* WireGuard iOS Client Issue
@ 2018-12-30 0:15 Jacob S. Moroni
From: Jacob S. Moroni @ 2018-12-30 0:15 UTC (permalink / raw)
I'm experiencing a small issue with the WireGuard iOS client (beta, from
the App Store), but I'm not really sure if the issue is with the WireGuard
client or iOS itself.
Sorry if this is verbose; it's kind of cumbersome to explain.
Basically, what I found is that if there's, for example, a website being
hosted on the same IP as the VPN server, any access to the site (on the
client) will fail while connected to the VPN. What's interesting is that it
always fails while using the "always on" mode, but _sometimes_ works if
using "on demand" mode.
I'm no iOS developer, but a cursory search leads me to believe that
the two ways of handling VPNs on iOS are fundamentally different.
For example, when using "on demand" mode, certain Apple services
will bypass the VPN, but this will not occur if using "always on" mode.
I have absolutely no idea how the routing works on iOS, but my best
guess is that maybe any accesses to the same IP as the VPN server
are handled explicitly outside of the tunnel and this is somehow breaking
things if you try to access the server by any means other than the VPN.
- Linux server behind NAT with ports 80, 443, and UDP 51820 forwarded.
- WireGuard server running on Linux server.
- Web server also running on same Linux server.
- Hairpin route on the router to allow devices on the LAN to access
the website via its public IP.
- Masquerade rule and IP forwarding enabled on the Linux server to
allow WireGuard clients to access the LAN and Internet.
- iPhone 8 (T-Mo) running the latest WireGuard client app from the App Store.
- "On Demand" option disabled.
- When VPN is disabled and the phone is on LTE, I can access the website
via its public IP without issue.
- When VPN is disabled and the phone is on LAN, I can access the website
via both its public and private LAN IP.
- I can connect to the VPN server without issue both from LTE and from
- When VPN is enabled, I can access any public IP through the VPN from
both LAN and LTE (except the server's, sort of...).
- When VPN is enabled, I can access the website from the server's LAN IP.
- When VPN is enabled, I can't access the website from the server's
- I ran Wireshark on the server's wg0 interface while attempting to
ping various IPs from the iPhone while it was connected to the VPN.
- I was able to ping _any_ IP from the iPhone without issue.
- I can see the ICMP messages on Wireshark for every IP that I
ping _except_ for when I ping the server's public IP.
So, the fact that pinging any IP worked, and I can see them all
in Wireshark except for when I ping the server's IP leads me to
believe that those messages are being routed outside of the tunnel,
which itself seems kind of obvious, but doesn't explain why accesses
to the website don't work.
As a side note, apart from this issue, the WireGuard iOS client has been
working very well. I'm using a mixture of T-Mobile LTE and WiFi, and I haven't
had any issues switching back and forth.
Also, WiFi calling works through the VPN, which might seem obvious, but was
impressive to me since WiFi calling barely works on a regular LAN WiFi connection...
Jacob S. Moroni
WireGuard mailing list
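The report above hinges on a routing detail: a client whose AllowedIPs is 0.0.0.0/0 still has to deliver the encrypted UDP packets to the server's Endpoint outside the tunnel, so that one host address is carved out of the tunnel routes, and anything else served on that same address (here, the website) is reached outside the VPN as a side effect. The script below is an added illustration of that carve-out; it is not code from the WireGuard project or from the poster. It parses a constructed client config (the 203.0.113.0/24 addresses are a documentation range, not real hosts) and assumes the Endpoint is a literal IP address rather than a hostname.

```python
"""Show which destinations a WireGuard client config actually sends through the tunnel.

Added example (not WireGuard project code). For each [Peer] it reports whether the
Endpoint address lies inside that peer's AllowedIPs and, if so, what AllowedIPs looks
like once the endpoint host is excluded, which is the set the tunnel really carries.
"""
import ipaddress
from typing import Dict, List

# Constructed sample client config; keys are placeholders, 203.0.113.x is TEST-NET-3.
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = <client private key placeholder>
Address = 10.8.0.2/24

[Peer]
PublicKey = <server public key placeholder>
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
"""


def parse_peers(config_text: str) -> List[Dict[str, str]]:
    """Return one dict of lower-cased key -> value per [Peer] section."""
    peers: List[Dict[str, str]] = []
    current = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            current = {} if line.strip("[]").lower() == "peer" else None
            if current is not None:
                peers.append(current)
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return peers


def allowed_networks(peer: Dict[str, str]) -> List[ipaddress._BaseNetwork]:
    """AllowedIPs as network objects (comma separated in the config)."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in peer.get("allowedips", "").split(",") if p.strip()]


def endpoint_address(peer: Dict[str, str]) -> ipaddress._BaseAddress:
    """Host part of Endpoint; assumes a literal IP, handles [v6]:port too."""
    host, _, _ = peer["endpoint"].rpartition(":")
    return ipaddress.ip_address(host.strip("[]"))


def endpoint_inside_allowed_ips(peer: Dict[str, str]) -> bool:
    """True when the server's own address would be routed into the tunnel."""
    ep = endpoint_address(peer)
    return any(ep in net for net in allowed_networks(peer) if net.version == ep.version)


def tunneled_networks(peer: Dict[str, str]) -> List[ipaddress._BaseNetwork]:
    """AllowedIPs with the endpoint host (/32 or /128) carved out."""
    ep = endpoint_address(peer)
    ep_net = ipaddress.ip_network(ep)
    result: List[ipaddress._BaseNetwork] = []
    for net in allowed_networks(peer):
        if net.version == ep.version and ep in net:
            result.extend(net.address_exclude(ep_net))  # empty if net == ep_net
        else:
            result.append(net)
    return sorted(result, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def routed_via_tunnel(peer: Dict[str, str], destination: str) -> bool:
    """Would traffic to `destination` enter the tunnel? The endpoint host never does."""
    dst = ipaddress.ip_address(destination)
    if dst == endpoint_address(peer):
        return False
    return any(dst in net for net in allowed_networks(peer) if net.version == dst.version)


if __name__ == "__main__":
    for peer in parse_peers(SAMPLE_CONFIG):
        ep = endpoint_address(peer)
        print(f"endpoint {ep}: inside AllowedIPs = {endpoint_inside_allowed_ips(peer)}")
        for net in tunneled_networks(peer):
            print("  tunnel carries", net)
```

With the sample config the endpoint is inside AllowedIPs, and the 0.0.0.0/0 route becomes 32 prefixes that together cover every address except 203.0.113.10; that is exactly the hole a website co-hosted on the server's public IP falls into, which is why moving such a service to a different address (or reaching it by the server's LAN IP through the tunnel, as the poster did) avoids the problem.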
WireGuard Archive on lore.kernel.org