I’m trying to setup my VPN and I’m a bit confused here.
I have a commercial VPN subscription that I’m using on my phone and laptop. Now I’ve set up WireGuard on my OpenWRT router to access my home network remotely. I can connect to it from my phone but from what I see there’s no way to have both commercial VPN and my local network WG active at the same time (both are using WG so I’m trying to create WG config with two peers but I don’t think it’s possible).
So what do people actually do? From what I see I have 3 options:
- Don’t use commercial VPN on my phone, only use WG to access my network
- Switch between VPNs manually whenever I want to access my network
- Setup commercial VPN on my router, move all my networks traffic through this VPN and move all traffic from my phone through my home network.
Am I missing something? What’s the typical approach here? I thought that what I’m trying to do is basic scenario but it looks like it’s not that simple if at all possible.
I use Tailscale with an exit node container that forwards all traffic to the commercial VPN via a wireguard config. This “hopping” solution serves me well enough, and works for Android too.
If you want to simultaneously have two VPN interfaces, you may wanna consult this and this guide. The principle should apply with non-Tailscale wireguards too I think
So you’re using tailscale android app as the only VPN and all traffic from your phone goes through your local network, yes?
Your tailscale exit node is deployed on some server in your network, right? (I’ve set up my WG server on my router) Does your router just port forward all tailscale traffic to it?
Yes, the app is the only “Android VPN”. The exit node is deployed on another network, but there should be no problem deploying it locally.
My phone would be attempting to make direct WireGuard connections to my other Tailscale nodes (be it the server, the exit node, or any other device), so it’ll prefer local connections. When it can’t (e.g. in a different and restrictive network), it will relay these traffic through DERP servers. Tailscale automate these processes very well, so no port forwarding is needed.
Note that to establish these encrypted direct tunnels, Tailscale clients have to talk to a control server to fetch required metadata. I selfhost this piece via Headscale along with the DERP servers. The stack would be quite complicated for those who already had a wireguard tunnel, but I found myself liking it because Tailscale has other cool features too.
Alternatively, I guess you could also do “split-route” by defining different peers in your Android WireGuard app, and use different
AllowedIPsfor them.That’s exactly what I’ve been trying but it doesn’t work. Only one peer is able to do a handshake. It looks like it should work but I actually haven’t seen anyone recommending this or saying they manged to set it up. Everyone just ends up routing everything through private VPN. I will read some more about tailscale but I think it’s an overkill for me. I will probably just use different VPNs in separate android profiles.