I have a home setup with private services and Wireguard to phone in from outside, and would sometimes like to be able to access some of these services from devices that don’t have their own Wireguard client like an eBook reader.

Ideally, I would have Wireguard on my Android phone, create a WiFi hotspot and allow other devices to use that Wireguard connection. Out of the box this doesn’t work. Does anybody know how to achieve it?

  • TerkErJerbs@lemm.ee
    link
    fedilink
    English
    arrow-up
    10
    ·
    2 months ago

    You can (basically) only do this with a rooted phone. There are some permissions issues that prevent the hotspot network adapter from being shared over the VPN client otherwise. This article from Proton is just an ELI5 splainer, you can go deeper with some searches.

    If you have root and/or a custom ROM already (which usually assumes root) it’s not that complicated.

    • tofublOP
      link
      fedilink
      English
      arrow-up
      4
      ·
      2 months ago

      Thanks for the link. I am on Graphene, and if a fellow poster in here is correct that doesn’t help. Bummer.

      • TerkErJerbs@lemm.ee
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        2 months ago

        Yeah sorry I don’t have experience with Graphene but a quick search seems to say root is very difficult with it. Maybe look into flashing a different custom ROM if you really need this.

        One thing I’ve done quite a bit is use my travel router (I have a GL-Inet Slate but there are lots of options) to repeat my hotspot, then connect all my devices via the router. And set the VPN up on the router. This way everything going out over the hotspot is encrypted anyhow.

        For my needs, I can power the Slate by plugging it into my laptop or even my phone via usb-c. It’s very portable and versatile. Ymmv.

        • tofublOP
          link
          fedilink
          English
          arrow-up
          3
          ·
          2 months ago

          Thanks for the ideas. I’ll consider it, although my use case doesn’t really warrant carrying a router around.

          • TerkErJerbs@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 months ago

            Granted, you’re using a home setup. But you could still consider setting up the VPN on a central AP and repeating your hotspot through it to make everything going in and out of your network encrypted and more secure. None of your actual traffic (besides what your phone is emitting) will be in the clear, which is better than nothing.

            Almost any router with VPN and repeater options will accomplish this if you don’t wanna root your phone. I’ve flashed OpenWRT on the equivalent of router potatoes over the years. It’s pretty straightforward.

            • tofublOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              2 months ago

              I agree, it’s a good solution. Just not worth the downsides for my situation currently.

    • masterofn001@lemmy.ca
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      Couldn’t you just use termux or similar to run a tunnel using SSH to the interface?

      Or simply set up a socks listener and forward that IP:port to the IP of the WG interface?

    • nutbutter
      link
      fedilink
      English
      arrow-up
      4
      ·
      2 months ago

      TIL GrapheneOS does not have that option.

      • tofublOP
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        2 months ago

        Dang, also on Graphene…

        here’s a thread with official Graphene voices saying it won’t happen (and why)

        • jet@hackertalks.com
          link
          fedilink
          English
          arrow-up
          6
          ·
          edit-2
          2 months ago

          Yeah, to me it’s a absolute killer feature for a travel phone. The GOS discussion around it boils down to violating the android profile security model.

          E.x., im using a hotel wifi that only allows one device, or I have a esim for one phone only that doesn’t allow “tethering”.

          Fair enough on the security model, but at least give me the option… Maybe with a always on notification warning. Being paternalistic about how you think the phone will be used and in which context is overstepping for infrastructure

          I travel with a backup phone, and because of this I have calyxos on the backup and not gos.

          • tofublOP
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            1
            ·
            2 months ago

            Having strong opinions is what Graphene does. 😅

            And they do seem to be an authority on all things security, so most of the time I like that about them.

  • mFat@lemdro.id
    link
    fedilink
    English
    arrow-up
    3
    ·
    2 months ago

    There is an app called Every Proxy. It doesn’t need root. You just need to adjust proxy settings on your client devices.

    • tofublOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      This looks promising, but I can’t get it to work.

      Wireguard, even though they explicitly mention it in their tutorials, doesn’t have an allow/block list for me, so I can’t allow the proxy network bridge. Curious those settings are gone. Too bad!

      • mFat@lemdro.id
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        You don’t need to do any configuration.

        Just connect to your vpn, start every proxy and confgure your clients.

  • SK@hub.utsukta.org
    link
    fedilink
    arrow-up
    2
    ·
    2 months ago

    This can be achieved with tailscale using subnet routing. your local devices (ebook readers) can access your private servers if they are on a device thats on your tailnet (your phone).

    • tofublOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      Really? How does that work? Maybe it’s time to look into Tailscale after all…