WireGuard iOS Client Issue

Jacob S. Moroni mail at jakemoroni.com
Sun Dec 30 01:15:19 CET 2018


Hello,

I'm experiencing a small issue with the WireGuard iOS client (beta, from
the App Store), but I'm not really sure if the issue is with the WireGuard
client or iOS itself.

Sorry if this is verbose; it's kind of cumbersome to explain.

Basically, what I found is that if there's, for example, a website being
hosted on the same IP as the VPN server, any access to the site (on the
client) will fail while connected to the VPN. What's interesting is that it
always fails while using the "always on" mode, but _sometimes_ works if
using "on demand" mode.

I'm no iOS developer, but a cursory search leads me to believe that
the two ways of handling VPNs on iOS are fundamentally different.

For example, when using "on demand" mode, certain Apple services
will bypass the VPN, but this will not occur if using "always on" mode.

I have absolutely no idea how the routing works on iOS, but my best
guess is that maybe any accesses to the same IP as the VPN server
are handled explicitly outside of the tunnel and this is somehow breaking
things if you try to access the server by any means other than the VPN
client?

My setup:

- Linux server behind NAT with ports 80, 443, and UDP 51820 forwarded.
- WireGuard server running on Linux server.
- Web server also running on same Linux server.
- Hairpin route on the router to allow devices on the LAN to access
  the website via its public IP.
- Masquerade rule and IP forwarding enabled on the Linux server to
  allow WireGuard clients to access the LAN and Internet.
- iPhone 8 (T-Mo) running the latest WireGuard client app from the App Store.
- "On Demand" option disabled.

What works:

- When VPN is disabled and the phone is on LTE, I can access the website
  via its public IP without issue.
- When VPN is disabled and the phone is on LAN, I can access the website
  via both its public and private LAN IP.
- I can connect to the VPN server without issue both from LTE and from
  LAN.
- When VPN is enabled, I can access any public IP through the VPN from
  both LAN and LTE (except the server's, sort of...).
- When VPN is enabled, I can access the website from the server's LAN IP.

The issue:

- When VPN is enabled, I can't access the website from the server's
  public IP.

My tests:

- I ran Wireshark on the server's wg0 interface while attempting to
  ping various IPs from the iPhone while it was connected to the VPN.
- I was able to ping _any_ IP from the iPhone without issue.
- I can see the ICMP messages on Wireshark for every IP that I
  ping _except_ for when I ping the server's public IP.

So the fact that pinging any IP worked, and that I can see them all
in Wireshark except when I ping the server's IP, leads me to
believe that those messages are being routed outside of the tunnel,
which itself seems kind of obvious, but doesn't explain why accesses
to the website don't work.

Thoughts?

As a side note, apart from this issue, the WireGuard iOS client has been
working very well. I'm using a mixture of T-Mobile LTE and WiFi, and I haven't
had any issues switching back and forth.

Also, WiFi calling works through the VPN, which might seem obvious, but was
impressive to me since WiFi calling barely works on a regular LAN WiFi connection...

Thanks,
-- 
  Jacob S. Moroni
  mail at jakemoroni.com
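The following is an added illustration, not code from the original post or from the WireGuard project. It simulates the client-side routing decision that the post hypothesises: every AllowedIPs prefix is a tunnel route, and the peer's Endpoint host is treated as a /32 exception that stays on the physical interface. That exception is an assumption used to model the hypothesis, not something the post confirms about the iOS client. The client config, the server's public address 198.51.100.10 (a documentation range), the LAN address 192.168.1.10 and the probe destinations are all constructed for the example.

```python
"""
Added example (not from the original post or the WireGuard project).

Parses a constructed WireGuard client config, builds a tiny route table
from it, and resolves destinations by longest-prefix match.  The Endpoint
host is inserted as a /32 "physical" route, which models the hypothesis in
the post that traffic to the VPN server's own IP bypasses the tunnel.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample config; addresses are documentation ranges, not real hosts.
SAMPLE_CLIENT_CONFIG = """
[Interface]
PrivateKey = <client private key>
Address = 10.0.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = <server public key>
Endpoint = 198.51.100.10:51820
AllowedIPs = 0.0.0.0/0
"""

Route = Tuple[ipaddress.IPv4Network, str]


def parse_wg_config(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Parse an INI-style WireGuard config into {section: [ {key: value}, ... ]}.

    Repeated [Peer] sections are kept as separate dicts.  Values are stored
    raw; the caller splits comma-separated lists such as AllowedIPs.
    """
    sections: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.setdefault(line[1:-1], []).append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        # Split only once: base64 keys legitimately contain '=' padding.
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return sections


def build_routes(sections: Dict[str, List[Dict[str, str]]]) -> List[Route]:
    """Return (prefix, where) pairs for IPv4.

    AllowedIPs prefixes route into the "tunnel".  The Endpoint host gets a
    /32 "physical" route (assumed client behaviour, see module docstring).
    """
    routes: List[Route] = []
    for peer in sections.get("Peer", []):
        for prefix in peer.get("AllowedIPs", "").split(","):
            prefix = prefix.strip()
            if not prefix:
                continue
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version == 4:
                routes.append((net, "tunnel"))
        endpoint = peer.get("Endpoint")
        if endpoint:
            host = endpoint.rsplit(":", 1)[0].strip("[]")   # handles [v6]:port too
            addr = ipaddress.ip_address(host)
            if addr.version == 4:
                routes.append((ipaddress.ip_network(f"{addr}/32"), "physical"))
    return routes


def route_for(dst: str, routes: List[Route]) -> str:
    """Longest-prefix match: the most specific route wins, so the endpoint's
    /32 beats AllowedIPs = 0.0.0.0/0.  Returns "tunnel", "physical" or
    "unroutable"."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, where in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, where)
    return best[1] if best else "unroutable"


def classify(config_text: str, destinations: List[str]) -> Dict[str, str]:
    """Map each destination to the interface the simulated client would use."""
    routes = build_routes(parse_wg_config(config_text))
    return {dst: route_for(dst, routes) for dst in destinations}


if __name__ == "__main__":
    probes = ["198.51.100.10", "192.168.1.10", "1.1.1.1"]
    for dst, where in classify(SAMPLE_CLIENT_CONFIG, probes).items():
        print(f"{dst:>15} -> {where}")
```

Under these assumptions the only destination that leaves the tunnel is the server's public IP, which matches the Wireshark observation in the post (every pinged address appears on wg0 except that one), while the server's LAN address is still reached through the tunnel. The simulation reproduces the observation only; why the bypassed traffic then fails to reach the web server is the open question the post raises.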
