Client can see the local address of the vpn server (issue happens only on Android and Windows, Ubuntu is fine)

EDIT: OK, this is a bug, at least on Windows: right after rebooting, all works as expected, but if I change the config or deactivate & activate, then I can see the local address of the VPN server.

Hopefully this helps to either catch a bug or help me become less stupid. I'll cut to the chase :)

My server is a raspberry pi, its IPs are

  • local 192.168.1.2
  • VPN 192.168.2.2

the client is an android phone, its IPs are

  • local whatever
  • VPN 192.168.2.37

The problem is that once connected I can see the server at these two addresses:

  • 192.168.1.2
  • 192.168.2.2

Although this is strange, it is ok when I am on the bus.

The problem is when I am connected to the Wi-Fi at my parents', where my IPs become:

  • local 192.168.1.37
  • VPN 192.168.2.37

And I can still see the VPN server at 192.168.1.2 (!), a thing that shouldn’t happen.

As I mentioned this only happens on Android or Windows, on Ubuntu I don’t see my VPN server at 192.168.1.2, only at 192.168.2.2 as it should be.

I'll be happy to share more details if needed; hopefully this is some obvious, stupid oversight on my side.

Thanks in advance for your help!!

That's how the weak host model, on your server, works.

When a unicast packet arrives at a host, the IP stack must determine whether the packet is locally destined (its destination matches an address that is assigned to an interface of the host). If the IP stack is implemented with a weak host model, it accepts any locally destined packet regardless of the network interface on which the packet was received.

As I mentioned this only happens on Android or Windows, on Ubuntu I don’t see my VPN server at 192.168.1.2, only at 192.168.2.2 as it should be.

It's because of differences in the implementation of the VPN apps. On Android all IP addresses covered by the Allowed-IPs setting are routed over the VPN. With wg-quick on Linux the subnets in allowed-ips (i.e. all IPv4 addresses) don't override the existing routes unless they are more specific, except 0.0.0.0/0, which overrides the default route. (I don't use Windows and can't say anything about WireGuard on Windows.)

Thanks for the answer, should I then file a bug for android or is this expected/documented?

Cheers

Thanks for the answer, should I then file a bug for android or is this expected/documented?

I think it’s expected, and changing it isn’t that easy. The WireGuard app isn’t really aware of the local network. It would need to track changes to the network configuration in case of roaming when the VPN is enabled and then exclude the current local network from allowed-ips of each peer and make dynamic updates to the runtime WireGuard configuration.

Maybe it’s WireGuard on Linux that should be changed to be similar to Android.
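The two routing behaviours described in the replies above, and the AllowedIPs workaround the last reply sketches, as an added example that is not part of the thread or of the WireGuard apps' own code. It assumes the addresses from the original post (LAN 192.168.1.0/24, tunnel 192.168.2.0/24) and hypothetical interface names (wlan0, wg0, tun0); the routing tables are constructed to model what the replies state, not captured from a device.

```python
import ipaddress

# Constructed routing tables modelling the two clients from the thread.
# Each entry is (prefix, outgoing interface); interface names are assumed.

# Linux with wg-quick (as the first reply describes): 0.0.0.0/0 from
# AllowedIPs replaces the default route, but the directly connected LAN
# route stays in the table and is more specific, so it still wins.
LINUX_ROUTES = [
    ("0.0.0.0/0", "wg0"),        # installed by wg-quick for AllowedIPs
    ("192.168.2.0/24", "wg0"),   # tunnel network
    ("192.168.1.0/24", "wlan0"), # parents' LAN, from the Wi-Fi connection
]

# Android (as the first reply describes): every prefix in AllowedIPs is
# routed into the tunnel and takes precedence over the underlying network,
# so there is no LAN route for 192.168.1.0/24 to compete with.
ANDROID_ROUTES = [
    ("0.0.0.0/0", "tun0"),
]


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins.
    Returns the interface name, or None if no route covers dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def allowed_ips_excluding(excluded, full="0.0.0.0/0"):
    """Split `full` into the prefixes that cover everything except the
    networks in `excluded`. This is the AllowedIPs list a client whose app
    routes every AllowedIPs prefix into the tunnel would need in order to
    keep the local LAN off the tunnel (the workaround the last reply sketches).
    The excluded networks must be valid IPv4 prefixes."""
    remaining = [ipaddress.ip_network(full)]
    for ex in excluded:
        ex = ipaddress.ip_network(ex)
        next_remaining = []
        for net in remaining:
            if ex.subnet_of(net):
                # Carve the excluded block out, keeping the sibling blocks.
                next_remaining.extend(net.address_exclude(ex))
            elif not net.overlaps(ex):
                next_remaining.append(net)
            # else: net lies inside ex and is dropped entirely
        remaining = next_remaining
    return [str(n) for n in sorted(remaining)]


def android_routes_with(allowed_ips):
    """Routing table for a client that routes every AllowedIPs prefix into
    the tunnel (the Android behaviour described in the thread)."""
    return [(prefix, "tun0") for prefix in allowed_ips]


if __name__ == "__main__":
    server_lan_ip, server_vpn_ip = "192.168.1.2", "192.168.2.2"
    print("Linux  :", server_lan_ip, "->", lookup(LINUX_ROUTES, server_lan_ip))
    print("Android:", server_lan_ip, "->", lookup(ANDROID_ROUTES, server_lan_ip))
    fixed = allowed_ips_excluding(["192.168.1.0/24"])
    print("AllowedIPs without the LAN:", ", ".join(fixed))
    routes = android_routes_with(fixed)
    print("Android (fixed):", server_lan_ip, "->", lookup(routes, server_lan_ip))
    print("Android (fixed):", server_vpn_ip, "->", lookup(routes, server_vpn_ip))
```

The lookup shows why Ubuntu only sees the server at 192.168.2.2 while Android also sees it at 192.168.1.2: on Linux the /24 LAN route beats the /0 tunnel route, on Android the /0 is the only route and the packet goes into the tunnel, where the server's weak-host IP stack answers for its LAN address. The exclusion helper produces the 24-prefix AllowedIPs list that keeps 192.168.1.0/24 out of the tunnel; note it only works for one fixed LAN, which is exactly the roaming problem the last reply points out.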