Can I leave the Wireguard VPN on when I am at home, on the wifi?

I just set up wireguard today on my home network (as an add-on to home assistant, which should just be a container on a little computer on my home network).

I played around with it a bit. I turned off the wifi on my android phone (using the wireguard app), connected to my duckdns address and was able to browse some of the services on my home LAN. I was able to change the peer addresses from global (0.0.0.0/0) to local (10.0.1.0/24). Still works. Neat!

Then I turned on the wifi, leaving the VPN active (this is still on my android phone). But now I can’t reach any of the home network stuff. If I turn off the VPN, then I can reach the LAN stuff again.

I know it doesn’t really make sense to leave the VPN on when I am at home, on my wifi. But really, I am too lazy to turn it on and off all the time manually. Is there a setting I am missing to make 10.0.1.0/24 go through the wifi first (but maybe only on a specific ssid), and then go to the wg adapter second?

Or is there something in my router’s settings that is broken? It seems like it should still go to my duckdns address, even if it was preferring the vpn, and that it would get forwarded back to wg and end up at the right place anyway.

Edit: Thank you to all the suggestions. IMO, this is the summary:

- ttech32 pointed out that my router doesn’t support NAT hairpinning, or NAT loopback, which is causing it not to work when I’m on my LAN

- LundiMcPuffin suggested I configure a second DNS record to avoid the loopback, which works, but wg won’t figure out when it should try to resolve the IP again.

- Packet1 suggested that my internal DNS would refuse to resolve the address, which should make wg fail while on the LAN, which would let the traffic flow as usual. I couldn’t figure that out on my dnsmasq dns server.

- ContinuousEscalation suggested I install the Automate app, which would toggle the VPN when the wifi changed. That would work, but I am hoping to not install any more apps.

Thank you all. I will keep trying new things if anyone suggests them. But for now, I will just play with doing it manually, and if I get annoyed, install automate.

So I’m new to WG, but I think you might want to look around split tunnel setups for WG.

I use an address that is only resolvable when I am outside of my home network.

At home since the address doesn’t resolve, no WireGuard vpn.

Or is there something in my router’s settings that is broken? It seems like it should still go to my duckdns address, even if it was preferring the vpn, and that it would get forwarded back to wg and end up at the right place anyway.

This is called NAT hairpinning and unfortunately not all routers do it properly, so that might potentially be your issue.

I was having the same issue as you. I used to have a dmz for a specific machine back in the day. Once I removed it, NAT loopback started to work automatically and now I can access internet with WireGuard connected even on my lan.

Testing. Even though my hairpin NAT works fine with always on. Cheers.

This is good advice, and a perfectly good answer to my question. But I don’t really want to install another app. At least not if I can avoid it.

Thanks for the reply. I think that is what I am doing when I set my peer address to 10.0.1.0/24.

But the issue is that when I am on the wifi at home, I have a wifi adapter with an address like 10.0.1.100. When I try to connect to 10.0.1.10, the wireguard interface decides it should do the work, and it sends it to myaddress.duckdns.org:51820, instead of letting the wifi handle it.

I want that behavior from the cell network, but not when I’m on wifi.

How is it only resolvable from outside? I tried adding a BS entry to my lan dns (dnsmasq) to point to another computer, and I tried making it point to an unused address, but neither worked.

This.

Suppose that I can access my WireGuard server from global_ip:forwarded_port from WAN.

Now, if I’m on the LAN and still try to connect via global_ip:forwarded_port, the router should loopback/hairpin the connection directly/seamlessly.

Most routers are capable of doing this. Otherwise, you may need to create 2 versions of your WireGuard .conf files: 1 for when you’re on WAN and 1 for when you’re on LAN.

This is called NAT hairpinning and unfortunately not all routers do it properly, so that might potentially be your issue.

Huh, I knew this was a thing from playing around with my network, didn’t know the name of it though.

Yeah… I think I have had this problem before now that I look at that wiki page. I have a dd-wrt router for my lan, but I also have a centurylink modem/router on the outside. I have a vague recollection of the century link router having this problem before.

Is there a way around it with the settings on wireguard? I assume it would have to be fixed on the wireguard android app or android itself.

Interesting. I don’t have DMZ on. I think this century link/actiontec router sucks.

This is the answer: hairpin NAT or NAT reflection allows the WAN IP to be routable from within the LAN itself. It’s a router feature and not all routers have it, and some have it on always and cannot be turned off. I’m glad I purchased my own router that gives me access to these kinds of things.

Cheers!

Ah. So I run a split-brain DNS setup with a single domain that’s served by different servers internally and externally.

When I am on my home network, a single host like vpn.domain.com doesn’t resolve to anything. But when I am out and about, that same host does resolve and I’m connected to my WireGuard instance.

The key is to not have it resolve at all when you’re home.

OK. Confirmed by random support forum post:

https://actiontecsupport.zendesk.com/hc/en-us/community/posts/115019049643-Web-Server-behind-C1900-

ER-X here for the 5 year win. I’ll see next month when on GigSpeed if I’m still happy with it though.

OK. I can’t figure out how to make that happen on my dnsmasq running on dd-wrt. If anyone knows which option to look into, I will. But I can only see options to add hosts, and everything else is going to default to the main dns record, which is going to be something on the internet, or from the ISP, and will include the vpn.domain.com pointing to the external IP.
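The following dnsmasq fragment is an added example and is not from any of the posters above; it shows the two LAN-side resolver behaviours the thread discusses, using placeholder names and addresses (vpn.domain.com, 10.0.1.10, 51820). The `local=` form is what implements the split-brain "does not resolve at home" idea: `local=/name/` (a synonym for `server=/name/` with no upstream given) tells dnsmasq never to forward queries for that name and to answer only from /etc/hosts or DHCP leases, so with no local entry the client gets NXDOMAIN and the WireGuard peer has no endpoint to send to. The `address=` form is the alternative of resolving the same name to the LAN address of the WireGuard host while at home. On dd-wrt these lines go in the Additional DNSMasq Options field of the DNSMasq service settings; on other systems they go in dnsmasq.conf.

```conf
# Added example: dnsmasq settings for a WireGuard endpoint name on the home LAN.
# Pick exactly ONE of the two variants below. Names and IPs are placeholders.

# Variant A: split-brain, the public name does not resolve at home.
# "local=/<name>/" (same as "server=/<name>/" with no upstream) means:
# never forward this name upstream; answer only from /etc/hosts or DHCP.
# Since there is no such host locally, LAN clients get NXDOMAIN, and the
# public resolver (duckdns, etc.) is the only place the name still resolves.
local=/vpn.domain.com/

# Variant B: split DNS, the public name resolves to the LAN IP at home.
# Every query for vpn.domain.com from the LAN is answered with the WireGuard
# host's internal address instead of the WAN address, so no NAT hairpin is
# needed; the client talks to 10.0.1.10:51820 directly.
# address=/vpn.domain.com/10.0.1.10

# Optional: make the log show which queries hit these rules while testing.
# log-queries
```

Either variant only helps when the client actually re-resolves the Endpoint name after it changes networks; the thread reports that the iOS client does this on a network change and that the Android client did not re-resolve for the OP, so a tunnel brought up on cellular may keep using the WAN address after joining the wifi until it is restarted.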

Do you have a Pi-hole or any custom DNS server on your LAN? We solved the issue with split DNS. At least the iOS WireGuard client does a fresh name resolution on a network change, so when it connects to your wifi it resolves the LAN IP, and if it disconnects it resolves the WAN IP.

ER-X here as well! Been happy so far. The MikroTik hEX line looks like a good alternative as well.