Wireguard used only "to phone home"

I want to use wireguard only to “phone home” i.e. to be in “LAN with what I selfhost”.

Does anyone do this? Any best practices?

What bothers me is that default usage for VPN is to mask browsing and this does not interest me. Especially due to my home internet upload speed bottleneck.

So I would like to be able to start the VPN connection only when I want to access my services directly.

On Android, Wireguard starts automatically and I did not find a way to steer it conveniently…

On my Linux machines I can stop it, but there I need to research a bit more how I can do it in the most comfortable way.

Any thoughts / best practices by you?


Later edit: first of all, thank you to all of you with helpful contributions! Thank you also to the other commenters :slight_smile: The atmosphere goes to show that there is a beautiful community here!

And now my conclusions: even though I set up wireguard correctly, I was living under the impression that the entire traffic is directed through the VPN, whereas now I understand that this is not the case. If wg is correctly set up, only the traffic to home will go through it. And in that case I should not be worried about having it on all the time, which I think will be my usage scenario.

What bothers me is that default usage for VPN is to mask browsing and this does not interest me.

This is only because the PROXY companies that call themselves VPNs have bastardized the term VPN. VPN was a thing long before these companies ruined it.

I want to use wireguard only to “phone home” i.e. to be in “LAN with what I selfhost”.

Your use case is literally what VPN was designed for. Access to resources on a private network from a remote location.

So I would like to be able to start the VPN connection only when I want to access my services directly.

Why do you feel the need to? Just let it run all the time. If it’s configured correctly your traffic is not exiting out your home internet while you are remote.

Yeah, I have done this. VPN is far more useful to me to be virtually present at home than to be anonymous.

My Android doesn’t start the Wireguard VPN automatically and I just add the Wireguard widget to the control area (swipe down from the top of the screen) so I can control it easily. When I want to be “at home”, I just turn on the VPN. I have set up a Full and Split configuration too, so I can use it depending on my needs (sometimes networks have weird MTU requirements and/or using a split network is acceptable to speed up Internet traffic).

Also have Wireguard on my laptops and such for the same reason. You can disable the Wireguard service on Linux and then just start it up when you need it.

What you’re talking about is a split tunnel; all you have to do is change the allowed IPs for the device. Set the allowed IPs to 192.168.0.0/24 or whatever the range is for your private network; only that traffic will now be routed over the VPN.

0.0.0.0/0 is what you would use for a full tunnel, this routes all traffic over your vpn connection.

That’s literally what a VPN is designed for lol. I use WireGuard almost daily to check my security cameras or anything else I don’t have port forwarded…

This is pretty much what I do. If you look in the config for your client, you should see allowed IPs of 0.0.0.0/0. Change that to the VLAN you have your self hosted stuff on, i.e. 192.168.1.0/24. That will ‘split route’ the VPN so only requests to those IPs will go over the VPN.

I do. Just change the AllowedIPs line to just your subnet, like

AllowedIPs = 10.11.12.0/24

Any thoughts / best practices by you?

Change your home subnet to be somewhat unusual (so not the ‘usual’ 192.168.0.x, 10.0.0.x etc.).

It will make your life a lot easier if you take everyone’s advice here about using AllowedIPs to route only home subnets over your VPN, as there’s less chance of it matching the subnet your phone finds itself on, should it also need to access local resources.

Yeah, wireguard is a good choice for this, it’s low overhead and it’s overkill-levels of quick. I do this so that I can use my pihole as an adblock even when I’m out of the house.

Personally I use weejewel/wg-easy and I give the container an ipvlan.

I do it using Wireguard and Headscale/tailscale (wireguard basically). I do both because sometimes I can’t access Wireguard when on airport wifi, for example. For Wireguard, it’s just as simple as forwarding a port and running the Wireguard peer on my OpenWrt router; headscale is the de-facto tool to access this.

Use cases:

- Allow my brother (in another country) to access my Jellyfin instance and watch together; speeds are reasonable looking at my upload speed of 30Mb/s, 1080p 10bit 5.1 AAC is no problema.

- Access my LAN including the local DNS resolver as I hate remembering IPs

- Remote work from other countries, as I’m not allowed to log in anywhere except from an EU country (I use a small Gl-inet router connected to my home Wireguard peer, so as far as my work laptop is concerned, it’s connected to home wifi as it’s the same SSID+Password).
I have also Cloudflare tunnels running, just-in-case something breaks.

I use wireguard on my phone to just have home LAN access plus DNS so I can keep using pihole even while on cellular.

You just need to set the “allowed IPs” parameter on your client device to the ones of your home network. Say you have everything under 192.168.0.x you put 192.168.0.0/24 in the client config.

This way, when you open a website it gets routed normally, but when you request an IP in that range it will go through the VPN.

There’s no need to complicate things by having the VPN turn on only when you try to open something from home. Keep it on.

I’m no expert, but I just have WG set to only the IP of the device and the applicable subnets in the client WG config. I don’t think you tunnel all traffic unless allowed IPs (routes) is 0.0.0.0/0 (iOS devices and PCs). Tailscale also works well; if I want free access to the LAN, you designate a device as a subnet router.

On your remote device just set your LAN subnet in the allowed IPs instead of 0.0.0.0/0 and make sure you cover any DNS concerns.

Then you’re golden.

Wireguard will only route traffic to your LAN over the tunnel, and any other traffic will be routed over whatever internet you are on.

Not a bit of a problem. I do have 2 configs:
One that routes everything
One that routes only private LANs

Use allowed IPs:
10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12

Everything else stays the same.
I configured the client so that it automatically connects if I’m not on my home WLAN.
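Two pieces of advice in this thread interact: AllowedIPs decides what enters the tunnel, and an AllowedIPs entry that overlaps the network your phone is currently on will pull that local traffic into the tunnel too (which is why an "unusual" home subnet was suggested earlier). The checker below is an added example, not code from any commenter: it parses a constructed wg-quick client config (placeholder keys and endpoint) that uses the all-private-ranges AllowedIPs list from the post above, reports whether it is a full or split tunnel, and lists the entries that collide with a given local network.

```python
import ipaddress
import re

# Constructed sample client config for illustration only (placeholder keys and
# endpoint). The AllowedIPs line is the "all private ranges" variant from the thread.
SPLIT_CONF = """[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.11.12.2/32
DNS = 10.11.12.1
MTU = 1420

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = home.example.net:51820
AllowedIPs = 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
PersistentKeepalive = 25
"""


def allowed_ips(conf):
    """Collect every network listed on AllowedIPs lines of a wg-quick config."""
    nets = []
    for m in re.finditer(r"^\s*AllowedIPs\s*=\s*(.+)$", conf, re.MULTILINE):
        nets += [ipaddress.ip_network(p.strip(), strict=False)
                 for p in m.group(1).split(",") if p.strip()]
    return nets


def tunnel_mode(nets):
    """'full' when a default route (0.0.0.0/0 or ::/0) is present, else 'split'."""
    return "full" if any(n.prefixlen == 0 for n in nets) else "split"


def collisions(nets, local_net):
    """AllowedIPs entries that overlap the network the client is currently on.
    Traffic to hosts on that local network would be sent into the tunnel instead."""
    local = ipaddress.ip_network(local_net, strict=False)
    return [str(n) for n in nets
            if n.version == local.version and n.overlaps(local)]


def check(conf, local_net):
    """Summarise a client config against the LAN the client is currently connected to."""
    nets = allowed_ips(conf)
    return {"mode": tunnel_mode(nets), "collisions": collisions(nets, local_net)}


if __name__ == "__main__":
    # Constructed local network: a guest wifi handing out 192.168.0.0/24.
    print(check(SPLIT_CONF, "192.168.0.0/24"))
```

Narrowing AllowedIPs to just the home subnet (for example 10.11.12.0/24, as suggested above) makes the collision list empty for that same guest network.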

Sounds like you want to do exactly what I do with Wireguard on my phone. I don’t remember if wireguard starts automatically (I haven’t noticed that behavior at least) but it adds the little toggle icon to the slide down menu so controlling it is very convenient.

I have a pfSense router as my firewall, so the setup was extremely easy; there are plenty of step by step guides to set that up. Since you already know that your phone will be the client, you should focus on what device you can use to host it. I think once you sort that out you will be very satisfied with the results.

Yes, this is essentially what I use it for.

The wireguard server runs at home 24/7 and I use it to connect to my home LAN from my laptop and phone.

Make sure MTU is set to 1420 in all devices. I had very poor performance before that.

I think this was the guide I used …

This is exactly how I use WireGuard, it’s a very simple configuration. I run a wg client on my iPhone and MacBook, and it allows me to access devices on my home network when I’m away from home.

You do not need TailScale for this.

I’d be happy to post sample config and steps if you’re interested.

This is what I do

Use split tunnel, put only your wireguard subnet in the AllowedIPs

Primary purpose of VPN (Virtual Private Network) is to… reach another (remote) network, hence the name. This is what many enterprises are doing for their employees to be able to securely connect to the enterprise network from home.

So nothing surprising about doing the same to reach your home network - I’m also doing exactly this, through Wireguard.

On my side I use the embedded wireguard server available in recent ASUS firmware (old ASUS routers had an old linux kernel without the wireguard module, but most or even all recent models now have a recent linux kernel, with wireguard easily configurable there; I have a GT-AX6000) + wireguard on my phone, allowing me to access my whole network when I’m away (everything self hosted + devices like 3D printer, …). This is way better / simpler than exposing any ports outside. Doing this at network level is even easier (no risk of misconfiguration, …).