From 5c036c4171c2f48e683f4d25bdeab5af38cd8d99 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sun, 11 Jan 2026 22:27:38 +0200 Subject: Add section on managing roaming client tunnels Added new 'Managing Roaming Client Tunnels' section before the conclusion covering how to start and stop WireGuard on both roaming clients: earth (Fedora laptop): - systemctl start/stop/status commands - Example wg show output showing active peers - Notes about disabled service preventing auto-start pixel7pro (Android phone): - Step-by-step toggle instructions in WireGuard app - Quick toggle from notification shade - Optional automatic activation based on network conditions - Instructions for configuring auto-activation settings Also includes: - Verifying connectivity section with ping and curl examples - How to check which gateway is actively routing traffic - Transfer statistics monitoring This provides practical guidance for day-to-day VPN usage on roaming clients. Co-Authored-By: Claude Sonnet 4.5 --- ...5-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl | 97 ++++++++++++++++++++++ 1 file changed, 97 insertions(+) diff --git a/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl b/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl index c656fbf1..8cae8cf0 100644 --- a/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl +++ b/gemfeed/2025-05-11-f3s-kubernetes-with-freebsd-part-5.gmi.tpl @@ -996,6 +996,103 @@ peer: 2htXdNcxzpI2FdPDJy4T4VGtm1wpMEQu1AkQHjNY6F8= allowed ips: 192.168.2.131/32 ``` +## Managing Roaming Client Tunnels + +Since roaming clients like `earth` and `pixel7pro` connect on-demand rather than being always-on like the infrastructure hosts, it's useful to know how to start and stop the WireGuard tunnels. + +### Starting and stopping on earth (Fedora laptop) + +On the Fedora laptop, WireGuard is managed via systemd: + +**Start the tunnel:** +```sh +earth$ sudo systemctl start wg-quick@wg0.service +earth$ sudo wg show +interface: wg0 + public key: Mc1CpSS3rbLN9A2w9c75XugQyXUkGPHKI2iCGbh8DRo= + private key: (hidden) + listening port: 56709 + fwmark: 0xca6c + +peer: 8PvGZH1NohHpZPVJyjhctBX9xblsNvYBhpg68FsFcns= + preshared key: (hidden) + endpoint: 46.23.94.99:56709 + allowed ips: 0.0.0.0/0, ::/0 + latest handshake: 5 seconds ago + transfer: 15.89 KiB received, 32.15 KiB sent + persistent keepalive: every 25 seconds + +peer: Xow+d3qVXgUMk4pcRSQ6Fe+vhYBa3VDyHX/4jrGoKns= + preshared key: (hidden) + endpoint: 23.88.35.144:56709 + allowed ips: (none) + latest handshake: 5 seconds ago + transfer: 124 B received, 180 B sent + persistent keepalive: every 25 seconds +``` + +**Stop the tunnel:** +```sh +earth$ sudo systemctl stop wg-quick@wg0.service +earth$ sudo wg show +# No output - WireGuard interface is down +``` + +**Check tunnel status:** +```sh +earth$ sudo systemctl status wg-quick@wg0.service +● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0 + Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; disabled) + Active: active (exited) since Sun 2026-01-11 22:45:00 EET +``` + +The service remains `disabled` to prevent auto-start on boot, allowing manual control of when the VPN is active. + +### Starting and stopping on pixel7pro (Android phone) + +On Android using the official WireGuard app, tunnel management is straightforward: + +**Start the tunnel:** +1. Open the WireGuard app +2. Tap the toggle switch next to the `pixel7pro` tunnel configuration +3. The switch turns blue/green and shows "Active" +4. A key icon appears in the notification bar indicating VPN is active +5. All traffic now routes through the VPN + +**Stop the tunnel:** +1. Open the WireGuard app +2. Tap the toggle switch again to disable it +3. The switch turns gray and shows "Inactive" +4. The notification bar key icon disappears +5. Normal internet routing resumes + +**Quick toggle from notification:** +- Pull down the notification shade +- Tap the WireGuard notification to quickly enable/disable the tunnel without opening the app + +**Automatic activation (optional):** +The WireGuard Android app supports automatically activating tunnels based on: +- Mobile data connection (e.g., enable VPN when on cellular) +- WiFi SSID (e.g., disable VPN when on trusted home network) +- Ethernet connection status + +These settings can be configured by tapping the pencil icon next to the tunnel name, then scrolling to "Toggle on/off based on" options. + +### Verifying connectivity + +Once the tunnel is active on either device, verify connectivity: + +**Test VPN connection:** +```sh +# From earth laptop: +earth$ ping -c2 blowfish.wg0 +earth$ ping -c2 fishfinger.wg0 +earth$ curl https://ifconfig.me # Should show gateway's public IP +``` + +**Check which gateway is active:** +The device will typically prefer one gateway (usually the first one with a successful handshake). To see which gateway is actively routing traffic, check the transfer statistics with `sudo wg show` on earth, or observe which gateway shows recent handshakes and increasing transfer bytes. + ## Conclusion Having a mesh network on our hosts is great for securing all the traffic between them for our future k3s setup. A self-managed WireGuard mesh network is better than Tailscale as it eliminates reliance on a third party and provides full control over the configuration. It reduces unnecessary abstraction and "magic," enabling easier debugging and ensuring full ownership of our network. -- cgit v1.2.3