Wireguard, iPhone, and cruise ships

Perry The Cynic perry at cynic.org
Thu Jun 13 14:42:41 UTC 2024 

I’m basically coming to the conclusion that it’s not a wg core issue, but it IS an iOS app issue. If iOS won’t support a composition that works, then the app needs to. Somehow.

Cheers
  — perry


> On Jun 13, 2024, at 7:40 AM, Amir Omidi <amir at aaomidi.com> wrote:
> 
> I think there is "technically" a way to put a VPN on a VPN and that is doing one of those VPNs as a configuration profile. I'm not 100% sure about this though.
> 
> I've run into very similar issues to this at various hotels. I've also always wished there was something to do HTTP tunneling on Wireguard officially to help with these awful network setups. But I also understand that's not a core WG issue.
> 
> 
> On Thu, Jun 13, 2024 at 2:35 PM Perry The Cynic <perry at cynic.org> wrote:
> Dear wg community,
> 
> I recently enjoyed a cruise to Alaska. Fun and easy, and with Starlink on board, the WiFi connectivity was actually not bad (some sporadic packet drops, mostly). Sadly, the cruise company’s network unceremoniously drops UDP of most kinds, leading to my Wireguard VPN (to my inside network at home) failing entirely. The cruise line is utterly immovable on this: “it’s someone else’s fault, and how dare you want to do this nonstandard thing?” Yes, I actually talked to their onboard IT guy. “It’s on the network path somewhere, and they don’t even tell me how and why."
> 
> Now I totally understand Wireguard’s attitude towards this: It’s not a “core” wg problem, and should be solved on the outside by whatever tools happen to fit the problem. If this was a linux-to-linux connection, I’d just pop in my favorite TCP-ish tunnel tool and move on. But it’s an iPhone (and iPad). And iOS doesn’t seem to like network composability. At all. Once you move outside the “it’s a VPN endpoint” paradigm, things get stuck very quickly. I realize this is all Apple’s fault, and they should allow building arbitrary network stacks in iOS. But they don’t (yet). NWConnection is getting pretty good, but it requires in-app code composition. AFAIK, you can’t stack two iOS VPNs on top of each other (right?).
> 
> So what are the practically available options here? I can set up whatever is needed on the server endpoint (it’s Debian), but what can I do on my phone to make wg work through an HTTP(s)-shaped pinhole? I’d hate to have to ditch wg for some other vpn just for that rare case… but what’s the answer?
> 
> And, to prefetch a possible ending of this discussion: if I coded up patches to the iOS client that add some tcp-wrapper option, would you take it?
> 
> Cheers
>   — perry
> ---------------------------------------------------------------------------
> Perry The Cynic                                             perry at cynic.org
> To a blind optimist, an optimistic realist must seem like an Accursed Cynic.
> ---------------------------------------------------------------------------
>

More information about the WireGuard mailing list