What is the correct way to reach home resources via the same URL, whether local or remote, and without internet?

I currently have Pangolin set up normally on a VPS, with Cloudflare A and wildcard records for my domain name pointing to it. External access works perfectly, as does internal LAN access when internet is active. If the internet goes down, of course DNS isn’t able to resolve the addresses. I’d like to keep all DNS requests local when on the LAN. I also have some resources I’d like to keep 100% locally accessible only, but still use a nice URL like https://subdomain.domain.com

So the question is, how can I keep my domain URLs accessible locally without having to go out to Cloudflare for DNS, while also leaving all external access to the Pangolin tunnel? Some discussions suggested setting up a local DNS rewrite, so I tried this with AdGuard Home, but unfortunately it only works for services running on port 80, as I’m not able to define a port number in the rewrite.

The other suggestion is to set up a second locally hosted reverse proxy, which is what I’d like to try next. The question then is which flavor would make this easiest? How do I set it up in a way that makes sure it doesn’t interfere with anything Pangolin is already doing? Or is there a much simpler solution that I haven’t thought of? Thanks

1 Like

I can tell you how I have mine set up. I have two Pangolin instances, one for internal (running within Tailscale and also within my home network) and one for external. I have a single DNS provider, NextDNS, as I really don’t want to manage DNS (because when DNS goes down everything goes down, so I trust it to a third party). Within my home network I have set up DNS on my router to route *.int.domain.tld to my internal proxy. This means I can access my internal services over my tailnet (internal) and also on my home network, all from one proxy.

If any of what I said doesn’t make sense please let me know, I’ll try my best to elaborate. Sadly I have to manage two reverse proxies, but then both proxies don’t even talk to each other unless I want to proxy an internal service externally, which doesn’t make sense as I can update my ACL rules for the external proxy to access said internal service.

3 Likes

Hi,

I use split-DNS and nginxproxymanager internally.

*.mydomain.com points to my public Pangolin instance, and on my AdGuard at home *.mydomain.com points to the NPM.

LE DNS challenge with API for the certs …

My problem seems to be with getting the certs. Will Let’s Encrypt allow the internal NPM to get certs for the same domain name when the DNS record is pointed to the VPS?

1 Like

Only with DNS challenge! No port 80 forwarding needed.

You can set the entries in your zonefile manually or via API.

1 Like

Prior to setting up Pangolin, I had Caddy on my LAN, with DNS rewrites pointing toward it. When I set up Pangolin, I just left it as it was.

1 Like

Thanks, I haven’t had time to dive back into this recently, but I am going to give it another shot, take Pangolin out of the mix and start from the local RP like you suggested. Cheers

1 Like

Just want to chime in and say I finally have it working. Thank you to everyone who offered tips! I know this is baby steps stuff for a lot of people here, but I’m going to post my solution in case any other noobs like me come across this thread in the future.

Traefik internally for reverse proxy of all resources I want named and given certifications, (man that was a difficult one to get working, maybe go Caddy). Cloudflare DNS-01 challenge to pull Let’s Encrypt certs (which works no matter where your DNS records are pointed, took a while to understand that).

Initially I tried to use AdGuard Home for local DNS rewrites but had all kinds of issues that I still can’t explain. I finally gave in and switched to PiHole and now it’s working (possibly due to the way PiHole has options for DNS and CNAME records?).

PiHole is doing internal DNS records, and my Unifi gateway is set to look at PiHole as primary DNS. The (most frustrating for me) trick was figuring out how to configure PiHole correctly. For local PiHole DNS records, there is only one: traefik.mydomain.com > 192.168.1.X (Traefik address).

The rest of the services are individually set up as CNAME records in PiHole pointed to the Traefik URL, such as: home-assistant.mydomain.com > traefik.mydomain.com. I don’t know how many videos and google searches it took to make this sink in. I was hoping a wildcard would work here to save a bunch of typing, but no such luck, I have to enter them all individually.

Once that’s working and all resources are available locally, even with the internet down, it’s time to work on external access. Cloudflare wildcard DNS records are pointed to the Pangolin on the VPS. Newt sits locally to make the tunnel work. Pangolin is pointing resource URLs to the Traefik URL again (service.mydomain.com > traefik.mydomain.com), with TLS enabled.

Gotchas that cost me a lot of wasted time: browser DNS caching. Use private windows and close them periodically to flush the cache. If you’re on Mac and primarily use Safari, but want to test in other browsers, make sure you go into the macOS security settings and allow Firefox/Chrome/etc. to have local access to discover devices. I had no idea this setting would prevent webpages on local servers from loading. I about pulled my hair out. Oh, and probably just go Caddy unless you hate yourself and want to waste days learning how Traefik works for no good reason!

Hope this helps. Also, feel free to chime in if there is a better way to do this stuff.

My next step will be trying to get this all working with Netbird or maybe Headscale, and PocketID or Authentik.

3 Likes
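The local-DNS half of the solution above (one A record for the proxy, a CNAME per service) and the `*.int.domain.tld` wildcard from the earlier reply both come down to a handful of dnsmasq lines plus a check that no name accidentally falls through to the upstream resolver. The script below is an added example for this thread, not code from Pangolin, Traefik or Pi-hole: it generates the records in the two formats Pi-hole v5 stores them in (hosts-style lines in `/etc/pihole/custom.list` and `cname=alias,target` lines in `/etc/dnsmasq.d/05-pihole-custom-cname.conf`; those paths are an assumption for v5 and differ in v6), renders dnsmasq's own `address=/zone/ip` directive for a whole wildcard zone, and then resolves every name purely against the local records to flag any CNAME that would be forwarded upstream (and so fail with the internet down) or that loops. The hostnames and the `192.168.1.10` proxy address are constructed placeholders, not the poster's real values.

```python
"""Generate and audit Pi-hole/dnsmasq records for a split-DNS reverse-proxy layout.

Added example for this thread; not code from Pangolin, Traefik or Pi-hole.
File paths, hostnames and the proxy IP below are assumptions/placeholders.
"""
from __future__ import annotations

import ipaddress

# Constructed inputs (placeholders, not values from the original posts).
PROXY_NAME = "traefik.mydomain.com"
PROXY_IP = "192.168.1.10"
SERVICES = ["home-assistant.mydomain.com", "grafana.mydomain.com"]


def build_records(proxy_name: str, proxy_ip: str, services: list[str]):
    """Return (a_records, cname_records): one A record for the proxy, one CNAME per service."""
    ipaddress.ip_address(proxy_ip)  # raises ValueError on a malformed address
    a_records = {proxy_name: proxy_ip}
    cnames = {svc: proxy_name for svc in services}
    return a_records, cnames


def render_pihole_hosts(a_records: dict[str, str]) -> str:
    """hosts(5)-style lines, the format Pi-hole v5 keeps in /etc/pihole/custom.list (assumed path)."""
    return "".join(f"{ip} {name}\n" for name, ip in a_records.items())


def render_dnsmasq_cnames(cnames: dict[str, str]) -> str:
    """dnsmasq 'cname=alias,target' lines (Pi-hole v5 writes these to 05-pihole-custom-cname.conf)."""
    return "".join(f"cname={alias},{target}\n" for alias, target in cnames.items())


def render_dnsmasq_wildcard(zone: str, ip: str) -> str:
    """dnsmasq 'address=/zone/ip' answers the zone and every name under it with one IP.

    This is what a '*.int.domain.tld -> internal proxy' rule looks like when the
    resolver is dnsmasq; drop it in a file under /etc/dnsmasq.d/ (assumed location).
    """
    ipaddress.ip_address(ip)
    return f"address=/{zone}/{ip}\n"


def resolve_locally(name: str, a_records: dict[str, str], cnames: dict[str, str],
                    max_hops: int = 8) -> str:
    """Follow the CNAME chain using only the local records.

    Returns the IP when the name is answered locally. Raises LookupError when the
    chain reaches a name with no local record (dnsmasq would forward that query to
    the upstream resolver, which is exactly what breaks when the internet is down)
    or when the chain loops.
    """
    seen: set[str] = set()
    for _ in range(max_hops):
        if name in a_records:
            return a_records[name]
        if name in seen:
            raise LookupError(f"{name}: CNAME loop")
        if name not in cnames:
            raise LookupError(f"{name}: no local record, query would be forwarded upstream")
        seen.add(name)
        name = cnames[name]
    raise LookupError(f"{name}: CNAME chain longer than {max_hops} hops")


def audit(a_records: dict[str, str], cnames: dict[str, str]) -> dict[str, str]:
    """Map every configured name to its local answer, or 'LEAK: <reason>' if it would not stay local."""
    report: dict[str, str] = {}
    for name in list(a_records) + list(cnames):
        try:
            report[name] = resolve_locally(name, a_records, cnames)
        except LookupError as exc:
            report[name] = f"LEAK: {exc}"
    return report


if __name__ == "__main__":
    a_recs, cname_recs = build_records(PROXY_NAME, PROXY_IP, SERVICES)
    # A CNAME to a proxy name that has no local A record: this is the kind of typo
    # that silently sends the query to Cloudflare instead of answering it on the LAN.
    cname_recs["jellyfin.mydomain.com"] = "npm.mydomain.com"

    print("# custom.list"); print(render_pihole_hosts(a_recs), end="")
    print("# 05-pihole-custom-cname.conf"); print(render_dnsmasq_cnames(cname_recs), end="")
    print("# wildcard zone"); print(render_dnsmasq_wildcard("int.domain.tld", PROXY_IP), end="")
    for host, answer in audit(a_recs, cname_recs).items():
        print(f"{host:32} -> {answer}")
```

Running the audit after every change to the Pi-hole records is the quick way to confirm that every `service.mydomain.com` still ends at the Traefik address without touching the upstream resolver; a `LEAK` line is a name that only works while the internet is up.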