tld (not your duckdns) and be bound to the let’s encrypt cert.

    • iamthetot@piefed.ca (OP) · 1 point · 12 hours ago

      nslookup sub.domain.tld AGH.IP.Address

      This should respond authoritative with the IP you need to access NPM’s VIP IP address.

      That returns a non-authoritative answer only, but the address is Unraid.IP.Address (which NPM is running on). Here’s the AGH rewrite I’m trying:

      (screenshot of the AGH DNS rewrite: Tbj0GgRy78t5hBW.png)

      Here is the result of the curl:

      21:55:55.862001 [0-x] * [READ] client_reset, clear readers
      21:55:55.863057 [0-0] * Host sub.domain.tld:443 was resolved.
      21:55:55.863116 [0-0] * IPv6: (none)
      21:55:55.863146 [0-0] * IPv4: Unraid.IP.Address
      21:55:55.863183 [0-0] * [HTTPS-CONNECT] adding wanted h2
      21:55:55.863234 [0-0] * [HTTPS-CONNECT] added
      21:55:55.863274 [0-0] * [HTTPS-CONNECT] connect, init
      21:55:55.863330 [0-0] *   Trying Unraid.IP.Address:443...
      21:55:55.863396 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
      21:55:55.863447 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
      21:55:55.863518 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
      21:55:55.863576 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
      21:55:55.863625 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
      21:55:55.863697 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
      21:55:55.863792 [0-0] * connect to Unraid.IP.Address port 443 from My.PC.IP.Address port 57824 failed: Connection refused
      21:55:55.863894 [0-0] * Failed to connect to sub.domain.tld port 443 after 1 ms: Could not connect to server
      21:55:55.863985 [0-0] * [HTTPS-CONNECT] connect, all attempts failed
      21:55:55.864043 [0-0] * [HTTPS-CONNECT] connect -> 7, done=0
      21:55:55.864094 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 7, done=0
      21:55:55.864163 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(), filter returned 7
      21:55:55.864231 [0-0] * [WRITE] [OUT] done
      21:55:55.864268 [0-0] * closing connection #0
      curl: (7) Failed to connect to sub.domain.tld port 443 after 1 ms: Could not connect to server
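The two-step check theit8514 describes (ask the LAN resolver, then curl the name and read the trace), written up as a small POSIX shell script that classifies which layer fails, with a constructed trace shaped like the one posted above. This is an added example, not code from the thread; sub.domain.tld, AGH.IP.Address and Unraid.IP.Address are the thread's placeholders, and the 192.168.x.x addresses are made up.

```shell
#!/bin/sh
# Split-DNS check for sub.domain.tld, mirroring the thread's two steps:
# (1) ask the LAN resolver, (2) curl -vvvI the name and read the trace.
# Added example, not from the thread. Placeholders: sub.domain.tld,
# AGH.IP.Address, Unraid.IP.Address; sample IPs below are constructed.

# Pull the address curl reports on its "* IPv4: a.b.c.d" line.
resolved_ip_from_trace() {
    printf '%s\n' "$1" | sed -n 's/.*\* IPv4: *\([0-9.][0-9.]*\).*/\1/p' | head -n 1
}

# Decide whether the LAN resolver handed out the LAN address NPM listens on.
check_resolution() {   # check_resolution <answer> <expected LAN IP>
    if [ "$1" = "$2" ]; then echo split_dns_ok; else echo split_dns_leak; fi
}

# Map a curl -v trace to the layer that failed (DNS, TCP, TLS) or ok.
classify_curl_trace() {
    if printf '%s\n' "$1" | grep -q 'Could not resolve host'; then
        echo dns_failed
    elif printf '%s\n' "$1" | grep -q 'Connection refused'; then
        echo connect_refused   # name resolved, but nothing listens on IP:443
    elif printf '%s\n' "$1" | grep -qE 'SSL certificate problem|unable to get local issuer'; then
        echo cert_error        # TCP fine, certificate rejected
    elif printf '%s\n' "$1" | grep -q 'HTTP/'; then
        echo ok
    else
        echo unknown
    fi
}

# Live run: diagnose <name> <resolver IP> <expected LAN IP> (needs dig and curl).
diagnose() {
    answer=$(dig +short @"$2" "$1" A | tail -n 1)   # same query as the thread's nslookup
    echo "resolver $2 answered '${answer:-<none>}': $(check_resolution "$answer" "$3")"
    trace=$(curl -vvvI --max-time 10 "https://$1/" 2>&1)
    echo "https://$1/ -> $(classify_curl_trace "$trace")"
}

# Constructed trace shaped like the one posted above (sample data).
SAMPLE_TRACE='* Host sub.domain.tld:443 was resolved.
* IPv4: 192.168.1.10
*   Trying 192.168.1.10:443...
* connect to 192.168.1.10 port 443 from 192.168.1.50 port 57824 failed: Connection refused
curl: (7) Failed to connect to sub.domain.tld port 443 after 1 ms: Could not connect to server'

if [ "$#" -ge 3 ]; then
    diagnose "$1" "$2" "$3"
else
    echo "sample resolved to: $(resolved_ip_from_trace "$SAMPLE_TRACE")"
    echo "sample verdict: $(classify_curl_trace "$SAMPLE_TRACE")"
fi
```

Run it with no arguments to classify the sample, or on the LAN as `sh split_dns_check.sh sub.domain.tld AGH.IP.Address Unraid.IP.Address` to test the live setup. A `split_dns_ok` plus `connect_refused` result, which is what the posted trace shows, means the AGH rewrite is doing its job and the fault is on the proxy side (nothing answering on Unraid.IP.Address:443), as theit8514 notes.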