I set up WireGuard on my phone, server, and computer to let my phone access my home network when I’m outside of it.

It works for the most part, but the inconvenient thing is that on Android you can only have 1 VPN running at a time. I want to use Mullvad VPN for the rest of my network connections for privacy.

I could make a single WireGuard config that defines 2 peers to connect to Mullvad and my home VPN at the same time, but by doing this, I lock myself to a single server without the benefits of being able to swap servers at the same time.

Locking myself to a single Mullvad server results in:

  • less privacy, since my IP is more static
  • inability to switch to bypass a VPN block

On desktop, I can have multiple WireGuard VPNs at once, but if I have both running at the same time, then my LAN is accessed over the home VPN, which is routed through Mullvad VPN. It goes

Computer -> Mullvad server -> Home VPN -> Home server

which is pretty wasteful.

Additionally, I’d prefer not to do something like: Phone -> Home VPN -> Mullvad server -> destination, as my upload speed is pretty bad and this would throttle every non-local connection.

What options do I have?

  • slothrop2@lemmings.world
    4 months ago

    Ugh, Android VPN single-process nonsense strikes again. Trying to run Mullvad and a full home WireGuard at the same time on the phone is basically fighting the OS. Don’t waste time trying to shoehorn two concurrent VPNs or a multi-peer WireGuard profile that locks you to one Mullvad server. That defeats the whole point.

    Practical choices that actually work:

    • Best for simplicity: keep Mullvad as your phone VPN, and expose a small, app-level access path to your home (SSH with dynamic SOCKS, an HTTPS reverse proxy, or a tiny web app). That way Mullvad stays flexible and your home access is an app-level exception, not a second system VPN.
    • If you want full IP-level access to your LAN from anywhere, use a cheap VPS as a relay or run Tailscale/headscale. Have your home server maintain a persistent tunnel to the VPS/Tailscale node, then connect to that node from your phone. Mullvad stays on your phone and you avoid double-hopping through Mullvad -> home VPN -> home.
    • Alternative: put Mullvad on your home router/gateway (or an exit node) so devices behind it already use Mullvad. Then your remote WireGuard can be set to only route LAN subnets, preventing the Mullvad double-hop.

    Pick the VPS/Tailscale relay if you want reliability and don’t want to expose ports on your home. Pick app-level proxies if you want the easiest, lowest-maintenance setup. Anything else is fiddly and will either leak convenience or privacy.
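
The desktop double-hop from the question, and the "only route LAN subnets" point from the reply, can be checked offline with the sketch below; it is an added example, not something posted by anyone in the thread. It assumes routing is a plain longest-prefix match over each tunnel's AllowedIPs, and the home endpoint `203.0.113.10` and LAN `192.168.1.0/24` are constructed sample values.

```python
import ipaddress

HOME_ENDPOINT = "203.0.113.10"   # constructed: public address of the home WireGuard server
HOME_LAN = "192.168.1.0/24"      # constructed: LAN subnet behind the home server

def route_for(dest, tunnels):
    """Return the tunnel whose AllowedIPs covers dest with the longest prefix, else 'direct'."""
    addr = ipaddress.ip_address(dest)
    best_name, best_len = "direct", -1
    for name, allowed in tunnels.items():
        for cidr in allowed:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name

def exclude(base, holes):
    """Return the CIDR blocks left after removing every network in holes from base."""
    remaining = [ipaddress.ip_network(base)]
    for hole in map(ipaddress.ip_network, holes):
        kept = []
        for net in remaining:
            if hole.subnet_of(net):        # hole sits inside this block: carve it out
                kept.extend(net.address_exclude(hole))
            elif not net.subnet_of(hole):  # block untouched by the hole: keep as is
                kept.append(net)
        remaining = kept
    return sorted(remaining)

def build_tunnels(mullvad_allowed):
    """Two simultaneous tunnels: Mullvad for general traffic, home for the LAN only."""
    return {"mullvad": [str(n) for n in mullvad_allowed], "home": [HOME_LAN]}

# Before: Mullvad claims everything, so the home tunnel's own encrypted UDP
# packets (addressed to HOME_ENDPOINT) are sent through Mullvad first.
BEFORE = build_tunnels([ipaddress.ip_network("0.0.0.0/0")])

# After: the home endpoint is carved out of Mullvad's AllowedIPs, so the home
# tunnel reaches its server directly while everything else still uses Mullvad.
AFTER = build_tunnels(exclude("0.0.0.0/0", [HOME_ENDPOINT + "/32"]))

if __name__ == "__main__":
    for label, tunnels in (("before", BEFORE), ("after", AFTER)):
        for dest in (HOME_ENDPOINT, "192.168.1.20", "1.1.1.1"):
            print(f"{label}: {dest:>14} -> {route_for(dest, tunnels)}")
    print("AllowedIPs =", ", ".join(AFTER["mullvad"]))
```

The last line printed is the list to paste into the Mullvad peer's `AllowedIPs`; it has to be regenerated if the home endpoint's address changes.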