Split tunnel in Wireguard Hassio Addon

I set up the Wireguard Hassio addon in the following manner:

server:
  host: myduckdnsaddress
  addresses:
    - 172.27.66.1
  dns: []
peers:
  - name: Phone
    addresses:
      - 172.27.66.2
    allowed_ips: []
    client_allowed_ips:
      - 192.168.40.0/24

How do I achieve something like a “split” tunnel? I.e. when the tunnel is established, I can reach my home network (for instance my Transmission setup at 192.168.40.150:6666) but all other traffic is NOT routed over the tunnel (so for example if I connect from my phone it uses my mobile data to connect to google.com).

With the above configuration, I can connect to my home network (e.g. Transmission) but cannot access other traffic (like google.com).


I was having the same problem and I think I just figured it out.

You have to specify public DNS servers that you will use while connected. I think with the default config, it uses an RFC1918 private IP address (I think it’s the Docker IP of Home Assistant); however, this will not be reachable unless you forward all traffic.

I added 8.8.8.8 and 4.2.2.2 to my DNS configuration and it works great.

Actually, with the configuration in my first post I can connect to Google (and my network). The issue is that when I connect to Google with my mobile data, my IP is the one from my internet at home and not the one from my mobile data.

So with wireguard I would like to connect just to my home network while all the remaining connections (e.g. google) should be for instance with my mobile data if I am using my mobile data to connect to the internet.

I understand. You want a split tunnel so that the only traffic going over the VPN is the IP range of your home network. All other internet traffic goes directly out of mobile data, not across the VPN.

This is what I’m doing with my configuration and I was able to confirm access to my local network, but when I google “What’s my IP?”, I see my wireless carrier’s IP address, not my home router’s public IP.

server:
  host: my.vpn.server.com
  addresses:
    - 192.168.255.1
  dns:
    - 8.8.8.8
    - 4.2.2.2
peers:
  - name: my-phone
    addresses:
      - 192.168.255.2
    allowed_ips: []
    client_allowed_ips:
      - 192.168.65.0/24

192.168.255.x is what I am assigning to the VPN clients. 192.168.65.x is my home network.

Before I entered DNS servers manually, I left that section blank like you did. However, I noticed when I scanned the QR code, it automatically put in an address that I don’t use on my network, but I think it’s the address that Docker uses for the Home Assistant instance. I believe it was 172.30.31.3, or something like that. I suspected that the DNS server was not accessible because I was only allowing 192.168.65.0/24. When I added 8.8.8.8 and 4.2.2.2 (also not accessible through the VPN), this is what allowed me to split tunnel properly.

Also, when you update the Home Assistant server config, that doesn’t automatically update the client config. The easiest way around this is to just delete the client config after making a change and scan the QR code again.

Wow your solution seems to work! I was expecting it would have been something easy but was just difficult for me to explain! I will test it more during the days but for the moment you definitely made my day! :stuck_out_tongue:

Would you be able to explain more what happens under the hood? I don’t understand why just adding the Google DNS would redirect only my home LAN network through the VPN while all the other traffic (e.g. Google) goes through my mobile data :thinking:

Glad it worked! I’m very new to Wireguard but I work with VPNs all the time for work.

It seems like when WireGuard connects and gets its VPN IP address and DNS, that VPN DNS server config takes precedence over whatever local DNS configuration you have. I think the main problem is that when we leave the DNS config blank, it’s adding the 172.31.x.x address automatically. This works when we are forcing all traffic through the tunnel, but when only specifying a single subnet it doesn’t, because we aren’t allowing that subnet through the tunnel. No DNS, no internet.

I guess another fix would be to add that subnet or host (I think they are all the same if you are running Hass OS, but mine is 172.31.30.2). However, that would cause all of your DNS traffic to be resolved through the tunnel. For my use case, I don’t need to resolve anything with DNS on my local network, so using external servers seemed like a valid workaround.

I’m also wondering whether just deleting that automatically created DNS server from the client config would allow it to use the local servers. Scanning the QR code fills out the information on the client, but it can still be edited. I did not try these other options.
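To make the routing rule behind the working config and the explanation above concrete, here is an added example; it is not the addon's code and not posted by anyone in this thread. It assumes what the replies describe: `client_allowed_ips` becomes the client's `AllowedIPs` (which WireGuard also uses as the client's routing table for the tunnel), `server.dns` becomes the client's `DNS`, and a blank `dns` falls back to the Home Assistant container address. The fallback address, the `analyse`/`dns_path`/`render_client_config` helpers, the sample configs and the `:51820` endpoint port are all constructed for the demonstration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed samples mirroring the addon-style YAML posted in the thread.
SAMPLE_CONFIGS = {
    # original poster's config: split tunnel, dns left blank
    "blank_dns": {
        "server": {"host": "myduckdnsaddress", "addresses": ["172.27.66.1"], "dns": []},
        "peers": [{"name": "Phone", "addresses": ["172.27.66.2"],
                   "allowed_ips": [], "client_allowed_ips": ["192.168.40.0/24"]}],
    },
    # the reply's working config: split tunnel with public resolvers
    "public_dns": {
        "server": {"host": "my.vpn.server.com", "addresses": ["192.168.255.1"],
                   "dns": ["8.8.8.8", "4.2.2.2"]},
        "peers": [{"name": "my-phone", "addresses": ["192.168.255.2"],
                   "allowed_ips": [], "client_allowed_ips": ["192.168.65.0/24"]}],
    },
    # the alternative mentioned at the end: also route the container DNS host
    "dns_via_tunnel": {
        "server": {"host": "my.vpn.server.com", "addresses": ["192.168.255.1"], "dns": []},
        "peers": [{"name": "my-phone", "addresses": ["192.168.255.2"],
                   "allowed_ips": [],
                   "client_allowed_ips": ["192.168.65.0/24", "172.30.31.3/32"]}],
    },
}

# Assumption taken from the thread (not verified against the addon source):
# with 'dns: []' the generated client config carries the Home Assistant
# container address as its DNS server. The real address varies per install;
# this value is only a placeholder for the demonstration.
ASSUMED_FALLBACK_DNS = "172.30.31.3"
ANY4 = ipaddress.ip_network("0.0.0.0/0")


def effective_dns(server: dict) -> List[str]:
    """DNS servers the client config will carry (fallback when none configured)."""
    return list(server.get("dns") or []) or [ASSUMED_FALLBACK_DNS]


def dns_path(dns_ip: str, allowed_ips: List[str]) -> str:
    """'tunnel' if the client sends queries to dns_ip through WireGuard, else 'direct'.

    AllowedIPs doubles as the client's route table for the interface: only
    destinations inside one of its prefixes are sent into the tunnel.
    """
    ip = ipaddress.ip_address(dns_ip)
    nets = (ipaddress.ip_network(n, strict=False) for n in allowed_ips)
    return "tunnel" if any(ip in n for n in nets) else "direct"


def analyse(config: dict) -> Dict[str, dict]:
    """Per peer: is it a split tunnel, and where does each DNS query go.

    A DNS entry is flagged (third tuple element True) when it is a private
    address that is NOT routed through the tunnel: from mobile data such an
    address cannot be reached, which is the 'no DNS, no internet' failure.
    """
    out: Dict[str, dict] = {}
    for peer in config["peers"]:
        allowed = peer["client_allowed_ips"]
        split = not any(ipaddress.ip_network(n, strict=False) == ANY4 for n in allowed)
        dns_report: List[Tuple[str, str, bool]] = []
        for d in effective_dns(config["server"]):
            path = dns_path(d, allowed)
            unreachable = path == "direct" and ipaddress.ip_address(d).is_private
            dns_report.append((d, path, unreachable))
        out[peer["name"]] = {"split_tunnel": split, "allowed_ips": allowed, "dns": dns_report}
    return out


def render_client_config(config: dict, peer_name: str) -> str:
    """wg-quick style client config for one peer (keys left as placeholders)."""
    server = config["server"]
    peer = next(p for p in config["peers"] if p["name"] == peer_name)
    lines = [
        "[Interface]",
        "PrivateKey = <client private key>",
        "Address = " + ", ".join(peer["addresses"]),
        "DNS = " + ", ".join(effective_dns(server)),
        "",
        "[Peer]",
        "PublicKey = <server public key>",
        "Endpoint = " + server["host"] + ":51820",  # assumed: WireGuard default port
        "AllowedIPs = " + ", ".join(peer["client_allowed_ips"]),
        "PersistentKeepalive = 25",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        for peer_name, report in analyse(cfg).items():
            print(name, peer_name, report)
        print(render_client_config(cfg, cfg["peers"][0]["name"]), "\n")
```

Running it shows the three outcomes discussed in the thread: with `dns: []` the only resolver is a private container address outside `AllowedIPs`, so it is sent out the mobile interface and never answered; with public resolvers the queries also leave over mobile data but succeed, and only `192.168.65.0/24` enters the tunnel; adding a `/32` for the container address instead sends DNS (and nothing else extra) through the tunnel, at the cost of every lookup traversing the VPN. Note that with the public-resolver variant your phone's DNS queries go to those providers in the clear, and home hostnames will not resolve, exactly as the reply above says.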