Cannot access lan on AX-86U through Hub and Spoke wireguard

Asus79

My home network is behind a CGNAT and I would like to access a couple of computers on the network remotely. I have used the Hub and Spoke guide.
The router at home is an AX-86U running 3004.388.10.12. I have set up a VPS running a wireguard server. I have tried a couple of setups and I cannot access my lan network remotely. I can only access the router's wireguard ip address.
On the server I have set ip_forward=1, I have tried allowed ips as 0s as well as the home network ip on both the server and my remote devices, with the Asus as both 0's and the server's ip. I have tried blank iptables and several other options seen from various setups found on the internet.
The router is running wireguard client and does not have the toggle for access intranet. I have added dns director to have WC1 to show my wg server ip's /24.
Is this an issue with the router not redirecting the wg ips to lan and back?
 
> The router is running wireguard client and does not have the toggle for access intranet.

The setting you are looking for is called: Inbound firewall. You should set it to allow.

You also need to set up vpndirector rules.

For reference, here is my setup, which initially used an addon for wireguard: https://github.com/ZebMcKayhan/Wire...ov-file#setup-private-server-via-cloud-server
Which later was migrated to a server peer:
https://www.snbforums.com/threads/wireguard-server-tweaks.85758/post-852124
 
I tried to follow your directions but I am new to Linux scripting and got lost. I have attached screenshots of my set up, hoping that this will help.
I have been using WGDashboard to set most of the system up. I have used the console to adjust the tables. Traceroute to my router's ip address does not show anything from my WGDashboard

Attachments: Allowed ips vps.png, vps iptables.png, Trace Route vpn ip.png
 
This is my Asus setup at home
 

Attachments

  • Asus allowed ips.png
    Asus allowed ips.png
    2.1 KB · Views: 5
  • VPN director rules.png
    VPN director rules.png
    5.7 KB · Views: 6
  • port forward.png
    port forward.png
    4.9 KB · Views: 6
> This is my Asus setup at home

It's tricky without knowing all the details. You will need to provide all ips involved in this. Your issue is probably in AllowedIPs somewhere. It usually is.

I can see a server ip, 192.168.3.46, is that an ip on a remote lan also connecting into the vps?
I can see the Wireguard subnet 10.0.0.0/24.
What I can't see is your lan on the asus router.

AllowedIPs should always contain the destination ip addresses that are found on the other side of the tunnel so wg knows where to route data.
For example, if you want to access 10.0.0.0/24 and 192.168.3.46 on your asus router over wgc1, then both these addresses must be on asus wgc1 AllowedIPs, otherwise wg will refuse to route to those destinations (regardless of vpndirector).
There also must be a way back, but it could be different if you are using NAT on the asus router wgc1.
 
> It's tricky without knowing all the details. You will need to provide all ips involved in this. Your issue is probably in AllowedIPs somewhere. It usually is.
>
> I can see a server ip, 192.168.3.46, is that an ip on a remote lan also connecting into the vps?
> I can see the Wireguard subnet 10.0.0.0/24.
> What I can't see is your lan on the asus router.
>
> AllowedIPs should always contain the destination ip addresses that are found on the other side of the tunnel so wg knows where to route data.
> For example, if you want to access 10.0.0.0/24 and 192.168.3.46 on your asus router over wgc1, then both these addresses must be on asus wgc1 AllowedIPs, otherwise wg will refuse to route to those destinations (regardless of vpndirector).
> There also must be a way back, but it could be different if you are using NAT on the asus router wgc1.

Home / Asus router IP is 192.168.3.1, server is the PC I want to reach located at home, 19.168.3.46. The vps tunnel server IP is 10.0.0.0. I'm trying to reach it now with my phone through cell service so it doesn't have an IP range. Should I have NAT enabled on the Asus wg client?
 
> Home / Asus router IP is 192.168.3.1, server is the PC I want to reach located at home, 19.168.3.46. The vps tunnel server IP is 10.0.0.0. I'm trying to reach it now with my phone through cell service so it doesn't have an IP range. Should I have NAT enabled on the Asus wg client?

Ah, ok. So it's not a site-to-site? Just some clients connecting to the vps and wanting to reach your server on lan?

So you should set
Inbound firewall=allow
Nat=no

Keeping allowedIPs on asus router 10.0.0.0/24 should be fine.

On the vps, the peer the asus router connects to should have AllowedIPs: 10.0.0.3/32, 192.168.3.0/24.

Your vpndirector rule "server" could be removed, but the other is needed.

Then finally you should allow incoming connections on your server from the 10.0.0.0/24 subnet.
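As an added illustration of the AllowedIPs rule explained earlier in the thread and the settings recommended in this post (this is not code from the thread or from any of the posters): a small Python model that walks a packet from the phone through the VPS hub to the home LAN and then checks the return leg. The tunnel addresses of the VPS (10.0.0.1) and the phone (10.0.0.2) are assumptions; 10.0.0.0/24, 10.0.0.3 and 192.168.3.0/24 come from the thread.

```python
import ipaddress

# node -> its tunnel address, the LAN it routes for (if any), AllowedIPs per peer.
# VPS 10.0.0.1 and phone 10.0.0.2 are assumed; the rest is from the thread.
RECOMMENDED = {
    "phone": {"addr": "10.0.0.2", "lan": None,
              "peers": {"vps": ["10.0.0.0/24", "192.168.3.0/24"]}},
    "asus":  {"addr": "10.0.0.3", "lan": "192.168.3.0/24",
              "peers": {"vps": ["10.0.0.0/24"]}},
    "vps":   {"addr": "10.0.0.1", "lan": None,
              "peers": {"phone": ["10.0.0.2/32"],
                        "asus":  ["10.0.0.3/32", "192.168.3.0/24"]}},
}

def next_hop(topo, node, dst):
    """Peer that `node` sends `dst` to, or None when no AllowedIPs entry
    matches: WireGuard then drops the packet, whatever vpndirector says."""
    dst = ipaddress.ip_address(dst)
    for peer, nets in topo[node]["peers"].items():
        if any(dst in ipaddress.ip_network(n) for n in nets):
            return peer
    return None

def owns(topo, node, addr):
    """True if `addr` is the node's own tunnel address or is on its LAN."""
    info, a = topo[node], ipaddress.ip_address(addr)
    return a == ipaddress.ip_address(info["addr"]) or (
        info["lan"] is not None and a in ipaddress.ip_network(info["lan"]))

def path(topo, src, dst, max_hops=4):
    """Hop-by-hop route from src towards dst; [] if some hop cannot route it."""
    hops, node = [src], src
    for _ in range(max_hops):
        if owns(topo, node, dst):
            return hops
        node = next_hop(topo, node, dst)
        if node is None:
            return []
        hops.append(node)
    return []

def reachable(topo, src, dst):
    """Forward path to dst AND return path to src's tunnel address must exist
    (the return leg is the "way back" mentioned earlier in the thread)."""
    fwd = path(topo, src, dst)
    return bool(fwd) and bool(path(topo, fwd[-1], topo[src]["addr"]))
```

Shrinking the VPS's AllowedIPs for the Asus peer to just 10.0.0.3/32 reproduces the symptom from the first post: 10.0.0.3 is reachable but 192.168.3.46 is not, because the hub has no peer to send the LAN address to.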
 
> Ah, ok. So it's not a site-to-site? Just some clients connecting to the vps and wanting to reach your server on lan?

Correct, I'm trying to access a couple of computers from remote.

> So you should set
> Inbound firewall=allow
> Nat=no
>
> Keeping allowedIPs on asus router 10.0.0.0/24 should be fine.
>
> On the vps, the peer the asus router connects to should have AllowedIPs: 10.0.0.3/32, 192.168.3.0/24.
>
> Your vpndirector rule "server" could be removed, but the other is needed.

All of this is done.

> Then finally you should allow incoming connections on your server from the 10.0.0.0/24 subnet.

Just to confirm, server is switched WAN and incoming connections 10.0.0.0/24?

I'm still having the same issue, even after rebooting everything.
 
Couple of suggestions, some of which have likely already been made. If you want WireGuard VPN Clients to access the local network clients behind a WireGuard VPN Server (on the Asus router), then be sure to enable the option Access Intranet in the WireGuard Server settings (if available). Example (from the 3006.102.x Asus-Merlin firmware):

Attachment: VPN WireGuard Server.jpg

And if you are attempting to access a NAS (network server) through the VPN tunnel, you may need to adjust that NAS's firewall to allow access from IP addresses outside the local network IP address subnet.

After any changes you make on the VPN server, you may need to export an updated VPN Client configuration file, import that into your remote clients and have them reconnect with the new VPN configuration file.
 
> Just to confirm, server is switched WAN and incoming connections 10.0.0.0/24?

What do you mean with switched wan?
The server needs to allow connections from the wg network. Perhaps it's already done, but check?

> I'm still having the same issue, even after rebooting everything.

Can you trace to asus router lan ip 192.168.3.1?
Can you give me all AllowedIPs on all devices and I could take a look if something is wrong.
 
> What do you mean with switched wan?
> The server needs to allow connections from the wg network. Perhaps it's already done, but check?

> Can you trace to asus router lan ip 192.168.3.1?
> Can you give me all AllowedIPs on all devices and I could take a look if something is wrong.

The server is a Windows PC. Are you saying I need to accept 10.0.0.0/24 on the PC itself? I was thinking the router does the conversion from 10.0.0.0 to 192.168.3.x

I'll get the allowed ips later today.
 
> The server is a Windows PC. Are you saying I need to accept 10.0.0.0/24 on the PC itself? I

Yes!

> I was thinking the router does the conversion from 10.0.0.0 to 192.168.3.x

No, there is no option for that. 10.0.0.x will directly contact your server as is.

It's typical for Windows to only allow local ips unless specifically opened up for other ips. You will need to allow 10.0.0.0/24 in the Windows firewall.
 