So I’ve set up a WireGuard VPN to allow my mobile phone to access my self-hosted services at home. It all works fine, I can stream music, videos and use private DNS.
The only issue is that when I’m back home I have to disable WireGuard in order to access these resources.
I’m looking for a more seamless operation.
Services are behind a reverse proxy.
Possible approaches I’m thinking about:
using different resource names in DNS/reverse proxy
not routing private LAN through WireGuard
overriding DNS resolution depending on client location
There is an “On-Demand” activation feature (at least on iOS) that you can use to automatically activate or deactivate your VPN when connected to certain networks.
What I found was that a combination of points two and three can be best, provided you have a reliable connection to your DNS via WireGuard.
What I’ve tested but not deployed is split-horizon DNS with BIND9. Split horizon is when your response to a DNS request depends on the inbound interface. Since WG is an interface, you can reply with WG IPs for a given host via the WG interface, and with a LAN address if it’s on that interface. E.g. at home you’d get your 192.168 address, and away you’d get your 10.x or whatever address scheme you have for WireGuard hosts. This lets you skip the WireGuard stack when you’re on the LAN.
This won’t solve the question of what interface your phone decides to use. For that I think the On-Demand feature and hairpin NAT could be helpful to ensure continuity, but I know less about hairpin NAT and I’ll bow out on that one.
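The split-horizon setup described in the reply above, written out as an added example of a BIND9 `named.conf` using views (this is not configuration from the thread; the subnets 192.168.1.0/24 and 10.8.0.0/24, the server addresses, the zone name `home.example` and the file paths are constructed assumptions). BIND picks the view by the client's source address, which is what "inbound interface" amounts to here: a peer arriving over wg0 has a 10.8.0.x source, a device on the LAN has a 192.168.1.x source.

```conf
// Added example, not from the thread. Assumed (constructed) addressing:
//   LAN        192.168.1.0/24, DNS server 192.168.1.10 on eth0
//   WireGuard  10.8.0.0/24,    DNS server 10.8.0.1    on wg0
acl "lan" { 192.168.1.0/24; };
acl "wg"  { 10.8.0.0/24; };

options {
    directory "/var/cache/bind";
    // Only answer on the two private interfaces; never expose the
    // resolver on a public address.
    listen-on { 192.168.1.10; 10.8.0.1; };
    listen-on-v6 { none; };
    allow-transfer { none; };
};

// Clients on the LAN get LAN addresses and can skip the tunnel entirely.
view "lan" {
    match-clients { lan; };
    recursion yes;
    allow-recursion { lan; };
    zone "home.example" {
        type master;
        file "/etc/bind/home.example.lan";
    };
};

// Peers that arrive over wg0 get the WireGuard-side addresses.
view "wg" {
    match-clients { wg; };
    recursion yes;
    allow-recursion { wg; };
    zone "home.example" {
        type master;
        file "/etc/bind/home.example.wg";
    };
};

// Anything else (no matching view) is refused because no view matches it.

// /etc/bind/home.example.lan (constructed zone file; ns and the reverse
// proxy host "media" both live on the DNS server here):
//   $TTL 300
//   @      IN SOA ns.home.example. admin.home.example. ( 1 3600 900 604800 300 )
//   @      IN NS  ns.home.example.
//   ns     IN A   192.168.1.10
//   media  IN A   192.168.1.10
// /etc/bind/home.example.wg: the same records with 10.8.0.1 instead.
```

Check the syntax with `named-checkconf` and `named-checkzone home.example /etc/bind/home.example.lan`, then confirm the split with `dig @10.8.0.1 media.home.example` from the phone on WireGuard and `dig @192.168.1.10 media.home.example` from the LAN; each should return only its own side's address.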