Mobile Client Workflow

[dionorgua]

It would be cool to hear your proposal on how to use it with Android phones.

I think the goal should be somehow close to tailscale:

• ability to 'roam' from home wifi to LTE or guest wifi networks with ability to access home resources with best possibly speed

The most easy way I see it:

• Phone runs regular wireguard client
• Relay at "home" that gives access to network with best possible speed (limited by wifi for LAN and ISP for external nodes)
• Nothing else if "home" has publicly routable IP. Otherwise we'll need a another node in cloud.

I think that this "home router" is best usage scenario for selfhosting: just use router closer to infrastructure.

Downsides:

• Same relay is used to access "external" resources with most likely higher availability.
• There is chance to lost connectivity to cloud like email if "home router" fails.
• Most likely requires wireguard client that supports transparent switching between nodes.

I don't think phone should have full featured client like Tailscale. Just because it'll be just waste of battery to use it as gateway or participate with all of these FRR/BGP-like conversations. But ability to somehow deal automatically with such scenarios is desired.

ideas: maybe somehow integrate it with dyndns-like providers? So that certain hostname is always reserved with "best" gateway for device. But I'm not sure that this will and where to host that gateway.

[encodeous]

Hey! It sounds like this is a use case for the backwards compatibility already baked into nylon.

Static IP at home:

If you have a static IP at home, then you can just connect to the public ip even at home.

No static IP at home, with a VPS:

I have an iPhone, but I think the setup should be very similar for an Android phone. Just as you suggested, we can simply use the regular WireGuard client. There is a feature in iOS that allows you to run a shortcut when you are connected to a specific WiFi name. I just have it configured to switch between the two VPNs below:

Home:
I have a nylon node at home (lets say with 192.168.x.x:57175 endpoint), I have a wg client config to connect to that endpoint, with the local node's public key for the peer.

Away from Home:
I have a cloud VPS with a public ip, which the nylon node at home is also connected to. I have another wg client config (with the same private key) to connect to the public endpoint, with the public key of the vps for the peer.

Nylon lets you use the same private key to connect to two different nodes, as long as you don't connect to them at the same time. When you swap between the nodes, it is pretty seamless (your phone loses access to the rest of the nylon network for typically less than 10s, as the routes need to adjust)

Without static IP, and no VPS:

This situation is a little bit more tricky.

Using DDNS with the regular WireGuard client can be flaky, as it does not re-resolve the domain name. So you might have to turn your VPN on and off to resolve the new ip address if it changes.

I don't really have any plans to add mechanisms for NAT traversal, or design special mobile clients for nylon. If there are existing wg clients which have better DDNS support you can try that!

In this situation, I probably recommend using Tailscale, as they have the infrastructure specifically for this scenario. Nylon is geared towards more techy folk, who likely have a VPS or two.

If anyone has any elegant ideas for this last case, it would be great!

[dionorgua]

Thanks for reply!

Well. I'm using Tailscale right now.. It's amazing thing and covers much more than wireguard even with nylon. With one huge problem: battery consumption on phone. It's just insane.

You can check this reddit comment from me: https://www.reddit.com/r/Tailscale/comments/1o8270h/comment/njrwltc/ with my current setup. I've dynamic routable IP home. My personal opinion is that NAT traversal on phone is mostly useless. It consumes too much battery. It still have some value but very limited.. So offloading battery consuming tasks to some 'relay' with minimal glue code to switch configs is much better.

I know that normally DNS resolving happens only once. But on Android there are a few clients that can do DDNS queries and update peer IP address automatically.

What's important here is that you're saying that it's ok to use same key to connect to two nodes. It's fully doable to switch wireguard configs depending on current wifi network. But for me I still want different condition:

• Prefer "home" node when it works (because it's closer
• Use cloud VPS as fallback

I think I'll try to reproduce such setup in VMs first.

I want to eventually stop using Tailscale at all just because with this phone use case it adds a lot of complexity or consumes a lot of battery. My current setup with Tailscale for servers/laptops and plain wireguard gateway for phone sort of works.. I like that I can keep using tailscale ACL's.. But it looks fragile and one extra layer that I want to get rid of