What's new

[Help] Routing VPN server through VPN client (external VPN Provider)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

GuardYaGrill

New Around Here
2 - Asus RT-AX86U‘s
Firmware: 3004.388.5

For the last few months I’ve been trying to route my VPN server(s) through my VPN client(s) however have had no luck, any time I try to route all traffic through the client(s) my VPN servers time-out and refuse to establish handshakes (This happens with both oVPN and Wireguard)



What i am trying to achieve;

Device (Outside of network / Cellular) ➡️ Tunnel (Wireguard/oVPN) ➡️ Home Network (ASUS AX86U) ➡️ Tunnel (Wireguard/oVPN) ➡️ VPN Provider IP

Currently routes like this;

Device (Outside of network / Cellular) ➡️ Tunnel (Wireguard/oVPN) ➡️ Home Network (ASUS AX86U) ➡️ ISP IP

Currently what is happening when I route all traffic through a VPN client (doesn’t matter if it’s oVPN or Wireguard, both achieve this result);

Device (Outside of network / Cellular) ➡️ Tunnel (Wireguard/oVPN - Handshake failure) ➡️ Home Network (ASUS AX86U) ➡️ Tunnel (Wireguard) ➡️ VPN Provider IP


Some images which hopefully help lead to a possible solution;

edit; Did not realize the images would be so heavily compressed here, will delete and provide an external link.

External link for these images (via Proton Drive)
 
Last edited:
@GuardYaGrill
I'm running Wireguard with your desired setup and it works perfectly with attached VPNDirector rules.

As the server handshakes fails it may mean the server encrypted data goes over VPN as well, which is not the way it should work.
Screenshot_20231228_132947_Samsung Internet.jpg


Note, the rule "To server use MAIN" may not be needed at all on recent firmwares as wgs1 routes seems present in policy tables, but I haven't tested it.
 
Last edited:
2 - Asus RT-AX86U‘s
Firmware: 3004.388.5

For the last few months I’ve been trying to route my VPN server(s) through my VPN client(s) however have had no luck, any time I try to route all traffic through the client(s) my VPN servers time-out and refuse to establish handshakes (This happens with both oVPN and Wireguard)



What i am trying to achieve;

Device (Outside of network / Cellular) ➡️ Tunnel (Wireguard/oVPN) ➡️ Home Network (ASUS AX86U) ➡️ Tunnel (Wireguard/oVPN) ➡️ VPN Provider IP

Currently routes like this;

Device (Outside of network / Cellular) ➡️ Tunnel (Wireguard/oVPN) ➡️ Home Network (ASUS AX86U) ➡️ ISP IP

Currently what is happening when I route all traffic through a VPN client (doesn’t matter if it’s oVPN or Wireguard, both achieve this result);

Device (Outside of network / Cellular) ➡️ Tunnel (Wireguard/oVPN - Handshake failure) ➡️ Home Network (ASUS AX86U) ➡️ Tunnel (Wireguard) ➡️ VPN Provider IP


Some images which hopefully help lead to a possible solution;

edit; Did not realize the images would be so heavily compressed here, will delete and provide an external link.

External link for these images (via Proton Drive)
From you pictures, your VPNDirector rules are all over the place.
The use of "Remote IP" should be used with care and typically not at all unless you know what you are doing. Only use local ips (i.e lan ip or server client ip) In "Local IPs" and leave "Remote IP" blank.

You have atleast 1 Public IP in you rules. This should be removed as it may create issues.
 
Wow, i've been pulling my hair out trying to get this to work for WAY too long and your one image quite literally solved my issues, i really appreciate your help!

If you don't mind me asking, the Wireguard server doesn't provide LAN/Local-router access eh? is this an oVPN exclusive?
 
Last edited:
If you don't mind me asking, the Wireguard server doesn't provide LAN/Local-router access eh? is this an oVPN exclusive?
Sure it does. Through Wireguard I can access my router, my NAS and such when Im not at home.
But if OVPN works for you there would be no reson to change?
 
