Development discussion of WireGuard
* Is it possible to disable wireguard on specific Wi-Fi ?
@ 2022-04-18  2:12 Nohk Two
  2022-04-22  6:16 ` Björn Fries
                   ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: Nohk Two @ 2022-04-18  2:12 UTC (permalink / raw)
  To: wireguard

Hello,

I set up a wireguard server at home, and it has a public IP address. This
server allows the clients to access my LAN (e.g. 192.168.87.0/24) and
configures the DNS servers as my DNS servers in my LAN (e.g.
192.168.87.1 and 192.168.87.2).

My family members use their phones (iPhone and Android) to connect to my
LAN via the Wireguard for iOS/Android App. And this works perfectly
while the phones are using the 4G/5G network.

But when the phones connect to the Wi-Fi of my home's router, the DHCP
assigns the IP addresses in 192.168.87.0/24, which is my LAN, to the phones.
In this situation, the phones' owners should manually turn off their
Wireguard connection to have internet access. I guess there is
some conflict because the vanilla IP network and the allowed IP
network are the same.

So, I have this idea: is it possible to configure the Wireguard
app to turn off or disable automatically when the network is established
on specific Wi-Fi SSIDs?

Or do you have better ideas?

Thanks.

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: Is it possible to disable wireguard on specific Wi-Fi ?
  2022-04-18  2:12 Is it possible to disable wireguard on specific Wi-Fi ? Nohk Two
@ 2022-04-22  6:16 ` Björn Fries
  2022-04-22  9:51   ` Björn Fries
  2022-04-22 11:05   ` Nohk Two
  2022-04-22 13:36 ` Jason Grant
  2022-04-22 18:23 ` Kai Haberzettl
  2 siblings, 2 replies; 12+ messages in thread
From: Björn Fries @ 2022-04-22  6:16 UTC (permalink / raw)
  To: wireguard

Hello,

On 18.04.22 at 04:12, Nohk Two wrote:
> This 
> server allows the clients to access my LAN (e.g. 192.168.87.0/24) and 
[..]
> But when the phones connect to the Wi-Fi of my home's router, the DHCP 
> assigns the IP addresses as 192.168.87.0/24, it's my LAN, to the phones. 
[...]
> Or do you have better ideas ?

the way I solve this is that I use a slightly larger /23-subnet in the
AllowedIPs=192.168.87.0/23

and when I get a local IP inside 192.168.87.0/24 at home, the kernel 
automatically uses the more specific route.


* Re: Is it possible to disable wireguard on specific Wi-Fi ?
  2022-04-22  6:16 ` Björn Fries
@ 2022-04-22  9:51   ` Björn Fries
  2022-04-22 13:00     ` Nohk Two
  2022-04-22 11:05   ` Nohk Two
  1 sibling, 1 reply; 12+ messages in thread
From: Björn Fries @ 2022-04-22  9:51 UTC (permalink / raw)
  To: wireguard

On 22.04.22 at 08:16, Björn Fries wrote:
> the way I solve this is that I use a slightly larger /23-subnet in the
> AllowedIPs=192.168.87.0/23
> 
> and when I get a local IP inside 192.168.87.0/24 at home, the kernel 
> automatically uses the more specific route.

an example:
my laptop e.g. has

[Interface]
Address = 172.22.247.58/32
PrivateKey = xxx

[Peer]
PublicKey = xxx
AllowedIPs = 172.22.144.1/32, 192.168.0.0/23
Endpoint = myhomeIP:51820
PersistentKeepalive = 25

172.22.144.1/32 is the wireguard-IP of my wireguard-server at home.

This way I can reach for example my printer at 192.168.0.10 even if I am 
on the move, because my wireguard server is installed on my router at 
home (Unifi USG-3P).
The printer sends its packets for 172.22.247.58 simply to its default 
gateway, which is my router/wg-server, that forwards it over wireguard.

When I'm in my network at home, my laptop gets the IP 192.168.1.72/24 
and automatically talks to the other devices in the LAN without taking 
the wireguard route, because the subnet is more specific.


* Re: Is it possible to disable wireguard on specific Wi-Fi ?
  2022-04-22  6:16 ` Björn Fries
  2022-04-22  9:51   ` Björn Fries
@ 2022-04-22 11:05   ` Nohk Two
  2022-04-22 13:40     ` Björn Fries
  1 sibling, 1 reply; 12+ messages in thread
From: Nohk Two @ 2022-04-22 11:05 UTC (permalink / raw)
  To: wireguard

On 2022/4/22 14:16, Björn Fries wrote:
> Hello,
> 
> On 18.04.22 at 04:12, Nohk Two wrote:
>> This server allows the clients to access my LAN (e.g. 192.168.87.0/24) 
>> and 
> [..]
>> But when the phones connect to the Wi-Fi of my home's router, the DHCP 
>> assigns the IP addresses as 192.168.87.0/24, it's my LAN, to the phones. 
> [...]
>> Or do you have better ideas ?
> 
> the way I solve this is that I use a slightly larger /23-subnet in the
> AllowedIPs=192.168.87.0/23
> 
> and when I get a local IP inside 192.168.87.0/24 at home, the kernel 
> automatically uses the more specific route.
I think I know your point. And since my network is 192.168.87.0/24, I
have to use 192.168.86.0/23 (not 192.168.87.0/23) in the AllowedIPs,
because "87" is an odd number and it's "1000 0111" in binary.

However, it failed on my Android phone. There is no internet access,
as usual. I didn't try this on the iPhone because Eugenio Tampieri told me
that Wireguard for iOS has the feature I required (and it worked nicely)
but not Android.

Maybe I have to adjust my LAN's network to an even number to make
enlarging /24 to /23 happy.

Thank you very much.


* Re: Is it possible to disable wireguard on specific Wi-Fi ?
  2022-04-22  9:51   ` Björn Fries
@ 2022-04-22 13:00     ` Nohk Two
  0 siblings, 0 replies; 12+ messages in thread
From: Nohk Two @ 2022-04-22 13:00 UTC (permalink / raw)
  To: wireguard

On 2022/4/22 17:51, Björn Fries wrote:
> On 22.04.22 at 08:16, Björn Fries wrote:
>> the way I solve this is that I use a slightly larger /23-subnet in the
>> AllowedIPs=192.168.87.0/23
>>
>> and when I get a local IP inside 192.168.87.0/24 at home, the kernel 
>> automatically uses the more specific route.
> 
> an example:
> my laptop e.g. has
> 
> Address = 172.22.247.58/32
> PrivateKey = xxx
> 
> [Peer]
> PublicKey = xxx
> AllowedIPs = 172.22.144.1/32, 192.168.0.0/23
> Endpoint =  myhomeIP:51820
> PersistentKeepalive = 25
> 
> 172.22.144.1/32 is the wireguard-IP of my wireguard-server at home.
> 
> This way I can reach for example my printer at 192.168.0.10 even if I am 
> on the move, because my wireguard server is installed on my router at 
> home (Unifi USG-3P).
> The printer sends it packets for 172.22.247.58 simply to its default 
> gateway, which is my router/wg-server, that forwards it over wireguard.
> 
> When I'm in my network at home, my laptop gets the IP 192.168.1.72/24 
> and automatically talks to the other devices in the LAN without taking 
> the wireguard route, because the subnet is more specific.
I referred to your example and the Android phone is now:

[Interface]
Address = 192.168.19.30/32
DNS = 192.168.87.1, 192.168.87.2
PrivateKey = xxx

[Peer]
PublicKey = xxx
AllowedIPs = 192.168.19.1/32, 192.168.86.0/23
Endpoint = myhomeIP:4999
PresharedKey = xxx

192.168.19.1/32 is my wireguard-IP address of my wireguard-server at home.

It works nicely if the Android phone is on the 4G network. But it still
failed when I connected to my LAN's Wi-Fi (no internet access and no
LAN access). The phone got the LAN IP address 192.168.87.11/24 from
the DHCP server.

Maybe the routing implementation in Android doesn't fit this solution.

Anyway, thank you very much. :)
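
Added example (not code from any poster in this thread): a Python walk-through of the /23 approach discussed above. It computes the aligned /23 that covers a /24 LAN and runs a longest-prefix-match lookup over a single routing table, which is the behaviour described for the laptop's kernel; it does not model how the Android app routes traffic. The interface names (wlan0, wg0, rmnet0) and the route tables are constructed assumptions based on the configs quoted in the thread.

```python
import ipaddress

def covering_supernet(lan, new_prefix=23):
    """Return the aligned network of length new_prefix that contains lan."""
    return ipaddress.ip_network(lan).supernet(new_prefix=new_prefix)

def is_aligned(cidr):
    """True if cidr sits on a network boundary (no host bits set)."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False

def select_route(dest, routes):
    """Longest-prefix match over (cidr, device) pairs in one routing table."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(cidr), dev) for cidr, dev in routes
               if addr in ipaddress.ip_network(cidr)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Constructed tables. Device names are assumptions, prefixes are from the thread.
AT_HOME = [
    ("0.0.0.0/0", "wlan0"),        # default route learned via DHCP
    ("192.168.87.0/24", "wlan0"),  # connected route for the Wi-Fi lease
    ("192.168.19.1/32", "wg0"),    # AllowedIPs: server's tunnel address
    ("192.168.86.0/23", "wg0"),    # AllowedIPs: widened LAN prefix
]
ON_MOBILE = [
    ("0.0.0.0/0", "rmnet0"),       # default route on the 4G/5G network
    ("192.168.19.1/32", "wg0"),
    ("192.168.86.0/23", "wg0"),
]

if __name__ == "__main__":
    # 87 = 0b01010111: the low bit is set, so the covering /23 starts at .86
    print("covering /23:", covering_supernet("192.168.87.0/24"))
    print("192.168.87.0/23 aligned:", is_aligned("192.168.87.0/23"))
    for name, table in (("home", AT_HOME), ("mobile", ON_MOBILE)):
        for dest in ("192.168.87.1", "192.168.86.5", "8.8.8.8"):
            print(name, dest, "->", select_route(dest, table))
```

Note that 192.168.86.0/24, the other half of the widened prefix, is sent into the tunnel on every network, including at home.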


* Re: Is it possible to disable wireguard on specific Wi-Fi ?
  2022-04-18  2:12 Is it possible to disable wireguard on specific Wi-Fi ? Nohk Two
  2022-04-22  6:16 ` Björn Fries
@ 2022-04-22 13:36 ` Jason Grant
  2022-04-22 18:23 ` Kai Haberzettl
  2 siblings, 0 replies; 12+ messages in thread
From: Jason Grant @ 2022-04-22 13:36 UTC (permalink / raw)
  To: wireguard

On 17 Apr 2022, at 21:12, Nohk Two wrote:

> So, I have this idea that if it is possible to configure the Wireguard 
> app to turn off or disable automatically when the network is 
> established on specific Wi-Fi SSIDs ?

The MacOS WireGuard client has exactly this feature. You can 
enable/disable on-demand access for particular SSIDs, and it’s very 
useful for a situation where you’re moving your device around, between 
home and office say. Any timetable for adding this feature to other 
platforms, like Windows or Android?


* Re: Is it possible to disable wireguard on specific Wi-Fi ?
  2022-04-22 11:05   ` Nohk Two
@ 2022-04-22 13:40     ` Björn Fries
  2022-04-22 15:55       ` Nohk Two
  0 siblings, 1 reply; 12+ messages in thread
From: Björn Fries @ 2022-04-22 13:40 UTC (permalink / raw)
  To: wireguard



On 22.04.22 at 13:05, Nohk Two wrote:
> However, it failed in my Android phone. 
I don't use wireguard on my phone at the moment, but perhaps there was a 
difference whether you use the (non-root) wireguard-go implementation or 
the kernel module on android.
I guess I used the kernel module as I nearly weekly try new custom roms 
on my phone.


* Re: Is it possible to disable wireguard on specific Wi-Fi ?
  2022-04-22 13:40     ` Björn Fries
@ 2022-04-22 15:55       ` Nohk Two
  0 siblings, 0 replies; 12+ messages in thread
From: Nohk Two @ 2022-04-22 15:55 UTC (permalink / raw)
  To: wireguard

On 2022/4/22 21:40, Björn Fries wrote:
> 
> 
> On 22.04.22 at 13:05, Nohk Two wrote:
>> However, it failed in my Android phone. 
> I don't use wireguard on my phone on the moment, but perhaps there was a 
> difference whether you use the (non-root) wireguard-go implementation or 
> the kernel module on android.
> I guess I used the kernel module as I nearly weekly try new custom roms 
> on my phone.
I just checked my Wireguard for Android App, the settings page shows:

   WireGuard for Android v1.0.20211029
   Go userspace backend eb6302c

So my wireguard on my Android phone is the non-root wireguard-go 
implementation.

That said, I don't use custom ROMs; I always use official ROMs.

At least I still can turn off the wireguard manually. :)


* Re: Is it possible to disable wireguard on specific Wi-Fi ?
  2022-04-18  2:12 Is it possible to disable wireguard on specific Wi-Fi ? Nohk Two
  2022-04-22  6:16 ` Björn Fries
  2022-04-22 13:36 ` Jason Grant
@ 2022-04-22 18:23 ` Kai Haberzettl
  2022-04-23  2:01   ` Nohk Two
  2 siblings, 1 reply; 12+ messages in thread
From: Kai Haberzettl @ 2022-04-22 18:23 UTC (permalink / raw)
  To: Nohk Two; +Cc: WireGuard mailing list

On Fri, Apr 22, 2022 at 2:26 AM Nohk Two <nohktwo@gmail.com> wrote:
>
[...]
> So, I have this idea that if it is possible to configure the Wireguard
> app to turn off or disable automatically when the network is established
> on specific Wi-Fi SSIDs ?
>
> Or do you have better ideas ?

As a workaround, you can achieve what you want with tasker.


* Re: Is it possible to disable wireguard on specific Wi-Fi ?
  2022-04-22 18:23 ` Kai Haberzettl
@ 2022-04-23  2:01   ` Nohk Two
  0 siblings, 0 replies; 12+ messages in thread
From: Nohk Two @ 2022-04-23  2:01 UTC (permalink / raw)
  To: Kai Haberzettl; +Cc: WireGuard mailing list

On 2022/4/23 02:23, Kai Haberzettl wrote:
> On Fri, Apr 22, 2022 at 2:26 AM Nohk Two <nohktwo@gmail.com> wrote:
>>
> [...]
>> So, I have this idea that if it is possible to configure the Wireguard
>> app to turn off or disable automatically when the network is established
>> on specific Wi-Fi SSIDs ?
>>
>> Or do you have better ideas ?
> 
> As a workaround, you can achieve what you want with tasker.
Indeed, this "tasker" app might work. Though it's some kind of overkill.

I will consider this workaround on the Android phone when there are no 
other solutions.

Thank you very much.


* Re: Is it possible to disable wireguard on specific Wi-Fi ?
  2022-04-22  9:29 ` wireguard
@ 2022-04-22 12:08   ` Nohk Two
  0 siblings, 0 replies; 12+ messages in thread
From: Nohk Two @ 2022-04-22 12:08 UTC (permalink / raw)
  To: wireguard

On 2022/4/22 17:29, wireguard@qupfer.de wrote:
> 
> On 18.04.22 04:12, Nohk Two wrote:
>>  I guess there are something conflict because the vanilla IP network 
>> and the allowed IP network are the same.
> 
> Thats right, but you can simply use other IPs for your WG clients 
> (192.168.187.0/24 or 172.16.0.0/24)
> 
Hello,

I'm not sure if I understand your idea correctly.

It's not easy to configure my router's DHCP server to assign specific IP 
addresses (192.168.187.0/24 or 172.16.0.0/24) to the specific phones 
which connect to my LAN.

Even if I did it eventually, the phones couldn't access my LAN when the
wireguard is turned off because "192.168.187.0/24 or 172.16.0.0/24"
can't reach my LAN (i.e. 192.168.87.0/24).

By the way, the WG tunnel interface's IP address (e.g. 192.168.19.0/24) 
is already different from my LAN's (i.e. 192.168.87.0/24).

Regards :)


* Re: Is it possible to disable wireguard on specific Wi-Fi ?
       [not found] <77422@imapsync>
@ 2022-04-22  9:29 ` wireguard
  2022-04-22 12:08   ` Nohk Two
  0 siblings, 1 reply; 12+ messages in thread
From: wireguard @ 2022-04-22  9:29 UTC (permalink / raw)
  To: Nohk Two, wireguard


On 18.04.22 04:12, Nohk Two wrote:
>  I guess there are something conflict because the vanilla IP network 
> and the allowed IP network are the same.

That's right, but you can simply use other IPs for your WG clients 
(192.168.187.0/24 or 172.16.0.0/24)

