redterminal.org Gopher Hole

gopher://redterminal.org:70/0/phlog/2025-03-08-GrapheneOS_with_hotspot_and_VPN.txt
-------------------------------------------------------------------
+title:  GrapheneOS with hotspot and VPN
+date:   Sat, 08 Mar 2025 02:03:23 +0100
+author: -fab- <fab@redterminal.org>
-------------------------------------------------------------------

     ________                    .__
    /  _____/___________  ______ |  |__   ____   ____   ____
   /   \  __\_  __ \__  \ \____ \|  |  \_/ __ \ /    \_/ __ \
   \    \_\  \  | \// __ \|  |_> >   Y  \  ___/|   |  \  ___/
    \______  /__|  (____  /   __/|___|  /\___  >___|  /\___  >
           \/           \/|__|        \/     \/     \/     \/
                 ____   _____________________
                 \   \ /   /\______   \      \
                  \   Y   /  |     ___/   |   \
                   \     /   |    |  /    |    \
                    \___/    |____|  \____|__  /
                                             \/

<== I broke my OnePlus smartphone ==>

Because the 'official' /E/OS on my old OnePlus Nord has
discontinued support, I tried to flash the /E/OS 'community'
edition onto it. And either I damaged the WiFi on my phone during
the flashing process, or it simply does not support it.

I hoped for another few years of using this phone, but now it's
unusable for me. Bad luck for me.

So I was in need of another smartphone with WiFi hotspot support.
And for my use case I also need VPN. On my old OnePlus the hotspot
traffic was completely sent through the installed WireGuard VPN
client which I installed with F-Droid.

<== My new Pixel 8a ==>

I always wanted to use GrapheneOS because of its security and
privacy features, and this incident was an opportunity to try it.

So I just ordered a Pixel 8a which I received today, and naturally,
I immediately flashed GrapheneOS onto it. Unfortunately, I was
unable to utilize the WebUI Installer, but manual installation
wasn't overly challenging either. Although I had never used
GrapheneOS before, it always seemed a good solution. I opted for a
relatively new Pixel phone model (8a), which supports GrapheneOS up
until May 2030, ensuring at least 5 years of use.

<== Problems ==>

But the device running GrapheneOS has some frustrating limitations
I wasn't aware of: If you activate a VPN on your phone, the
VPN is bypassed when using a WiFi hotspot, and unfortunately,
this functionality isn't developed. This was a significant
disappointment initially, and many users have requested this
feature, but the developers don't care to implement it. Initially,
it seemed like a deal-breaker, but after flashing GrapheneOS, I
couldn't return it.

<== The solution ==>

But then an easy solution for this issue came to my mind: I merely
employed WireGuard on my laptops, which subsequently linked to
my home VPN via the unprotected hotspot. This was surprisingly
effortless to implement, even on my Artix machines.

Because I already had a WireGuard server and the necessary
configuration files for the clients, the setup was incredibly
straightforward. All I needed to do was install the
'wireguard-tools' and 'openresolv' packages, then copy the old
config file (named Triangle.conf) into /etc/wireguard.

Next, I connected to the insecure GrapheneOS hotspot and executed
'sudo wg-quick up Triangle' on the laptop. 'Triangle' represents
the related configuration file. To shut it down, it's as simple as
'sudo wg-quick down Triangle', followed by disconnecting from the
hotspot.
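
A check worth running before 'wg-quick up' on an unprotected
hotspot, as an added example that is not part of the original post:
wg-quick only routes the networks listed in AllowedIPs into the
tunnel, so a config without 0.0.0.0/0 and ::/0 (or without a DNS
line for openresolv) lets that traffic leave directly over the
hotspot. The function names, the sample config and all values in
it are constructed; the contents of Triangle.conf are not shown in
the post.

```shell
#!/bin/sh
# Added example: audit a wg-quick config for full-tunnel settings.
# Prints one finding per line; returns 0 only when nothing is missing.
wg_full_tunnel_check() {
    [ -r "$1" ] || { echo "cannot read $1"; return 2; }
    awk '
        { sub(/#.*/, "") }                                  # drop comments
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[^a-z]/, "", sec); next }
        {
            eq = index($0, "="); if (!eq) next              # first "=" splits key/value
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1);             gsub(/[ \t]/, "", val)
            if (sec == "interface" && key == "dns" && val != "") dns = 1
            if (sec == "peer" && key == "allowedips") {
                n = split(val, ips, ",")
                for (i = 1; i <= n; i++) {
                    if (ips[i] == "0.0.0.0/0") v4 = 1
                    if (ips[i] == "::/0")      v6 = 1
                }
            }
        }
        END {
            if (!v4)  { print "AllowedIPs lacks 0.0.0.0/0: IPv4 bypasses the tunnel"; bad = 1 }
            if (!v6)  { print "AllowedIPs lacks ::/0: IPv6 bypasses the tunnel"; bad = 1 }
            if (!dns) { print "no DNS in [Interface]: hotspot resolver is used"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample config: $1 = output path, $2 = AllowedIPs value.
write_sample() {
    cat > "$1" <<EOF
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 10.8.0.2/24
DNS = 10.8.0.1
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY=
Endpoint = vpn.example.org:51820
AllowedIPs = $2
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/split.conf" "10.8.0.0/24"      # split tunnel, constructed
wg_full_tunnel_check "$tmp/split.conf" || echo "=> fix the config before using the hotspot"
```

Against a real setup the call would be
'sudo sh -c ". ./check.sh; wg_full_tunnel_check /etc/wireguard/Triangle.conf"',
where check.sh is a hypothetical file name for the block above.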

And there you go!

<== Conclusion ==>

It might initially be challenging to create a WireGuard server
and the corresponding configuration files; however, it's a viable
solution for those demanding a VPN through the hotspot feature,
which GrapheneOS likely will never support. Given that many people
are requesting this feature, they are probably familiar with VPNs,
so they should be able to set up WireGuard or any other VPN they
prefer to use.

And having the VPN client on the laptop instead of the phone has
some more advantages. I can also use the VPN if I connect to an
open or otherwise unknown WLAN.

There are numerous guides available online on how to set up a
WireGuard server and clients. Just search the web.


All in all - Have fun!
-fab-

© -fab- <fab@linuxcult.net> CC BY-SA 4.0