I use a wireguard connection to my home opnsense firewall when not at home. That way I have the advantage of adblocked traffic and access to my home servers.
When I get home however, my phone connects to the home wifi and I lose internet connection, unless I disable wireguard.
Ideally I would leave wireguard active all day long, and not have to worry about this.
I have enabled all three reflection settings.
What else could I setup?
Not really a solution based on OPNsense, and only for iPhone users:
If you have an iPhone: The official Wireguard app has a feature called On-Demand in which you can set excludes for when to be connected. You can exclude Wifi SSIDs and when on cellular or not. The Android app doesn't have that feature.
WG should be able to work from your home LAN. Are you losing the WG connection (check for handshakes on either end - phone client or [VPN > WireGuard > Status] on OPNsense), or is it just routing to the internet that's not happening? Do you have access to your LAN hosts? If the handshakes are not happening, you probably have some firewall rule on your LAN interface that's blocking WG (UDP 51820 or whatever).
Quote from: dseven on February 24, 2025, 11:45:32 AM
WG should be able to work from your home LAN. Are you losing the WG connection (check for handshakes on either end - phone client or [VPN > WireGuard > Status] on OPNsense), or is it just routing to the internet that's not happening? Do you have access to your LAN hosts? If the handshakes are not happening, you probably have some firewall rule on your LAN interface that's blocking WG (UDP 51820 or whatever).
No more handshakes as soon as I'm on the home wifi. No internet at all really, can't even reach LAN hosts.
The firewall rules for LAN allow access to all (default allow LAN to any).
Something must be blocking it. I'd try a packet capture on the LAN interface on OPNsense, for port 51820 (or whatever you're using) as a start...
The problem seems to be DNS related.
My WG endpoint is home.<mydomain.com>:<port>.
The DNS records for this address (at my domain hosting service) point to my home IP.
This works perfectly when I'm not home, but stopped working when I arrived home.
I have set the Domain setting in Opnsense under System>Settings>General to home.<mydomain.com> as well.
I assumed that this would resolve to the opnsense IP address (where the WG server runs) when I'm home, but that didn't seem to work (at least not for WG).
I have now added home.<mydomain.com> to Unbound's domain overrides.
This seems to have solved me being able to stay connected to WG at home, except, the switching doesn't happen smoothly.
Coming home now, I still lose internet connection. I need to manually disable WG, wait a while and then reconnect for it to use the internal IP address.
Same when I leave the house.
I'm testing this by disabling wifi on my phone, so that the WG connection needs to switch to my phone service provider.
How can I ensure a smooth transition from phone service to wifi and vice versa, while staying connected to WG?
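The two checks raised in this thread (are handshakes still happening, and does the endpoint name now resolve to the LAN-side address via the Unbound override or still to the public IP) can be scripted. The following is an added example, not code from the thread or from OPNsense; it assumes an interface named wg0, a LAN prefix of 192.168.1.0/24 and an endpoint name home.example.com, and the `wg show` output embedded below is constructed sample data.

```python
"""Added example: check whether a WireGuard tunnel to a home endpoint is alive
and whether the endpoint name currently resolves to the LAN-side address
(split-horizon via an Unbound override) or to the public WAN address.

Assumptions (not from the thread): interface wg0, LAN 192.168.1.0/24,
endpoint name home.example.com. The sample output below is constructed."""
import ipaddress
import socket
import subprocess
import time

HANDSHAKE_STALE_AFTER = 180  # seconds; a tunnel carrying traffic rekeys about every 2 minutes


def parse_latest_handshakes(text: str) -> dict:
    """Parse `wg show <iface> latest-handshakes` output.

    Each line is '<peer public key><TAB><unix epoch>'; an epoch of 0 means no
    handshake has completed with that peer since the interface came up.
    """
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pubkey, epoch = line.split("\t")
        result[pubkey] = int(epoch)
    return result


def stale_peers(handshakes: dict, now: int, max_age: int = HANDSHAKE_STALE_AFTER) -> list:
    """Return peers whose last handshake is missing or older than max_age seconds."""
    return sorted(k for k, ts in handshakes.items() if ts == 0 or now - ts > max_age)


def classify_endpoint(resolved_ip: str, lan_network: str) -> str:
    """Return 'lan' if the endpoint name resolved inside the LAN prefix
    (the Unbound override is in effect), otherwise 'wan' (public DNS answer)."""
    inside = ipaddress.ip_address(resolved_ip) in ipaddress.ip_network(lan_network)
    return "lan" if inside else "wan"


def diagnose(handshake_text: str, resolved_ip: str, lan_network: str, now: int) -> dict:
    """Combine both checks into one report for troubleshooting."""
    hs = parse_latest_handshakes(handshake_text)
    stale = stale_peers(hs, now)
    return {
        "endpoint_side": classify_endpoint(resolved_ip, lan_network),
        "peers": len(hs),
        "stale_peers": stale,
        "tunnel_up": bool(hs) and not stale,
    }


# Constructed sample: one peer handshaked 30 s ago, one never handshaked.
SAMPLE_NOW = 1_740_400_000
SAMPLE_HANDSHAKES = (
    "peer-one-pubkey-constructed=\t1740399970\n"
    "peer-two-pubkey-constructed=\t0\n"
)

if __name__ == "__main__":
    try:
        # Live check: needs the wg tool and a resolvable endpoint name.
        out = subprocess.run(["wg", "show", "wg0", "latest-handshakes"],
                             capture_output=True, text=True, check=True).stdout
        ip = socket.gethostbyname("home.example.com")
        now = int(time.time())
    except (FileNotFoundError, subprocess.CalledProcessError, socket.gaierror) as exc:
        print(f"live check unavailable ({exc}); using constructed sample")
        out, ip, now = SAMPLE_HANDSHAKES, "192.168.1.1", SAMPLE_NOW
    print(diagnose(out, ip, "192.168.1.0/24", now))
```

Run it on the phone side (Termux) or on the OPNsense shell after coming home: if `endpoint_side` is still `wan`, the client is using a cached public-DNS answer rather than the Unbound override, which matches the "disable, wait, reconnect" symptom described above; if it is `lan` but peers are stale, the problem is the UDP path on the LAN, not name resolution.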
Quote from: patient0 on February 24, 2025, 10:54:52 AM
Not really a solution based on OPNsense, and only for iPhone users:
There is an android app with more functions than the reference wireguard app:
- WG Tunnel (com.zaneschepke.wireguardautotunnel)
With this app you can automatically start the wireguard tunnel when leaving trustworthy wifi networks. I haven't tried this function yet, but it looks promising
Call me paranoid, but I'm currently not trusting an app with 50k downloads and 0 reviews 😉
Quote from: Nikotine on March 01, 2025, 06:04:27 PM
Call me paranoid, but I'm currently not trusting an app with 50k downloads and 0 reviews 😉
That's interesting. Of course, there is no guarantee that the software does not contain any malicious content. Your argument of 0 reviews is very weak. I don't know if there have been any (code) reviews of that app. AFAIK the same applies to the reference implementation of the wireguard android app. Furthermore, the code base of the latter is more than 17 months old. So, it's likely that the app contains some vulnerabilities, which is not the same as deliberately integrating malicious content into an app. The code base of "WG Tunnel" looks more recent, but I haven't checked in detail. If there had been any code reviews of the wireguard android app, the community would know that the app stores the credentials of wireguard profiles in the clear within the file system. Any app with root privileges is able to retrieve those credentials :-(. Both apps are open source. Hence, you can review the code and build the apps yourself.
In general it is up to the public and the community to identify malicious code and behavior in open source code. In my eyes, open source projects driven by a one-man show are more susceptible to malicious code than projects maintained by a couple of people. A good example was the backdoor in the xz compression lib identified a short time ago. If I remember correctly, this project had only one maintainer at that time and was easily infiltrated by adversaries. Log4j was another one, with a critical vulnerability instead of malicious code. But the result regarding attack vectors was similar.
Do you know what your smartphone is doing in the background apart from android?
Just my 2 cents.
My apologies, I only looked at the play store. I see now that it's open source on Github. I stand corrected.