Wireguard Android Client Setup [2022] – Simple and Secure VPN

Looking to set up a Wireguard client on Android? This step-by-step Wireguard Android client setup guide is exactly what you need.

Wireguard VPN as a protocol is a bit different than a traditional VPN. If you are new to it, I strongly suggest reading my Wireguard introduction for beginners.

In my Wireguard setup articles, I use the "server" and "client" terminology to simplify our understanding and make the transition to this idea a bit more comprehensible. The truth is that Wireguard as a protocol simply creates secure "tunnels" between peer devices. How we interact with these tunnels, and how those tunnels connect, is what gives Wireguard its flexibility.

Previously, I described Wireguard Mac OS client setup. In this post, let us look at how to set up the Wireguard client on Android and configure it.

Wireguard Android Client Setup

Requirement: An already running Wireguard server. If you do not have one, check out our Wireguard server setup guides for Linux and Windows.

You will sometimes hear about a "Road Warrior" setup with regards to Wireguard. This approach embraces the traditional server/client model - no matter where we go, our device is always able to connect to a static "home" server. This article will follow this approach and give a basic walk-through on connecting our Wireguard Android "client" to a Wireguard "server".

1. Install Wireguard Android App

Following the directions listed on the Wireguard website, download and install the Android Wireguard app via the Google Play Store or F-Droid App.

Wireguard F-Droid App
Wireguard In The F-Droid App Store.
Wireguard Google Play Store
Wireguard App In The Google Play Store

Launch the newly installed app, and we are greeted by an empty Wireguard window.

Empty Wireguard App
First Launch Empty Wireguard Screen.

A note on the Android Wireguard App permissions: You probably won't be surprised that the Wireguard Android App will ask for a number of permissions. Some of the obvious ones are "have full network access" and "run at startup". A less obvious one is the "Camera" access. One easy way to import tunnel configurations is by using a generated QR code (shown below). To scan the QR code, the Wireguard app must use your camera. However, after the import, you may "Deny" the camera permission.

2. Create the Local Wireguard Adapter

Wireguard works by creating a virtual adapter to route your traffic through. There are 2 ways to connect your Android device as a client to a Wireguard server. Both require a set of configurations which can either be delivered to you as a single file/QR Code, or created through the Wireguard Android App itself. Let's look at both ways.

Option 1a: Importing a Given Configuration via QR Code

What is a QR Code?

QR Codes are a simple way to visually represent data. They are designed in such a way that cameras (along with basic software) can easily decode the data into something we recognize. This is often used to encode URLs. For example: the website address of a menu at a restaurant might be QR encoded so you can just take a photo and get the URL to avoid typing in a long website address by hand.

Generate the QR Code

In our case, the Wireguard config file is simply a bunch of text in a small file. If we want to import the config to our Android phones from say a Linux server (or computer), we just need to install a QR encoding software and pass the config into it. For example, on an Ubuntu machine we would need to:

$ sudo apt install qrencode
$ qrencode -t ansiutf8 -r "peer.conf"
  • Replace peer.conf with the name of your config file

This will output a large QR code in your terminal. Leave it open while we import it from the Android device.

Scan the QR code into the Android Wireguard App

Now onto the Android device. As instructed, click the big blue (+) button in the bottom corner of the screen. Select "Scan from QR Code":

Select Scan Qr Code
Select The Scan Qr Code Option.

If you haven't yet given the Android Wireguard App permission to use the camera, you might get a security pop-up. When in doubt, select "Only this time":

Android Camera Permission Warning
If Unsure, Select The 'Only This Time' Option.

Your camera should now start. Point it at the QR Code. Make sure that the whole code fits inside the light-colored square on your screen.

Scanning The Qr Code
Point Your Camera At The Qr Code, Make Sure It Fits Inside The Brighter Box.

Note: I'm a little too close in the screenshot above. As soon as I pull back just a bit, putting the edges of the code within the lightly colored box, the phone vibrates and accepts the QR Code. If there is a problem with the QR code or the config file, you will see a small notification at the bottom of the screen.

Lastly, you are asked to give the newly created tunnel its name. I wasn't feeling very creative and simply called mine "homeserver":

Name Your Wireguard Tunnel
Give Your New Wireguard Tunnel A Memorable Name.

Click "Create tunnel" when you are finished and move ahead to activating the tunnel.

Option 1b: Importing a Given Configuration via File

Begin by transferring the config file(s) to your Android device.

Generally speaking, I would not recommend sending the file via an insecure method like Facebook Messenger or e-mail. Remember, this file contains the tunnel's private key, so it would allow anyone who obtains it to connect to your server or device, or potentially see the traffic occurring. While it's highly unlikely for that to happen, a better choice is to transfer it securely via an encrypted messenger service, a private cloud, or by copying it directly to the device.

Now onto the Android device. As instructed, click the big blue (+) button in the bottom corner of the screen. Select "Import From File or Archive":

Import From File Or Archive Option
Select The 'Import From File Or Archive' Option.

We are greeted with a screen in which we must choose the config file. Navigate to the location where it is stored, and open the file.

The app will automatically generate the name from the config file. So, if your config file name is wg0.conf, the tunnel will simply be named "wg0".

Edit the Interface (Optional)

At this point you can click the toggle to the right of the tunnel name to get started. But before we do, let's click on the name of the tunnel itself to see the details of the adapter. We are now shown a more verbose overview of the tunnel including the configuration settings we imported.

Click The Tun Name To Show Details
After Clicking On The Tunnel Name, We Are Shown More Details.

Here we can edit any details including the name if you would like something different than "homeserver". Click the "pencil" icon in the top right corner to begin editing the tunnel.

Modify Settings As You Like
After Clicking The 'Edit' Icon, We Can Change Details Of The Tunnel.

When finished, simply click the 'Save' icon in the upper right corner. Continue to activating the tunnel.

Option 2: Create a Configuration of Your Own

In this scenario, we will create the configuration ourselves, and only pass the "Public Key" to the server to add it as a new [Peer]. You will need, however, a few details from the Wireguard server you intend to connect to: Public Key, Endpoint IP Address and Port, Allowed IP(s).

Create a new tunnel

At the bottom of the Android Wireguard app screen, click the plus sign (+) and select 'Create from Scratch':

Create New Tun From Scratch
Click The Last Option To Create A New Tunnel From Scratch Or Enter Details Manually.

We are greeted with a new screen.

Blank Tunnel
The Details For The Android Device Go Here, Server Details Under The 'Add Peer' Section.

Add Known Information

Interface Section Filled
Completed 'Interface' Section.
  • Start by giving our new tunnel a name. I will be using "wireguard".
  • The 'Private Key' can either be copied manually if you have already created one on the "server", or we can generate one using the "double-arrows" icon to the right of the box.
  • The 'Public Key' will be automatically generated for us, using the Private key from above.
  • Addresses is the IP address we wish to assign on the Android device. To simplify and avoid overlapping IP mapping, I generally use the same range as the server and pick an unused address. If following along with my other articles, this could be something like: 10.254.0.2/32
  • Listen port can be left blank and let the app assign its own.
  • DNS servers is explained below.
  • MTU is best left blank (auto).

Moving to the next section, we need to add our server as a "Peer". Click the 'Add Peer' heading at the bottom of the screen.

Peer Section Filled Out
Complete The 'Peer' Section With Our Server Info.
  • PublicKey is, as the name suggests, the Public Key from the Wireguard server.
  • Pre-shared Key: see below.
  • Persistent keepalive as stated is optional and generally not recommended as it will cause frequent pings to the server and use more battery. If you are really struggling to hold a connection to the server, you can consider putting in a number here (in seconds).
  • Endpoint is the IP address (or domain name) of our server along with the port it is listening on.
  • Allowed IPs sets which IP addresses we want routed through our Wireguard tunnel. To start, I will just be using the same set of addresses available to our Wireguard server.

Click the "Save" icon to close the window.
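
The tunnel built in Option 2 is stored as a small text config, the same format Options 1a and 1b import. The following is an added example, not part of the original article or of the Wireguard project: a Python check that can be run over such a file before it is turned into a QR code or copied to the phone. The keys, the endpoint vpn.example.com:51820 and the helper names are constructed for illustration.

```python
import base64
import ipaddress

def _key(n):
    # Constructed 32-byte placeholder, not a real WireGuard key.
    return base64.b64encode(bytes([n]) * 32).decode()

# Constructed sample: the Option 2 tunnel as config text (keys and endpoint are made up).
SAMPLE = f"""[Interface]
PrivateKey = {_key(1)}
Address = 10.254.0.2/32

[Peer]
PublicKey = {_key(2)}
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
"""

def parse(text):
    """Return [(section, {key: value})]; repeated [Peer] sections are kept."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 ends in '='
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def valid_key(value):
    """WireGuard keys are 32 bytes, written as base64."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def lint(text):
    findings, has_dns, full_tunnel = [], False, False
    for name, opts in parse(text):
        required = "privatekey" if name == "interface" else "publickey"
        for field in (required, "presharedkey"):
            if (field == required or field in opts) and not valid_key(opts.get(field, "")):
                findings.append(f"{name}: {field} is missing or not a 32-byte base64 key")
        for field in ("address", "allowedips"):
            for item in filter(None, (s.strip() for s in opts.get(field, "").split(","))):
                try:
                    net = ipaddress.ip_interface(item).network
                except ValueError:
                    findings.append(f"{name}: bad {field} entry {item!r}")
                    continue
                full_tunnel |= field == "allowedips" and net.prefixlen == 0
        has_dns |= bool(opts.get("dns"))
    if full_tunnel and not has_dns:
        findings.append("AllowedIPs routes everything but no DNS servers are set")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

A clean result only means the file is well formed; it cannot tell whether the public and private keys were swapped between the two sides.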

3. Add Client Details to your Wireguard Server

Now that the Android Wireguard client is set, a few details need to be shared with the machine hosting the Wireguard VPN server. The client has to be added as a peer on the server. This has been described in our Linux Wireguard server guide.

At the very least, the server will need your client's Public Key and Address. Once added to the server, we can continue!

Note: In the photo above, the Public Key is the one beginning with "I+7fjR..." and the Address is 10.254.0.2/32.

4. Activate the Tunnel!

Click the gray toggle switch to the right of the tunnel name and after a second or so you should see the toggle change to blue and a new "key" icon should appear in the upper notification bar.

Tunnel Activated
The Tunnel Is Active!

Test Your Connection

You can test to make sure your connection is working a few different ways. As Android is roughly based on the Linux kernel, we can use the same Terminal command ping. An example of an app that can act as a Terminal is Termux. In this case, since our server is running on IP address 10.254.0.1, we can simply ping the address and look for a response:

Ping Wireguard Server From Android
Successfully Received A Ping Response From The Wireguard Server.

I had also set up a Jellyfin instance on my Wireguard Server to test with, and was easily able to access it using the Wireguard server IP:

Connect To Jellyfin Via Wireguard
Connecting To Jellyfin Using The Wireguard Server Address.
Successfully Reach Jellyfin Login Page Via Wireguard
Success! We Reached Our Jellyfin Login Page Via Our Wireguard Vpn Route.

Access Additional Local Resources

The setup above allows you to connect directly to your Wireguard server and access anything running on it. If you have IP forwarding set up on the server, you can also access other Wireguard peers who are connected to the same Wireguard server.

However, we might have other devices on the local network that the Wireguard server is part of. To connect to those, we simply need to modify our interface slightly so that the Android device knows to pass requests to those IPs through the Wireguard tunnel (and not directly to the local network you are currently using).

The 'AllowedIPs' Section

Let's say I have an additional device on my home network that isn't attached directly to my Wireguard server; a Raspberry Pi running my Nextcloud server. It is running on our home network with the IP address 192.168.124.109.

Suppose we are at a friend's house and we type that address into our browser. Our Android device would not be able to find the Nextcloud server. This is because 192.168.124.109 isn't included in the AllowedIPs section of our Wireguard interface. Our browser looks for the device on the friend's network instead of going through the Wireguard tunnel to our home network. Let's modify our 'AllowedIPs' to make sure the request is passed through Wireguard:

Edit Our Wireguard Client Adapter Settings

Open your Android Wireguard App and edit the tunnel. Let's add the IP of our Raspberry Pi at home: 192.168.124.109.

Wireguard Android Additional Allowed Ips
We Can Add As Many Allowedips As We Like, But Try To Avoid Overlap With Common Ranges!

Click the 'Save' icon in the upper right corner. We will see a message at the bottom of the screen saying it was successfully saved.

Note: A single IP address uses the /32 CIDR notation at the end, while a range (like 192.168.124.0-192.168.124.254) would use 192.168.124.0/24

Head to your browser (or app) and now we type in the 192.168.124.109 address to see if we can reach our Nextcloud.

Successfully Reached Nextcloud Via Wireguard Tun
Now We Are Able To Reach Our Nextcloud Server Through Our Wireguard Tunnel!

Success!

User Defined DNS servers

This section applies to anyone using Pi-Hole/AdGuard Home or who wishes to set custom DNS for their Android device. If you decide not to route ALL of your traffic (described below) through your Wireguard server, you can still add DNS servers to your config. In this example, we add a declaration using Cloudflare's DNS servers.

Open your Android Wireguard VPN App, and edit the tunnel. Add the following in the DNS servers box:

1.1.1.1, 1.0.0.1

Your finished client configuration should look like below:

Set Wireguard Dns Settings
Set As A Local Dns Resolver Like Pi-Hole Or Use Any Public Dns Servers You Like.

Click the 'Save' icon and you will see a message at the bottom of the screen confirming the successful configuration change.

I wasn't able to verify via Termux that the new DNS servers were in fact the ones being used due to a 'feature' of Termux. Termux by default uses Google's DNS servers regardless of the device's settings, leading you to believe it didn't work properly. So digging around the internet for a few minutes showed me an app that can help called Network Info II.

Another easy way to verify is by using a DNS leak testing site like https://dnsleaktest.com.

Route All Traffic Through Wireguard Server

Caution: The Wireguard server must be set up properly with Network Address Translation (NAT) for this to work. If not set properly, you will have no Internet connection while the tunnel is active.

Routing all traffic through our Wireguard server is generally quite easy to accomplish from the Android Wireguard App. Open your Android Wireguard App, and edit the tunnel. Next we change AllowedIPs to 0.0.0.0/0.

Set Allowedips To 0.0.0.0/0
Setting Allowedips To Pass All Traffic Through Our Tunnel.

Excluding Private IP Ranges

At the bottom of the window you might notice there's an additional checkbox that did not exist before we typed in 0.0.0.0/0 - "Exclude private IPs". This setting allows you to pass all of your traffic through your Wireguard VPN EXCLUDING private addresses like 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
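
The routing decisions described in 'The AllowedIPs Section' and in the exclusion setting above can be worked through with plain CIDR arithmetic. The following is an added example, not the Android app's code: it decides whether a destination goes through the tunnel for a given AllowedIPs list, and computes 0.0.0.0/0 minus the three private ranges named above. The 10.254.0.0/24 tunnel range and the function names are assumptions for illustration.

```python
import ipaddress

# The three private ranges the article lists for "Exclude private IPs".
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def exclude(base, holes):
    """Split `base` into the CIDR blocks that cover everything except `holes`."""
    nets = [ipaddress.ip_network(base)]
    for hole in holes:
        kept = []
        for net in nets:
            if hole.subnet_of(net):
                kept.extend(net.address_exclude(hole))  # carve the hole out
            elif not net.subnet_of(hole):
                kept.append(net)                        # unrelated block stays
        nets = kept
    return sorted(nets)

def via_tunnel(dest, allowed_ips):
    """True if `dest` matches any AllowedIPs entry, so it is sent into the tunnel."""
    addr = ipaddress.ip_address(dest)
    return any(addr in ipaddress.ip_network(str(n), strict=False)
               for n in allowed_ips)

if __name__ == "__main__":
    split = ["10.254.0.0/24"]            # assumed tunnel range, split-tunnel case
    print(via_tunnel("192.168.124.109", split))   # Nextcloud not reachable yet
    split.append("192.168.124.109/32")
    print(via_tunnel("192.168.124.109", split))   # now routed through the tunnel

    full = exclude("0.0.0.0/0", PRIVATE)
    print(", ".join(map(str, full)))
    for dest in ("1.1.1.1", "10.254.0.1", "192.168.124.109"):
        print(dest, via_tunnel(dest, full))
```

With the list computed this way, 10.254.0.1 and 192.168.124.109 both fall inside the excluded ranges, so they are only routed through the tunnel if they are listed in AllowedIPs explicitly.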


FAQs

Why can't I connect to another device?

Ensure the device you are trying to connect to is within your 'AllowedIPs' range. Remember that you can set individual IPs or a whole set of IPs. Most home routers use DHCP (dynamic host configuration protocol) which means that a device's IP can change occasionally (especially on router restarts). In this case, you can give a range such as 192.168.1.0/24 to cover all devices in the 192.168.1.1 - 192.168.1.254 range. Also, check your firewall rules.

Can I have more than one Wireguard tunnel active at a time?

Some digging into the Wireguard Android code repository makes it look like it should be possible. However, it might not be available to non-rooted devices. No matter my settings, I was unable to get it to work (using the F-Droid version).

If your device is rooted you might be able to run multiple simultaneous tunnels as long as the address ranges do not overlap.

If rooted, using the Termux app, you can install the wireguard-tools package which will give you access to the wg-quick command. This should work the same as it does in the Linux clients and allow you to bring 'up' as many tunnels as you like.

How do I add better security with a Preshared Key?

While not strictly necessary, the Preshared Key adds a layer of security to better protect our tunnel against attacks by advanced threats. Again, not strictly necessary but easy to add in my opinion. The generated key will need to be included in both the server's config file and in your Wireguard Android App.

Preshared Key Generated from Wireguard Server

If your Preshared Key was generated from the server, securely copy it to your Android device. Open your Android Wireguard App, and edit the tunnel. We will add it in the 'Pre-shared key' box under the Peer section.

Add Psk To Android Wireguard
Adding The Pre-Shared Key To The Peer Section.

Preshared Key Generated on Android

To generate one from your Android you must use the CLI version of Wireguard. To use the CLI, you must install the wireguard-tools package. I installed it using Termux (as linked above) and installed the package with:

pkg install wireguard-tools

This next part follows the Wireguard Linux article, so I will not go in depth. The short version is to use your terminal to generate a Preshared Key (PSK), copy it into both your Android Wireguard App (shown above), and into the server config.

wg genpsk
Generate Psk On Android
Generating A Pre-Shared Key Is A Simple Terminal Command.

Can I use Wireguard for Android with IPv6?

Absolutely. Anywhere you see an IPv4 address, you can add a valid IPv6 address as well. Make sure your server can handle IPv6 requests or you might have trouble with the Wireguard tunnel.

How do I export my config if I generated it myself?

On your Android Wireguard App home screen, click the three-vertical-dot menu button in the top right corner. Select "Export tunnels to zip file". By default, the .zip file will go to your "Downloads" folder. Be careful what you do with that file, and don't share it with anyone.

Why can't I connect to the Internet after starting my Wireguard tunnel?

As the joke goes... "It's Always DNS". If using 0.0.0.0/0, double check your server is able to resolve domain names (server is connected to the internet). Double check to see if your config settings were entered properly (like mixing keys). Try setting a DNS server as stated earlier in this article. You can also set it to the IP of the server itself if you have something like unbound running.

How do I Include/Exclude an app from using the Wireguard tunnel?

Open your Android Wireguard App, and edit the tunnel. Click on the "All Applications" button at the bottom of the Interface frame. Here you can select to allow/exclude certain apps from using the tunnel.

How can I automatically disconnect the tunnel when I am home, and automatically connect when I leave?

The Wireguard Android App doesn't have this feature natively included (as of this writing). I haven't tried it myself, but a common recommendation is using the Tasker App to automate actions based upon triggers (like joining/leaving a specific WiFi SSID).

Concluding Thoughts

The Wireguard for Android App is a great complement to the family of Wireguard applications. I find it to be user friendly, but it is lacking a bit if you install it with no other notion of how the Wireguard VPN protocol works.

Either way, I appreciate the simplicity and flexibility it offers while abstracting the more complex aspects of VPNs. Wireguard has simplified the VPN setup process so much that most enthusiasts and homelab beginners can now implement it easily.


Kristopher

Kristopher is a tech enthusiast interested in teaching and simplifying technology for others. Online privacy and responsibility have become of utmost importance and he aims to help others reduce their reliance on tech giants.