0.0.0.0/0 already includes 192.168.0.0/16 However if your VPN doesn’t have an “exit node” configure (it’s Tailscale’s name for it but basically it means that there’s no machine configured to connect your tunnel to Internet) there could be issues with retrieving DNS.

I’d suggest making AllowedIP ip your-vpn-net, 192.168.y.0/24

Problem with that setup would be that while on your network with VPN turned on there could be conflicts.

Other solution would be to host a pihole on your wireguard network, use pihole’s wg ip as DNS server in wg configs and in pihole create A record for your servers wg ip and domain name.

If you never set up Traefik I suggest you use Nginx Proxy Manager, it’s waaaay easier to set up, especially if you don’t need the flexibility of Traefik.

DuckDNS provides you with xxx.duckdns.org for free and gives you ability to generate wildcard certificates. What I suggest you do is
1a) host VW locally only 1b) host it so that is accessible only with VPN.
2. In duckdns set ip to you local ip that VW is being hosted on (ie 192.168.1.20) or vpn ip
2. Use Traefik or NPM (or any other reverse proxy) to generate wildcard certificate with dns challange
3. Use Traefik or NPM to point on your device to the port VW is accessible on

I’ve recently started selfhosting email using docker mail server and honestly it’s quite straightforward. I have it on my server at home, all outgoing mail leaves using my home it (and honestly I’m quite impressed because I am behind CGNAT) and incoming mail goes (as the rest of my incoming traffic) through oracle vps via Haproxy (with proxy protocol)

This might sound complicated but honestly I had vps setup earlier so the “extra work” I had to put in was adding few ports to haproxy config using my existing config as a template (had to add like 2 ports)

this is pretty much all the guide you need but for a client input the same information into your wireguard app