My VPN provider has a limit to how many concurrent connections I can have, and a workaround I’ve been using is to run the Wireguard client as a daemon (wg-quick@my-wg-config) and a Squid proxy on my home server, and point my local devices to the HTTP proxy port, which will route the traffic through the Wireguard connection. However, this has broken randomly multiple times in the past few months, where it will randomly decide to just not allow the server to connect to ANY internet address while the Wireguard connection is active, and no amount of network or routing table configuration changes fixes it. The Squid proxy works fine as far as I can tell, it’s just the Wireguard connection that’s failing, which doesn’t even allow a ping to an internet address from the server’s terminal (which doesn’t go through the proxy). The only way I’ve been able to fix it is to completely reinstall the OS on the server and reconfigure everything from scratch, which is annoying and also only works until it randomly decides to break again. This makes me think I’m doing something wrong.

Is there a more “proper” or widely supported way of routing internet traffic on local devices through a single Wireguard connection? Everything I could read online says running Wireguard with an HTTP proxy server is the way to do it, but it clearly isn’t very reliable or my computer is just defective in some weird intermittent way? The server is running Fedora Server 43. I’ve also checked for SELinux denials but there are none.

I’m aware of wireproxy but it uses a SOCKS5 proxy which is not as widely supported as an HTTP proxy and a lot of my devices (mainly phones) won’t be able to access it. Also I’d like the server itself to also use the VPN, not just the devices on the proxy.

Does anyone have more experience with this and can give some advice?

  • N0x0n@lemmy.ml · +2 · 6 days ago

    I dunno if this is a proper way… However I remember I did a similar thing to route all my traffic from all my devices to protonVPN’s free tier.

    I can’t remember exactly how, but IIRC 2 wg connections were used (wg0 and wg-ext) and with some iptables rules I was able to route all traffic from wg0 to wg-ext without issues.

    While I can’t exactly remember how, I think I still have the config files around; if you’re interested I can dig into my old backups :)

  • Gravitywell.xYz@sh.itjust.works · +8 · 6 days ago

    The proper way to do it is to connect your router to the VPN; most routers have support for it these days.

    If you want to do it the harder way, connect one machine to your VPN provider on one wg network and create a second wg network for your local devices which routes all traffic (not just HTTP) through the one device that’s connected to your VPN provider. Basically make your own home VPN server and connect to that.

    Using just Squid for HTTP to relay the VPN, in addition to being fragile and breaking sometimes, is also just not really giving you full VPN coverage; your IP is going to be leaking all over the place.

  • hexagonwin@lemmy.sdf.org · +3 · 6 days ago

    BTW, wireproxy also supports an HTTP proxy. I’m not sure how efficient it is, but I use it daily for having different VPNs on each Firefox container tab.

    • HiddenLayer555@lemmy.ml (OP) · +5 · 6 days ago

      I don’t have custom firmware on my router and frankly don’t trust the stock one to handle VPN connections securely without sending “analytics” back to the manufacturer.

      I’m thinking about seeing if I can get OpenWrt on it though, but I’m worried it won’t be reliable enough and I really don’t want to be in a situation where I have no internet period after my experiences with just the proxy server breaking. The only reason I’ve been able to troubleshoot it is because the internet itself still works.

      • harmbugler@piefed.social · +4 · 6 days ago

        The problem seems to be your router. If you can install OpenWRT at all (check the supported devices), I would be surprised if it wasn’t more reliable than whatever OEM router software is already on there. The upshot is you can trust your router.

    • Papamousse@beehaw.org · +1 · 6 days ago

      I agree, I have an ASUS router with Merlin FW and there are multiple VPN clients on it and it can handle all this automatically.

  • gyrfalcon@beehaw.org · +2 · 6 days ago

    No particular experience with the VPN issue so feel free to completely ignore this idea, but if you do have to stick with something resembling your current solution it could make sense to put it in a VM or container so that the process of rebuilding it is not so burdensome.

    • HiddenLayer555@lemmy.ml (OP) · +2 · 6 days ago (edited)

      Hmm, basically make a container with the VPN client and proxy server, and expose the proxy port through it? Not sure how to route the host server’s traffic through that but I suppose I can just point all the important stuff to the local container’s proxy port. I’ll see if that’s more reliable than modifying the host network configurations. Thanks!

      I’ve also been thinking of switching to Nix so I can just configure it once and rebuild the entire system with all the configurations at any time without going through manually setting everything back up with individual commands/file edits. Though I’m not sure if that’d be more reliable given it’s broken randomly on Fedora when I didn’t even change any network configurations.

  • stratself@lemdro.id · +2 · 6 days ago

    If you can run WireGuard on all your devices, you may wanna set up a multihop node that forwards outbound traffic to the VPN tunnel via that hub.
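The two-tunnel hub that Gravitywell, N0x0n and stratself describe, written out as an added example (not config from any poster): a wg-ext tunnel to the provider plus a wg0 tunnel for the devices, with nftables forwarding and masquerade in place of the Squid relay. The interface names wg-ext/wg0, the 10.200.0.0/24 range, port 51821 and the table name wghub are assumptions; angle-bracket values are placeholders.

```shell
#!/bin/sh
# Two WireGuard tunnels on one Linux hub. Assumed names: wg-ext = tunnel to the
# VPN provider, wg0 = tunnel your devices join. <angle brackets> are placeholders.
set -eu
HUB_NET="10.200.0.0/24"   # constructed: range handed out to wg0 peers

# AllowedIPs 0.0.0.0/0 makes wg-quick install its fwmark/policy-routing default
# route, so the hub's own traffic AND packets forwarded from wg0 exit via the provider.
gen_wg_ext_conf() {
  cat <<'EOF'
[Interface]
PrivateKey = <hub private key issued by the provider>
Address = <tunnel address issued by the provider>
[Peer]
PublicKey = <provider public key>
Endpoint = <provider host>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Forward policy drop: if wg-ext is down, wg0 clients cannot leak out the LAN
# uplink. Relax it if this host also forwards for containers.
gen_wg0_conf() {
  cat <<EOF
[Interface]
PrivateKey = <hub private key for wg0>
Address = 10.200.0.1/24
ListenPort = 51821
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = nft add table inet wghub
PostUp = nft add chain inet wghub forward '{ type filter hook forward priority 0; policy drop; }'
PostUp = nft add rule inet wghub forward iifname "wg0" oifname "wg-ext" accept
PostUp = nft add rule inet wghub forward iifname "wg-ext" oifname "wg0" ct state established,related accept
PostUp = nft add chain inet wghub postrouting '{ type nat hook postrouting priority 100; }'
PostUp = nft add rule inet wghub postrouting ip saddr ${HUB_NET} oifname "wg-ext" masquerade
PostDown = nft delete table inet wghub
[Peer]
PublicKey = <device public key>
AllowedIPs = 10.200.0.2/32
EOF
}

# Writes both files with mode 600 and starts the units; run as root on the hub.
install_hub() {
  umask 077
  gen_wg_ext_conf > /etc/wireguard/wg-ext.conf
  gen_wg0_conf > /etc/wireguard/wg0.conf
  systemctl enable --now wg-quick@wg-ext wg-quick@wg0
}
```

Each device then runs the stock WireGuard app with Endpoint set to the hub's LAN address on port 51821 and AllowedIPs = 0.0.0.0/0, so all of its traffic (not only HTTP) rides the provider tunnel. On Fedora with firewalld, its own forward chain is evaluated as well, so forwarding between wg0 and wg-ext must also be permitted there.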