Created on November 12, 2023 at 11:39 am

For reasons beyond the scope of this entry, we recently got new Android smartphones at work. In the process of setting mine up, I (re)discovered that from Android 12 onward, there’s no native way to set up either of our types of VPNs (OpenVPN and L2TP). Since I was going to need a client and go through extra hassle, I decided to try to make WireGuard work, since I like WireGuard better than OpenVPN. The experience was so pleasantly easy that I then did it on my own iPhone.

Now, I’m not sure I’d describe this experience as user friendly overall, because it involved writing a WireGuard configuration file and manually generating the WireGuard client key on a Linux machine. But I already know how to do both of those, and it was actually quite easy to do what I’d expected to be the hard part, namely to get the configuration into the WireGuard Android and iOS apps. On both, the official app supports reading a QR code that encodes your configuration file, and so I followed these directions to generate the QR code in a PNG, displayed it on my desktop screen (enlarged a time or two, partly due to HiDPI displays), and pointed each smartphone at their QR code until they imported it. The whole process was pretty painless and the result just worked.

As a smartphone VPN, WireGuard is pleasantly functional and seems to just work. My current feeling is that WireGuard’s session-less nature makes it an especially good fit for smartphones, which go inactive and silent on a quite frequent basis and which can also hop networks and IPs at the drop of a hat. WireGuard’s sessionless nature keeps things going along where a session-based VPN would have broken your current session and had to resume it, either automatically or worse, manually.

(After I set up the configurations, I belatedly realized that on smartphones, you probably don’t want persistent keepalives; you want to let the phone go silent, powering itself and the wireless or the cellular radio down. Fortunately the WireGuard app allows you to modify that after you’ve loaded your configuration.)

In the past I’ve worried about the challenges of provisioning WireGuard clients. Going through this experience has convinced me that it’s not all that difficult for smartphone people. It wouldn’t be too hard to build a ‘WireGuard registration’ web application (similar to our existing system for other VPNs) that generated a WireGuard keypair, allocated an IP, expanded a template configuration with this information, and turned it into a QR code the web application would display to you and that you’d scan with the WireGuard app (then the web application would save the information so you could get the QR code again if necessary). Provisioning non-smartphone devices now seems like the bigger problem, since you usually can’t have them just scan a QR code. Hopefully they could download or copy the text version of the configuration (which the web application could also display, of course).
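The registration flow sketched above, as an added example (not code from this post or from any real registration system): it generates the keypair in pure Python (the RFC 7748 ladder standing in for `wg genkey` / `wg pubkey`), takes the first free address from a pool, and renders the client configuration plus the `[Peer]` stanza the server side needs. The pool, endpoint and server public key are placeholder assumptions, and the keepalive is deliberately left out of the phone template.

```python
import base64, ipaddress, os
_P = 2**255 - 19  # Curve25519 field prime

def _x25519_base(k: int) -> int:
    # RFC 7748 Montgomery ladder on the base point u=9; stands in for `wg pubkey`
    x2, z2, x3, z3, swap = 1, 0, 9, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap: x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3, z3 = (da + cb) ** 2 % _P, 9 * (da - cb) ** 2 % _P
        x2, z2 = aa * bb % _P, (aa - bb) * (aa + 121665 * (aa - bb)) % _P
    if swap: x2, z2 = x3, z3
    return x2 * pow(z2, _P - 2, _P) % _P

def wg_keypair(priv: bytes = b"") -> tuple[str, str]:
    """(private, public) as the base64 strings that WireGuard configs carry."""
    priv = priv or os.urandom(32)  # WireGuard private keys are 32 random bytes
    k = int.from_bytes(priv, "little") & ~7 & ((1 << 255) - 1) | (1 << 254)
    pub = _x25519_base(k).to_bytes(32, "little")
    return base64.b64encode(priv).decode(), base64.b64encode(pub).decode()

def allocate_ip(pool: str, in_use: set[str]) -> str:
    """First free host address in the pool (the registry's own bookkeeping)."""
    for host in ipaddress.ip_network(pool).hosts():
        if str(host) not in in_use:
            return str(host)
    raise RuntimeError("WireGuard address pool exhausted")

def client_config(priv: str, ip: str, server_pub: str, endpoint: str) -> str:
    # No PersistentKeepalive: a phone should be allowed to go silent.
    return (f"[Interface]\nPrivateKey = {priv}\nAddress = {ip}/32\n\n[Peer]\n"
            f"PublicKey = {server_pub}\nEndpoint = {endpoint}\n"
            "AllowedIPs = 0.0.0.0/0, ::/0\n")

def register(user: str, in_use: set[str], pool: str = "10.99.0.0/24",
             server_pub: str = "SERVER_PUBKEY_PLACEHOLDER",
             endpoint: str = "vpn.example.com:51820") -> dict:
    """One registration; pool, endpoint and server key defaults are placeholders."""
    priv, pub = wg_keypair()
    ip = allocate_ip(pool, in_use)
    in_use.add(ip)
    return {"user": user, "ip": ip, "public_key": pub,
            "client_conf": client_config(priv, ip, server_pub, endpoint),
            "server_peer": f"[Peer]\nPublicKey = {pub}\nAllowedIPs = {ip}/32\n"}
```

The `client_conf` text is exactly what the web application would QR-encode (for instance with `qrencode`) or offer as a download for devices that cannot scan; the `server_peer` stanza and the public key are what it keeps on file, never the private key.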

(As before, Tailscale isn’t currently an option, and I don’t feel happy building a production VPN that uses their clients for free with an alternate control server such as headscale.)
