by salamander014 801 days ago
Hey cool project! I had the same need, and solved it a very different way.

I set up a wireguard server on a publicly accessible VPS.

The neat part about using "lscr.io/linuxserver/wireguard:latest" is that it allows me to codify the number of clients I need. This includes both endpoints and source devices.

The second thing I did was separate out the "networking" bits from the "userspace" bits, meaning it doesn't matter what port the service is running on. The client can hit it.

Taking that one step further, I just combined the above with haproxy and set my application ports there. This means I can hit haproxy on "someport" inside the VPN and it'll forward to whatever service I've got configured on that "client" that haproxy can see on its LAN.

Works great, currently running a simple web page off the whole thing, where you connect to VPS and it tunnels the actual HTTP connection into kubernetes in my house.

I was thinking about writing this all up one day, but there's some cleanup to be done. Oh well.

2 comments

VPN traffic is decrypted at VPS. TLS encryption may also be terminated by the reverse proxy.

A mesh VPN will give you a point-to-point tunnel. Even HTTP will be secure.
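As an added illustration (not the commenter's own configuration) of the VPS-plus-haproxy layout described in the parent comment, and of the decryption point raised in this reply: a WireGuard peer whose AllowedIPs routes the home LAN through the tunnel, and an haproxy frontend bound only to the VPS's tunnel address that forwards in TCP mode, so TLS from a browser to an HTTPS service at home is not terminated on the VPS. All addresses, ports and key names are placeholders.

```ini
# ---- /config/wg0.conf on the VPS (WireGuard server) ----
[Interface]
Address    = 10.13.13.1/24          # VPS end of the tunnel
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>      # placeholder

[Peer]
# Home client that exposes its LAN. AllowedIPs installs a route for
# 192.168.1.0/24 via this peer, so the VPS can reach the home LAN.
# The home client must enable IP forwarding and SNAT replies from
# its LAN interface (or the LAN needs a route back to 10.13.13.0/24).
PublicKey  = <HOME_PUBLIC_KEY>      # placeholder
AllowedIPs = 10.13.13.2/32, 192.168.1.0/24

[Peer]
# Laptop / phone that only needs to reach haproxy on the VPS.
PublicKey  = <LAPTOP_PUBLIC_KEY>    # placeholder
AllowedIPs = 10.13.13.3/32

# ---- /etc/haproxy/haproxy.cfg on the VPS ----
global
    log stdout format raw local0

defaults
    log     global
    mode    tcp                     # raw TCP passthrough: no TLS termination here
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Bind only on the tunnel address, so the port is reachable from VPN
# peers but never from the public Internet.
frontend home_web
    bind 10.13.13.1:8443
    default_backend home_web

backend home_web
    # HTTPS ingress on the home LAN, reached over the WireGuard route above.
    # In tcp mode the TLS session runs end to end between the browser
    # and this server; the VPS only sees WireGuard-decrypted ciphertext.
    server k8s_ingress 192.168.1.10:443 check
```

From a VPN peer, https://10.13.13.1:8443 then lands on the home ingress with its own certificate; a plain-HTTP backend would still be readable on the VPS after WireGuard decryption, which is the point the reply makes.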

Sounds pretty cool, I have done some similar things in the past using a VPN to proxy backwards into my home network (hello fellow k8s at home user). I think in this case I wanted to basically set up my one nginx config and never have to change the web server config again and support arbitrary services in the future. I've never used haproxy before, but I wonder if there could be some room for improvement (read: not using unix domain sockets) by using a web server that can dynamically detect upstreams in a particular set of ports. E.g. if all my "tunnel" ports are on localhost:8000-9000, it can dynamically pick them up. I guess I still wouldn't know how to answer the "pick a name for the tunnel at runtime" problem, but it's definitely something worth exploring further!

If I was doing something that I intended to have running more than an hour or two at a time, I would 100% do something more like what you're describing haha.