Is it possible to have jellyfin.example.com resolve to an internal IP while I’m on my LAN, but use the same domain via Pangolin Wireguard when I’m outside? I want to avoid routing local traffic through the VPS when I’m at home.
Yes, you can achieve this with split DNS, where your domain (e.g., jellyfin.example.com) resolves to the local IP (e.g., 10.30.30.25 for Jellyfin) when on your home LAN, but points to your Pangolin-exposed endpoint (via wg tunnel) when outside. This keeps local traffic direct and efficient, avoiding the VPS round-trip. Pangolin handles the external access by proxying the domain through its dashboard-configured resource, which tunnels via WireGuard to your home setup.
Here is an end-to-end example incorporating your wg/Proxmox setup and the split DNS integration. I’ll use Pi-hole for the DNS (easy to run in an LXC on Proxmox), assuming your public DNS (e.g., Cloudflare) has jellyfin.example.com as a CNAME to your Pangolin resource domain (e.g., jellyfin.pangolin.yourvps.com).
Step 1: Make sure your base setup works (wg + Jellyfin via Pangolin)
- Change Pangolin resource upstream to `http://100.89.x.x:8096` (use HTTP, not HTTPS, unless Jellyfin is TLS-enabled internally).
- In wg LXC: verify rules with `iptables -t nat -L -v -n` (look for hits on access). Test local curl: `curl http://10.30.30.25:8096`.
- In Pangolin dashboard: confirm the resource is tied to the wg site. Test tunnel: SSH to VPS, `docker exec -it gerbil curl http://100.89.x.x:8096`.
- Proxmox: make sure LXCs are on the same bridge, privileged for iptables, and no firewalls block inter-LXC traffic.
Once external access works (e.g., jellyfin.example.com loads via Pangolin from outside), proceed to split DNS.
Step 2: Set Up Split DNS with Pi-hole in a Proxmox LXC
- Create Pi-hole LXC:
  - In Proxmox web UI: Create a new privileged LXC (Ubuntu 22.04 template), assign it to the same bridge as your other LXCs (e.g., vmbr0). Give it a static IP (e.g., 10.30.30.10).
  - SSH into the LXC and install Pi-hole: `curl -sSL https://install.pi-hole.net | bash`. Set a web password during install.
- Add Local Override in Pi-hole:
  - Access Pi-hole UI: http://10.30.30.10/admin (from LAN).
  - Go to “Local DNS” > “DNS Records”:
    - Domain: jellyfin.example.com
    - IP Address: 10.30.30.25 (Jellyfin’s local IP)
  - Save. This overrides public resolution for LAN queries.
- Configure Your Network to Use Pi-hole DNS:
  - On your router: Set DHCP DNS to 10.30.30.10 (primary) and a fallback like 8.8.8.8 (secondary). This auto-configures all LAN devices (phones, PCs, etc.).
  - For Proxmox host/LXCs: Edit `/etc/resolv.conf` or DHCP settings to use 10.30.30.10.
  - Pangolin Integration Note: Your external resolution stays public—Pangolin’s resource domain (e.g., via Cloudflare CNAME) points to the VPS, which tunnels via WireGuard. No changes needed in Pangolin dashboard.
- Test the Split:
  - On LAN (home Wi-Fi): `nslookup jellyfin.example.com` → Should return 10.30.30.25. Browser access loads directly (local, fast, no VPS).
  - Outside (mobile data): `nslookup jellyfin.example.com` → Returns Pangolin/VPS IP. Access tunnels through WireGuard (external, secure).
  - Edge Case: If on VPN to home, it uses local DNS. For HTTPS, configure Jellyfin for local TLS if needed, but Pangolin handles external TLS.
Tips and Troubleshooting
- Pangolin-Specific: If using multiple resources, add more local DNS entries (e.g., for Emby). WireGuard’s PersistentKeepalive=5 helps NAT stability.
- Security: Block WAN access to Pi-hole (port 53) in your router firewall. Use Pi-hole’s ad-blocking for bonus LAN protection.
- Alternatives: If no extra LXC, run Pi-hole in Docker on Proxmox host or use your router’s built-in DNS (e.g., OpenWRT’s dnsmasq with `address=/jellyfin.example.com/10.30.30.25`).
- Issues?: Check Pi-hole query log for resolutions. If external still overrides locally, flush DNS cache (`ipconfig /flushdns` on Windows, `systemd-resolve --flush-caches` on Linux).
This single setup gives access: local when home, tunneled via Pangolin/wg when away.
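The "Test the Split" step above, as an added example that is not part of the original reply: a stdlib-only Python check that sends the same A query to each resolver a LAN client may be handed and reports whether that resolver answers with the internal (private) or the external view. The resolver addresses are the ones used in the reply; the function names are this example's own.

```python
import ipaddress, os, socket, struct

def build_query(name, qid):
    """Encode a recursive A/IN query for `name`; `qid` is the 2-byte query ID."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split(".")) + b"\x00"
    return qid + struct.pack(">HHHHH", 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while msg[off] and (msg[off] & 0xC0) != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # a pointer is 2 bytes, the root label is 1

def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section, skipping CNAMEs."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return ips

def view(ips):
    """Say which side of the split an answer set belongs to."""
    sides = {"internal" if ipaddress.ip_address(i).is_private else "external" for i in ips}
    return "mixed" if len(sides) > 1 else sides.pop() if sides else "none"

def audit(name, resolvers, timeout=2.0):
    """Ask each resolver for `name` over UDP and report the view it serves."""
    report = {}
    for label, server in resolvers.items():
        qid = os.urandom(2)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qid), (server, 53))
            resp = s.recv(512)
        report[label] = view(parse_a_records(resp)) if resp[:2] == qid else "id-mismatch"
    return report

if __name__ == "__main__":
    # Resolvers named in the reply above: Pi-hole on the LAN and the 8.8.8.8 fallback.
    print(audit("jellyfin.example.com", {"pi-hole": "10.30.30.10", "fallback": "8.8.8.8"}))
```

A resolver that reports `external` from inside the LAN means clients using it reach Jellyfin through the VPS rather than directly.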
Thanks for the long response, but I’ve got some questions. Is this possible with AdGuard Home? And I’m using my UniFi router as a WG client connected to Pangolin. I’ve got an Nginx Proxy Manager running and have some domains with radarr.local.example.com and have a wildcard domain *.example.com pointed at my Pangolin setup. With this setup I’ll have 2 domains for Jellyfin: jellyfin.local.example.com internal and jellyfin.example.com external. Internally I’ve a DNS rewrite in AdGuard with *.local.example.com pointing to nginx with a wildcard cert. I can’t add a port number in AdGuard. However, that’s not great because I’ll need to switch URLs. Do I need to set up a CNAME?
You can override any domain locally with AdGuard. When talking about split DNS, it usually means using the same domain name internally and externally but returning different IP addresses in the internal network to avoid routing traffic through the gateway. So in this case:
public DNS, jellyfin.example.com → 104.18.26.120 (Pangolin)
adguard DNS, jellyfin.example.com → 10.0.0.20 (NPM)
This is also how I do it in my home network. You cannot set ports via DNS. I recommend using either standard HTTP/HTTPS ports or using the same ports on both internal and external endpoints.
Thanks! Much easier than I thought. I didn’t know that it was possible to have 2 wildcard certs for the same domain.