31

I have a home setup with private services and Wireguard to phone in from outside, and would sometimes like to be able to access some of these services from devices that don't have their own Wireguard client like an eBook reader.

Ideally, I would have Wireguard on my Android phone, create a WiFi hotspot and allow other devices to use that Wireguard connection. Out of the box this doesn't work. Does anybody know how to achieve it?

all 23 comments
sorted by: hot top controversial new old
[-] TerkErJerbs@lemm.ee 10 points 1 month ago

You can (basically) only do this with a rooted phone. There are some permissions issues that prevent the hotspot network adapter from being shared over the VPN client otherwise. This article from Proton is just an ELI5 splainer, you can go deeper with some searches.

If you have root and/or a custom ROM already (which usually assumes root) it's not that complicated.

[-] tofubl@discuss.tchncs.de 4 points 1 month ago

Thanks for the link. I am on Graphene, and if a fellow poster in here is correct that doesn't help. Bummer.

[-] TerkErJerbs@lemm.ee 5 points 1 month ago* (last edited 1 month ago)

Yeah sorry I don't have experience with Graphene but a quick search seems to say root is very difficult with it. Maybe look into flashing a different custom ROM if you really need this.

One thing I've done quite a bit is use my travel router (I have a GL-Inet Slate but there are lots of options) to repeat my hotspot, then connect all my devices via the router. And set the VPN up on the router. This way everything going out over the hotspot is encrypted anyhow.

For my needs, I can power the Slate by plugging it into my laptop or even my phone via usb-c. It's very portable and versatile. Ymmv.

[-] tofubl@discuss.tchncs.de 3 points 1 month ago

Thanks for the ideas. I'll consider it, although my use case doesn't really warrant carrying a router around.

[-] TerkErJerbs@lemm.ee 1 points 1 month ago

Granted, you're using a home setup. But you could still consider setting up the VPN on a central AP and repeating your hotspot through it to make everything going in and out of your network encrypted and more secure. None of your actual traffic (besides what your phone is emitting) will be in the clear, which is better than nothing.

Almost any router with VPN and repeater options will accomplish this if you don't wanna root your phone. I've flashed OpenWRT on the equivalent of router potatoes over the years. It's pretty straightforward.

[-] tofubl@discuss.tchncs.de 1 points 1 month ago

I agree, it's a good solution. Just not worth the downsides for my situation currently.

[-] masterofn001@lemmy.ca 1 points 1 month ago

Couldn't you just use termux or similar to run a tunnel using SSH to the interface?

Or simply set up a socks listener and forward that IP:port to the IP of the WG interface?

[-] jet@hackertalks.com 8 points 1 month ago

lineageOS, and CalyxOS both let you share vpn over hotspot connections.

[-] nutbutter@discuss.tchncs.de 4 points 1 month ago

TIL GrapheneOS does not have that option.

[-] tofubl@discuss.tchncs.de 4 points 1 month ago* (last edited 1 month ago)

Dang, also on Graphene...

here's a thread with official Graphene voices saying it won't happen (and why)

[-] jet@hackertalks.com 5 points 1 month ago* (last edited 1 month ago)

Yeah, to me it's a absolute killer feature for a travel phone. The GOS discussion around it boils down to violating the android profile security model.

E.x., im using a hotel wifi that only allows one device, or I have a esim for one phone only that doesn't allow "tethering".

Fair enough on the security model, but at least give me the option... Maybe with a always on notification warning. Being paternalistic about how you think the phone will be used and in which context is overstepping for infrastructure

I travel with a backup phone, and because of this I have calyxos on the backup and not gos.

[-] tofubl@discuss.tchncs.de 3 points 1 month ago

Having strong opinions is what Graphene does. 😅

And they do seem to be an authority on all things security, so most of the time I like that about them.

[-] mfat 3 points 1 month ago

There is an app called Every Proxy. It doesn't need root. You just need to adjust proxy settings on your client devices.

[-] tofubl@discuss.tchncs.de 1 points 1 month ago

This looks promising, but I can't get it to work.

Wireguard, even though they explicitly mention it in their tutorials, doesn't have an allow/block list for me, so I can't allow the proxy network bridge. Curious those settings are gone. Too bad!

[-] mfat 1 points 1 month ago

You don't need to do any configuration.

Just connect to your vpn, start every proxy and confgure your clients.

[-] sk@hub.utsukta.org 2 points 1 month ago

This can be achieved with tailscale using subnet routing. your local devices (ebook readers) can access your private servers if they are on a device thats on your tailnet (your phone).

[-] tofubl@discuss.tchncs.de 1 points 1 month ago

Really? How does that work? Maybe it's time to look into Tailscale after all...

[-] sk@hub.utsukta.org 3 points 1 month ago

@tofubl tailscale is a mesh network that connects your clients together. and those clients would run a tailscale client on them. There is an additional option of sharing the local network that your device is on with your main tailscale network, thus connecting all your home devices to your private self hosted server network.
This page has more details along with a video that goes in detail: #^https://tailscale.com/kb/1019/subnets

[-] tofubl@discuss.tchncs.de 1 points 1 month ago

Much obliged.

[-] ohellidk@sh.itjust.works 1 points 1 month ago

Check out the "VPN hotspot" app from the play store. You'll need root, unfortunately.

[-] tofubl@discuss.tchncs.de 1 points 1 month ago

Thanks, but not an option.

[-] maniacalmanicmania@aussie.zone 1 points 1 month ago

I think this is a limitation of Android that cannot be overcome.

this post was submitted on 06 Oct 2024
31 points (97.0% liked)

Selfhosted

40298 readers
1135 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS