Access my home server through my phone hotpot.

Thenuge · Apr 3, 2022, 2:03 PM

So I have my android phone set to always on VPN with OpenVPN into my home Netgate 1u PFsense box. I run Funkwhale and Jellyfin along with Nextcloud and some other stuff. So all my data and media are centered around my Unraid home server.

I went on a trip with the family and was trying to give access to the kids Android/Ios tablets to watch some stuff on jellyfine but the tablets could not access the 192.168...... address. They would get internet fine but anything on the home network doesn't work.

How would I go about getting the hotspot setup to work like that. I was even considering of getting an actual hotspot for the car instead of using my phone if I can make it work.

Thanks for any help. Also, I was not sure where to post this so if it would be better suited in a different section I can re post it.

Thenuge · Apr 7, 2022, 9:09 PM

bump

darcey · Apr 8, 2022, 9:02 AM

If I understand right, you have a vpn client on your phone and its successfully connected to your pfsense WAN. Then, you want to use the phone as hotspot and route (or possibly NAT) kids devices over the VPN. So they access both LAN (on a pfsense attached network) and possibly internet via this tunnel.

Unless the phone NATs the kids devices, this sounds more of a site-to-site VPN setup.

I have in the past (some years ago) on android found it was not possible to have the phone act as both vpn client and hotspot simultaneously. But I believe that is now possible at least in later android versions.

NogBadTheBad · Apr 8, 2022, 9:54 AM

You need the VPN clients on the kids Android / IOS devices.

They connect to your hotspot then connect to the VPN set up on their devices to home.

darcey · Apr 8, 2022, 11:07 AM

@nogbadthebad
Whilst that would work it would be neater IMO to do it in such a way that multiple VPN clients (on every kids device) are not needed.
If one can simultaneously run hostspot and vpn client on the phone, and the phone Masqerades (ie NAT) the hotspot clients the same way a home router does, I imagine
it should be possible for the kids devices to access the same resources the phone is (already) successfully accessing over the VPN. This without additonal firewall/routing rules.
I guess it comes down to how the phone handles a default 'always on' VPN tunnel AND hotspot running at the same time.

akuma1x · Apr 8, 2022, 2:09 PM

@thenuge You could use one of these little guys, GL.iNet travel router:

https://www.amazon.com/GL-iNet-GL-AR750S-Ext-pre-Installed-Cloudflare-Included/dp/B07GBXMBQF

There's a VPN client/server setup on there, so you should be able to simply setup the client version, connect it into your home network, then the wifi side will allow your kids "stuff" into your home LAN.

Be aware, if using in the car, you will have to power it and tether your phone to this box so it can get internet access. It's kinda a lot of little steps to do, but it should work just fine.

Thenuge · Apr 8, 2022, 3:27 PM

@darcey You are correct about my setup.

The tablet will get internet when attached to the hotspot. Soo.. I assume because all my traffic goes through the OpenVPN tunnel (I have it set to Block Connections without VPN) that its pulling from my house WAN.

So it gets internet but wont access anything on my lan. The funny thing is, if I had to choose I would ditch the internet and just keep the kids on the lan. At least I know whats on my servers unlike youtube.

Thenuge · Apr 8, 2022, 3:36 PM

@akuma1x Thanks, I might have to pick that up just to have even if I get the phone working the way I want.

I recently got this little guy.
https://www.amazon.com/gp/product/B09QW79DH7/ref=ppx_yo_dt_b_asin_title_o01_s00?ie=UTF8&psc=1

I have been hooking up Ethernet to it and connecting the phone as a router and messing around with HDMI port for TV hookup. I have not had much time to play with it yet but Im hopping to do some fun stuff with it.

Non of which will matter if I cannot get other devices to access my lan resources.

I know we are talking about extra stuff now but I am hoping to get the kids devices to work just using the phone.

darcey · Apr 8, 2022, 3:53 PM

@thenuge said in Access my home server through my phone hotpot.:

@darcey You are correct about my setup.

The tablet will get internet when attached to the hotspot. Soo.. I assume because all my traffic goes through the OpenVPN tunnel (I have it set to Block Connections without VPN) that its pulling from my house WAN.

If that is the case, then you probably need to look at the IP assignment either side of the VPN. Whether the phone is NATing those devices behind it or routing them over the tunnel. Also, if you've tried only LAN host names, try IPs. It may just be a name/domain resolution issue. On pfsense, capture traffic entering/leaving the VPN.

akuma1x · Apr 8, 2022, 3:53 PM

@thenuge I am not aware of any cell phone that can function like that - hotspot thru your cell provider, and wifi to other wireless clients thru to your VPN server (and therefore LAN) at home.

darcey · Apr 8, 2022, 3:54 PM

@akuma1x said in Access my home server through my phone hotpot.:

@thenuge I am not aware of any cell phone that can function like that - hotspot thru your cell provider, and wifi to other wireless clients thru to your VPN server (and therefore LAN) at home.

He believes the hotspot clients are accessing the internet via the vpn tunnel. I think he needs to validate this on pfsense side as I fear you may be right.

viragomann · Apr 8, 2022, 4:21 PM

@akuma1x said in Access my home server through my phone hotpot.:

I am not aware of any cell phone that can function like that - hotspot thru your cell provider, and wifi to other wireless clients thru to your VPN server (and therefore LAN) at home.

