Wireguard VPN - always on (both in internal LAN and external network)

The problem I’m trying to solve is that, if possible, I’d like to have an always-on VPN. This is because the Android Wireguard client is either manual or always on, and I would like a set-up-and-forget kind of deal. So it would be always on. It seems that Android Wireguard will only do a DNS search for the server once, at connect time. This seems to be the problem in my setup. Let me explain a bit, and tell me if you have any recommendations on what would be best to try.

homesetup

So I have this sort of simple home lab server setup. A version of ultimatehomeserver but cheap :wink:
I have a dynamic external IP and port forwarding to the Raspberry. Pi-hole is doing DNS + DHCP for the internal network. WireGuard was set up through the PiVPN scripts. DuckDNS is set up so that it resolves to my external IP.

In the default setup it’s not possible to use Wireguard in the internal LAN, as myhostname.duckdns.org resolves to my external IP and traffic does not flow. What I tried to solve this was to add a local DNS name to Pi-hole so that myhostname.duckdns.org would resolve to 192.168.1.5 in the local LAN. This works, sort of. Now one can connect manually in the internal network and also externally. But one always needs to manually connect and disconnect. This seems to be because the Wireguard client only resolves DNS once and not if the connection goes offline and comes back again (going from local WLAN to mobile data).

How should this best be fixed so that one could always have Wireguard on, with no need to manually toggle it when switching to other networks? I’m thinking that if I could get rid of the ISP router it would simplify things. But would it be possible even in that case?

Have you tried Persistent Keepalive in the config?

1 Like

Thanks, I will try that. Currently WG is all defaults.

@sami_m I don’t think replacing the ISP router would simplify your task; it probably gives you more options. Since you don’t mention who your ISP is or the make of the provided router, I can’t advise which manufacturer would be better. Is there a particular reason you are using Wireguard? You might consider switching to OpenVPN instead. The documentation for OpenVPN is a lot better than Wireguard’s.

1 Like

Have you tried TailScale for a permanent-ish connection from phone to home, then sharing the internet?

Might ease the setup?

If nothing else, it is cool

2 Likes

I mainly chose Wireguard as it seemed simpler. I also thought of OpenVPN, but it seemed somewhat more involved. I have to look into it if I can’t make WG work seamlessly.

Haven’t heard of Tailscale. Need to look it up too. I’m glad to see that there are many options to investigate. Thanks :slight_smile:

1 Like

@Trooper_ish I was going to recommend Tailscale but thought it wasn’t a good fit for @sami_m. So I have changed my mind. I have researched Tailscale and believe it would be the best fit for Sami_m.

1 Like

I am not sure if OP can share the internet once the phone connects to the pi via TailScale, but I hoped it would help pass through the router with less need to port forward.

So, it might not help any, or it might “fix” one problem OP already solved, and replace it with a new one…

1 Like

Unfortunately Persistent Keepalive in the config didn’t help. It seems that there is not much that can be configured on the client side.

For WG the issue seems to be related to my local DNS config, where I added a local DNS record for myhostname.duckdns.org, and as the mobile exits the local WLAN it never retries the DNS resolution. So, it still tries to connect to 192.168.1.5 and this of course will fail in an external network. If I do a manual disconnect and reconnect it works. I think the local DNS record should not be needed? I just tested that I can ping that external IP also from inside my local WLAN. So this might be a firewall issue after all. I’m running a pretty tight UFW config. I need to do some investigating.

Have you made any progress in solving your problem? Please update us. I find this subject interesting.

2 Likes

Why not edit the allowed IPs section of your wireguard config so 192.168.1.5 is accessible through the tunnel?

Another option is to set the wireguard IP of the pi as your DNS.

Edit: if you see this message with this edit bit, then I am on a phone. Once I get back on a PC, I can likely help with your predicament, as I used wireguard with my internal DNS all the time on my phone.

1 Like
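As an added example (not a configuration from this thread, from PiVPN or from the WireGuard project), here is what a client-side config combining the suggestions above looks like: the peer’s AllowedIPs includes the Pi’s LAN address 192.168.1.5/32 alongside the tunnel subnet, DNS points at the Pi’s WireGuard address so names resolve through the tunnel, and PersistentKeepalive is set as suggested earlier in the thread. The client tunnel address 10.72.2.3/24 is the one quoted later in this thread; the Pi’s tunnel address 10.72.2.1, the listen port 51820 (WireGuard’s default) and the key placeholders are assumptions.

```ini
[Interface]
# Client tunnel address (the /24 quoted in the thread; adjust to your own)
Address = 10.72.2.3/24
# Placeholder: generate with `wg genkey`, never reuse a key between devices
PrivateKey = <client-private-key>
# Assumed tunnel address of the Pi, so DNS queries go through the tunnel
# to Pi-hole instead of to whatever the current WLAN/mobile network hands out
DNS = 10.72.2.1

[Peer]
# Placeholder: the server's public key from the Pi
PublicKey = <server-public-key>
# Hostname rather than a hard-coded LAN address; the Pi-hole override of
# myhostname.duckdns.org to 192.168.1.5 is then not needed
Endpoint = myhostname.duckdns.org:51820
# Route the tunnel subnet and the Pi's LAN address through the tunnel.
# Use 0.0.0.0/0 instead to send all traffic through the tunnel.
AllowedIPs = 10.72.2.0/24, 192.168.1.5/32
# Keep the NAT mapping alive from behind mobile carrier NAT
PersistentKeepalive = 25
```

With the endpoint set to the hostname only, connecting from inside the LAN depends on the router forwarding a packet sent from the LAN to its own external address back in (NAT loopback, also called hairpin NAT); a consumer router that does not do this is exactly the symptom described further down in the thread, and no client-side setting fixes it.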

I haven’t had much time to investigate this further. Hopefully things get better now in the coming weekend. Currently it seems that the ISP router (Huawei) drops packets that come from the internal network to its external interface (it seems so, I’m not sure). And I’m not sure if it should even work? Or is there some routing magic needed. This is not my area of expertise :slight_smile:

I have been investigating how to set up the Raspberry as an access point (so that the Huawei wouldn’t be needed). But there are a few gotchas, as there are 5G and 2.4G devices in our wifi network, so an additional external wifi dongle is needed and of course some firewall/routing and other setup.

Thanks for the tip. Currently the Wireguard server, DHCP and DNS are all running from the pi at 192.168.1.5. And if the tunnel opens in the local wifi, then the mobile can access 192.168.1.5.

I’m not sure if I understand correctly what you mean by the other option. I tried to add a DNS name (myhostname.duckdns.org - 192.168.1.5) in my local network, and with that I could access the VPN in my local network, but only if I reconnect. Could you elaborate?


You see where the top address is 10.72.2.3/24? That is my assigned IP for wireguard.

Anyway, ignoring that. Change your allowed IPs to look like mine; it might fix your issue.

I did a quick test. Unfortunately it didn’t help:


No rx traffic detected.
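“No rx traffic” on the client usually goes together with a stale or missing handshake, which is what `wg show <iface> latest-handshakes` reports on the Pi (one line per peer: public key, a tab, and a Unix timestamp, with 0 meaning the peer has never completed a handshake). The script below is an added example, not something posted in this thread or shipped by PiVPN; it flags peers whose last handshake is older than a threshold so you can see from the server side whether the phone ever got through. The interface name wg0 and the sample peer lines are constructed.

```shell
#!/bin/sh
# Added example: flag WireGuard peers with a stale or missing handshake,
# parsing the `wg show <iface> latest-handshakes` output format.

# stale_peers THRESHOLD_SECONDS NOW  (handshake lines on stdin)
# Prints "<pubkey> <age-in-seconds>" for peers older than the threshold
# and "<pubkey> never" for peers that have not handshaked at all.
stale_peers() {
    threshold="$1"
    now="$2"
    while IFS="$(printf '\t')" read -r key ts; do
        [ -z "$key" ] && continue
        if [ "$ts" -eq 0 ]; then
            printf '%s never\n' "$key"
        elif [ $((now - ts)) -gt "$threshold" ]; then
            printf '%s %s\n' "$key" "$((now - ts))"
        fi
    done
}

# Constructed sample in the exact format wg prints (keys shortened for readability):
# one fresh peer, one that never handshaked, one that went quiet hours ago.
SAMPLE="$(printf 'AAAA=\t1700000000\nBBBB=\t0\nCCCC=\t1699990000\n')"

# count_stale THRESHOLD_SECONDS NOW -> number of stale peers in SAMPLE
count_stale() {
    printf '%s\n' "$SAMPLE" | stale_peers "$1" "$2" | wc -l | tr -d ' '
}

# Real usage on the Pi (assumed interface name wg0); 180 s is comfortably
# above the 25 s keepalive, so anything older means the path is really dead:
#   sudo wg show wg0 latest-handshakes | stale_peers 180 "$(date +%s)"
count_stale 180 1700000100
```

If the phone’s key shows up as "never" while it sits on the LAN, the packets are not reaching the Pi at all (router or UFW), which is a different problem from a handshake that works on the LAN and then goes stale after switching to mobile data (the one-time endpoint resolution described earlier).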

What does the configuration look like on the pivpn side of things?

I’m looking through the script and there are some defaults there I don’t like.

I see only my client configs. I haven’t researched wireguard very much, so I don’t know where the server configs are set. Although there are a few UFW rules that I see.

PS. I have tried to set up the Pi as an access point (to replace the ISP router) and had some success. I just got external web access through the Pi. But still only 2.4G and it seems pretty slow. I have to do some more digging to get 5G and 2.4G with an external dongle. And it seems that for that to work one needs to learn how to set up a bridge so that 2.4G and 5G devices share the same network / interface (to get the same IP address space).