Hello,
I have a wireguard “server” setup at home in a hub and spoke fashion. When I am out and about, I have my android device tunnel all my traffic through this server. It has pihole and routes all outgoing traffic through a paid vpn provider.
My question is this: by using this solution I am technically broadcasting who I am all the time while out and about on public wifi and such because all my traffic goes to mydomain.com.
What I would like to do instead is route all my traffic through the paid vpn service first and be able to “embed” my personal wireguard server traffic through it when appropriate (does that make sense?)
Phone → Paid VPN → general internet
Phone → Paid VPN → my selfhosted wireguard server for DNS and traffic to my devices on my 10.11.12.0/24 network
Is this at all possible? Are there any paid VPN services that support this kind of traffic forwarding/tunneling (not sure what to call it)?
AFAIK WireGuard doesn’t allow daisy chaining. It might be possible to use a SOCKS5 proxy while still being connected to your WireGuard instance, but this is really just a guess.
The term you’re looking for is probably multi-hop VPN.
I’m gonna ask a question because I honestly don’t know: would your phone support running two VPNs simultaneously? And if it did, which one gets access to which interface?
How would you say X vpn operates on the local IP stack and Y vpn operates off the first vpn’s ip stack?
I admittedly may be thinking of things from a PC based interface binding thought process that may not apply here. I’m just legit lost on how this would work from your side of the equation, and intrigued.
Not sure if it is possible. You can’t connect to two VPNs simultaneously from a phone, at least I can’t on mine (from the same interface).
I would just use a third-party VPN when needed, then quickly switch to your home VPN when needing to access any sites only available on your LAN/VPN.
I have a wg setup where all connected devices use Mullvad, and they can also connect to each other via wg whether at home or on the road. They all have a Mullvad IP and it only takes one VPN connection.
Is this the kind of setup you’re looking for? If so, just reply here and I’ll see how much I can help
I have this setup with a slightly inverted setup.
My VPS is the wireguard “server” because it has a static public IP
My self hosted server (raspberry pi) is a peer that connects to the VPS with wireguard.
My phone also is a peer which connects to the VPS.
When I connect with phone I allow all IPs to forward all traffic. I also allow 192.168 addresses from VPS.
So when I connect, I can access my pi with its LAN address (although actually I use a domain that resolves to 192.168…) and then the rest of the traffic is routed through the VPS.
I verify this by going to an IP location page and seeing the ISP as Linode, and by the fact that I can access my pi services on a LAN address.
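The hub-and-spoke layout described in the post above (VPS as the WireGuard hub with a static IP, a Raspberry Pi peer that exposes its LAN, and a phone peer that sends everything through the hub) written out as WireGuard configuration. This is an added example, not the poster’s own config: the tunnel subnet 10.8.0.0/24, the LAN 192.168.1.0/24, the interface name eth0, the Pi-hole address and every key and IP in angle brackets are assumed placeholders.

```ini
# --- VPS hub: /etc/wireguard/wg0.conf (assumed file name) ---
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
# Enable forwarding and NAT tunnel traffic out of the VPS's public interface (assumed eth0),
# so the phone's internet traffic exits with the VPS's address
PostUp   = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Raspberry Pi peer: the hub sends the Pi's tunnel address AND the LAN behind it this way
[Peer]
PublicKey = <PI_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32, 192.168.1.0/24

# Phone peer: only its own tunnel address is accepted from it
[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32

# --- Raspberry Pi peer: /etc/wireguard/wg0.conf on the Pi ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <PI_PRIVATE_KEY>
# Forward packets arriving from the tunnel onto the LAN; masquerade so LAN devices
# need no route back to 10.8.0.0/24
PostUp   = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = <VPS_PUBLIC_IP>:51820
# Only the tunnel subnet: the Pi keeps its own internet traffic on its home uplink
AllowedIPs = 10.8.0.0/24
# The Pi sits behind home NAT; keepalives let the hub reach it at any time
PersistentKeepalive = 25

# --- Phone peer (imported into the WireGuard app) ---
[Interface]
Address = 10.8.0.3/24
PrivateKey = <PHONE_PRIVATE_KEY>
# Assumed: Pi-hole listens on the Pi's tunnel address
DNS = 10.8.0.2

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = <VPS_PUBLIC_IP>:51820
# Full tunnel: everything, including 192.168.1.0/24, is sent to the hub,
# which forwards LAN destinations to the Pi and NATs the rest to the internet
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

The check the poster describes maps directly onto these AllowedIPs: a geolocation lookup from the phone shows the VPS’s address because of the hub’s MASQUERADE rule, while 192.168.1.x is reachable because the hub’s peer entry for the Pi claims that prefix. The one thing the public Wi‑Fi still sees in this layout is the phone’s UDP handshake to <VPS_PUBLIC_IP>:51820.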
Yeah, exactly. I know phones (not sure about unrooted/custom ROMs) can only have 1 VPN active at a time.
Even on a laptop though, how would this work? Say I take my laptop to public wifi. How do I tunnel first through my vpn provider to get to the local wireguard server I host at mydomain.com?
It sounds maybe like yes?
How does your laptop on public wifi talk to your homeserver behind your firewall? If it goes to yourdomain.com, then we have the same setup. If you are somehow routing that through Mullvad so only Mullvad knows you are going to yourdomain.com, please let me know.
Right, this is what I do currently. I just realized that everywhere I go, every public wifi is seeing that I’m going to mydomain.com all the time and that could easily track movements over time.
The only thing I can think of (using a laptop) would be if your paid provider software creates an interface that your personal vpn software can bind to. That might work if the service lets the traffic through. Are you just trying to keep your domain name secret? If your whois is private the average joe should be tracking it back to you. Hell, the average joe isn’t paying attention to traffic on their random free wifi at Starbucks.
If it’s encrypted, it’s encrypted.
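The laptop case asked about above (Phone → Paid VPN → general internet, Phone → Paid VPN → home WireGuard server for DNS and 10.11.12.0/24), done on a Linux laptop with two wg-quick configs rather than on a phone. This is an added example, not something from the thread or from any provider: the provider addresses, the home tunnel address 10.11.12.10, the Pi-hole at 10.11.12.1, the file names and all bracketed keys are assumptions. The mechanism it relies on is standard wg-quick behaviour: a config whose AllowedIPs contains a default route installs fwmark policy rules so that only that interface’s own UDP bypasses the tunnel, while a split-tunnel config just adds ordinary routes.

```ini
# --- Outer tunnel: /etc/wireguard/vpn.conf (paid provider; placeholder values) ---
[Interface]
Address = 10.64.0.2/32
PrivateKey = <PROVIDER_ACCOUNT_PRIVATE_KEY>
# Provider resolver; used for anything the inner tunnel does not claim
DNS = 10.64.0.1

[Peer]
PublicKey = <PROVIDER_SERVER_PUBLIC_KEY>
Endpoint = <provider-exit-host>:51820
# Default route: wg-quick adds "ip rule ... not fwmark <n> table <n>" plus a
# suppress_prefixlength 0 rule, so every unmarked packet, including the inner
# tunnel's UDP to mydomain.com, is carried inside this tunnel
AllowedIPs = 0.0.0.0/0

# --- Inner tunnel: /etc/wireguard/home.conf (brought up AFTER vpn.conf) ---
[Interface]
# Assumed address inside the home WireGuard subnet
Address = 10.11.12.10/24
PrivateKey = <LAPTOP_PRIVATE_KEY>
# Assumed: Pi-hole on the home WireGuard server; replaces the provider resolver
DNS = 10.11.12.1
# Outer interface MTU is 1420 and each WireGuard layer adds 80 bytes of overhead
MTU = 1340

[Peer]
PublicKey = <HOME_SERVER_PUBLIC_KEY>
Endpoint = mydomain.com:51820
# Split tunnel: only home addresses. No default route here, so wg-quick installs
# plain routes for this prefix (more specific than the outer default, so they win)
# and does not add a second fwmark bypass
AllowedIPs = 10.11.12.0/24
PersistentKeepalive = 25
```

Bring-up order matters: `wg-quick up vpn` first, then `wg-quick up home`, so that the DNS lookup of mydomain.com and the inner handshake already travel through the provider. With both up, the only peer the public Wi‑Fi can observe is <provider-exit-host>; the mydomain.com endpoint is visible only to the provider. Checking `ip rule` and `ip route get <home-server-ip>` after bring-up confirms that the inner endpoint resolves to the vpn interface rather than the Wi‑Fi uplink. The thread’s point about phones still stands: Android allows one VPN profile at a time, so this layout needs an OS that can hold two tunnel interfaces.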
Via a WireGuard tunnel. They should be talking to one another via 10.6.66.x and not 66.66.66.66.
In this example 10.6.66.x is the wg tunnel and 66.66.66.66 is Mullvad.
I use AdGuard Home for DNS at home and away, and the DNS is 10.6.66.100, so to be clear they talk to each other via the WireGuard tunnel but access everything else via Mullvad.
Sorry, I gotta learn how to read
Sure, so your DNS is your public IP when you are out and about. Probably not a big deal, I was just curious if anyone knew of a way to eliminate this.
Nope. My IP is always the mullvad IP