This works on my iphone though.
I connect to my firewall from outside using OpenVPN connect and provide a hotspot on the phone which I join my laptop to. And then I'm able to access devices in my home LAN.

But I cannot say if this works with Android as well.

akuma1x · Apr 8, 2022, 4:27 PM

@viragomann said in Access my home server through my phone hotpot.:

This works on my iphone though.
I connect to my firewall from outside using OpenVPN connect and provide a hotspot on the phone

Ok, my bad then, sorry. I am using the built-in IPSEC connection on my iPhone to get into my home network. I never added OpenVPN software to do anything like this.

Thenuge · Apr 8, 2022, 6:09 PM

@darcey OK, I am wrong. I thought the device would block all internet traffic but that does not apply to the hotspot. Android wont let the hotspot clients use the VPN it just gives them internet access.

I jumped over to the graphine os matrix chat (the os I use) and was asking the guys over there about it and they said the only way to do it is with a proxy.

darcey · Apr 8, 2022, 6:23 PM

@thenuge That's a shame. It would have been a compact, elegant solution.
I have an lineageOS on my aging android phone and that allows simultaneous vpn and hotspot. But I never attempted to send hotspot clients over the tunnel. By the sounds of things, could be one good reason to get an iPhone.

Thenuge · Apr 11, 2022, 4:28 AM

Does anyone know if what I am trying to do is possible with the new IOS? After looking at a few different solutions now that I know android wont support passing all the Hotspot traffic through the tunnel, the Iphone might be a better solution for me over a Hotspot/travel router.

darcey · Apr 11, 2022, 5:34 AM

@thenuge
Sorry can't help with your search but I came across this project. The fact it exists and is currently being maintained suggests/confirms what you want to do with android is still not possible (unless you root the phone).
I was really late to the party with smart phones and only use mine for specific tasks that tend to leverage built-in devices like camera and GPS. It surprised me this (secure mobile access point) is still not possible with vanilla android.

viragomann · Apr 13, 2022, 2:59 PM

I have to revoke my proposition above.

I tested this again on iPhone with iOS 15.4, but it didn't work now. I started an OpenVPN connection on the iPhone and connected my laptop with the its hotspot. But I was not able to connect to a remote resource with this.
So obviously that's not possible with a recent iOS as well.

Maybe it worked with an earlier version or I remembered wrong and I established the VPN on the laptop using the phone's hotspot.

Gertjan · Apr 13, 2022, 3:00 PM

@viragomann said in Access my home server through my phone hotpot.:

I started an OpenVPN connection on the iPhone and connected my laptop with the its hotspot. But I was not able to connect to a remote resource with this.
So obviously that's not possible with a recent iOS as well.

I tried just that several days ago.

I use the OpenVPN OpenConnect app on my iPhone
When you use it, and check log files on both sides, you'll see that your iPhone gets one IPv4 - and one IPv6 if you asked for it / set up IPv6.
That"s one IP for one device, the iPhone.

If the hotspot would use the OpenVPN connection, would it use the same attributed IP for the hotspot connected device ?
No, of course not, that would be an error.
This means that the iPhone VPN App should behave as a router ? Can't be, as the app (my words) has been created to connect 'a device' to a OpenVPN server, not multiple devices.

I'm pretty sure that what you want, exist.
It will be a dedicated small box, a router, with an AP build in, a 3/4/5G connections, thus a SIM card, and it should have a special case of OpenVPN Client usage so every device connected to the AP will get tunneled to the OpenVPN server.

darcey · Apr 13, 2022, 3:40 PM

@gertjan said in Access my home server through my phone hotpot.:

@viragomann said in Access my home server through my phone hotpot.:

I started an OpenVPN connection on the iPhone and connected my laptop with the its hotspot. But I was not able to connect to a remote resource with this.
So obviously that's not possible with a recent iOS as well.

I tried just that several days ago.

I use the OpenVPN OpenConnect app on my iPhone
When you use it, and check log files on both sides, you'll see that your iPhone gets one IPv4 - and one IPv6 if you asked for it / set up IPv6.
That"s one IP for one device, the iPhone.

If the hotspot would use the OpenVPN connection, would it use the same attributed IP for the hotspot connected device ?
No, of course not, that would be an error.

If the phone behaves as a NAT home router and successfully masquerades hotspot connected devices over the WAN based VPN tunnel, then I believe you would still only see one VPN client on the pfsense side.
Is this not what many higher end home routers (pfsense included) do? They masquerade LAN connected devices via an VPN client connection. The limitation seems imposed by android's design rather than the underlying Linux kernel/network stack. It appears neither Android or IOS permit NAT of hotspot network over the vpn client 'interface'.
The project I linked to above appears to offer a UI to manipulate iptables to achieve this but requires root.

This means that the iPhone VPN App should behave as a router ? Can't be, as the app (my words) has been created to connect 'a device' to a OpenVPN server, not multiple devices.

I'm pretty sure that what you want, exist.
It will be a dedicated small box, a router, with an AP build in, a 3/4/5G connections, thus a SIM card, and it should have a special case of OpenVPN Client usage so every device connected to the AP will get tunneled to the OpenVPN server.

Yes, and I bet it's quite expensive.