-------------------------------------------------------------------
+title: GrapheneOS with hotspot and VPN
+date: Sat, 08 Mar 2025 02:03:23 +0100
+author: -fab-
-------------------------------------------------------------------

<== I broke my OnePlus smartphone ==>

Because the 'official' /E/OS on my old OnePlus Nord has
discontinued support, I tried to flash the /E/OS 'community'
edition onto it. And either I damaged the WiFi on my phone during
the flashing process, or it simply does not support it. I hoped
for another few years of using this phone, but now it's unusable
for me. Bad luck for me.

So I was in need of another smartphone with WiFi hotspot support.
And for my use case I also need VPN. On my old OnePlus the hotspot
traffic was completely sent through the installed WireGuard VPN
client which I installed with F-Droid.

<== My new Pixel 8a ==>

I always wanted to use GrapheneOS because of its security and
privacy features and this incident was an opportunity to try it.
So I just ordered a Pixel 8a which I received today, and
naturally, I immediately flashed GrapheneOS onto it.
Unfortunately, I was unable to utilize the WebUI Installer, but
manual installation wasn't overly challenging either.

Although I had never used GrapheneOS before, it always seemed a
good solution. I opted for a relatively new Pixel phone model
(8a), which supports GrapheneOS up until May 2030, ensuring at
least 5 years of use.

<== Problems ==>

But the device running GrapheneOS has some frustrating limitations
I wasn't aware of: If you activate a VPN on your phone, the VPN is
bypassed when using a WiFi hotspot, and unfortunately, this
functionality isn't developed. This was a significant
disappointment initially, and many users have requested this
feature, but the developers don't care to implement it.
Initially, it seemed like a deal-breaker, but after flashing
GrapheneOS, I couldn't return it.

<== The solution ==>

But then an easy solution for this issue came to my mind: I merely
employed WireGuard on my laptops, which subsequently linked to my
home VPN via the unprotected hotspot. This was surprisingly
effortless to implement, even on my Artix machines.

Because I already had a WireGuard server and the necessary
configuration files for the clients, the setup was incredibly
straightforward. All I needed to do was install the
'wireguard-tools' and 'openresolv' packages, then copy the old
config file (named Triangle.conf) into /etc/wireguard.

Next, I connected to the insecure GrapheneOS hotspot and executed
'sudo wg-quick up Triangle' on the laptop. 'Triangle' represents
the related configuration file. To shut it down, it's as simple as
'sudo wg-quick down Triangle', followed by disconnecting from the
hotspot. And there you go!

<== Conclusion ==>

It might initially be challenging to create a WireGuard server and
the corresponding configuration files; however, it's a viable
solution for those demanding a VPN through the hotspot feature,
which GrapheneOS likely will never support. Given that many people
are requesting this feature, they are probably familiar with VPNs,
so they should be able to set up WireGuard or any other VPN they
prefer to use.

And having the VPN client on the laptop instead of the phone has
some more advantages. I can also use the VPN if I connect to an
open or otherwise unknown WLAN.

There are numerous guides available online on how to set up a
WireGuard server and clients. Just search the web.

All in all - Have fun!

-fab-
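
Running the VPN on the laptop over the unprotected hotspot, as described above, only protects the traffic the client config actually sends into the tunnel. The check below is an added example, not part of the original post: it assumes Triangle.conf is a standard wg-quick file, and the function names, placeholder keys and the vpn.example.net endpoint are made up for illustration.

```shell
# Added example: static audit of a wg-quick client config (text parsing only).

# Print each comma-separated value of KEY in [SECTION], one per line.
wg_values() {  # usage: wg_values FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^\[.*\]$/ { cur = tolower($0); next }
        cur == tolower(sec) && (n = index($0, "=")) {
            k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
            if (tolower(k) != tolower(key)) next
            v = substr($0, n + 1); gsub(/[ \t]/, "", v)
            m = split(v, a, ","); for (i = 1; i <= m; i++) print a[i]
        }' "$1"
}

# Print one line per finding and return the number of findings.
audit_wg_conf() {  # usage: audit_wg_conf FILE
    findings=0
    allowed=$(wg_values "$1" Peer AllowedIPs)
    # wg-quick routes only what AllowedIPs covers into the tunnel.
    for net in 0.0.0.0/0 ::/0; do
        printf '%s\n' "$allowed" | grep -qxF -- "$net" && continue
        echo "AllowedIPs lacks $net: that address family is not fully tunnelled"
        findings=$((findings + 1))
    done
    # DNS= is applied via resolvconf (the openresolv package on the page).
    if [ -z "$(wg_values "$1" Interface DNS)" ]; then
        echo "no DNS= line: resolver stays as the hotspot's DHCP set it"
        findings=$((findings + 1))
    fi
    # The file holds the private key; other users must not read it.
    if [ -n "$(find "$1" -perm -004 2>/dev/null)" ]; then
        echo "config is world-readable: chmod 600 it"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample (placeholder keys, example endpoint): IPv4-only, no DNS.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_PLACEHOLDER
[Peer]
PublicKey = CONSTRUCTED_PLACEHOLDER
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0
EOF
audit_wg_conf "$sample" || echo "findings: $?"
```

Once the tunnel is up, 'sudo wg show' lists the latest handshake and transfer counters for the peer, which confirms that traffic is really flowing through it.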