Best option to set up a site with https for lan access only?

[peterge1998]

I have NPM up and running. What’s the best option for homelab sites with an ssl certificate that I do not want publicly available?
I already tried the nginx http access stuff, which works but I am facing problems with limited ip tracking on apple devices and problems when accessing my lan sites through vpn.
Another idea would be a second NPM instance, that’s accessible from lan only and that gets certs via dns from netcup. But I had problems requesting certs through the api before with caddy, because the netcup api is shit…
And currently I am facing the „another certbot instance is already running“ error when I try request via dns…

[deployn]

I am not sure about the "best" way. What I do is to have a local DNS server that routes my domain directly into npm, therefore the IP address is in the 192.x.x.0/24 range. I can only allow requests coming from this range.

German guide

[peterge1998]

I see you are doing what I want to achive too. In my case it does not work.

My Access rule is set up like this:
Allow 10.0.0.0/8 to allow everything in my home network.
Deny all does deny everything else.

My wireguard clients get a 10.7.0.5/24 ip, which is inside 10.0.0.0/8. But I cant connect to sites that have this rule enabled.
My wireguard server has 10.0.4.116 and my DNS has 10.0.4.102.

From what I understand the rule, it should work, because the IP of VPN clients is inside 10.0.0.0/8. But it doesnt. Any idea why?

[deployn]

Check where the request is coming from. My guess is that the 10.something IP is only internal. But the request comes from something else. Another option is that the DNS sever doesn't route the local domain.

[deployn]

And you should deactivate IPv6 if you haven't done this already.

[peterge1998]

Why? To match my ipv4 allow subnet?
Already did this