Connecting to WireGuard when on same network as 'server'

I’ve searched far and wide for a solution for my problem and haven’t been able to find it, so thanks in advance for the patience if this is a noob question.

I’ve set up WireGuard on my home server, my personal laptop and phone. The connection works fine if I, e.g., use my phone while on a friend’s WiFi (i.e. at their house) or using mobile data. The same applies to my laptop. In summary, both work fine with the wg0 interface up whenever I don’t use the same network as my home server.

However, whenever I set WireGuard to be up on my devices while connected to the same network as my home server (that is, my home network), I cannot access the internet, only local addresses (localhost:XXXXX etc.). My workaround has been to disable WireGuard when I’m at home, which isn’t a big deal on my phone — I use Android and can simply tap the WireGuard tile from the notification view and it’s all good —, but can be annoying on my laptop (open terminal, wg-quick down wg0, and done).

Admittedly, it isn’t that big of a deal, but I’d like for it to “just work”, i.e. simply not needing manual intervention to be connected to my home network, unless it is down or something.

So there you have it: how could I set up WireGuard on my devices so that I don’t have to touch it to use it regularly?

Just for the record, I’ve used this script to install WireGuard quickly on my phone and laptop, after fiddling around with it manually. Moreover, this is what the configuration on my laptop looks like:

[Interface]
Address = 10.7.0.4/24, fddd:2c4:2c4:2c4::4/64
DNS = 192.168.0.2
PrivateKey = PK

[Peer]
PublicKey = PbK
PresharedKey = PSK
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = mydomain.net:51820
PersistentKeepalive = 25

Finally, I’ve come across this Reddit link, which seems to address my problem, though I couldn’t figure out for the life of me what is meant by “typing the internal IP of [my] server peer in the phone’s Wireguard config”.

Also, maybe off-topic, but how are you able to connect to WireGuard on some public networks? I tried connecting while on a cafe, but, apparently, the port I used was blocked.

On-Demand feature on Wireguard VPN “seamlessly creates a protected VPN connection to keep your device away from cyber threats once you leave your home WiFi environment, and use public WiFi or mobile cellular.”

Link to article:

https://www.asus.com/support/FAQ/1048916

Simply add the SSID of your home Wi-Fi network to be whitelisted or blacklisted. There is an option for Ethernet on the Wireshark macOS version (can’t confirm Windows at the time of writing this) and a cellular option on the mobile WireGuard app.

I had the same issue, exactly as you described.
After searching far and wide and not finding an answer, I decided to tweak the settings on my own. I got the following to resolve this issue for me:

Create another WireGuard configuration that is only used when you’re on the same network as your server, call it wg0-local for example.

wg0-local will be a copy of wg0 except that in the Endpoint you will specify your server’s IP address on your local network instead of a public IP or a dynamic DNS URL.

Example: instead of Endpoint = mydomain.net:51820 you will have Endpoint = 196.168.1.200:51820

My best understanding of why this works is that when you’re connected to the same network as the WireGuard server, traffic from your client (laptop, phone, etc.) needs to be routed through the VPN tunnel. However, since both the client and server are on the same local network, the routing table might prioritize local routing instead of sending the traffic through the VPN. This can result in issues where DNS resolution fails or traffic doesn’t get routed correctly through the VPN.

Since you mentioned that you just turn it off when this happens, I’m assuming you don’t need your VPN to access anything on your home network. But others (like me) may have hidden all their services and ports behind the VPN, so they can only be accessed when you are connected to the VPN, in which case this workaround is still useful. (Ex: I only allow SSH connections coming from the wg0 interface and set the listen address to that of my server, which works due to the masquerade rules I have added.)
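A scripted version of this two-profile approach, added here as an example (not the commenter’s own code): it derives wg0-local.conf from wg0.conf by swapping only the Endpoint line, and picks the profile from whether a non-WireGuard interface already holds an address in the server’s subnet. The server LAN address 192.168.0.2 and the /etc/wireguard path are assumptions taken from the OP’s config; the /24 subnet assumption is marked in the code.

```shell
#!/bin/sh
# Added example, not from the thread: keep two wg-quick profiles, wg0 (public
# endpoint) and wg0-local (LAN endpoint), and bring up whichever matches the
# network the laptop is on. Server LAN address and config directory are
# assumptions taken from the OP's config (DNS = 192.168.0.2).
set -eu

WG_CONF_DIR="${WG_CONF_DIR:-/etc/wireguard}"
SERVER_LAN_IP="${SERVER_LAN_IP:-192.168.0.2}"
SERVER_PORT="${SERVER_PORT:-51820}"

# Rewrite only the Endpoint line of a wg0.conf read on stdin; keys, DNS and
# AllowedIPs stay identical, so it is the same tunnel, just reached on-link.
make_local_conf() {
    sed -E "s|^([[:space:]]*Endpoint[[:space:]]*=[[:space:]]*).*|\1${SERVER_LAN_IP}:${SERVER_PORT}|"
}

# Read `ip -o -4 addr show` output on stdin and succeed if a non-WireGuard
# interface holds an address in the server's subnet (assumed to be a /24).
on_server_lan() {
    prefix="${SERVER_LAN_IP%.*}."
    while read -r _idx dev _fam addr _rest; do
        case "$dev" in wg*) continue ;; esac        # the tunnel's own address does not count
        case "$addr" in "$prefix"*) return 0 ;; esac
    done
    return 1
}

# Map the interface listing on stdin to the profile name to use.
choose_profile() {
    if on_server_lan; then echo wg0-local; else echo wg0; fi
}

# Bring up the matching profile and take the other one down (needs root).
switch_profile() {
    want="$(ip -o -4 addr show | choose_profile)"
    other=wg0
    if [ "$want" = wg0 ]; then other=wg0-local; fi
    if wg show "$other" >/dev/null 2>&1; then wg-quick down "$other"; fi
    if ! wg show "$want" >/dev/null 2>&1; then wg-quick up "$want"; fi
}

case "${1:-}" in
    gen)   make_local_conf < "$WG_CONF_DIR/wg0.conf" > "$WG_CONF_DIR/wg0-local.conf" ;;
    apply) switch_profile ;;
esac
```

Run it once with `gen` to write wg0-local.conf, then hook `apply` into whatever fires on a network change (a NetworkManager dispatcher script on Linux, for example) so the right profile comes up without typing wg-quick by hand. The LAN check deliberately ignores wg* interfaces: once a tunnel is up, its own address says nothing about where the laptop physically is.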

Hey man, so apparently you can, in the app, click On-Demand Activation, tick both Wi-Fi and Cellular, and there you can set “except this SSID” and set it to your home Wi-Fi. Works great on iPhone.

Perhaps use a split tunnel? It’s been a while since I set mine up, but under allowed IPs I put the IP range of my work network in there.

You can solve this by creating a dns server at home and mapping your services domain to:

Wireguard ip on public dns
Or add a dns server to your wireguard network
Local ip on your local home network

Hi, did you happen to get this working? I’m not able to figure out how to do this either. When I’m connected to the LAN where my WireGuard server is, I can access the internet but I can’t access my services. When I’m connected to a network other than my LAN and connect to WireGuard, I can access all my services.

Thanks!

Wow, thanks for answering after such a long time. This would’ve been the perfect solution for me, but, sadly (for this purpose, I mean), I’m on Linux and on Android, so this isn’t an option.

Again, thanks for the heads up, anyway!

Hey, I looked around a bit and I think I could grasp the concept of split tunnels… So I thought I might ask: how did you go about doing your setup?

I have a Pi-hole set up at home, so I think this could be done. Could you elaborate on what you mean? I’m afraid I couldn’t quite understand the options you listed.

Yeah.

I’m also having the exact same (I think) problem as OP.

I implemented Split DNS (for many years now; it is always a headache, but I can somehow tame this beast to do what I want).

When I’m in the same network, almost next to the wg-server, and I monitor traffic in Wireshark, it won’t get past the “Handshake”.

If I connect the very same laptop to my mobile phone’s hotspot (to reach the WireGuard server from outside), it works flawlessly.

I can’t figure out why…

So my home network is a 192.168.0.x network, and the work one is 192.168.1.x

192.168.1.0/24

By having that as allowed IPs, only 192.168.1.x will go through VPN, all other IPs just work as normal

So it works like this:

Your home network will have a DNS server (Pi-hole would be great); in the DNS server, you map out the domains for your local network. For example:

seafile.ppugliesi.com → 192.168.3.40

nextcloud.ppugliesi.com → 192.168.3.55

proxmox.ppugliesi.com → 192.168.3.75

You also configure your router to use your new Pi-hole as a DNS server. So when a client connects to your home network, the DHCP lease will have your Pi-hole’s address for DNS. The clients will ask your Pi-hole for the DNS mappings. Your phone will get the local IP of the service.

Globally you will assign the DNS addresses for your services as

seafile.ppugliesi.com → 10.0.0.10

nextcloud.ppugliesi.com → 10.0.0.11

proxmox.ppugliesi.com → 10.0.0.12

I assume 10.0.0.1/24 is your subnet for your WireGuard VPN network. So outside, whenever you want to use your services, the global DNS will map it to the VPN IP address, and your phone will go through the VPN (while the VPN is on).

While at your own house, your services will be mapped to local IPs, so your phone will not try to go through the VPN.
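As an added example (not part of any post in this thread), this POSIX shell script models the split-horizon scheme just described together with the AllowedIPs routing decision from the split-tunnel reply earlier: the same service name resolves to a LAN address at home and to a tunnel address away, and each answer is then either reached directly or sent into the tunnel. The hostnames and addresses are the ones from the post; the client’s on-link prefixes (192.168.3.0/24 at home, 172.20.10.0/28 on a phone hotspot) and the AllowedIPs values are assumptions.

```shell
#!/bin/sh
# Added example, not from any post in the thread: model split-horizon DNS
# plus the AllowedIPs routing decision, to see which address a client gets
# for a service and whether that address is reached directly or through the
# tunnel. Records are the ones from the post; on-link prefixes and
# AllowedIPs values passed in below are assumptions.
set -eu

# Pi-hole answers at home (LAN addresses); the public zone answers away
# from home (WireGuard tunnel addresses).
HOME_RECORDS='seafile.ppugliesi.com=192.168.3.40
nextcloud.ppugliesi.com=192.168.3.55
proxmox.ppugliesi.com=192.168.3.75'
PUBLIC_RECORDS='seafile.ppugliesi.com=10.0.0.10
nextcloud.ppugliesi.com=10.0.0.11
proxmox.ppugliesi.com=10.0.0.12'

# resolve NAME HORIZON -> address (HORIZON is "home" or "away")
resolve() {
    if [ "$2" = home ]; then table="$HOME_RECORDS"; else table="$PUBLIC_RECORDS"; fi
    printf '%s\n' "$table" | sed -n "s/^$1=//p"
}

# dotted quad -> 32-bit integer
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR -> success if ADDR lies inside CIDR (a bare address is /32)
in_cidr() {
    case "$2" in */*) ;; *) set -- "$1" "$2/32" ;; esac
    net="${2%/*}"; bits="${2#*/}"
    if [ "$bits" -eq 0 ]; then return 0; fi
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# path_for DEST ONLINK_PREFIX ALLOWEDIPS -> "direct" or "tunnel"
# On-link destinations stay direct even with AllowedIPs = 0.0.0.0/0, because
# wg-quick adds a "lookup main suppress_prefixlength 0" rule that lets every
# specific main-table route win over the tunnel's default route.
path_for() {
    if in_cidr "$1" "$2"; then echo direct; return 0; fi
    for cidr in $(printf '%s' "$3" | tr ',' ' '); do
        case "$cidr" in *:*) continue ;; esac   # IPv6 entries are out of scope here
        if in_cidr "$1" "$cidr"; then echo tunnel; return 0; fi
    done
    echo direct
}

# reach NAME HORIZON ONLINK_PREFIX ALLOWEDIPS -> "ADDRESS PATH"
reach() {
    addr="$(resolve "$1" "$2")"
    echo "$addr $(path_for "$addr" "$3" "$4")"
}

# Every tunnel-side record must fall inside AllowedIPs; otherwise the
# away-from-home answer is an address the client has no tunnel route for.
check_vpn_records() {
    rc=0
    for rec in $PUBLIC_RECORDS; do
        if ! in_cidr "${rec#*=}" "$1"; then echo "not routed via tunnel: $rec"; rc=1; fi
    done
    return $rc
}

# Walk the three services at home (client on 192.168.3.0/24) and away (client
# on a phone hotspot, 172.20.10.0/28) with a split tunnel of AllowedIPs = 10.0.0.0/24.
for svc in seafile nextcloud proxmox; do
    echo "$svc home: $(reach "$svc.ppugliesi.com" home 192.168.3.0/24 10.0.0.0/24)"
    echo "$svc away: $(reach "$svc.ppugliesi.com" away 172.20.10.0/28 10.0.0.0/24)"
done
check_vpn_records 10.0.0.0/24 && echo "all tunnel records fall inside AllowedIPs"
```

The check at the end is the one worth keeping around when you add a service: a public record pointing at an address outside AllowedIPs resolves fine away from home but never enters the tunnel, which is exactly the “I can’t access my services” symptom described earlier in the thread.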

Thank you for the simple explanation, I will experiment with this.

Makes sense. Thank you so much for the detailed answer; this seems a little bit involved to setup for each service I want to serve, but I think I’ll definitely learn a lot from this.

Hope you get it sorted, mate.
This works for a bunch of computers connected through the WireGuard.
And yep, had the same problems as you describe before setting it up.

How do you map your DNS right now?

Uh, I hope it’s not weird to get back to you such a long time after, but I figured this out just recently. I have the Endpoint pointed at a DDNS service I use to indicate my homeserver’s IP address. What I did was map mydomain.net to my local IP (192.168.0.2) on my pihole and everything works as expected. I did map my other services as you indicated on your earlier reply, which was nice, so thank you.

You can map your external DNS to the VPN or your public IP, so when you are out of home (out of reach of your Pi-hole) you can still use the same DNS name to reach your server.