Great idea, i really hope we see more of that type of local/selfhosting for average folks, its really the only way to save the internet from just being another corporate censorship heavy advertising platform.

In that case you would need to add the peers to the wireguard node you have running in the home lab as well. Wireguard can route peer to peer and will take the shortest path available to it.

That said, i highly recommend first getting things working in a “spoke and hub” style wireguard configuration with either your homelab or the vps as a central peer, then add peers as endpoints after you have everyone with working connections to the central peer. Its just a heck of a lot easier to trouble shoot and get your head around thatway.

deleted by creator

A central wireguard peer on your vps, connect home to vps and direct the wireguard. Add friends as peers on the VPS like such:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVKEY>

# Home
[Peer]
PublicKey = <HOME_PUBKEY>
AllowedIPs = 10.0.0.2/32

# Friend
[Peer]
PublicKey = <CLIENT_PUBKEY>
AllowedIPs = 10.0.0.3/32

Use iptables to Split tunnel traffic

For the home network ip route add 192.168.1.0/24 via 1. 0.2 dev wg0

And for the vpn To route google a .d such

Enable NAT for clients

iptables -t natw POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

You can set the iptables rules to run wjen it comes up

Forgive my formatting. Mobile clients being janky

It sounds like you’ve got the right plan. I use Anubis and fail2ban along with some manual rules on nginx to block AI bots. In my experience Anubis helps a lot, and you can monitor nginx logs over time to for scans and such to make additional ban rules on.

Ive used offtiktok which is self hostable

There is also proxitok

Or you could probably work out something with yt-dlp or one of the front ends for it.