Wireguard, iPhone, and cruise ships
Perry The Cynic
perry at cynic.org
Thu Jun 13 14:34:32 UTC 2024
Dear wg community,
I recently enjoyed a cruise to Alaska. Fun and easy, and with Starlink on board, the WiFi connectivity was actually not bad (some sporadic packet drops, mostly). Sadly, the cruise company’s network unceremoniously drops UDP of most kinds, leading to my WireGuard VPN (to my inside network at home) failing entirely. The cruise line is utterly immovable on this: “it’s someone else’s fault, and how dare you want to do this nonstandard thing?” Yes, I actually talked to their onboard IT guy. “It’s on the network path somewhere, and they don’t even tell me how and why.”
Now I totally understand WireGuard’s attitude towards this: It’s not a “core” wg problem, and should be solved on the outside by whatever tools happen to fit the problem. If this was a Linux-to-Linux connection, I’d just pop in my favorite TCP-ish tunnel tool and move on. But it’s an iPhone (and iPad). And iOS doesn’t seem to like network composability. At all. Once you move outside the “it’s a VPN endpoint” paradigm, things get stuck very quickly. I realize this is all Apple’s fault, and they should allow building arbitrary network stacks in iOS. But they don’t (yet). NWConnection is getting pretty good, but it requires in-app code composition. AFAIK, you can’t stack two iOS VPNs on top of each other (right?).
So what are the practically available options here? I can set up whatever is needed on the server endpoint (it’s Debian), but what can I do on my phone to make wg work through an HTTP(s)-shaped pinhole? I’d hate to have to ditch wg for some other VPN just for that rare case… but what’s the answer?
And, to prefetch a possible ending of this discussion: if I coded up patches to the iOS client that add some TCP-wrapper option, would you take it?
Cheers
— perry
---------------------------------------------------------------------------
Perry The Cynic perry at cynic.org
To a blind optimist, an optimistic realist must seem like an Accursed Cynic.
---------------------------------------------------------------------------