2023-10-18
WireGuard is pleasantly easy to set up on smartphones (if you're experienced)
For reasons beyond the scope of this entry, we recently got new Android smartphones at work. In the process of setting mine up, I (re)discovered that from Android 12 onward, there's no native way to set up either of our types of VPNs (OpenVPN and L2TP). Since I was going to need a client and go through extra hassle, I decided to try to make WireGuard work, since I like WireGuard better than OpenVPN. The experience was so pleasantly easy that I then did it on my own iPhone.
Now, I'm not sure I'd describe this experience as user friendly overall, because it involved writing a WireGuard configuration file and manually generating the WireGuard client key on a Linux machine. But I already know how to do both of those, and it was actually quite easy to do what I'd expected to be the hard part, namely to get the configuration into the WireGuard Android and iOS apps. On both, the official app supports reading a QR code that encodes your configuration file, and so I followed these directions to generate the QR code in a PNG, displayed it on my desktop screen (enlarged a time or two, partly due to HiDPI displays), and pointed each smartphone at its QR code until it imported the configuration. The whole process was pretty painless and the result just worked.
As a smartphone VPN, WireGuard is pleasantly functional and seems to just work. My current feeling is that WireGuard's session-less nature makes it an especially good fit for smartphones, which go inactive and silent on a quite frequent basis and which can also hop networks and IPs at the drop of a hat. WireGuard's session-less nature keeps things going along where a session-based VPN would have broken your current session and then had to resume it, either automatically or, worse, manually.
(After I set up the configurations, I belatedly realized that on smartphones, you probably don't want persistent keepalives; you want to let the phone go silent, powering itself and the wireless or the cellular radio down. Fortunately the WireGuard app allows you to modify that after you've loaded your configuration.)
In the past I've worried about the challenges of provisioning WireGuard clients. Going through this experience has convinced me that it's not all that difficult for smartphone people. It wouldn't be too hard to build a 'WireGuard registration' web application (similar to our existing system for other VPNs) that generated a WireGuard keypair, allocated an IP, expanded a template configuration with this information, and turned it into a QR code the web application would display to you and that you'd scan with the WireGuard app (then the web application would save the information so you could get the QR code again if necessary). Provisioning non-smartphone devices now seems like the bigger problem, since you usually can't have them just scan a QR code. Hopefully they could download or copy the text version of the configuration (which the web application could also display, of course).
(As before, Tailscale isn't currently an option, and I don't feel happy building a production VPN that uses their clients for free with an alternate control server such as headscale.)