Sure it does. Through Wireguard I can access my router, my NAS and such when Im not at home.
But if OVPN works for you there would be no reson to change?
Hm good to know, i did make the switch to Wireguard as i prefer their mobile application over oVPN’s plus it’s lighter on the encryption.

Reason I ask is when my device is connected to the Wireguard server and I try to access 192.168.1.1 or my DDNS (via Https) the connection seems to fail meanwhile on oVPN i am able to access LAN. Not too big of a deal, i can just switch back n forth between Wireguard & oVPN just was curious.
 
Last edited:
when my device is connected to the Wireguard server and I try to access 192.168.1.1
This should not be any problems, altough if you are using https (I dont) then you might need to add the port number?


my DDNS (via Https)
This will probably not work due to nat-loopback.

There are some limitations when using routed vpn in general.

You may have issues with accessing certain resources due to the resource firewalls not accepting connections from ips outside your lan. This should ideally be solved on the resource whenever possible. This would not be an issue on router itself, but may be on I.e a NAS.

Certain shares (like smb) won't pop up by itself as mDNS won't work over vpn. You need to access the resource "blindly" by using its lan ip address. I use static ips for my resources and host names so I can access them using this name. But this requires that my client to use router for dns so it's tricky. Better use ips only.

Wireguard could be conflicting your lan ips with local ips on whatever network it's connected on. This could be fixed by appending your resource ips to the config file. Note that I have chosen lan ip to 192.168.128.x to have less conflicts (and it's conveniently 2^7 for CIDR notation :) )

So, lots of stuff could be going on preventing access that's not really related to Wireguard itself but more like how everything is setup.
 
Last edited:
This should not be any problems, altough if you are using https (I dont) then you might need to add the port number?
When accessing 192.168.1.1 it’s via Http while my ddns address is accessed via Https (https://www.ddns.com:8443/)
There are some limitations when using routed vpn in general.

You may have issues with accessing certain resources due to the resource firewalls not accepting connections from ips outside your lan. This should ideally be solved on the resource whenever possible. This would not be an issue on router itself, but may be on I.e a NAS.
Yeah I have noticed other LAN devices like my raspberry pi or smart home devices not allowing me access to their resources when connected via the Wireguard server, i did allocate 192.168.1.2 to 192.168.1.25 for manual assignment of LAN addresses and provided the devices in this range with local hostnames however, no luck.
Wireguard could be conflicting your lan ips with local ips on whatever network it's connected on. This could be fixed by appending your resource ips to the config file. Note that I have chosen lan ip to 192.168.128.x to have less conflicts (and it's conveniently 2^7 for CIDR notation :) )

So, lots of stuff could be going on preventing access that's not really related to Wireguard itself but more like how everything is setup.
I might consider making the change to 192.168.128.x if it causes less of an internal conflict that’s good to know, and yeah my setup is kinda all over the place aha doesn’t surprise me that I’m having this many issues.

I really do appreciate you sharing your knowledge with me! Hope the New Years treats you well!

edit; Stumbled upon your comment(s) Here which I think will solve my LAN issues mentioned above!
 
Last edited:
When accessing 192.168.1.1 it’s via Http while my ddns address is accessed via Https (https://www.ddns.com:8443/)
You should really consider to turn off wan access to router gui as it's a big security risk. Use your vpn instead.
Not sure if these settings affects your issue accessing from Wireguard. I have mine to http only.

edit; Stumbled upon your comment(s) Here which I think will solve my LAN issues mentioned above!
Probably. But it has some adverse effects, like taking up resources (limiting speed) and prevents you from seeing who is accessing your resources.
There are also other ways of getting around this, like placing wg ip next to your lan ip, like lan on 192.168.128.x and wg on 192.168.129.x and change the lan netmask to /23 (mask: 255.255.254.0).
 
You should really consider to turn off wan access to router gui as it's a big security risk. Use your vpn instead.
Not sure if these settings affects your issue accessing from Wireguard. I have mine to http only.


