Cannot access LAN on AX-86U through hub-and-spoke WireGuard

Asus79

My home network is behind a CGNAT and I would like to access a couple of computers on the network remotely. I have used the Hub and Spoke guide.
The router at home is an AX-86U running 3004.388.10.12. I have set up a VPS running a WireGuard server. I have tried a couple of setups and I cannot access my LAN remotely. I can only access the router's WireGuard IP address.
On the server I have set ip_forward=1. I have tried AllowedIPs of 0.0.0.0/0 as well as the home network range on both the server and my remote devices, with the Asus set to both 0.0.0.0/0 and the server's IP. I have tried blank iptables and several other options seen in various setups found on the internet.
The router is running the WireGuard client and does not have the toggle for Access Intranet. I have added a VPN Director rule to have WGC1 carry my WG server's /24.
Is this an issue with the router not redirecting the WG IPs to the LAN and back?
 
> The router is running the WireGuard client and does not have the toggle for Access Intranet.
The setting you are looking for is called Inbound firewall. You should set it to allow.

You also need to set up VPN Director rules.

For reference, here is my setup, which initially used an add-on for WireGuard: https://github.com/ZebMcKayhan/Wire...ov-file#setup-private-server-via-cloud-server
which later was migrated to a server peer:
https://www.snbforums.com/threads/wireguard-server-tweaks.85758/post-852124
 
I tried to follow your directions, but I am new to Linux scripting and got lost. I have attached screenshots of my setup, hoping that this will help.
I have been using WGDashboard to set up most of the system. I have used the console to adjust the tables. A traceroute to my router's IP address does not show anything from my WGDashboard.

Attachments: Allowed ips vps.png, vps iptables.png, Trace Route vpn ip.png
This is my Asus setup at home.

Attachments: Asus allowed ips.png, VPN director rules.png, port forward.png
It's tricky without knowing all the details. You will need to provide all the IPs involved in this. Your issue is probably in AllowedIPs somewhere. It usually is.

I can see a server IP, 192.168.3.46; is that an IP on a remote LAN also connecting into the VPS?
I can see the WireGuard subnet 10.0.0.0/24.
What I can't see is your LAN on the Asus router.

AllowedIPs should always contain the destination IP addresses that are found on the other side of the tunnel, so wg knows where to route data.
For example, if you want to access 10.0.0.0/24 and 192.168.3.46 on your Asus router over wgc1, then both these addresses must be in the Asus wgc1 AllowedIPs, otherwise wg will refuse to route to those destinations (regardless of VPN Director).
There also must be a way back, but that could be different if you are using NAT on the Asus router wgc1.
 
Home / Asus router IP is 192.168.3.1; the server is the PC I want to reach, located at home, 192.168.3.46. The VPS tunnel server IP is 10.0.0.0. I'm trying to reach it now with my phone through cell service, so it doesn't have an IP range. Should I have NAT enabled on the Asus WG client?
 
Ah, ok. So it's not site-to-site? Just some clients connecting to the VPS that want to reach your server on the LAN?

So you should set
Inbound firewall = allow
NAT = no

Keeping AllowedIPs on the Asus router at 10.0.0.0/24 should be fine.

On the VPS, the peer that the Asus router connects as should have AllowedIPs: 10.0.0.3/32, 192.168.3.0/24.

Your VPN Director rule "server" could be removed, but the other is needed.

Then finally you should allow incoming connections on your server from the 10.0.0.0/24 subnet.
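
A small reachability check for the hub-and-spoke layout discussed in this thread, added here as an example; it is not code from the thread or from any linked project. It models only WireGuard's cryptokey routing, which is the behaviour the two posts above describe: outbound, a packet goes to the peer whose AllowedIPs contains the longest prefix matching the destination and is dropped when no peer matches; inbound, a decrypted packet is accepted only if its source address lies inside that peer's AllowedIPs, so the return path needs its own entries. The router's Inbound firewall and NAT settings, VPN Director, and the Windows firewall on the target PC are separate checks and are not modelled. The tunnel addresses 10.0.0.1 (VPS) and 10.0.0.2 (phone) are assumptions; 10.0.0.3 for the router and 192.168.3.0/24 for the home LAN are the values named in the thread.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Each node: "local" = networks it delivers to itself (its own tunnel address and
# any LAN it routes into); "peers" = peer name -> that peer's AllowedIPs list.
# Peer names equal node names so a hop can be followed to the next node.


def select_peer(peers: Dict[str, List[str]], dst: str) -> Optional[str]:
    """Outbound half of cryptokey routing: the peer whose AllowedIPs holds the
    longest prefix matching dst wins; no match means wg drops the packet."""
    addr = ip_address(dst)
    best, best_len = None, -1
    for peer, cidrs in peers.items():
        for cidr in cidrs:
            net = ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accepts_source(peers: Dict[str, List[str]], peer: str, src: str) -> bool:
    """Inbound half: a decrypted packet from `peer` is accepted only if its
    source address lies inside that peer's AllowedIPs."""
    addr = ip_address(src)
    return any(addr in ip_network(c) for c in peers.get(peer, []))


def is_local(node: Dict, addr: str) -> bool:
    a = ip_address(addr)
    return any(a in ip_network(c) for c in node["local"])


def route(topo: Dict[str, Dict], start: str, src: str, dst: str,
          max_hops: int = 8) -> Tuple[bool, str, List[str]]:
    """Walk one packet from `start` toward dst.
    Returns (delivered, node where the walk ended, hop log)."""
    node, log = start, []
    for _ in range(max_hops):
        if is_local(topo[node], dst):
            log.append(f"{node}: {dst} is local, delivered")
            return True, node, log
        nxt = select_peer(topo[node]["peers"], dst)
        if nxt is None:
            log.append(f"{node}: no peer has {dst} in AllowedIPs, dropped")
            return False, node, log
        if not accepts_source(topo[nxt]["peers"], node, src):
            log.append(f"{nxt}: src {src} not in AllowedIPs of peer {node}, dropped")
            return False, nxt, log
        log.append(f"{node} -> {nxt}")
        node = nxt
    return False, node, log + ["hop limit reached"]


def round_trip(topo: Dict[str, Dict], start: str, src: str, dst: str) -> Tuple[bool, List[str]]:
    """A connection needs both directions: the request out and the reply back."""
    ok, end, log = route(topo, start, src, dst)
    if not ok:
        return False, log
    ok_back, _, back = route(topo, end, dst, src)
    return ok_back, log + ["-- reply --"] + back


def build(vps_asus_allowed: List[str], phone_allowed: List[str]) -> Dict[str, Dict]:
    """Constructed topology from the thread. 10.0.0.1 (VPS) and 10.0.0.2 (phone)
    are assumed addresses; 10.0.0.3 and 192.168.3.0/24 come from the posts."""
    return {
        "phone": {"local": ["10.0.0.2/32"],
                  "peers": {"vps": phone_allowed}},
        "vps":   {"local": ["10.0.0.1/32"],
                  "peers": {"phone": ["10.0.0.2/32"],
                            "asus": vps_asus_allowed}},
        "asus":  {"local": ["10.0.0.3/32", "192.168.3.0/24"],
                  "peers": {"vps": ["10.0.0.0/24"]}},
    }


# The poster's symptom: the VPS only knows the router's tunnel address, so the
# LAN behind the router is unroutable from the hub while 10.0.0.3 still answers.
BROKEN = build(vps_asus_allowed=["10.0.0.3/32"], phone_allowed=["0.0.0.0/0"])
# The fix suggested above: add the home LAN to the router's peer entry on the VPS.
FIXED = build(vps_asus_allowed=["10.0.0.3/32", "192.168.3.0/24"],
              phone_allowed=["0.0.0.0/0"])

if __name__ == "__main__":
    for name, topo in (("broken", BROKEN), ("fixed", FIXED)):
        ok, log = round_trip(topo, "phone", "10.0.0.2", "192.168.3.46")
        print(f"[{name}] 192.168.3.46 reachable from phone: {ok}")
        print("  " + "\n  ".join(log))
```

Running it prints the hop where each packet dies. In the broken layout the request is dropped on the VPS because no peer's AllowedIPs covers 192.168.3.46, while 10.0.0.3 is reachable, which matches the first post. The same function also shows why a remote device whose AllowedIPs is only the tunnel subnet never gets as far as the VPS: the drop happens on the device itself before any routing rule on the router is consulted.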
 
> Ah, ok. So it's not site-to-site? Just some clients connecting to the VPS that want to reach your server on the LAN?
Correct, I'm trying to access a couple of computers remotely.

> So you should set
> Inbound firewall = allow
> NAT = no
>
> Keeping AllowedIPs on the Asus router at 10.0.0.0/24 should be fine.
>
> On the VPS, the peer that the Asus router connects as should have AllowedIPs: 10.0.0.3/32, 192.168.3.0/24.
>
> Your VPN Director rule "server" could be removed, but the other is needed.
All of this is done.

> Then finally you should allow incoming connections on your server from the 10.0.0.0/24 subnet.
Just to confirm, the server is switched to WAN and incoming connections 10.0.0.0/24?

I'm still having the same issue, even after rebooting everything.
 
A couple of suggestions, some of which have likely already been made. If you want WireGuard VPN clients to access the local network clients behind a WireGuard VPN server (on the Asus router), be sure to enable the option Access Intranet in the WireGuard Server settings (if available). Example (from the 3006.102.x Asus-Merlin firmware):

[Screenshot: VPN WireGuard Server.jpg]

And if you are attempting to access a NAS (network server) through the VPN tunnel, you may need to adjust that NAS's firewall to allow access from IP addresses outside the local network subnet.

If you make any changes on the VPN server, you may need to export an updated VPN client configuration file, import it into your remote clients and have them reconnect with the new configuration.
 
> Just to confirm, the server is switched to WAN and incoming connections 10.0.0.0/24?
What do you mean by switched to WAN?
The server needs to allow connections from the WG network. Perhaps it's already done, but check?

> I'm still having the same issue, even after rebooting everything.
Can you trace to the Asus router LAN IP 192.168.3.1?
Can you give me all AllowedIPs on all devices so I can take a look and see if something is wrong?
 
> What do you mean by switched to WAN?
> The server needs to allow connections from the WG network. Perhaps it's already done, but check?

> Can you trace to the Asus router LAN IP 192.168.3.1?
> Can you give me all AllowedIPs on all devices so I can take a look and see if something is wrong?
The server is a Windows PC. Are you saying I need to accept 10.0.0.0/24 on the PC itself? I was thinking the router does the conversion from 10.0.0.0 to 192.168.3.x.

I'll get the AllowedIPs later today.
 
> The server is a Windows PC. Are you saying I need to accept 10.0.0.0/24 on the PC itself? I
Yes!

> I was thinking the router does the conversion from 10.0.0.0 to 192.168.3.x.
No, there is no option for that. 10.0.0.x will directly contact your server as is.

It's typical for Windows to only allow local IPs unless it is specifically opened up for other IPs. You will need to allow 10.0.0.0/24 in the Windows firewall.
 
> wg set wgs1 peer endpoint xx:yyy:zz:xyz:nnnnn

I've done enough reading and I think I'm beginning to understand. I am confused by the above step: is this the public key of the VPS server, or of the VPS server peer? I get an error "key is not the correct length or format: endpoint".
 
According to the wg manual https://man7.org/linux/man-pages/man8/wg.8.html, when you set an endpoint it does not go on the interface wgs1 itself; it needs to go under a specific peer in wgs1:
set <interface> [listen-port <port>] [fwmark <fwmark>] [private-
key <file-path>] [peer <base64-public-key> [remove] [preshared-key
<file-path>] [endpoint <ip>:<port>] [persistent-keepalive
<interval seconds>] [allowed-ips
So, in order to add an endpoint we need to specify to which peer (client) under wgs1 it should be added. As wg does not number clients, we use the client's public key to tell wg which wgs1 peer the endpoint should be added to, like this:
Code:
wg set wgs1 peer <peer pub key> endpoint xx:yyy:zz:xyz:nnnnn
where xx.yy.zz.xyz is the endpoint IP or domain and nnnnn is the port it should use.

As the router already uses nvram to store the public key, we can read it directly in the command so we don't have to hardcode it. The router numbers the peers, so for peer nr 1 (the first created) it would be:
Code:
wg set wgs1 peer $(nvram get wgs1_c1_pub) endpoint my.endpoint.com:58651

In fact, you can execute this command on a running wgs1 and check that the endpoint got set by looking at it:
Code:
wg show wgs1
Note that wg only displays the endpoint IP, as it resolves the name before adding it.

With that said, I'm not convinced that converting your client to a server will solve your issue.
 
> Is this the public key of the VPS server, or of the VPS server peer?
The keys are indeed confusing for me as well.
Each interface (like wgs1) has a private key and a public key. But wgs1 only has its own private key in its config. Whoever connects into wgs1 has the wgs1 public key under its peer directive.

wgs1 also has one or more clients that can connect to it in its config. Each client has a private and a public key, but the wgs1 config only contains each client's public key.

So, in order for wgs1 to work you will need to set the wgs1 private key correctly and all client public keys correctly. All other keys are mainly for when adding new clients to wgs1 (then it needs the wgs1 pub key to put in the config) and when generating client config files (then it needs the wgs1 pub key and the client priv key).

A good idea is to collect all 4 keys (or 5 if you are using a PSK) shared between the VPS and the router in a document somewhere and update them all in wgs1 according to my link. This way you don't need to keep track of what is used where.

And to more directly answer your question, the key you need to put in the wg command is the VPS public key, which you should have put in the nvram variable wgs1_c1_pub already, so my command reads it and puts it there automatically so you don't have to. You should just update the endpoint IP/DDNS and the port and execute it.
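
The two posts above explain the argument order of `wg set` and which key belongs in the peer position. As an added example (not from the thread, the linked guide, or wg itself), the following Python assembles that command and applies the same check wg applies to the peer argument: a WireGuard public key is 32 bytes, so its base64 form is exactly 44 characters and must decode cleanly. Putting the word `endpoint` in the key position, as in the poster's attempt, fails that check, which is what the "key is not the correct length or format" message reports. The key below is a constructed stand-in for the value `nvram get wgs1_c1_pub` would return, not a real key; the host and port are the placeholders from the post.

```python
import base64
import binascii
import shlex
from typing import List, Tuple

WG_KEY_BYTES = 32  # Curve25519 key length; wg(8) takes keys base64-encoded


def is_wg_key(value: str) -> bool:
    """True if value is standard base64 for exactly 32 bytes (44 chars, one '='
    of padding). This is the shape wg checks before the 'not the correct length
    or format' error."""
    if len(value) != 44 or not value.endswith("="):
        return False
    try:
        return len(base64.b64decode(value, validate=True)) == WG_KEY_BYTES
    except (binascii.Error, ValueError):
        return False


def parse_endpoint(value: str) -> Tuple[str, int]:
    """Split host:port. Host may be a DDNS name, an IPv4 address or a bracketed
    IPv6 address; the brackets are kept so the value can be passed straight on."""
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"endpoint must be host:port, got {value!r}")
    return host, int(port)


def set_endpoint_cmd(iface: str, peer_pubkey: str, endpoint: str) -> List[str]:
    """Build `wg set <iface> peer <pubkey> endpoint <host:port>` as an argv list,
    refusing the argument order that produced the poster's error."""
    if not is_wg_key(peer_pubkey):
        raise ValueError(
            f"{peer_pubkey!r} is not a WireGuard public key; the peer's base64 "
            "public key must come directly after 'peer', before 'endpoint'")
    host, port = parse_endpoint(endpoint)
    return ["wg", "set", iface, "peer", peer_pubkey, "endpoint", f"{host}:{port}"]


# Constructed stand-in for `nvram get wgs1_c1_pub`; 32 deterministic bytes,
# not a real key.
DEMO_PUBKEY = base64.b64encode(bytes(range(WG_KEY_BYTES))).decode()

if __name__ == "__main__":
    cmd = set_endpoint_cmd("wgs1", DEMO_PUBKEY, "my.endpoint.com:58651")
    print(shlex.join(cmd))
    try:
        # The poster's attempt: 'endpoint' landed where the public key belongs.
        set_endpoint_cmd("wgs1", "endpoint", "xx.yyy.zz.xyz:58651")
    except ValueError as err:
        print("rejected:", err)
```

On the router itself the one-liner from the post does the same job with the real key read from nvram; this script only assembles and validates the command, and would hand the list to `subprocess.run(cmd, check=True)` on a host that has `wg` installed.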
 
After a long time mucking around with it I have it working. All the reading has blurred my definitions, but I think what I have is multi-hop.
- Home is behind CGNAT, so I'm running the Asus router WireGuard server over IPv6. The LAN at home is running IPv4 only because I have some devices behind a commercial VPN and some behind a DNS proxy.
- VPS client wg0 back to home.
- Same VPS, server wg1 serving my remote devices over IPv4.

iptables rules forward traffic between wg0 and wg1.

The system works, but there is a bit of lag opening files. The transfer speed is not great, but that could also be partly the Starlink upload limitation.
 
> After a long time mucking around with it I have it working. All the reading has blurred my definitions, but I think what I have is multi-hop.
> - Home is behind CGNAT, so I'm running the Asus router WireGuard server over IPv6. The LAN at home is running IPv4 only because I have some devices behind a commercial VPN and some behind a DNS proxy.
> - VPS client wg0 back to home.
> - Same VPS, server wg1 serving my remote devices over IPv4.
That's great news!! So do you know what your problem really was? Please share.

The IPv6/IPv4 stuff should not matter.

> The system works, but there is a bit of lag opening files. The transfer speed is not great, but that could also be partly the Starlink upload limitation.
If you have a very asymmetrical connection this could very well be the case. Additionally, if you are accessing SMB shares, the added latency over the VPN is a killer for SMB because of how the protocol works: https://github.com/ZebMcKayhan/WireguardManager?tab=readme-ov-file#why-is-my-smb-share-slow-over-vpn
SMB is designed for the local LAN only and was never intended for high-latency situations.
 
> That's great news!! So do you know what your problem really was? Please share.
>
> The IPv6/IPv4 stuff should not matter.
I struggled for days trying to have the VPS as the server and the Asus router as the peer/WireGuard client. I was not getting LAN access with that setup. I then got it working with the Asus as the server and the VPS as the client peer. This will also be helpful next summer, because our cottage has IPv6, so I will be able to do site-to-site.
 
