Wireguard VPN on mobile when inside LAN

Started by kermitxyz, March 19, 2026, 11:29:39 PM

I have a WireGuard VPN on my mobile which connects to OPNsense over 5G when I am away.  This works fine.  But when I am back and the phone connects to the LAN via WiFi, the phone no longer connects to servers etc.

I understand that I need to do something to make this work, so I can just leave the VPN client connected all the time.  It would be much easier than having to manually turn the VPN client on and off every time I go out / come home.

Please could anyone help with this?  Is this best practice? 

March 20, 2026, 12:25:00 PM #1 Last Edit: March 20, 2026, 12:28:07 PM by vimage22
On my Android phone, I noticed this as well. There was a preference to 'allow other apps to trigger WireGuard', or something to that effect. I believe this defaulted to "on". It is off now, and I have not noticed an auto-connect. In my case, I prefer to manually activate it when away.
If you lose functionality on LAN, you need to look at how "Endpoint address" is configured, on the phone. Does it route all traffic, or just LAN traffic?

The endpoint is for example "vpn.domain" which resolves to the Static IP of the OPNSense WAN interface.

I think the issue is that from external networks this resolves to, say, 80.12.15.40, but inside the LAN this doesn't work as it's the IP of the external OPNsense interface.

I think I might need "split DNS"?  I have created an override in Unbound DNS so from inside the LAN "vpn.domain" resolves to the LAN IP of the OPNSense router.

But services still don't work...?


Today at 04:49:08 PM #3 Last Edit: Today at 04:51:30 PM by Kinerg
You need to set up NAT reflection :
https://docs.opnsense.org/manual/how-tos/nat_reflection.html

Alternatively, you could use WG Tunnel and have it automatically disable the VPN while on selected WiFi:
https://github.com/wgtunnel/android

Today at 06:37:03 PM #4 Last Edit: Today at 07:05:20 PM by vimage22
In addition to the answer above, here is what is working on my side, with Wi-Fi connected or not. I do get a delay to one particular service on the LAN, but it is an unusual service.

Following this, Road Warrior, using Step 4(a).
Interfaces: [wg0] = true

And this for fdxx...  ULA Generator

For "Instance", set:
Tunnel address =
10.10.1.1/24  (different than LAN)
fdxx:xxxx:xxxx::1/64  (unique to LAN) (starts with fd, not fe, see ULA above)

In config on Peer GENERATOR:

Endpoint: As you have already, vpn.domain

Allowed IPs:
x.x.x.x/24 (LAN)
10.10.1.1/24 (WG)
fdxx:xxxx:xxxx::/64
[ISP Prefix]::/64  (not sure if this is required)

Address
10.10.1.2/32
fdxx:xxxx:xxxx::2/128

DNS: fdxx:xxxx:xxxx::1

Firewall: Rules [new]

Description: WG_FW_Rule
Invert: Unchecked
Interface: WAN
Quick: Checked
Action: Pass
Direction: in
Version: IPv4+IPv6
Protocol: UDP
Invert Source: Unchecked
Source: any
Source Port: any
Invert Destination: Unchecked
Destination: "WAN address"
Destination Port: 51820

Description: WG_Router_Rule_wg0
Invert: Unchecked
Interface: wg0
Quick: Checked
Action: Pass
Direction: in
Version: IPv4+IPv6
Protocol: any
Invert Source: Unchecked
Source: "wg0 net"
Source Port: any
Invert Destination: Unchecked
Destination: "LAN net", "wg0 net"
Destination Port: any

Firewall: Settings: Normalization

Description: "WireGuard MSS Clamping v4-v6"
Interface: wg0
Direction: any
Protocol: any
Source: any
Source Port: any
Destination: any
Max mss: 1360

Turn logging on everywhere and the use: Firewall: Log Files: Live View

In the earlier post, I meant to say "Allowed IPs", not "Endpoint address". In the setup above, I am not routing all traffic, just LAN. Also, DNS was important. For example, I could not simply resolve 'host'; 'host.internal' was required. There might be a setting for this in the config, but not sure.

Edit: to resolve host, change DNS to: DNS: fdxx:xxxx:xxxx::1, internal

Edit 2: NAT reflection was not required on my side.
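The post above (and the OP's split-DNS question earlier in the thread) describe a split-tunnel phone config: only the LAN, the tunnel net and the ULA prefix go into the tunnel, the endpoint is a hostname so Unbound can hand out the LAN address when the phone is on WiFi, and the tunnel ranges must not collide with the LAN. The script below is an added example, not code from the thread or from the OPNsense project: it models that phone-side config, implements WireGuard's AllowedIPs routing decision, generates an RFC 4193 ULA prefix of the "fdxx:" form the post asks for, and checks the config for the mistakes that make LAN services unreachable. The concrete values (192.168.1.0/24 as the LAN, fd12:3456:789a::/64 as the ULA, the MAC and key placeholders) are constructed stand-ins for the x.x.x.x and fdxx:... placeholders in the post.

```python
"""Model of the split-tunnel WireGuard phone config from the thread.
Added example; all concrete addresses below are constructed stand-ins."""
import hashlib
import ipaddress
import time
from typing import Iterable, List, Optional

LAN_V4 = "192.168.1.0/24"          # constructed: the OPNsense LAN ("x.x.x.x/24")
WG_V4 = "10.10.1.0/24"             # from the post (written there as 10.10.1.1/24)
WG_V6 = "fd12:3456:789a::/64"      # constructed ULA, see generate_ula_prefix()

# Phone side, split tunnel: only LAN + tunnel ranges are sent through WireGuard.
CLIENT = {
    "endpoint": "vpn.domain:51820",   # a name, so an Unbound override can repoint it on the LAN
    "address": ["10.10.1.2/32", "fd12:3456:789a::2/128"],
    "dns": ["fd12:3456:789a::1"],
    "allowed_ips": [LAN_V4, WG_V4, WG_V6],
}


def generate_ula_prefix(mac: bytes, now: Optional[float] = None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: fd00::/8 || 40-bit Global ID, where the Global ID
    is the low 40 bits of SHA-1(64-bit NTP timestamp || EUI-64 of a local MAC).
    Returns subnet 0 of the resulting /48 as a /64, the shape the post's
    'fdxx:xxxx:xxxx::1/64' tunnel address uses. 'now' is only for repeatability."""
    if len(mac) != 6:
        raise ValueError("need a 48-bit MAC")
    eui64 = bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]
    secs = int((time.time() if now is None else now) + 2208988800)  # NTP epoch is 1900
    ntp64 = (secs << 32).to_bytes(8, "big")                          # fraction left at zero
    global_id = hashlib.sha1(ntp64 + eui64).digest()[-5:]
    packed = b"\xfd" + global_id + b"\x00\x00" + bytes(8)            # /48 + subnet id 0
    return ipaddress.IPv6Network((int.from_bytes(packed, "big"), 64))


def goes_into_tunnel(allowed_ips: Iterable[str], dst: str) -> bool:
    """WireGuard cryptokey routing on the phone: a packet enters the tunnel only
    if its destination lies in a peer's AllowedIPs. With one peer that is a plain
    membership test; host bits in an entry such as 10.10.1.1/24 are masked off."""
    d = ipaddress.ip_address(dst)
    return any(d in ipaddress.ip_network(n, strict=False) for n in allowed_ips)


def check_client(cfg: dict, lan_v4: str, wg_v4: str, wg_v6: str) -> List[str]:
    """Return the config mistakes that show up as 'services stop working'."""
    problems: List[str] = []
    lan, wg4, wg6 = (ipaddress.ip_network(n, strict=False) for n in (lan_v4, wg_v4, wg_v6))
    if lan.overlaps(wg4):
        problems.append("tunnel IPv4 range overlaps the LAN; pick a different /24")
    if wg6.network_address.packed[0] != 0xFD:
        problems.append("tunnel IPv6 prefix is not a ULA (must start with fd, not fe)")
    for a in cfg["address"]:
        ip = ipaddress.ip_interface(a).ip
        if ip not in wg4 and ip not in wg6:
            problems.append(f"phone address {a} is outside the tunnel ranges")
    for name, ranges in (("LAN", [lan_v4]), ("tunnel", [wg_v4, wg_v6])):
        for r in ranges:
            first_host = ipaddress.ip_network(r, strict=False).network_address + 1
            if not goes_into_tunnel(cfg["allowed_ips"], str(first_host)):
                problems.append(f"{name} range {r} missing from AllowedIPs")
    for d in cfg["dns"]:
        if not goes_into_tunnel(cfg["allowed_ips"], d):
            problems.append(f"DNS server {d} is not reachable through the tunnel")
    host = cfg["endpoint"].rsplit(":", 1)[0].strip("[]")
    try:
        ipaddress.ip_address(host)
        problems.append("endpoint is a literal IP; use a hostname so Unbound can "
                        "resolve it to the LAN address when on WiFi")
    except ValueError:
        pass  # hostname, as the thread recommends
    return problems


def render_client_config(cfg: dict, server_pubkey: str = "<server-public-key>") -> str:
    """wg-quick style text to paste into the phone app (keys are placeholders)."""
    lines = ["[Interface]",
             "Address = " + ", ".join(cfg["address"]),
             "DNS = " + ", ".join(cfg["dns"]),
             "PrivateKey = <phone-private-key>",
             "",
             "[Peer]",
             f"PublicKey = {server_pubkey}",
             "AllowedIPs = " + ", ".join(cfg["allowed_ips"]),
             "Endpoint = " + cfg["endpoint"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_client_config(CLIENT))
    print("problems:", check_client(CLIENT, LAN_V4, WG_V4, WG_V6) or "none")
    for dst in ("192.168.1.20", "fd12:3456:789a::1", "8.8.8.8"):
        print(f"{dst:>20} -> {'tunnel' if goes_into_tunnel(CLIENT['allowed_ips'], dst) else 'WiFi/5G directly'}")
    print("fresh ULA /64:", generate_ula_prefix(b"\x00\x11\x22\x33\x44\x55"))
```

The routing check is the reason the phone "loses" LAN services while on WiFi: with the LAN net in AllowedIPs, every packet to a LAN host is encrypted and sent to the endpoint even though the host is one hop away. That only works if the endpoint address the phone resolved is reachable from the LAN side, which is what the Unbound override (hostname resolving to the LAN IP) or NAT reflection provides; the check for a literal-IP endpoint flags the config where neither can help.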