Routing to local network when always-on

[brianjmurrell]

If I have the tunnel to my LAN activated even when I am connected to said LAN's WiFi (i.e. an always-on configuration), my phone seems to use the WG tunnel to reach hosts on the local network. As a seasoned (retired even) network engineer I find this odd.

Typically when a host has a route to a network through a network path as well as a route to a network through a locally attached interface, it should prefer the route via the attached interface.

If WGTunnel were to do this, an always-on tunnel would simply ignore the path to the WG peer when connected to the local network, eliminating any load (or more importantly, firewalling requirements) on the gateway/WG peer and making the tunnel a NOOP.

Maybe metrics are needed for Android to effect this?

[zaneschepke]

Hello!

Unfortunately, this is an annoying Android limitation.

The best way to solve this would be to use the auto tunnel feature and add your network as a trusted network so auto tunnel brings down the tunnel when you connect to this network. The downside is you would also have to disable the native AndroidOS kill switch (if you're using it).

If you still want kill switch capabilities, I would recommend using WG Tunnel's Lockdown mode + LAN bypass (if you have local services you would like to access) and set a different tunnel to be used on this network (remove it from trusted).

[brianjmurrell]

Hello!

Hi!

Unfortunately, this is an annoying Android limitation.

Annoying indeed!

If they would just let the Linux kernel route as it's designed to and not use PBR to override that and force VPN routing, things would "just work" (i.e. like they do on any other Linux machine I use WG on) and the kernel would prefer the arp-able local network over the tun0 network when both routes exist.

This would allow WG to be run in always-on mode without using the local router/WG host to access the local network, when in the local network.

The best way to solve this would be to use the auto tunnel feature and add your network as a trusted network so auto tunnel brings down the tunnel when you connect to this network.

This is what I am doing now. But it requires the app to allowed to run in the background without battery optimizations and with location permissions so that it can continuously monitor the state of WiFi networks.

I was wondering if disabling all of that and simply having WG run continuously but of course bypassing the tun0 interface when the same route(s) exist to local (i.e. arp-able) interfaces would be easier on battery.

The downside is you would also have to disable the native AndroidOS kill switch (if you're using it).

I don't think I am using that. Is this an accurate description of it? If so, I cannot see why I would want that or how it would even work considering my use-case for WG is split-tunneling to be able to access my home network for services that are behind the firewall, not for VPN tunneling all of my traffic.

[zaneschepke]

The AndroidOS kill switch is the setting "Block connections without VPN" setting right under Always-On. Yes, this would indeed break your use-case if you have a split-tunnel configuration.

For the background running, it should use minimal battery. As for the location permissions, you can bypass the need for this by using Shizuku which allows WG Tunnel to read the Wi-Fi SSID without location permissions.