An example workflow to solve a problem

When I do tedious administrative work I like to listen to music, and I prefer if I can scrobble what I am listening to unto listenbrainz, to know what I like, and later being able to see what I have listened to. And as a second objective, I would like to be able to see my private calendars on my work phone. So how do I solve this problem with my work iPhone? The function to scrobble does not exist within the IDAGIO app which I am using to listen to music, or any other streaming app, not at least am I aware of any app that do. And I have at home a Navidrome music server with a great music collection, which is scrobbling to listenbrainz, and I am soon in the phase where I can skip streaming all together, but at the same time I do not want to open up this music server to the internet. This is the background, and problem

So my conclusion is that I want to use a split-VPN tunnel via WireGuard, meaning that I only want my music to go through the tunnel, and of-course DNS traffic to filter away ads and other unwanted internet rubbish, the rest of the traffic will go through the Phone’s LTE connection or Wi-Fi at work. How do I accomplish this in a safe and convenient way?

I start with my internal firewall, an OpenBSD machine, which already has two WireGuard tunnels, and I create a third tunnel which is called in an OpenBSD manner for /etc/hostname.wg2. Let us start. You can find many guides on the internet, one you may find here.

doas cat /etc/hostname.wg2
wgkey = private-key-for-the-interface 
wgport 51722
inet 192.168.35.1/30
# workphone
wgpeer client's-public-key wgpsk preshared-key wgaip 192.168.35.2/32
up
group services

Then we put the third virtual interface up via the commando: doas sh /etc/netstart wg2, and through the group name services the client is allowed to query both the AdGuard home DNS server and the NTP server (AdGuard is querying Unbound, and for the internal domain is Unbound querying NSD). So let us create a WireGuard config for the client.

cat wg.client.conf
[Interface]
PrivateKey = Clients private key
Address = 192.168.35.2/32
DNS = 192.168.4.1, domain.com

[Peer]
PublicKey = Server’s public key
PresharedKey = Preshared key
AllowedIPs = 192.168.4.1 (DNS server), 192.168.45.2 (music server), 192.168.4.8 (dav server)
Endpoint = vpn.domain.com:51822
PersistentKeepalive = 25

In this config, we can see the client’s ip-address, which DNS server, and domain suffix to use, and which addresses to use for the tunnel, these have real DNS names and are looked up through the internal DNS.

Then we make for the iOS client a QR code which is easy to import: qrencode –read-from=wg.client.conf –type=UTF8, and we import this config via the iOS WireGuard client. Let us also make a firewall rule for this client.

### The interface that holds the default route is automatically  identified as egress by OpenBSD, in my case is it my edge firewall. 
### PASS IN RULES ###
pass in quick on egress inet proto udp to egress port 51822 keep state set prio (3, 5) label "WIREGUARD_WORK"
### dns rules ###
pass in quick on services inet proto { tcp, udp } to $ns1 port { 53, 443, 853 } modulate state set prio 7 label "allow DNS on ns1"
pass in quick on services inet proto udp to $ns1 port 123 modulate state label "allow NTP traffic on ns1"
### work phone ###
pass in quick on wg2 inet proto tcp to { $music, $dav } port 443 modulate state label "allow work phone to use navidrome and dav server"
### block all other lan traffic (end of pf.conf file) ###
block return in log quick from any to self label "BLOCK all other traffic to SELF"
block return in log quick from any to <blocked> label "BLOCK all other traffic to SUBNETS"

And as our last mission, we create the firewall rules on the edge firewall.

### DNAT RULES ###
pass in log on egress inet proto udp from <specified_country> to egress port 51822 rdr-to $fw port 51822 keep state set prio (3, 5) label "WIREGUARD_WORK"

Let us reiterate what we have done:

  • We have created a WireGuard tunnel and client configuration for the work iPhone which is allowed to reach my internal DNS, NTP, and Navidrome music server, and the Baikal server for my calendars, and nothing more.
  • We have created the necessary firewall rules on the internal firewall for this client.
  • We have created the necessary firewall rules on the edge firewall to reach the WireGuard tunnel on the inside.

The WireGuard app has these On-demand (an iOS feature) rules activated that it is always connected through the VPN tunnel except if I bring the iPhone home and use my own Wi-Fi, then the VPN tunnel is brought down, and the firewall rules applied to that SSID apply to it. This has worked very well, and I have accomplished my objectives.

WireGuard is truly an outstanding piece of VPN software, it works so well, and has revolutionised how I use VPN, and I am today able to host more and more services at home, and soon nearly be completely free of all cloud services. On my Proxmox server am I running virtual machines that hosts my calendars and contacts (Baikal), photos (Piwigo), music (Navidrome), media (Emby), notes through Joplin and a WebDAV backend by nginx, and on my internal firewall DNS services as AdGuard home, Unbound, and NSD, and storage on my NAS with ZFS and Syncthing and Samba, and always available to me through WireGuard and OpenBSD, and other open-source software.

This article was updated on March 30, 2024