WG Tunnel docs Help

Features

This section details all the app's existing features and behaviors.

Adding tunnel configs

There are multiple ways tunnel configs can be added to the app.

After clicking the floating action button on the main screen, the following options are available:

  1. Upload a .conf file

  2. Upload a zip containing .conf files (like an export from WG Tunnel or the official app)

  3. Scan a QR code (Mobile only)

    • This option will upload the tunnel with a randomly generated name.

  4. Create one from scratch

AmneziaWG Support

WG Tunnel fully supports a fork of WireGuard called AmneziaWG. AmneziaWG is based off of WireGuard, but adds obfuscation to WireGuard's packet signatures to prevent deep packet inspection (DPI) systems from censoring WireGuard traffic.

One of the key differences (from a user perspective) between WireGuard and Amnezia is Amnezia adds additional properties to the standard WireGuard configuration format. Without these properties populated, Amnezia will fall back to using standard WireGuard and the packet signature obfuscation will not be applied.

How to convert an existing WireGuard config to Amnezia

  1. Open the tunnel setting screen by long pressing on a tunnel and clicking the gear icon.

  2. Click the edit tunnel floating action button and select the Amnezia option.

  3. The shared WireGuard properties will already be populated. Populate the addition empty Amnezia properties with the follwing data:

Junk packet count: between 3-5 (can be anywhere between 1-128)
Junk packet minimum size: 40
Junk packet maximum size: 70
Init packet junk size: 0
Response packet junk size: 0
Init magic packet header: 1
Response packet magic header: 2
Underload packet magic header: 3
Transport packet magic header: 4

Alternatively, these values can be added to the .conf file before import:

[Interface] Address = *** PrivateKey = *** DNS = *** MTU = *** Jc = 4 Jmin = 40 Jmax = 70 S1 = 0 S2 = 0 H1 = 1 H2 = 2 H3 = 3 H4 = 4

When using an Amnezia server, this values will be different and should match the server values.

Auto-tunneling

Auto-tunneling is the core feature of the application. It allows users to automate which tunnel will be active under certain network circumstances.

A core concept when using auto-tunneling is setting a primary tunnel.

Setting a primary tunnel can be accomplished by doing a long-press on the desired tunnel config on the main screen and clicking the gear icon.

There are three auto-tunneling modes that can be used in combination or individually:

  1. Tunnel on mobile data

    • The app detects when the device has switched to using mobile data and turns on the tunnel.

    • Common use case: Connecting to home server whenever leaving the house

  2. Tunnel on ethernet.

    • The app detects when a device has switched to an ethernet connection and turns on the tunnel.

    • Common use case: AndroidTV devices (especially portable ones)

  3. Tunnel on untrusted wifi (Location required)

    • The app detects when the device has connected to a new Wi-Fi network. If the network name (SSID) is not in the list of trusted network names, start the tunnel.

    • Common use case: Disable the tunnel on my home (trusted) network, but enable it when I connect to any public Wi-Fi network.

Wildcard Wi-Fi name support

Trusted Wi-Fi names and tunnel specific Wi-Fi name now support wildcards.

Allowed wildcards:

  • Use * to allow any number of characters after or before a given string segment. Example: "Guest*" will match all Wi-Fi names that start with Guest".

  • Use ? to allow a single wildcard character. Example: "Guest?" will match any Wi-Fi with the name "Guest" and one additional wildcard character.

  • Use ! to mark Wi-Fi name to be excluded. Example: A common use case for this flag would be to use it in combination with a "*" (all Wi-Fi names) "!Guest". This would trust all Wi-Fi names and exclude "Guest" from this trusted list.

Auto-tunneling to a specific tunnel by wifi name and/or mobile data

A common scenario is when a user wants to use a specific tunnel config when they are connected to certain networks.

WG Tunnel now allows users to configure each tunnel to be used on specific Wi-Fi networks and/or mobile data. Tunnels configured with these settings will be prioritized over the primary tunnel if the app detects a match.

To configure:

  • Long press on the tunnel config you would like to configure from the main screen

  • Click the gear icon

  • Add a Wi-Fi name where you would like to prioritize using this tunnel or turn on mobile data if this is your mobile data specific tunnel.

