> It also doesn't play nicely together with other VPNs, meaning I ended up connecting and disconnecting VPNs whenever I wanted to use them. This is especially evident on my phone, which only allows one VPN app at a time.

What do you mean? I've had great luck using specific routes over wireguard with the official app on my phone. It works great with "on-demand" wg, and only routing my home subnet over it.

Now, some "business" vpns suck donkey balls, but these are usually borked beyond belief without any external help. I'm specifically thinking about the dotted red square one.

▲

EnigmaCurry 5 days ago | parent [-]

This is at least a limitation in Android itself:

https://developer.android.com/reference/android/net/VpnServi...

"There can be only one VPN connection running at the same time. The existing interface is deactivated when a new one is created."

Note this is not about routing some traffic to the VPN and other traffic to the clear net. This is about running two VPN connections simultaneously.

▲

vladvasiliu 5 days ago | parent [-]

Fair enough. I haven't used an Android device since 2017... Do people have these issues on iOS too?

On Linux, I have no problem running either bare wireguard or tailscale alongside Forticlient. On Windows and macOS it's a bit more janky, specifically the DNS resolution, but I don't daily drive these platforms so I may be missing some kind of knowledge to fix this.

▲

standard_indian 3 days ago | parent | next [-]

On a linux box, is it possible to run tailscale/wireguard as an exit node along with Forti vpn?

Aka what I want to achieve is (my-machine + tail/wireguard) --> (server with tailscale/wireguard + forti vpn) --> Corporate network. So wireguard or tailscale to receive traffic and forward it through forti.

Or another option (my machine fortivpn over tail/wireguard) --> (server as exit node) --> corporate network

Rather than using the official forticlient I am using https://github.com/adrienverge/openfortivpn. It has some options to configure custom pppd/routes/dns etc if necessary, which I have not touched as I don't know enough :P DNS resolution is not important for my usecase, only traffic.

	▲	juhovh 9 hours ago \| parent \| next [-]
		I have heard not so great things about Forti VPNs, sorry to hear you have to work with those. In theory, as long as the Forti VPN does not overlap with the Tailscale IP address range, the simplest solution is to just run Tailscale and openfortivpn on a single node. You can then advertise the Forti VPN subnets within Tailscale, that's effectively what my image does as well in a nutshell, except that it's parsing the WireGuard config and setting up firewall rules for convenience. Tailscale does NAT automatically by default, so it will look like all traffic is coming from the openfortivpn client itself.
	▲	vladvasiliu a day ago \| parent \| prev [-]
		I don't know about FortiClient specifically, it's a sorry piece of crap that's more often borken than not. With openfortivpn, you can usually ignore whatever routes you receive and set up your own. I haven't tried the specific set up you talk about, but I don't see why it wouldn't work. However, you would most likely need to NAT on the machine running the Fortinet client.

▲

EnigmaCurry 5 days ago | parent | prev [-]

Yea on Linux I can run 10 different VPNs (or 10 wg peers) no problem, this limitation of Android is super annoying to me. I think OPs solution is quite a good one for Android users.

	▲	juhovh 4 days ago \| parent [-]
		Yeah you're exactly on point here, and this limitation exists on both iOS and Android alike. I got very frustrated with switching between VPNs and connections breaking every time I did that.