momsi

joined 1 year ago
[–] momsi 2 points 1 year ago

I had authentik before but I found it to be unnecessarily complicated. It's really a nice one-stop shop, doing authentication, authorization, even reverse proxying, but the setup/UI is just ... not very well designed. Or it's so advanced that it's very far from the no-IT-background hobbyist user.

[–] momsi 1 points 1 year ago

Would be nice if each user could add their own bookmarks so they could use the dashboard as new tab default.

[–] momsi 2 points 1 year ago (1 children)

And how do you disable the editing/configuration in Heimdall?

[–] momsi 1 points 1 year ago (1 children)

I just played around a little, and even got it playing nice with authelia quickly. But I find it too loaded for me. Not bad, it's looking awesome, but I really just want a few nice looking bookmarks for when the wife forgets what that one service was called again ;)

[–] momsi 2 points 1 year ago (1 children)

Two things:

192.135.163.0 is not a private IP... the private range would be 192.168.0.0/16. I guess that's because you changed the IPs, but maybe better check that.

And 0.0.0.0/0 means "all IPs" so it doesn't really make sense to put the other one there.

Other than that I don't see anything wrong...

[–] momsi 2 points 1 year ago (3 children)

Can you post your config of the client? Remember to redact sensitive information.

[–] momsi 2 points 1 year ago

By no means an expert, but I'll try: One technique would be asymmetric encryption. Every participant has two keys, a public and a private one. When I want to send you an encrypted message, I encrypt the message with your public key. This key you can make available in any way, it can't be used in a harmful way. The message I encrypted with your public key, you can decrypt using your private key, and only with that. Like this, you only need to exchange public keys used only for encryption. So no useful information for an attacker. And private keys never need to leave your hands.

[–] momsi 1 points 1 year ago (5 children)

Then you would need to put that, and only that IP in the allowed IP section.

[–] momsi 1 points 1 year ago (7 children)

This would tell the peer with this configuration to send all traffic for the whole 192.168.1.0/24 through the tunnel, not sure that is what OP wants. (Didn't look at the link though)

[–] momsi 4 points 1 year ago (2 children)

Probably it would be much easier for you to set up tailscale. Just install it on the system where you host the other services, install it on the other end and use the tailscale IP. It should require minimal effort to set up, with the added benefit of not having ports open, and way easier maintenance.

As for wireguard, the allowed IP section tells which IPs should be routed through the tunnel. It's not that difficult, but hard to wrap your head around at first. A friend of mine also used to use the Fritzbox implementation of wireguard and I remember you need to specifically set up which clients you want the tunnel to have access to.

Have a look at tailscale.
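As an added illustration of the two AllowedIPs points raised in these comments (a non-private entry sitting next to the catch-all 0.0.0.0/0, and AllowedIPs deciding which destinations get routed through the tunnel), here is a small Python check over a constructed `[Peer]` section. This is not code from the thread; the PublicKey placeholder and the sample entries are made up.

```python
import ipaddress

# Constructed sample peer section for demonstration; the entries mirror the
# two problems discussed above (a non-private /24 next to the catch-all 0.0.0.0/0).
SAMPLE_PEER = """[Peer]
PublicKey = <redacted-placeholder>
AllowedIPs = 192.135.163.0/24, 0.0.0.0/0
"""


def parse_allowed_ips(peer_text):
    """Return the AllowedIPs entries of a [Peer] section as ip_network objects."""
    for line in peer_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "AllowedIPs":
            return [ipaddress.ip_network(p.strip(), strict=False)
                    for p in value.split(",") if p.strip()]
    return []


def check_peer(peer_text):
    """Flag non-private entries and entries made redundant by a 0.0.0.0/0 or ::/0 catch-all."""
    networks = parse_allowed_ips(peer_text)
    catch_alls = {n.version: n for n in networks if n.prefixlen == 0}
    findings = []
    for n in networks:
        if n.prefixlen == 0:
            continue  # the catch-all itself is a deliberate "route everything" choice
        if not n.is_private:
            findings.append(f"{n}: not a private range (RFC 1918 is 10/8, 172.16/12, 192.168/16)")
        if n.version in catch_alls:
            findings.append(f"{n}: redundant, {catch_alls[n.version]} already matches every address")
    return findings


def routes_via_tunnel(peer_text, destination):
    """True if traffic to `destination` would be sent through this peer's tunnel."""
    dest = ipaddress.ip_address(destination)
    return any(dest in n for n in parse_allowed_ips(peer_text) if n.version == dest.version)


if __name__ == "__main__":
    for finding in check_peer(SAMPLE_PEER):
        print(finding)
```

With a LAN-only entry such as `192.168.1.0/24`, `routes_via_tunnel` returns True only for addresses in that subnet, which is the "whole 192.168.1.0/24 through the tunnel" behaviour described in the other comment.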

[–] momsi 2 points 1 year ago

To follow up on this: I now use a combination of caddy as reverse proxy and authelia for authentication. In my opinion caddy is the best reverse proxy, it's super lightweight and the caddyfiles are super easy to read. Authelia is surprisingly easy to get set up. I was a bit hesitant because it looked a little overwhelming in the beginning. When you sit down for half a day and dig into it, it's really surprisingly straightforward.

[–] momsi 1 points 1 year ago (1 children)

I found that before and it's really interesting. I didn't really find it easy to understand, though. Maybe I'll look into it again. As I understand it, you wouldn't even need caddy, oauth2-proxy itself can act as reverse proxy, right?