WG Tunnel auto-tunneling will now prioritize using this specific tunnel if it detects a matching network scenario.

Auto-tunneling pausing

Auto-tunnel pause is a feature of WG Tunnel that allows users to temporarily pause auto-tunneling.

This feature may be useful when a user wants to quickly make a change to a tunnel or quickly disable auto-tunneling without completely shutting it down.

The status of the pause can be viewed on the main screen of the app when auto-tunneling is enabled.

pause

There are two statuses:

This feature can be activated two different ways:

  1. Clicking the pause button from the main screen

  2. Toggling the auto tunnel quick tile

It is common for users to need to manually toggle a tunnel quickly in certain situations when auto-tunneling is active. This temporary override was created to meet this need.

Split tunneling

Split tunneling is a feature that allows a user to route only selected app's traffic through the tunnel. Currently, this is configured on a per-tunnel basis.

A common use-case could be that a user wants apps that only function in another country to be tunneled to a VPN server in that country while all other apps use the normal network.

To configure split tunneling:

  1. Long press on a tunnel config to show options

  2. Press the gear icon to navigate to the tunnel setting screen

  3. Press the pencil floating action button to edit the tunnel config values

  4. At the bottom of the Interface section is a Tunneling apps to open the tunneling apps selection dialog.

  5. Select which apps to either include or exclude from the tunnel

  6. Click Done

  7. Click the floating action button to save

Auto restart on boot

When enabled, auto start on boot will automatically start a tunnel on reboot in the following order of priority:

  1. The last tunnel that was active

  2. The primary tunnel

  3. The first tunnel in the list of tunnels

Auto restart on app update

This feature will automatically restore your running tunnel and/or auto tunnel service after an app update has completed.

Pre/Post Up/Down Script Support

WG Tunnel now supports PreUp, PostUp, PreDown, PostDown scripts.

These can be configured as properties in a tunnel .conf file and imported into the app.

For more details and example use cases for these scripts, see the unofficial docs.

Restart on ping fail (beta)

This feature attempts to restart the tunnel if it is failing to ping your server. This feature is still in beta and will likely change in the future.

  • Pings vpn server address on an interval: 1-minute(s)

  • Cooldown after a failed ping/restart is triggered: 60-minute(s)

Enable app lock

This feature allows the user to set an app-specific pin when launching WG Tunnel.

The primary use case for this feature is to serve as a parental control mechanism to prevent phone users from being able to disable auto-tunneling.

To config:

  • Navigate to app settings

  • Toggle "Enable app lock"

  • Set your pin

Tunnel statistics

Clicking on a tunnel while it is running will show per peer tunnel statistics including:

  • Rx in MB

  • Tx in MB

  • Last successful handshake in seconds

  • First characters of peer public key

statistics

Quick tile settings

Quick tile settings is a feature of WG Tunnel that allows users to quickly control and see the status of the active tunnel or auto tunneling without opening the app.

quick-tile

There are two tiles available. One is for toggling the currently active and/or primary tunnel. The other tile is for toggling the state of auto-tunneling from pause/resume.

Always-on VPN

Turning on the Always-On VPN setting (mobile only) in WG Tunnel allows the Android OS to control your primary tunnel (or an app selected tunnel if no primary is set) through the Android OS Always-On VPN feature.

Android will attempt to keep the tunnel always connected.

An added benefit to Always-On VPN is the ability to use the Block connections without VPN native Android feature for added security, but this will prevent split tunneling from working properly.

Exporting tunnel configs

WG Tunnel offers the ability to export all of your tunnel configurations to a zip folder (mobile only).

  1. Navigate to the Settings screen.

  2. Click Export configs near the bottom of the screen.

  3. Complete the biometrics prompt.

  4. All configs are now saved to the Downloads folder on your device in a zip folder called wg-export_<timestamp>.zip.

Kernel Module Support

If you are on a rooted device, WG Tunnel also supports the use of WireGuard's native kernel implementation on Android (mobile only). This has some performance benefits, but it has been known to be less reliable than the userspace implementation.

Last modified: 23 September 2024