This is an automated archive.

The original was posted on /r/wireguard by /u/palomban on 2024-01-21 17:09:51+00:00.


I have a WireGuard VPN server set up on an always-on Linux box on my home network, which also acts as a file server as well as a DNS server with Pi-hole. On my iPhone, I had “Allowed IPs” set to “0.0.0.0/0, ::/0” to send all traffic through the VPN, where my Linux box functions as a default gateway. Over time, I had noticed that I was unable to reach the Pi-hole web interface and file server only when connected to some WiFi networks away from home, even though DNS queries were still adequately being resolved by Pi-hole. I could instantly resolve this problem by turning off WiFi and using cellular data. After some troubleshooting, I discovered the subnet mask of my home network and WiFi network being used (away from home) were the same (e.g., 192.168.1.0/24). This made me suspect the root of the issue, which is that evidently some network data is being leaked to the iPhone’s local network. For example, entering the default gateway IP (e.g., 192.168.1.1) into a browser results in the web interface of the WiFi router away from home and not my home router’s web interface. Note that the “Exclude private IPs” setting is toggled off. As such, it is evident that the “Allowed IPs” setting is not working as I expected.

To apparently resolve the issue, I’ve changed the “Allowed IPs” setting to, say, “0.0.0.0/0, ::/0, 192.168.1.2/32”, which now explicitly includes the IP address of my Linux box. This allows me to use all of the functions on my Linux box through the VPN. Note that I still get the web interface of the WiFi router away from home, but this should be because I did not explicitly add the entire subnet to the list of allowed IPs.

Is this a known issue with iPhone or the WireGuard app? Am I doing something wrong?
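Added illustration (not part of the original post) of why the /32 entry changes the outcome: a small model of longest-prefix-match route selection. It assumes the phone keeps an on-link route for the Wi-Fi subnet it is attached to alongside the routes WireGuard installs from “Allowed IPs”; the addresses are the post's examples, the interface names "wifi" and "wg0" are constructed labels, and tie-breaking between equal-length prefixes is not modelled.

```python
import ipaddress

# Constructed routing model: the local Wi-Fi gets an on-link route for
# its own subnet; every CIDR in AllowedIPs becomes a route via the tunnel.
LOCAL_IFACE = "wifi"
TUNNEL_IFACE = "wg0"


def allowed_ips_routes(allowed_ips: str, iface: str = TUNNEL_IFACE):
    """Turn a WireGuard 'Allowed IPs' string into (network, iface) routes."""
    return [
        (ipaddress.ip_network(cidr.strip(), strict=False), iface)
        for cidr in allowed_ips.split(",")
        if cidr.strip()
    ]


def lookup(dest: str, routes):
    """Longest-prefix match: the most specific route containing dest wins.

    On an equal-length tie the first listed route is kept here; a real
    stack breaks ties by metric/interface priority, which is not modelled.
    """
    addr = ipaddress.ip_address(dest)
    best_net, best_iface = None, None
    for net, iface in routes:
        # 'in' is False across address families, so ::/0 never claims IPv4.
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def where_does_it_go(dest: str, allowed_ips: str, local_subnet: str = "192.168.1.0/24"):
    """Which interface carries traffic to dest from the away-from-home Wi-Fi?"""
    routes = [(ipaddress.ip_network(local_subnet), LOCAL_IFACE)]
    routes += allowed_ips_routes(allowed_ips)
    return lookup(dest, routes)


if __name__ == "__main__":
    before = "0.0.0.0/0, ::/0"
    after = "0.0.0.0/0, ::/0, 192.168.1.2/32"
    # Home box shares a /24 with the remote Wi-Fi: the on-link /24 beats /0.
    print("home box, before fix:", where_does_it_go("192.168.1.2", before))  # wifi
    # The /32 is more specific than the /24, so it goes through the tunnel.
    print("home box, after fix: ", where_does_it_go("192.168.1.2", after))   # wg0
    # 192.168.1.1 is still only covered by the on-link /24 and /0: remote router.
    print("gateway, after fix:  ", where_does_it_go("192.168.1.1", after))   # wifi
```

Changing `local_subnet` to a non-overlapping range (as happens on cellular or a differently numbered Wi-Fi) sends 192.168.1.2 via wg0 even without the /32, matching the behaviour described in the post.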