zlacker

1. Frotag+(OP) 2026-01-12 00:05:30
Speaking of WireGuard, my current topology has all peers talking to a single peer that forwards traffic between peers (for hole punching / peers with dynamic IPs).

But some peers are sometimes on the same LAN (e.g. phone is sometimes on the same LAN as PC). Is there a way to avoid forwarding traffic through the server peer in this case?

2. woopto+a4 2026-01-12 00:39:45
>>Frotag+(OP)
Two separate WG profiles on the phone; one acting as a Proxy (which forwards everything), and one acting just as a regular VPN without forwarding.
3. Frotag+A4 2026-01-12 00:42:53
>>Frotag+(OP)
I guess I'm looking for wireguard's version of STUN. And now that I know what to google for, finally found some promising leads.

https://github.com/jwhited/wgsd

https://www.jordanwhited.com/posts/wireguard-endpoint-discov...

https://github.com/tjjh89017/stunmesh-go

4. megous+o8 2026-01-12 01:10:46
>>Frotag+(OP)
Have your network-managing software set up a default route with a lower metric than the WireGuard default route, based on the Wi-Fi SSID. This can be done easily with systemd-networkd, because you can match .network file configurations on SSID. You're probably out of luck with this approach on network-setup-challenged devices like so-called smart phones.
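
The SSID-matched metric approach from the comment above, sketched as an added systemd-networkd example (not code from the thread). The interface name `wlan0`, the SSID `HomeNet`, the file names and the metric 200 for the WireGuard default route are assumptions.

```ini
# /etc/systemd/network/20-wifi-home.network   (constructed file name)
# Applies only while wlan0 is associated with the home SSID.
[Match]
Name=wlan0
SSID=HomeNet

[Network]
DHCP=yes

[DHCPv4]
# Metric for routes learned from DHCP, including the default route.
# Assumption: the WireGuard default route is installed with metric 200,
# so 100 makes the LAN default route win on this SSID.
RouteMetric=100

# /etc/systemd/network/30-wifi-other.network  (constructed file name)
# Fallback for every other Wi-Fi network on the same interface.
[Match]
Name=wlan0

[Network]
DHCP=yes

[DHCPv4]
# Higher than the assumed WireGuard metric (200), so the tunnel's
# default route is preferred everywhere except the home SSID.
RouteMetric=600
```

systemd-networkd applies the first matching .network file in lexical order, so the SSID-specific file has to sort before the generic one. While on the home SSID, traffic that follows the lower-metric route leaves outside the tunnel and is not encrypted by WireGuard.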
5. torcet+m31 2026-01-12 09:21:10
>>Frotag+(OP)
The way I do it is to have two different first level domains. Let's say:

- w for the wireguard network.
- h for the home network.

Nothing fancy, just populate the /etc/hosts on every machine with these names.

Now, it's up to me to connect to my server1.h or server1.w depending on whether I am at home or somewhere else.

6. darkwa+1k1 2026-01-12 11:34:26
>>Frotag+(OP)
I don't fully understand your topology use case. You have different peers that are "road-warriors" and that sometimes happen to be both on the same LAN which is not your home LAN, and need to speak the one to the other? And I guess you are connecting to the other peer via DNS, so your DNS record always points to the Wireguard-provided IP?