Development discussion of WireGuard
* Wireguard, iPhone, and cruise ships
@ 2024-06-13 14:34 Perry The Cynic
       [not found] ` <CAOG=JUJ=TWZicAd1zfa36GwFBh8EU3bgsO5JRJiEhdhQ1VWf+Q@mail.gmail.com>
  2024-06-13 14:45 ` Antonio Quartulli
  0 siblings, 2 replies; 4+ messages in thread
From: Perry The Cynic @ 2024-06-13 14:34 UTC
  To: wireguard

Dear wg community,

I recently enjoyed a cruise to Alaska. Fun and easy, and with Starlink on board, the WiFi connectivity was actually not bad (some sporadic packet drops, mostly). Sadly, the cruise company’s network unceremoniously drops UDP of most kinds, leading to my Wireguard VPN (to my inside network at home) failing entirely. The cruise line is utterly immovable on this: “it’s someone else’s fault, and how dare you want to do this nonstandard thing?” Yes, I actually talked to their onboard IT guy. “It’s on the network path somewhere, and they don’t even tell me how and why.”

Now I totally understand Wireguard’s attitude towards this: It’s not a “core” wg problem, and should be solved on the outside by whatever tools happen to fit the problem. If this was a linux-to-linux connection, I’d just pop in my favorite TCP-ish tunnel tool and move on. But it’s an iPhone (and iPad). And iOS doesn’t seem to like network composability. At all. Once you move outside the “it’s a VPN endpoint” paradigm, things get stuck very quickly. I realize this is all Apple’s fault, and they should allow building arbitrary network stacks in iOS. But they don’t (yet). NWConnection is getting pretty good, but it requires in-app code composition. AFAIK, you can’t stack two iOS VPNs on top of each other (right?).

So what are the practically available options here? I can set up whatever is needed on the server endpoint (it’s Debian), but what can I do on my phone to make wg work through an HTTP(s)-shaped pinhole? I’d hate to have to ditch wg for some other vpn just for that rare case… but what’s the answer?

And, to prefetch a possible ending of this discussion: if I coded up patches to the iOS client that add some tcp-wrapper option, would you take it?

Cheers
  — perry
---------------------------------------------------------------------------
Perry The Cynic                                             perry@cynic.org
To a blind optimist, an optimistic realist must seem like an Accursed Cynic.
---------------------------------------------------------------------------



* Re: Wireguard, iPhone, and cruise ships
       [not found] ` <CAOG=JUJ=TWZicAd1zfa36GwFBh8EU3bgsO5JRJiEhdhQ1VWf+Q@mail.gmail.com>
@ 2024-06-13 14:42   ` Perry The Cynic
  0 siblings, 0 replies; 4+ messages in thread
From: Perry The Cynic @ 2024-06-13 14:42 UTC
  To: Amir Omidi; +Cc: wireguard

I’m basically coming to the conclusion that it’s not a wg core issue, but it IS an iOS app issue. If iOS won’t support a composition that works, then the app needs to. Somehow.

