

Why the downvote?




Don’t worry, there’s no deadline here. I’m not sure I got it so I’ll try to explain what I understood. You’re saying that I have to set a single IP address for the client, and allow that single address to connect to the service on port 8080 on 192.168.10.1 in the firewall, right? I’m not too confident in my ability to configure the firewall, so I thought that completely isolating the subnet 192.168.2.0 and then forwarding a single port to it was the safe choice.


Now I have. Is this a roundabout way to say you did not appreciate my touchpad art? /j


If I understood correctly I should either get a VPS to host Pangolin or use their cloud. This would increase the costs right?


Could you elaborate on what you mean by setting the allowed IPs? Yes, without TLS.


Isn’t Pangolin just a reverse proxy?


I’m not sure if I understood, but on the host there are other services I do not want to share outside my LAN. My goal was to share a single service.


I know about Tailscale, but since it’s a commercial service I’m not keen to adopt it and then maybe they stop having a free tier. I’ll look into Headscale instead, I did not know about that before.


Thanks for the link, I did not know this service. I’m still a bit reluctant to use commercial solutions which may do a rug pull in the future.


The service runs on another machine with address 192.168.1.10, so a different subnet than the WireGuard one, hence the port forward. I confirmed that this works: I can reach the service from my phone on mobile data connected to the WireGuard endpoint.
wg1 is in zone dmz
this is the port forward
I think this video explains it better than I could do https://videos.elenarossini.com/w/64VuNCccZNrP4u9MfgbhkN
From what I found, it’s a reverse proxy
Or eating habits