"correct" setup

[pbathuk]

Hi,
I just wanted to validate that I have read the documention correctly and my understanding and setup is correct for using the app, as I still get weird quirks where I need to restart the tunnel... But see others have raised similar issues.

My usecase:

• When I am on my home WiFi then I want No VPN, as I manage and secure that (plus VPN within my network seems to half the speed).
• when I leave the range of my home WiFi (mobile or otherwise) then the VPN should be active
• I want the VPN to self resolve issues, so if I lose internet, it should restart itself when it loses access to the VPN end point (the DNS might have updated IP address etc)
• I don't want the VPN to use loads of battery, so if there is no signal it should turn off until my signal is back and then turn back on.
• this should work on an unrooted Android device, i.e. Samsung S25 Ultra, pixel 7 or above etc

My current setup:
I will use the page names from the app.
Tunnel

• imported tunnel from wireguard via QR code (unique to this device as is wireguard setup)
• nat for tunnel is set to 15 seconds (as an fyi)
• enabled amnezia comparability, but not changed anything on my wireguard server
• primary tunnel: on
• auto tunneling left as default (off)
• ipv4 name resolving: on
• split tunneling left as default (none)
• restart in ping fail (none)
  Auto-tunnel
• tunnel on untrusted WiFi: on
• WiFi detection: default
• use name wildcarss: on
• trusted WiFi names: WiFi name setup and entered
• stop killing switch on trusted: on
• tunnel on mobile data: on
• tunnel on ethernet: on
• stop on no internet: on
• advanced setting : default
  Settings
• enable app shortcuts: on (not 100% sure what this does)
• allow always-on VPN : on
• kill switch options:
  • native kill switch: (wg tunnel enabled, block connections without VPN off)
  • VPN kill switch : on
  • allow lan traffic : off
• restart on boot : on
• rest of settings : defaults (off)

Other things (phone ones)

• I have two VPN apps - wg tunnel and tailscale, but tailscale is set to off and no permanent VPN on for that (it is a failsafe incase something goes wrong on the server that runs the wireguard I have)
• battery settings for wg tunnel are set to unrestricted
• manage app if used is set to off
• application data usage is set to allow background usage and also allow when data saver is on
• notifications are set to on, but just allow notification, sounds and vibrations are turned off.

So the question is around - for my usecase, is this the correct setup.

Do I actually need the native kill switch enabled? For example.

I've read through the documentation, and think this is right, but wanted to check it was the most optimal at keeping the VPN going when out of the house.

If it helps my wireguard is setup as:
Interface :
Address - matches what is given
Listening port - nothing set (never noticed this before)
DNS server - set to the docker address of my local DNS server (as the wireguard has host mode, but runs in docker and has direct access to the local DNS server I run)
MTU - 1384 (I'm on mobile when out of the house most of the time and found this works best with my mobile)
Peer :

• endpoint - URL for address that resolves to my home WAN IP - I have a separate process to validate that this is working correctly and update the IP on change (non-static IP) (with valid port that is uses externally)
• persistent keep alive - 15 seconds
• allowed IPS - 0.0.0.0/0, ::/0

Sorry for the long post, wanted to get as much info down as possible to see if I have missed something or done something incorrectly.

To be clear, it works, if I am on WiFi it has no VPN, when I turn off WiFi / leave the house it flicks to mobile + starts the tunnel. It's just that I notice through the day, say if I'm at work, then I will pick up my phone, say after an hour or two of not using it and although the VPN says it's there (key icon on top right) nothing on the internet works.. and normally, after waiting like 20 secs, I have to go into the app to enable the tunnel manually, or turn it off and on again (the tunnel that is).. so it's that which I would love to resolve.

It could be that my wireguard at home is not configured correctly, but I struggle to see how as have spent a lot of time making sure the firewall rules and other settings don't block that traffic etc, it's through a 910mbps/120mps connection so I don't think it's the bandwidth etc.
And it's using port forwarding on the router to just push the traffic.

Any help / guidance would be great