Yes your description is just right and is the heart of my question. To use your terminology:

Currently:

• Away from home: Phone -> VM -> Home Server
• At home: Phone -> VM -> Home Server (inefficient!)

Ideally:

• Away from home: Phone -> VM -> Home Server
• At home: Phone -> Home Server

In the ideal case, I would never have to change anything about the wireguard config/status on the Phone, nor would I have to change the domain name used to reach the resource on the Home Server.

Oh hm I didn’t think about your last point, maybe it’s not really an issue at all. I think I’m not 100% on how the wireguard networking works.

Suppose I tunnel all of my traffic through wireguard on the remote server. Say that while I am home, I request foo.local, which on the remote server DNS maps to a wireguard address corresponding to my home machine. The remote will return to me the wireguard address corresponding to the home machine, and then I will try and go to that wireguard address. Will the home router recognize that that wireguard address is local and not send it out to the remote server?

Yes that would work, but it feels a bit cumbersome to have 2 fqdns per service, which I would have to switch between using depending on on whether I’m local or not.

Right but I want to be connected to wireguard always, I just want the DNS/routing to be different based on home vs foreign network.

And so when away do you just directly connect to the external IP and do port forwarding?

So you have a public DNS record pointing to your home IP?

I think tailscale would work, though I’d ideally want to use something like headscale instead, but that’s a bit of a logistical hastle for my setup. Do you know if pangolin can handle this as well?