An issue with his remote setup is that the remote VPS decrypts packets from the remote laptop, then re-encrypts them for the LAN — this means that the remote VPS can see the plaintext of all those packets. He’ll need to layer TLS or something similar, or run Wireguard over Wireguard.

As somebody with a very similar setup, all the things I'm making accessible over the Wireguard network are HTTPS, SSH, etc. The handful of things that couldn't do native TLS (or were irritating to get configured with automated TLS certs) I stuck behind nginx for TLS.

Short of setting up DNS validation and using a 3rd-party DNS service, as many registrars don't support an API for DNS management, how is domain validation done for acquiring TLS certs when serving only via WireGuard?

There's the private CA route, but it's a pain to set up the certs on all (mobile) devices, and Android makes it very scary and hard.

I use https://github.com/go-acme/lego and DNS validation. I'm not sure what DNS provider you're using, but a ton of them have robust APIs. In my case, I'm using Route53 which is notable in that I can generate API credentials that can only update the specific record needed for a particular name's ACME validation record.

Here's a list of supported providers: https://go-acme.github.io/lego/dns/

And in case you're curious, the API perms dance to do specific-record updates: https://github.com/armorfret/terraform-aws-r53-certbot/blob/...
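As an added illustration of the scoped-credential approach described above (not the linked Terraform module's own code), here is an IAM policy that allows a lego/route53 identity to change only the `_acme-challenge` TXT record for one name, using Route 53's record-level condition keys; the zone ID and the hostname are placeholders to substitute:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LegoNeedsToPollChangeStatus",
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Sid": "LegoLooksUpTheZoneByName",
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    },
    {
      "Sid": "ReadRecordsInOneZoneOnly",
      "Effect": "Allow",
      "Action": "route53:ListResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/ZONE_ID_PLACEHOLDER"
    },
    {
      "Sid": "WriteOnlyTheAcmeChallengeTxtRecord",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/ZONE_ID_PLACEHOLDER",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
            "_acme-challenge.service.example.net"
          ],
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
        }
      }
    }
  ]
}
```

The normalized record name must be lowercase without a trailing dot, and because every record in the change batch must match the condition, a leaked key cannot rewrite the zone's A or MX records even though it can answer the ACME challenge.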

Author here! Indeed, it is mostly HTTPS terminated by Caddy in the server at home. Otherwise, it is SSH.

WireGuard over WireGuard (WireGuard end-to-end encrypted hub and spoke) example https://www.procustodibus.com/blog/2021/12/wireguard-e2ee-hu...

What options are available to use a remote VPS to facilitate connecting Wireguard directly through the CGNAT? It seems most "client" devices are going to be behind at least some kind of NAT as well.

STUN and TURN are what tail/headscale use. Basically, you can use whatever you want to map ports, but if you want to hole-punch you are probably going to have to use something off the shelf or write your own client to integrate wg and the hole-punching logic.