Cheers
  — perry


> On Jun 13, 2024, at 7:40 AM, Amir Omidi <amir@aaomidi.com> wrote:
> 
> I think there is "technically" a way to put a VPN on a VPN and that is doing one of those VPNs as a configuration profile. I'm not 100% sure about this though.
> 
> I've run into very similar issues to this at various hotels. I've also always wished there was something to do HTTP tunneling on Wireguard officially to help with these awful network setups. But I also understand that's not a core WG issue.
> 
> 
> On Thu, Jun 13, 2024 at 2:35 PM Perry The Cynic <perry@cynic.org> wrote:
> Dear wg community,
> 
> I recently enjoyed a cruise to Alaska. Fun and easy, and with Starlink on board, the WiFi connectivity was actually not bad (some sporadic packet drops, mostly). Sadly, the cruise company’s network unceremoniously drops UDP of most kinds, leading to my Wireguard VPN (to my inside network at home) failing entirely. The cruise line is utterly immovable on this: “it’s someone else’s fault, and how dare you want to do this nonstandard thing?” Yes, I actually talked to their onboard IT guy. “It’s on the network path somewhere, and they don’t even tell me how and why.”
> 
> Now I totally understand Wireguard’s attitude towards this: It’s not a “core” wg problem, and should be solved on the outside by whatever tools happen to fit the problem. If this was a linux-to-linux connection, I’d just pop in my favorite TCP-ish tunnel tool and move on. But it’s an iPhone (and iPad). And iOS doesn’t seem to like network composability. At all. Once you move outside the “it’s a VPN endpoint” paradigm, things get stuck very quickly. I realize this is all Apple’s fault, and they should allow building arbitrary network stacks in iOS. But they don’t (yet). NWConnection is getting pretty good, but it requires in-app code composition. AFAIK, you can’t stack two iOS VPNs on top of each other (right?).
> 
> So what are the practically available options here? I can set up whatever is needed on the server endpoint (it’s Debian), but what can I do on my phone to make wg work through an HTTP(s)-shaped pinhole? I’d hate to have to ditch wg for some other vpn just for that rare case… but what’s the answer?
> 
> And, to prefetch a possible ending of this discussion: if I coded up patches to the iOS client that add some tcp-wrapper option, would you take it?
> 
> Cheers
>   — perry
> ---------------------------------------------------------------------------
> Perry The Cynic                                             perry@cynic.org
> To a blind optimist, an optimistic realist must seem like an Accursed Cynic.
> ---------------------------------------------------------------------------
> 



* Re: Wireguard, iPhone, and cruise ships
  2024-06-13 14:34 Wireguard, iPhone, and cruise ships Perry The Cynic
       [not found] ` <CAOG=JUJ=TWZicAd1zfa36GwFBh8EU3bgsO5JRJiEhdhQ1VWf+Q@mail.gmail.com>
@ 2024-06-13 14:45 ` Antonio Quartulli
  2024-06-13 14:52   ` Perry The Cynic
  1 sibling, 1 reply; 4+ messages in thread
From: Antonio Quartulli @ 2024-06-13 14:45 UTC
  To: Perry The Cynic, wireguard

Hi,

On 13/06/2024 16:34, Perry The Cynic wrote:
> So what are the practically available options here? I can set up whatever is needed on the server endpoint (it’s Debian), but what can I do on my phone to make wg work through an HTTP(s)-shaped pinhole? I’d hate to have to ditch wg for some other vpn just for that rare case… but what’s the answer?

How about simply getting a small travel router that you can install 
between your devices and the uplink connection (being this wifi or 
ethernet)?

The travel router could be running OpenWRT and thus allow you to play 
any wanted trick.

Cheers,

-- 
Antonio Quartulli


* Re: Wireguard, iPhone, and cruise ships
  2024-06-13 14:45 ` Antonio Quartulli
@ 2024-06-13 14:52   ` Perry The Cynic
  0 siblings, 0 replies; 4+ messages in thread
From: Perry The Cynic @ 2024-06-13 14:52 UTC
  To: Antonio Quartulli; +Cc: wireguard

That works when I’m in my room/cabin/place. I’m actually building a Raspberry Pi-based travel box right now (so next time I have linux tools to diagnose problems), and it can do tcp wrapping/forwarding. But carrying a battery-powered router-sized thing around on vacation somewhat defeats the point of carrying an iPhone on travel. Another box to break, another battery to run out. And my wife wants vpn access too, even if she’s away from me.

Cheers
  — perry


> On Jun 13, 2024, at 7:45 AM, Antonio Quartulli <a@unstable.cc> wrote:
> 
> Hi,
> 
> On 13/06/2024 16:34, Perry The Cynic wrote:
>> So what are the practically available options here? I can set up whatever is needed on the server endpoint (it’s Debian), but what can I do on my phone to make wg work through an HTTP(s)-shaped pinhole? I’d hate to have to ditch wg for some other vpn just for that rare case… but what’s the answer?
> 
> How about simply getting a small travel router that you can install between your devices and the uplink connection (being this wifi or ethernet)?
> 
> The travel router could be running OpenWRT and thus allow you to play any wanted trick.
> 
> Cheers,
> 
> -- 
> Antonio Quartulli


