WireGuard Interface with Multiple Peers

edebbbb

Hey everyone, I figured since many of you use wireguard and have deep knowledge on Android, you may be able to help me out. I haven't been able to find something that helps me anywhere else.

Basically, my goal is to have a wireguard interface on my phone which connects to two peers. One peer is an upstream VPN provider, and the other peer is my home network so I can access it on the go. I have the upstream peer set to allow all IPs (0.0.0.0/0) and route them through there. On my home peer, the allowed IPs is (something like) 10.8.6.128/28.

A handshake is successful on both peers, however, I can only actually connect through the upstream peer, and reach the internet. Attempts to connect to 10.8.6.128/28 fail, even to the home peer endpoint and home peer wireguard address 10.8.6.129. If I separate the peers and only try connecting to one at a time, they both work completely, but combining them causes traffic to not be routed to the home peer.

I have an identical setup on my laptop (macos), which works flawlessly, connecting to both the home peer and upstream peer with no issues routing my desired IPs to home. This leads me to believe there is some quirk with android or wireguard on android that causes this sort of split tunneling to fail.

Here is an example of the config on my phone. Again, the config on my laptop is identical and it does work.

[Interface]
Address = 10.8.6.131/32
DNS = <upstream dns>, 10.8.6.129
PrivateKey = <phone private key>

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = <upstream endpoint>:51820
PublicKey = <upstream public key>

[Peer]
AllowedIPs = 10.8.6.128/28, <home endpoint>/32
Endpoint = <home endpoint>:51820
PublicKey = <home public key>

Chipper

edebbbb I was planning on installing wireguard ap for specifically this reason at some point but have moved on to other projects, so take my words as wanting to help but realise i havent installed or troubleshooted the problem myself yet.

My understanding is your 10.8.8.128/28 range falls in the 0.0.0.0/0 range so essentially both are attempting to be authenticated with your 0.0.0.0/0 credentials.

You could resolve this by:

specifying your vpn servers address ranges more specifically (assuming they are static) but that could be time consuming if there are potentially thousands of servers you may want to connect to
you could specify a dns resolvable hostname if thats suitable for your situation
you could use this calculator to subtract your internal ip range from the 0.0.0.0/0 range and then specify the external ranges that specifically exclude the internal range.

I think, haha.

trilogy6202

edebbbb When you have both peers in the config and you try to access a service on your local network is that by a locally resolved domain name or by ip?

Eg. if you have termux installed on your phone, can you ping a host on your local subnet?

trilogy6202

edebbbb The reason I ask is that in my experience, the wireguard client for android is configured so that it will never really use the secondary dns server as long as the primary (first) dns server is reachable. So if you are trying to access a private domain that is not resolvable by your <upstream dns> server it will fail.

edebbbb

Chipper Thanks for your response.

As I understand, WireGuard is smart enough to route traffic to the more specific peer. What I mean is, because 10.8.6.128/28 is more specific of a subnet than 0.0.0.0/0, it will know to send traffic to that peer if the destination is within that subnet. This however doesn't seem to be the case on Android. I did try excluding all private addresses from the peer that has 0.0.0.0/0 already, and that unfortunately didn't work.

Also, both peers are on the same interface because Android doesn't allow two interfaces to be enabled at once. So I have set it up so the public key that my home network expects is the same as the public key that the upstream VPN server expects. There is no issue authenticating with either peer; handshakes are successful on both. WireGuard refuses to, or doesn't know how to, send traffic to my home peer.

Chipper

edebbbb does this work:

[Interface]
Address = 10.8.6.131/32
DNS = <upstream dns>, 10.8.6.129
PrivateKey = <phone private key>

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = <upstream endpoint>:51820
PublicKey = <upstream public key>

[Peer]
AllowedIPs = 10.8.6.128/28
Endpoint = <home endpoint>:51820
PublicKey = <home public key>

Id ignore mac, cause your on Android, id use /32 for clarity while trouble shooting, but yeah it may be it needs a seperate interface.

You could try this

yellow-leaves

Just like you I wanted to be connected to two wireguard servers at the same time, since you only have one VPN slot on android I tried adding them as peers inside the same config file.
Unfortunately I ran in to the same problem as you, only one network was route able at any one time.
I even split the IP space between the peers in order to make sure that they weren't conflicting.

Here is a tool for calculating IP ranges
https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/

edebbbb

Chipper This appears to be the exact same as the configuration I showed in my original post, with the exception that the home endpoint is no longer in the AllowedIPs.

I did indeed try that originally. I put the home endpoint into the AllowedIPs to see if it would work if I routed traffic to that IP through the tunnel, instead of through the upstream VPN tunnel.

Again, the reason I bring up mac is because I have the exact same setup on there, and it works exactly as desired. So I came here to find out if there is some discrepancy with android that makes this setup impossible, or that makes it so the setup has to be tweaked slightly the achieve the desired outcome.

edebbbb

trilogy6202 That's a good question. I am just trying to access by the IP. For example, I go in the browser and type 10.8.6.129 which is the peer's address in Wireguard, and it times out. To clarify, the peer does have a web server running and accessible, which is why I test by going in the browser.

trilogy6202

edebbbb Okay then it's not a dns issue.

One way to get around this issue could be to route all your traffic through your local vpn and configure your upstream vpn on your router. Then you configure a 'static route' on your router to route all access from your phone (that is not within your local subnet) through your upstream vpn provider.

Chipper

edebbbb I think the discrepancy you may be looking for is that wireguard is running in the user space on android as opposed to a kernel module which limits its functionality. installing as a kernal module requires root which grapheneos doesnt support.
the reason i say to ignore mac is cause whether it works or not has no bearing on android.
yeahthe config was the same except for the home endpoint as a peer as i wanted to ensure it wasnt trying to send the authentication packets through an unestablished tunnel... which makes no sense based on your comment that handshakes are being established.. but regardless its nice to remove all potential problems, which is also why i would try just using /32 ranges for everything initially.. but maybe thats just a me thing i like to keep things simple.

sorry i couldnt be of more help.

edebbbb

trilogy6202 I had thought about that configuration before, but I don't think I will go with that because it becomes quite a pain to switch servers on the upstream provider. I can pre-configure several servers on my phone and switch them with a single press, even having them pre-configured to connect to my home peer. Switching servers on my router wouldn't be so simple.

trilogy6202

edebbbb Fair enough. By the way, as @Chipper also mentioned, I think it's wrong to have the <home endpoint>/32 in the second peer configuration. I'd suggest removing it from both the mag and the android config as you are basically telling wireguard to route traffic to your routers wan ip through the tunnel which is wrong in my opinion.

edebbbb

trilogy6202 Yeah that makes sense, the reason I put it is because I know the peer can resolve the endpoint address since it is the endpoint. Either way, with it there or not it doesn't work.

Chipper i say to ignore mac is cause whether it works or not has no bearing on android.

Yeah I know, my point is to show that I do have a working Wireguard configuration.

Anyway, seems like you're probably right that Wireguard isn't able to do so much since it's running in the user space. I hope someone who is knowledgeable on this can pop in to confirm that this is the case.

rclemmer

I use Tailscale with Mullvad. You can set it up to connect to your home network with subnets, and route all traffic destined to WAN through Mullvad. Its pretty slick.

graphuser

I may have read that's a limitation of the mobile app that it does not go to the most specific "route" (read encryption key + peer) but I'm far from certain.

Can you check if the packages meant for peer B are going through peer A?