Unable to reach self-hosted HTTPS services through Wireguard
The crux of the issue I'm experiencing is that I have several services hosted from my home network and available at <service>.mydomain.com that are accessible over the public Internet, but I'm unable to access them from any devices that are connected to a Wireguard server (which lives on the same machine that hosts the web services).
Here's what I've got, setup-wise:
Server
I'm running an Unraid server that is hosting several Docker containers, in addition to a Wireguard server. Many of the Docker containers are running web services that are fronted by a Caddyserver instance (also running as a Docker container).
Gateway/Switch
I'm running a Unifi Security Gateway and a Unifi Switch Lite. I have a few forwarded ports (80 and 443 are forwarded to the Caddy container, for example).
I also have a static route set up for Wireguard, where the "Destination network" is the Wireguard tunnel subnet configured by Unraid's Wireguard server, and the "Next hop" is the Unraid host IP address. I had to set this up so that Wireguard clients/peers could access containers running on dedicated IP addresses, like my DNS server.
Clients
I've got several clients, all experiencing this issue. I've been testing on my iPhone and my laptop running Fedora (debugging mostly on Fedora).
What I've tried/learned
If I try to curl one of my web services, here's what I get:
$ curl -v https://<service>.mydomain.com
* Trying <my WAN IP>:443...
This will just hang forever.
I tried running tcpdump to see if I could get any more info:
$ tcpdump src fedora and dst <unraid host LAN IP>
13:46:49.362999 IP fedora > <unraid host LAN IP>: ICMP host fedora unreachable - admin prohibited filter, length 68
Surprisingly (to me, at least), I don't see any traffic to <my WAN IP> in tcpdump, except for the Wireguard traffic. When I'm not connected to Wireguard, the above curl request would only generate traffic to <my WAN IP>, even when I'm on my home network. I don't know what's different here.
Weirdly, I can ping <my WAN IP> with no issues. I can also ping <unraid host LAN IP>, as well as curl --resolve <service>.mydomain.com:443:<unraid host LAN IP> https://<service>.mydomain.com. I can also ping <my gateway LAN IP>, and I can ping <my WAN IP>! Seemingly the only issue I have is with specifically making an HTTPS request to my WAN IP, which I'm having a lot of trouble reasoning about.
I've also tried disabling the static route mentioned above, as well as turning on the "Local server uses NAT" setting, which is usually turned off (so that connections from the tunnel go through the gateway and can access the DNS VLAN).
I would absolutely love some help, if anyone has any ideas, or even just tips for debugging! Happy to provide more details if anyone can think of anything that would be useful.
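Added example (not part of the post, and not Unraid's or WireGuard's code) of the client-side decision behind the tcpdump observation above: every AllowedIPs prefix becomes a route to the tunnel interface and the kernel picks the longest-prefix match, so with a full-tunnel peer the request to the WAN IP enters wg0 and only encrypted WireGuard traffic is visible on the physical NIC. All addresses, the tunnel subnet and interface names are constructed assumptions.

```python
"""Model of the client-side route decision a WireGuard peer makes: every
AllowedIPs prefix becomes a route to the tunnel interface, and the kernel then
picks the longest-prefix match for each destination."""
import ipaddress

# Constructed sample values (documentation/private ranges), not from the post.
HOME_LAN = "192.168.1.0/24"    # the Unraid host's LAN
TUNNEL = "10.253.0.0/24"       # assumed WireGuard tunnel subnet
WAN_IP = "192.0.2.10"          # stands in for <my WAN IP>
LOCAL_NET = "172.16.5.0/24"    # network the client is physically on

def expand_allowed_ip(prefix: str) -> list:
    """0.0.0.0/0 is installed by many clients as 0.0.0.0/1 + 128.0.0.0/1 so that
    it beats the existing default route on prefix length; model that here."""
    net = ipaddress.ip_network(prefix)
    return list(net.subnets(prefixlen_diff=1)) if net.prefixlen == 0 else [net]

def build_routes(allowed_ips: list, local_net: str = LOCAL_NET) -> list:
    """(network, interface, metric): directly connected + default via eth0,
    then one tunnel route per AllowedIPs entry (lower metric than the default)."""
    routes = [(ipaddress.ip_network(local_net), "eth0", 100),
              (ipaddress.ip_network("0.0.0.0/0"), "eth0", 100)]
    for prefix in allowed_ips:
        routes += [(net, "wg0", 50) for net in expand_allowed_ip(prefix)]
    return routes

def select_iface(dst: str, routes: list) -> str:
    """Longest prefix wins; metric breaks ties (lower is preferred)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    _net, iface, _metric = min(candidates, key=lambda r: (-r[0].prefixlen, r[2]))
    return iface

def where_does_it_go(allowed_ips: list) -> dict:
    """Interface used for the public WAN IP, a home LAN host and a tunnel peer."""
    routes = build_routes(allowed_ips)
    return {name: select_iface(ip, routes) for name, ip in
            [("wan", WAN_IP), ("lan_host", "192.168.1.20"), ("tunnel_peer", "10.253.0.1")]}

if __name__ == "__main__":
    # Full tunnel: the HTTPS request to <my WAN IP> enters wg0, so the only
    # traffic visible on the physical NIC is the encrypted WireGuard UDP flow.
    print("full tunnel :", where_does_it_go(["0.0.0.0/0"]))
    # Split tunnel: only the tunnel subnet and home LAN use wg0; the public
    # WAN IP leaves via eth0 exactly as it does with WireGuard disconnected.
    print("split tunnel:", where_does_it_go([TUNNEL, HOME_LAN]))
```

Comparing the two dictionaries shows which peer configuration sends the WAN-addressed request through the tunnel, where the server side then has to route or hairpin it back to the Caddy container.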