Probably. But it has some adverse effects, like taking up resources (limiting speed) and prevents you from seeing who is accessing your resources.
There are also other ways of getting around this, like placing wg ip next to your lan ip, like lan on 192.168.128.x and wg on 192.168.129.x and change the lan netmask to /23 (mask: 255.255.254.0).

Hi,

I am having a similar issue with Wireguard you can elaborate on this?

The Wireguard server is running in an outside server (static IP). Wireguard IP range is 192.168.2.x
The router has Wireguard client which connects to the Wireguard server. The router IP range is 192.168.50.x
The cell phone has a Wireguard app that connects to the Wireguard server. Cell VPN IP 192.168.2.x


I know it works because I can connect to the router over VPN from my cell phone and access AGH without an issue. (VPN Director with Remote IP 192.168.2.x/24 with blank LocalIP. No other routes in VPN Director)

Problem: I cannot access the router homepage and cannot ssh over VPN. connection refused. From your other post I see that it may be my wireguard IP is out of range for Router firewall. So what is this thing below you are referring to, how/where is it done?


There are also other ways of getting around this, like placing wg ip next to your lan ip, like lan on 192.168.128.x and wg on 192.168.129.x and change the lan netmask to /23 (mask: 255.255.254.0).

I have a Firewall Rule with VPN IP to Ports allowed but it does not work.
 
I am having a similar issue with Wireguard you can elaborate on this?
I don't think that your problem is the same. If I were to guess I would think your problem comes from router firewall access. I have not studied this in detail but Im not sure the "allow inbound" setting in VPN Client grants access to router homepage or SSH (but I could be wrong). AGH would probably set up its own firewall rules so it may behave different.

Edit: please confirm that you have set "Inbound firewall" to "Allow" in the wg client setting in router gui. That should allow both router access and lan access according to the source code.

There is also another possibility, if you have turned off NAT, your cloud server needs to be aware of your LAN ip in this peer AllowedIPs.
Edit: Nat will not help you, infact it should be disabled for inbound access. Your cloud server wg peer needs to include your lan ip else routing will not work. But it could be 0.0.0.0/0.

you may attempt to add custom firewall rules to see if it helps, like:
Code:
iptables -I INPUT -i wgc1 -j ACCEPT
(assuming wgc1 is your wg client)


As your reason for VPN is to have a private connection, i.e. all traffic over VPN is "trusted" it becomes a little backwards to use a VPN client on the router as all bits and pieces may not be setup the way you want it to be. also, you really dont have any use for policy routing as it only serves as a distraction (policy routing is foremost usable when there are more than one routes to the same target)

ideally you would want the router to setup everything as you were running a server on the router, like an extended private network, although in your case I would assume this is not really possible. Perhaps your router are behind CGNAT like me? to avoid issues like yours I too used a cloud server with a static ip to relay data to my network but I setup as a server instead on the router.
Wireguard itself does not have any concept of server/client, they are all peers. fully capable of initiating connection from any way. so, why cant we setup a server peer that connects out to our client? well, since Wireguard can, we can:
https://www.snbforums.com/threads/wireguard-server-tweaks.85758/post-852124

I can confirm that access to router homepage and SSH works with this setup. I know it's not quite as simple as just import a client config file and since we are doing away with NAT (which is a good thing!) the cloud server needs to be aware of our LAN network in order for routing to/from LAN to work.

some more background info on how my system was setup: https://github.com/ZebMcKayhan/Wire...ov-file#setup-private-server-via-cloud-server
 
Last edited:
I don't think that your problem is the same. If I were to guess I would think your problem comes from router firewall access. I have not studied this in detail but Im not sure the "allow inbound" setting in VPN Client grants access to router homepage or SSH (but I could be wrong). AGH would probably set up its own firewall rules so it may behave different.

Edit: please confirm that you have set "Inbound firewall" to "Allow" in the wg client setting in router gui. That should allow both router access and lan access according to the source code.

