Automatic on-demand activation of WireGuard for Android /e/

[Screenshot: a bit of the flow for automatically connecting to WireGuard]

I like WireGuard as a VPN system.

I also like my phone to be connected to the VPN whenever it is not on a trusted Wi-Fi network, so that all my traffic routes via an encrypted tunnel back through our systems.

The iOS application for WireGuard makes this easy. You can set the conditions under which WireGuard activates and deactivates, and it "just works".

The Android client for WireGuard does not offer this.

In Android's own network settings, I could configure my phone to always connect to WireGuard. This was better than nothing, but not quite what I wanted. (It also has a feature of blocking all Internet traffic if it is not connected to WireGuard, and I like this. I want to replicate it.)

However, I don't really want the WireGuard connection to be up when I am on a trusted Wi-Fi network, as I could not make it work with KDE Connect, to allow me to control my phone (e.g. send and receive SMS) from my computer.

Automate for Android

A kind person on Twitter mentioned an application for Android called "Automate", and said that there was a "flow" to activate WireGuard on-demand.

I have finally got around to trying this out, and the basic functionality worked.

I tinkered with it slightly, so that it pinged one of my own boxes rather than pinging a third-party server, and I had to:

  • spend a bit of time setting device permissions, so that it could access my Wi-Fi network details
  • set my own Wi-Fi SSID (just set the network name, not the MAC address, if, like me, you have multiple access points with the same SSID)
  • set the profile name within the WireGuard application.

Bits I have not yet worked out

I have yet to work out:

  • how to make it start automatically when I reboot my phone. The setting which seems to offer that doesn't seem to do what I am expecting, and I've yet to work out why.

    • The comment "Fibers are saved to the internal storage, so if the device shutdown they’ll continue to run from the last block when the device has restarted, see the Run on system startup option in settings." doesn't seem to do what I am expecting.

    • It's not a big deal, as I don't restart my phone that often.

    • I've tried adding some additional conditions to check state (rather than just watching for changes) of interfaces, and I think that might be the way to go.

  • how to deny Internet access if my phone is connected to neither my trusted Wi-Fi network, nor WireGuard. I'd like it to "fail safe".

  • how to restart the flow automatically if it fails.


Author: neil

I'm Neil. By day, I run a law firm, decoded.legal, giving advice on Internet, telecoms, and tech law. This is my personal blog, so will be mostly about tech stuff, cycling, and other hobbies.
