There is no need to have them on separate VMs, as containers are already isolated and additional VMs will add more overhead.
It is worth exploring the LXC containers too, even though I prefer Docker with compose for its declarativeness.
Yes, I also heard that he passed, and I really feel bad for the guy, he did an amazing job. Thanks for the link, I didn’t know there was a new place.
Check this project https://github.com/whyvl/wireproxy
I would suggest giving Proxmox a go and virtualise your VMs, as you can easily make snapshots and recover if something goes south.
You can also check https://tteck.github.io/Proxmox/, which contains easily deployable scripts to make your life easier.
I would also try to run everything out of Docker compose and create a repo containing all configuration files.
The whole idea of self-hosted is to build something yourself and learn your way around some new technology or software. Plus building something yourself allows you to change and upgrade it down the path, while Synology doesn’t provide any of the sort.
You are missing the elephant in the room here that this format isn’t royalty free and requires a license and is patented.
Same story with H.265 and AV1 in video. AV1 is a royalty-free video codec while H.265 is patented, so every device that transcodes or encodes to it should pay a royalty fee to the patent holder, but due to the fact that H.265 predates AV1, a lot of devices still don’t fully support AV1.
Also, Apple is always supporting non-open standards in their devices, making the whole interoperability a big mess. For example, HLS vs DASH or FairPlay vs Widevine, and the refusal of Apple to adopt AES-128 CTR to alleviate the problem with interoperability between devices. All of this because they want to extract the maximum profit from their users and lock their users in.
The Lightning cable was a prime example, where Apple put a small DRM chip that needs to authorize that the cable is authentic, otherwise your phone won’t charge. And all of this so that they can charge third-party vendors royalty fees on their cables, and their long-standing refusal to adopt USB-C on the iPhone.
To be honest, I don’t really know, but I know that what you want can easily be solved with a SOCKS5 proxy. I think WireGuard and other VPNs are added to encrypt the traffic. There are also other alternatives to a SOCKS5 proxy that add encryption.
In WireGuard you have those Allowed IPs; you can allow only those IPs to be reachable from outside, and you can configure them per client if I am not wrong. I think the easiest way would be for you to run those services over Docker; that way each server will have an IP from your Docker network and you can isolate the traffic. https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/
My personal suggestion is to spin up a VM, install Debian, Ubuntu, or whatever your poison is, run docker compose or podman compose, spring up a Docker or two and WireGuard, and try to achieve what you want. Heck, you can even run WireGuard from a container. Once confident with your setup, you can migrate it to Nix.
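The AllowedIPs calculation that the linked calculator performs, as an added example that is not part of the original comments: it computes the CIDR list covering a Docker network minus the addresses a client should not reach, and renders the client's `[Peer]` section. The subnet, excluded address, endpoint and key placeholder are constructed values, and the helper names are hypothetical.

```python
import ipaddress

def allowed_ips(allowed, disallowed):
    """Return the minimal CIDR list covering `allowed` minus `disallowed`."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    for block in map(ipaddress.ip_network, disallowed):
        remaining = []
        for net in nets:
            if net.version != block.version or not net.overlaps(block):
                remaining.append(net)      # untouched by this exclusion
            elif block.supernet_of(net):
                continue                   # excluded entirely
            else:
                # block is a strict subnet of net: split net around it
                remaining.extend(net.address_exclude(block))
        nets = remaining
    result = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        same = [n for n in nets if n.version == version]
        result.extend(ipaddress.collapse_addresses(same))
    return [str(n) for n in result]

def peer_section(public_key, endpoint, cidrs):
    """Render a client-side [Peer] section for the given AllowedIPs."""
    return "\n".join([
        "[Peer]",
        f"PublicKey = {public_key}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {', '.join(cidrs)}",
    ])

# Constructed sample values: a Docker bridge network and one service
# address (e.g. an admin panel) this client should not route to.
DOCKER_NET = "172.20.0.0/24"
ADMIN_PANEL = "172.20.0.10/32"

if __name__ == "__main__":
    cidrs = allowed_ips([DOCKER_NET], [ADMIN_PANEL])
    print(peer_section("<server-public-key>", "vpn.example.org:51820", cidrs))
```

On the client, `AllowedIPs` only decides which destinations are routed into the tunnel, and the client controls that file. Restricting what a peer can actually reach needs firewall rules on the server or Docker host as well.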