There is also another possibility, if you have turned off NAT, your cloud server needs to be aware of your LAN ip in this peer AllowedIPs.
Edit: Nat will not help you, infact it should be disabled for inbound access. Your cloud server wg peer needs to include your lan ip else routing will not work. But it could be 0.0.0.0/0.

you may attempt to add custom firewall rules to see if it helps, like:
Code:
iptables -I INPUT -i wgc1 -j ACCEPT
(assuming wgc1 is your wg client)


As your reason for VPN is to have a private connection, i.e. all traffic over VPN is "trusted" it becomes a little backwards to use a VPN client on the router as all bits and pieces may not be setup the way you want it to be. also, you really dont have any use for policy routing as it only serves as a distraction (policy routing is foremost usable when there are more than one routes to the same target)

ideally you would want the router to setup everything as you were running a server on the router, like an extended private network, although in your case I would assume this is not really possible. Perhaps your router are behind CGNAT like me? to avoid issues like yours I too used a cloud server with a static ip to relay data to my network but I setup as a server instead on the router.
Wireguard itself does not have any concept of server/client, they are all peers. fully capable of initiating connection from any way. so, why cant we setup a server peer that connects out to our client? well, since Wireguard can, we can:
https://www.snbforums.com/threads/wireguard-server-tweaks.85758/post-852124

I can confirm that access to router homepage and SSH works with this setup. I know it's not quite as simple as just import a client config file and since we are doing away with NAT (which is a good thing!) the cloud server needs to be aware of our LAN network in order for routing to/from LAN to work.

some more background info on how my system was setup: https://github.com/ZebMcKayhan/Wire...ov-file#setup-private-server-via-cloud-server
thanks a bunch, that has fixed it.

I updated couple of things in WG conf in the WG server

I am still using wireguard client in router, but I updated my POSTUP and POSTDOWN to the following. I am still not confident to add more, but will try it soon.

PostUp = iptables -I INPUT -p udp --dport #### -m state --state NEW -j ACCEPT;
PostDown = iptables -D INPUT -p udp --dport #### -m state --state NEW -j ACCEPT;
PostUp = iptables -I FORWARD -i VPS -o VPS -j ACCEPT;
PostDown = iptables -D FORWARD -i VPS -o VPS -j ACCEPT;

and allowed IPs in router peer

AllowedIPs = router IP/24, VPN IP/24

removed Firewall rules in router.

Amazing thanks again.🙏
 
I am still using wireguard client in router, but I updated my POSTUP and POSTDOWN to the following. I am still not confident to add more, but will try it soon.
Great! Everything you need is in the link I sent you. Everything under "Setup Cloud Server" part should still work for you.

But I'm curious, did you also named your VPS wg config VPS.conf same as me? The iptables command in FORWARD chain refers to interface names to allow access which wg-quick gets from your config file name. So unless we have the same name this rule won't do you any good. And since it worked with AGH before I assume you don't need it?

and allowed IPs in router peer
Not to be picky but in your case the AllowedziPs should probably be:
Code:
AllowedIPs = router IP/24,192.168.2.x/32
Where x is the actual wg ip of your router. However, it's not a big deal and will work anyway.
 
But I'm curious, did you also named your VPS wg config VPS.conf same as me?
yes I updated it to the same.

Not to be picky but in your case the AllowedziPs should probably be:

Thanks for that, I have updated it indeed.

One other question on router peer allowed IP in server conf for example

This works, but
AllowedIPs = 192.168.50.0/24,192.168.2.x/32

This does not, why?
AllowedIPs = 192.168.50.2/32,192.168.2.x/32
 
This does not, why?
AllowedIPs = 192.168.50.2/32,192.168.2.x/32
/32 means this ip explicit so it will only send packets to 192.168.50.2 over the tunnel. While /24 means entire 192.168.50.x subnet.

So each peer should have all destinations on the other end of the tunnel here for wg to do routing. And it's natural that same peer have different AllowedIPs on each side of the tunnel.
For example a lone road-worrior device, like a phone have 0.0.0.0/0 (all ips) on its side but on the server side it's only that device ip /32.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top