Hello,

I set up a WireGuard server at home, and it has a public IP address. This server allows the clients to access my LAN (e.g. 192.168.87.0/24) and configures the DNS servers as the DNS servers in my LAN (e.g. 192.168.87.1 and 192.168.87.2).

My family members use their phones (iPhone and Android) to connect to my LAN via the WireGuard for iOS/Android app. This works perfectly while the phones are using the 4G/5G network. But when the phones connect to the Wi-Fi of my home's router, the DHCP assigns the phones IP addresses in 192.168.87.0/24, which is my LAN. In this situation, the phones' owners should manually turn off their WireGuard connection to have internet access.

I guess there is some conflict because the vanilla IP network and the allowed IP network are the same.

So, I have this idea: is it possible to configure the WireGuard app to turn off or disable automatically when the network is established on specific Wi-Fi SSIDs? Or do you have better ideas?

Thanks.
Hello,
On 18.04.22 at 04:12, Nohk Two wrote:
> This server allows the clients to access my LAN (e.g. 192.168.87.0/24) and
[..]
> But when the phones connect to the Wi-Fi of my home's router, the DHCP
> assigns the IP addresses as 192.168.87.0/24, it's my LAN, to the phones.
[...]
> Or do you have better ideas ?
the way I solve this is that I use a slightly larger /23-subnet in the
AllowedIPs=192.168.87.0/23
and when I get a local IP inside 192.168.87.0/24 at home, the kernel
automatically uses the more specific route.
On 18.04.22 04:12, Nohk Two wrote:
> I guess there are something conflict because the vanilla IP network
> and the allowed IP network are the same.
That's right, but you can simply use other IPs for your WG clients
(192.168.187.0/24 or 172.16.0.0/24)
On 22.04.22 at 08:16, Björn Fries wrote:
> the way I solve this is that I use a slightly larger /23-subnet in the
> AllowedIPs=192.168.87.0/23
>
> and when I get a local IP inside 192.168.87.0/24 at home, the kernel
> automatically uses the more specific route.
an example:
my laptop e.g. has
Address = 172.22.247.58/32
PrivateKey = xxx
[Peer]
PublicKey = xxx
AllowedIPs = 172.22.144.1/32, 192.168.0.0/23
Endpoint = myhomeIP:51820
PersistentKeepalive = 25
172.22.144.1/32 is the wireguard-IP of my wireguard-server at home.
This way I can reach for example my printer at 192.168.0.10 even if I am
on the move, because my wireguard server is installed on my router at
home (Unifi USG-3P).
The printer sends its packets for 172.22.247.58 simply to its default
gateway, which is my router/wg-server, that forwards it over wireguard.
When I'm in my network at home, my laptop gets the IP 192.168.1.72/24
and automatically talks to the other devices in the LAN without taking
the wireguard route, because the subnet is more specific.
On 2022/4/22 14:16, Björn Fries wrote:
> Hello,
>
> On 18.04.22 at 04:12, Nohk Two wrote:
>> This server allows the clients to access my LAN (e.g. 192.168.87.0/24)
>> and
> [..]
>> But when the phones connect to the Wi-Fi of my home's router, the DHCP
>> assigns the IP addresses as 192.168.87.0/24, it's my LAN, to the phones.
> [...]
>> Or do you have better ideas ?
>
> the way I solve this is that I use a slightly larger /23-subnet in the
> AllowedIPs=192.168.87.0/23
>
> and when I get a local IP inside 192.168.87.0/24 at home, the kernel
> automatically uses the more specific route.
I think I know your point. And since my network is 192.168.87.0/24, I
have to use 192.168.86.0/23 (not 192.168.87.0/23) in the AllowedIPs,
because "87" is an odd number and it's "1000 0111" in binary.
However, it failed on my Android phone. There is no internet access,
as usual. I didn't try this on the iPhone because Eugenio Tampieri told me
that WireGuard for iOS has the feature I required (and it worked nicely),
but Android does not.
Maybe I have to adjust my LAN's network to an even number to make
enlarging /24 to /23 happy.
Thank you very much.
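Added example, not part of any message in this thread: a small model of the longest-prefix-match behaviour discussed above, showing why `192.168.87.0/23` denotes the same network as `192.168.86.0/23` and which interface wins at home versus away. It assumes a single routing table and the hypothetical interface names `wg0` and `wlan0`; it does not model how the Android app installs routes.

```python
import ipaddress

def covering_supernet(lan):
    """Smallest aligned network one bit wider than the LAN prefix."""
    return ipaddress.ip_network(lan).supernet(prefixlen_diff=1)

def normalise(cidr):
    """Mask off host bits to get the network a prefix actually denotes."""
    return ipaddress.ip_network(cidr, strict=False)

def build_table(allowed_ips, lan=None, wg_dev="wg0", lan_dev="wlan0"):
    """Routes from AllowedIPs plus, when at home, the connected LAN route."""
    table = [(normalise(c), wg_dev) for c in allowed_ips]
    if lan:
        table.append((ipaddress.ip_network(lan), lan_dev))
    return table

def select_route(table, dst):
    """Longest-prefix match; returns the device or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, dev) for net, dev in table if addr in net]
    return max(matches)[1] if matches else None

def is_ambiguous(table, dst):
    """True when two devices tie on prefix length for this destination."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, dev) for net, dev in table if addr in net]
    if not matches:
        return False
    best = max(p for p, _ in matches)
    return len({dev for p, dev in matches if p == best}) > 1

if __name__ == "__main__":
    lan = "192.168.87.0/24"                       # LAN from the thread
    allowed = ["192.168.19.1/32", str(covering_supernet(lan))]
    print("AllowedIPs =", ", ".join(allowed))
    print("87.0/23 normalises to", normalise("192.168.87.0/23"))
    home = build_table(allowed, lan=lan)
    away = build_table(allowed)
    print("home:", select_route(home, "192.168.87.1"))   # LAN /24 wins
    print("away:", select_route(away, "192.168.87.1"))   # only the tunnel /23
    clash = build_table([lan], lan=lan)                   # original setup
    print("tie with /24 in AllowedIPs:", is_ambiguous(clash, "192.168.87.1"))
```
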
On 2022/4/22 17:29, wireguard@qupfer.de wrote:
>
> On 18.04.22 04:12, Nohk Two wrote:
>> I guess there are something conflict because the vanilla IP network
>> and the allowed IP network are the same.
>
> That's right, but you can simply use other IPs for your WG clients
> (192.168.187.0/24 or 172.16.0.0/24)
>
Hello,
I'm not sure if I understand your idea correctly.
It's not easy to configure my router's DHCP server to assign specific IP
addresses (192.168.187.0/24 or 172.16.0.0/24) to the specific phones
which connect to my LAN.
Even if I did it eventually, the phones couldn't access my LAN when
WireGuard is turned off, because "192.168.187.0/24 or 172.16.0.0/24"
can't reach my LAN (i.e. 192.168.87.0/24).
By the way, the WG tunnel interface's IP address (e.g. 192.168.19.0/24)
is already different from my LAN's (i.e. 192.168.87.0/24).
Regards :)
On 2022/4/22 17:51, Björn Fries wrote:
> On 22.04.22 at 08:16, Björn Fries wrote:
>> the way I solve this is that I use a slightly larger /23-subnet in the
>> AllowedIPs=192.168.87.0/23
>>
>> and when I get a local IP inside 192.168.87.0/24 at home, the kernel
>> automatically uses the more specific route.
>
> an example:
> my laptop e.g. has
>
> Address = 172.22.247.58/32
> PrivateKey = xxx
>
> [Peer]
> PublicKey = xxx
> AllowedIPs = 172.22.144.1/32, 192.168.0.0/23
> Endpoint = myhomeIP:51820
> PersistentKeepalive = 25
>
> 172.22.144.1/32 is the wireguard-IP of my wireguard-server at home.
>
> This way I can reach for example my printer at 192.168.0.10 even if I am
> on the move, because my wireguard server is installed on my router at
> home (Unifi USG-3P).
> The printer sends its packets for 172.22.247.58 simply to its default
> gateway, which is my router/wg-server, that forwards it over wireguard.
>
> When I'm in my network at home, my laptop gets the IP 192.168.1.72/24
> and automatically talks to the other devices in the LAN without taking
> the wireguard route, because the subnet is more specific.
I referred to your example and the Android phone is now:
[Interface]
Address = 192.168.19.30/32
DNS = 192.168.87.1, 192.168.87.2
PrivateKey = xxx
[Peer]
PublicKey = xxx
AllowedIPs = 192.168.19.1/32, 192.168.86.0/23
Endpoint = myhomeIP:4999
PresharedKey = xxx
192.168.19.1/32 is the wireguard-IP address of my wireguard-server at home.
It works nicely if the Android phone is on the 4G network. But it still
failed when I connected to my LAN's Wi-Fi (no internet access and no
LAN access). The phone got the LAN IP address 192.168.87.11/24 from
the DHCP server.
Maybe the routing implementation in Android doesn't fit this solution.
Anyway, thank you very much. :)
On 17 Apr 2022, at 21:12, Nohk Two wrote:
> So, I have this idea that if it is possible to configure the Wireguard
> app to turn off or disable automatically when the network is
> established on specific Wi-Fi SSIDs ?
The MacOS WireGuard client has exactly this feature. You can
enable/disable on-demand access for particular SSIDs, and it’s very
useful for a situation where you’re moving your device around, between
home and office say. Any timetable for adding this feature to other
platforms, like Windows or Android?
On 22.04.22 at 13:05, Nohk Two wrote:
> However, it failed in my Android phone.
I don't use wireguard on my phone at the moment, but perhaps there was a
difference whether you use the (non-root) wireguard-go implementation or
the kernel module on Android.
I guess I used the kernel module as I nearly weekly try new custom ROMs
on my phone.
On 2022/4/22 21:40, Björn Fries wrote:
>
>
> On 22.04.22 at 13:05, Nohk Two wrote:
>> However, it failed in my Android phone.
> I don't use wireguard on my phone at the moment, but perhaps there was a
> difference whether you use the (non-root) wireguard-go implementation or
> the kernel module on Android.
> I guess I used the kernel module as I nearly weekly try new custom ROMs
> on my phone.
I just checked my Wireguard for Android App, the settings page shows:
WireGuard for Android v1.0.20211029
Go userspace backend eb6302c
So my wireguard on my Android phone is the non-root wireguard-go
implementation.
That said, I don't use custom ROMs; I always use official ROMs.
At least I can still turn off the wireguard manually. :)
On Fri, Apr 22, 2022 at 2:26 AM Nohk Two <nohktwo@gmail.com> wrote:
> [...]
> So, I have this idea that if it is possible to configure the Wireguard
> app to turn off or disable automatically when the network is established
> on specific Wi-Fi SSIDs ?
>
> Or do you have better ideas ?
As a workaround, you can achieve what you want with tasker.
On 2022/4/23 02:23, Kai Haberzettl wrote:
> On Fri, Apr 22, 2022 at 2:26 AM Nohk Two <nohktwo@gmail.com> wrote:
>>
> [...]
>> So, I have this idea that if it is possible to configure the Wireguard
>> app to turn off or disable automatically when the network is established
>> on specific Wi-Fi SSIDs ?
>>
>> Or do you have better ideas ?
>
> As a workaround, you can achieve what you want with tasker.
Indeed, this "tasker" app might work. Though it's some kind of overkill.
I will consider this workaround on the Android phone when there are no
other solutions.
Thank you very much.