How do you use VPN?
from ExLisper@lemmy.curiana.net to selfhosted@lemmy.world on 09 Apr 06:14
https://lemmy.curiana.net/post/506808
I’m trying to set up my VPN and I’m a bit confused here.
I have a commercial VPN subscription that I’m using on my phone and laptop. Now I’ve set up WireGuard on my OpenWRT router to access my home network remotely. I can connect to it from my phone, but from what I see there’s no way to have both the commercial VPN and my local network WG active at the same time (both are using WG, so I’m trying to create a WG config with two peers, but I don’t think it’s possible).
So what do people actually do? From what I see I have 3 options:
- Don’t use commercial VPN on my phone, only use WG to access my network
- Switch between VPNs manually whenever I want to access my network
- Set up the commercial VPN on my router, move all my network’s traffic through this VPN and move all traffic from my phone through my home network.
Am I missing something? What’s the typical approach here? I thought that what I’m trying to do is basic scenario but it looks like it’s not that simple if at all possible.
I have not used such a configuration, but I believe that it’s fine to have multiple WireGuard VPNs concurrently up, at least from a Linux client standpoint. I have no idea whether your phone’s client permits that — it could well be that it can’t do it.
Your routing table would have the default route go to a host on one of them (and your Internet-bound traffic would go there), but you should be able to have it be either. Or neither — I’ve set up a WireGuard configuration with a Linux client where the default route wasn’t over the WireGuard VPN, and only traffic destined for the LAN at the other end of the WireGuard VPN traversed the WireGuard VPN.
From Linux’s standpoint, a WireGuard VPN is just like another NIC on the host. You say “all traffic destined for this address range heads out this NIC”. Just that the NIC happens to be virtual and to be software that tunnels the traffic.
EDIT:
It sounds like this is an Android OS-level limitation:
…stackexchange.com/…/are-there-technical-limitati…
That same page does mention that you can have apps running in different profiles using different VPNs at the same time. That might be an acceptable workaround for you.
The Android limitation is exactly what I found - only one VPN at a time. I checked the work profile trick and it does work, I can have two VPNs running. This is not ideal as apps from one profile still won’t use the commercial VPN but maybe I can live with that. I will do some more testing. Thanks for the tip.
If you use an app like RethinkDNS, it will allow you to run multiple, simultaneous VPN connections and then choose how you want to route your traffic.
I have the same situation as you. I run two VPN connections. One to home and one to a VPS. I route all traffic to 10/8 to the home VPN, certain apps to my VPS VPN and then the rest of the traffic via the local connection.
RethinkDNS also does local DNS filtering and allows you to specify which DNS service to use. I run my own DoT service that backs off to the PiHole at home.
Ah, so I bet what they’re doing is looking like a single VPN from the Android OS level, setting a default route into that, and then doing routing in userspace.
Can it connect to the VPNs simultaneously though? I don’t have it, but from what I see it can have configurations from multiple vpns but only one can be up at a time.
Yep. I have two at the same time.
I use Tailscale with an exit node container that forwards all traffic to the commercial VPN via a wireguard config. This “hopping” solution serves me well enough, and works for Android too.
If you want to simultaneously have two VPN interfaces, you may wanna consult this and this guide. The principle should apply with non-Tailscale wireguards too I think
So you’re using tailscale android app as the only VPN and all traffic from your phone goes through your local network, yes?
Your tailscale exit node is deployed on some server in your network, right? (I’ve set up my WG server on my router) Does your router just port forward all tailscale traffic to it?
Yes, the app is the only “Android VPN”. The exit node is deployed on another network, but there should be no problem deploying it locally.
My phone would be attempting to make direct WireGuard connections to my other Tailscale nodes (be it the server, the exit node, or any other device), so it’ll prefer local connections. When it can’t (e.g. in a different and restrictive network), it will relay this traffic through DERP servers. Tailscale automates these processes very well, so no port forwarding is needed.
Note that to establish these encrypted direct tunnels, Tailscale clients have to talk to a control server to fetch required metadata. I selfhost this piece via Headscale along with the DERP servers. The stack would be quite complicated for those who already had a wireguard tunnel, but I found myself liking it because Tailscale has other cool features too.
Alternatively, I guess you could also do “split-route” by defining different peers in your Android WireGuard app, and use different AllowedIPs for them.
That’s exactly what I’ve been trying but it doesn’t work. Only one peer is able to do a handshake. It looks like it should work but I actually haven’t seen anyone recommending this or saying they managed to set it up. Everyone just ends up routing everything through the private VPN. I will read some more about Tailscale but I think it’s overkill for me. I will probably just use different VPNs in separate Android profiles.
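The two comments above (the “WireGuard is just another NIC, route by address range” explanation and the “different peers with different AllowedIPs” idea) both come down to WireGuard’s cryptokey routing: an interface has exactly one private key, and every destination address is matched to exactly one peer by longest-prefix match over the peers’ AllowedIPs. The script below is an added illustration, not code from this thread or from WireGuard itself. It parses two constructed wg-quick style client configs (the keys, hostnames and addresses are placeholders), merges them into one two-peer interface the way a single WireGuard interface would see them, and reports which peer each destination would be sent to, plus the two things that commonly break such a merge: the two configs carrying different private keys (only one can be used, so the other server never sees a key it knows) and one peer’s prefix being moved to the other peer.

```python
"""Simulate WireGuard cryptokey routing for one interface with several peers.

Added example, not from the thread or the WireGuard project. Sample configs
are constructed; keys, endpoints and addresses are placeholders. The rules
mirror WireGuard's documented behaviour: one private key per interface, each
AllowedIPs prefix belongs to exactly one peer (adding it to another peer moves
it), and a destination is routed by longest-prefix match over those prefixes.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Net = ipaddress._BaseNetwork  # IPv4Network | IPv6Network


@dataclass
class Peer:
    name: str
    public_key: str = ""
    endpoint: Optional[str] = None
    allowed_ips: List[Net] = field(default_factory=list)


@dataclass
class WgConfig:
    private_key: Optional[str]
    addresses: List[str]
    peers: List[Peer]


def parse_wg_conf(text: str, name: str) -> WgConfig:
    """Minimal parser for [Interface]/[Peer] blocks (wg-quick .conf style)."""
    section, private_key, addresses, peers = None, None, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append(Peer(name=f"{name}#{len(peers) + 1}"))
            continue
        key, _, value = line.partition("=")  # base64 keys may end in '=', so split on the first '='
        key, value = key.strip().lower(), value.strip()
        if section == "interface":
            if key == "privatekey":
                private_key = value
            elif key == "address":
                addresses += [a.strip() for a in value.split(",")]
        elif section == "peer":
            p = peers[-1]
            if key == "publickey":
                p.public_key = value
            elif key == "endpoint":
                p.endpoint = value
            elif key == "allowedips":
                p.allowed_ips += [ipaddress.ip_network(a.strip()) for a in value.split(",")]
    return WgConfig(private_key, addresses, peers)


class CryptokeyTable:
    """One WireGuard interface: prefix -> owning peer, last writer wins (like `wg set`)."""

    def __init__(self) -> None:
        self.table: Dict[Net, str] = {}

    def add_peer(self, peer: Peer) -> List[str]:
        moved = []
        for net in peer.allowed_ips:
            owner = self.table.get(net)
            if owner and owner != peer.name:
                moved.append(f"{net} moved from {owner} to {peer.name}")
            self.table[net] = peer.name
        return moved

    def route(self, dst: str) -> Optional[str]:
        """Longest-prefix match: the single peer this destination is encrypted to."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Tuple[Net, str]] = None
        for net, peer in self.table.items():
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None


def merge(configs: List[WgConfig]) -> Tuple[CryptokeyTable, List[str]]:
    """Fold several client configs into one interface; return table and warnings."""
    warnings: List[str] = []
    if len({c.private_key for c in configs}) > 1:
        warnings.append("configs use different private keys; one interface has one key, "
                        "so every server must be given that same phone public key")
    table = CryptokeyTable()
    for c in configs:
        for p in c.peers:
            warnings += table.add_peer(p)
    return table, warnings


# Constructed sample configs (placeholders, not real keys or hosts).
HOME_CONF = """
[Interface]
PrivateKey = PHONE_KEY_A=
Address = 10.10.10.2/32
[Peer]
PublicKey = HOME_ROUTER_PUB=
Endpoint = home.example:51820
AllowedIPs = 10.10.10.0/24, 192.168.1.0/24   # only the home LAN and WG subnet
"""
VPN_CONF = """
[Interface]
PrivateKey = PROVIDER_ISSUED_KEY_B=
Address = 10.64.0.7/32
[Peer]
PublicKey = PROVIDER_PUB=
Endpoint = vpn.example:51820
AllowedIPs = 0.0.0.0/0                          # everything else
"""


def demo() -> Tuple[Dict[str, Optional[str]], List[str]]:
    table, warnings = merge([parse_wg_conf(HOME_CONF, "home"), parse_wg_conf(VPN_CONF, "vpn")])
    return {d: table.route(d) for d in ("192.168.1.10", "10.10.10.1", "1.1.1.1")}, warnings


def demo_overlap() -> List[str]:
    """Failure mode: both configs claim 0.0.0.0/0, so the later peer takes it."""
    home_all = HOME_CONF.replace("10.10.10.0/24, 192.168.1.0/24", "0.0.0.0/0")
    _, warnings = merge([parse_wg_conf(home_all, "home"), parse_wg_conf(VPN_CONF, "vpn")])
    return warnings


if __name__ == "__main__":
    routes, warns = demo()
    for dst, peer in routes.items():
        print(f"{dst:>14} -> {peer}")
    for w in warns + demo_overlap():
        print("warning:", w)
```

With the two configs as written, the LAN and the WG subnet go to the home peer and everything else to the provider peer, which is the split-route outcome the comment above describes. The warning about differing private keys is the caveat: the merged interface can carry only one of them, so the server whose config was dropped has to be told the public key of the one that was kept, or it will never complete a handshake.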
If you’re using Mullvad as your VPN Tailscale supports it right out of the box. You could use Tailscale only and use Mullvad’s VPN as an exit node. This is probably the easiest and most out-of-the-box ready solution.
I am running tailscale to access my homelab and my exit node and I use a wireguard protonVPN connection for that exit node. It involved messing with nftables, check this for more info. In theory, you could do the same with two wireguard connections. One connection in and one as an exit. Maybe an easier solution would be having these on separate machines/vms. Having the exit vpn on the openWRT as default for all connections and then the connection in on a separate container or vm, and it would exit through the router. I am not sure but I think the wireguard then naturally exits through the router (gateway).
I’m using two different setups:
Phone with wireguard app:
Laptop with wireguard app and VPN installed as browser extension:
Really depends on what you need. For me this setup fits my bill.
But there’s also tailscale (which you can also selfhost: headscale)
Additionally you could also set up your own independent wireguard server to get more granular control for routing and firewalling. But you would need a device that’s running 24/7 (same for headscale). A raspberry pi would probably be enough for that.
Looks like most people are doing some version of option 3, routing everything through home network. I hoped there’s a simpler way but maybe I just have to go in this direction.
One question, the VPN client on your router routes everything from your network or just the phone?
I can route selected devices/groups/VLANs through the client. That’s how I’m using it with my phone. Phone connects to wireguard server. Wireguard server IP is in the router’s VPN client list for outbound traffic.
➡️ local access + VPN for web
I created a work profile on my Android phone with the Insular app from F-Droid (but there are alternatives on Google Play too). I connect tailscale to the home server there and put all the necessary apps there too. The basic profile has the commercial VPN with split tunneling per app.
But I check threads and there are better alternatives.
Netmaker looks really nice. Has the lowest requirement, self-hosted and open-source. I will give it a shot but if the setup is too complicated I will just go with separate profile and wireguard.
Does your commercial VPN have a Kill Switch? I had trouble getting both Tailscale and the commercial VPN to play nice together until I turned off the Kill Switch.
I have done what you are looking for on OPNsense. And I’m pretty sure it can also be done with OpenWRT.
You will need to setup multi WAN and setup some static routes and use your RoadWarrior setup.
Aka you want this:
Phone › Via Wireguard › OpenWRT › Via Wireguard › VPN provider
I don’t have a guide on how to do it but I will try to find one and update this comment if I do. But here are some Guides that might help you in creating it!
Multi WAN Guide
MullvadVPNs OpenWRT Guide for Wireguard (Should work with other providers)
OpenWRT Wireguard Guides
I’m also including the guide to set up Roadwarrior & External VPN provider for OPNsense so you can get an idea of how it should be done and work
OPNsense guide I used to create my Wireguard WAN
OPNsense guide I also used for Wireguard WAN
OPNsense Guide I used for my Roadwarrior Setup
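The chain the comment above sketches (Phone › via WireGuard › OpenWRT › via WireGuard › VPN provider) is, on OpenWRT, two WireGuard interfaces plus policy routing so that only the road-warrior subnet takes the provider tunnel while the rest of the LAN keeps the normal WAN. The excerpt below is an added example of /etc/config/network, not taken from any of the linked guides; interface names (wg_home, wg_vpn), the 10.10.10.0/24 road-warrior subnet, the 192.168.1.0/24 LAN, routing table number 100 and every key, endpoint and address are placeholders. Firewall zones (a zone for wg_vpn with masquerading, forwarding allowed from the wg_home zone) are also needed and are not shown.

```uci
# /etc/config/network (excerpt, added example; all values are placeholders)

# 1. Road-warrior server: the phone connects to this interface.
config interface 'wg_home'
	option proto 'wireguard'
	option private_key '<router-private-key>'
	option listen_port '51820'
	list addresses '10.10.10.1/24'

config wireguard_wg_home
	option description 'phone'
	option public_key '<phone-public-key>'
	list allowed_ips '10.10.10.2/32'
	option route_allowed_ips '1'

# 2. Client tunnel to the commercial provider (keys and endpoint from the provider's config).
config interface 'wg_vpn'
	option proto 'wireguard'
	option private_key '<provider-issued-private-key>'
	list addresses '<provider-assigned-address>/32'

config wireguard_wg_vpn
	option description 'provider'
	option public_key '<provider-server-public-key>'
	option endpoint_host '<provider-endpoint>'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '0'          # must stay 0: otherwise the whole router's default route moves into the tunnel
	option persistent_keepalive '25'

# 3. Routing table 100 holds only a default route into the provider tunnel.
config route
	option interface 'wg_vpn'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '100'

# 4. Policy rules, lowest priority number first.
#    Traffic from the phone to the home LAN must keep using the main table,
#    or it would also be thrown into the provider tunnel by the rule below.
config rule
	option src '10.10.10.0/24'
	option dest '192.168.1.0/24'
	option lookup 'main'
	option priority '90'

#    Everything else sourced from the road-warrior subnet uses table 100.
config rule
	option src '10.10.10.0/24'
	option lookup '100'
	option priority '100'
```

On the phone side this pairs with a single WireGuard config whose only peer is the router with AllowedIPs = 0.0.0.0/0, so the phone sees one VPN (the Android limit discussed above) while the router decides per source address which traffic leaves via the provider. The `dest`/`lookup main` rule is the check worth testing first: from the phone, reach a LAN host and then look up your public address, and confirm the former goes direct and the latter shows the provider’s exit.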
Thanks, for now that’s what I will try to do but using Netmaker. I think it’s overkill for what I need but it will be good practice.
I just route everything through my home connection.