I have some self-hosted services running in Docker containers. They are all on the same server (with a static IP).
I was able to configure Traefik (also in a container with Docker Compose) as a reverse proxy with a self-signed certificate in my local network. This was surprisingly easy to do.
Now I want to expose these self-hosted services to the internet so I can access them from everywhere, but only via a VPN tunnel (WG Easy). What I have done so far:
- Configured my router to forward ports 80, 443 and 51820
- Changed the DNS A record of my domain to point to my external IP address (I use Cloudflare DNS)
- Set up WG Easy and Traefik in Docker containers. I'm now able to navigate to https://vpn.my-domain.com (I'll disable this again later and only allow this from my LAN):
```yaml
services:
  wg-easy:
    labels:
      # traefik
      - "traefik.enable=true"
      - "traefik.http.services.WireGuardService.loadbalancer.server.port=51821"
      # http to https
      - "traefik.http.routers.WireGuardRoute.service=WireGuardService"
      # ⚠️ Required:
      # Change this to your host's public address
      - "traefik.http.routers.WireGuardRoute.rule=Host(`vpn.my-domain.com`)"
      - "traefik.http.routers.WireGuardRoute.entrypoints=web"
      - "traefik.http.routers.WireGuardRoute.middlewares=HttpToHttpsRedirectMiddleware"
      # https
      - "traefik.http.routers.WireGuardRouteSSL.service=WireGuardService"
      # ⚠️ Required:
      # Change this to your host's public address
      - "traefik.http.routers.WireGuardRouteSSL.rule=Host(`vpn.my-domain.com`)"
      - "traefik.http.routers.WireGuardRouteSSL.entrypoints=websecure"
      - "traefik.http.routers.WireGuardRouteSSL.tls.certresolver=MainCertResolver"
    environment:
      # ⚠️ Required:
      # Change this to your host's public address
      - WG_HOST=vpn.my-domain.com
      # Optional:
      # - PASSWORD=
      # - WG_PORT=51820
      # - WG_DEFAULT_ADDRESS=10.8.0.x
      # - WG_DEFAULT_DNS=1.1.1.1
      # - WG_MTU=1420
      # - WG_ALLOWED_IPS=
      # - WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt
      # - WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt
      # - WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt
      # - WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt
    networks:
      - traefik_network
    container_name: wg-easy
    image: ghcr.io/wg-easy/wg-easy
    volumes:
      - .:/etc/wireguard
    ports:
      - "51820:51820/udp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1

  traefik:
    image: "traefik:v3.2"
    container_name: "traefik"
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik_network"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.MainCertResolver.acme.tlschallenge=true"
      - "--certificatesresolvers.MainCertResolver.acme.email=my@email.com"
      #- "--certificatesresolvers.MainCertResolver.acme.storage=/letsencrypt/acme.json"
    environment:
      - TZ=Europe/Brussels
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    networks:
      - traefik_network
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./config/dynamic.yml:/etc/traefik/dynamic.yml"
      - "./letsencrypt:/letsencrypt"
      - "./certs/:/etc/certs"

# the network both services join has to be declared, otherwise Compose refuses to start the stack
networks:
  traefik_network:

volumes:
  letsencrypt:
```
Then I created another small test service:
```yaml
  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.my-domain.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=MainCertResolver"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
```
But no matter what I do, if I navigate to whoami.my-domain.com, I get the following response:
If I ping that domain, I can see the DNS A record pointing to my personal external IP address.
Can someone point me in the right direction? Been breaking my head for hours now :)
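As an added example (not the poster's config), here is a whoami service fragment that is attached to the network Traefik is told to watch via `--providers.docker.network` (the posted whoami fragment declares no `networks:`), and that uses a Traefik v3 `ipallowlist` middleware so the router only answers requests coming from the WireGuard subnet. The subnet 10.8.0.0/24 is assumed from the `WG_DEFAULT_ADDRESS=10.8.0.x` default shown above, and the middleware name `vpn-only` is mine.

```yaml
services:
  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    networks:
      - traefik_network   # must match --providers.docker.network, or Traefik cannot reach the container
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.my-domain.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=MainCertResolver"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
      # Allowlist middleware: only source addresses inside the WireGuard subnet are accepted,
      # everything else gets a 403 from Traefik before it ever reaches the service.
      # 10.8.0.0/24 is an assumption taken from the WG_DEFAULT_ADDRESS=10.8.0.x default.
      - "traefik.http.middlewares.vpn-only.ipallowlist.sourcerange=10.8.0.0/24"
      - "traefik.http.routers.whoami.middlewares=vpn-only@docker"

networks:
  traefik_network:
    external: true   # assumption: the network is created by the Traefik/wg-easy stack above
```

Because wg-easy masquerades tunnel traffic by default, Traefik may log the wg-easy container's address rather than a 10.8.0.x address as the source; check the access log for the observed address before relying on the range.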