Solved OpenVPN Works via LTE and Wifi but Wireguard only works via LTE on 388.1?

[jksmurf]

I did do a wee search but couldn't find a similar issue to mine.

Pretty simple issue, I have set up an OpenVPN and Wireguard Server on my RT-AX86U and have been testing it (at work) from an iPhone with both OpenVPN and Wireguard Apps.
My test is just to see if can access the Router's WebGui for Starters, using 192.168.1.1

The WiFi is an Airport Wifi available to Airport Passengers. Now:

1. I can log in easily and quickly to the Router's GUI when I connect using OpenVPN, with my iPhone connected to the Airport WiFi.
2. I can log in easily and quickly to the Router's GUI when I connect using OpenVPN, with my iPhone connected to LTE only i.e disable WiFI.
3. I can log in easily and quickly to the Router's GUI when I connect using Wireguard with my iPhone connected to LTE only i.e disable WiFI.
4. HOWEVER, I can NOT log in to the Routers GUI when I connect using Wireguard, with my iPhone connected to the exact same Airport WiFi in 1 above (even though the little VPN symbol shows up and there is no error message from the WG App about not having made a connection?)

Repeatable behaviour. I could understand if BOTH VPN implementations were rejected using WiFi, but why does ONLY the WG connection not work with Wifi, but work with LTE?

I saved a set of logs but I am not sure what to post, am loathe to post it all for security reasons. I attach the WG log, HTH.

Thanks for any hints or tips or suggestions or request for other details here, pretty cool that I can use either now (except not with this Wifi... not tested other Wifi).

 

[GSpock]

Would it be possible that this specific "Airport WiFi" has some "security" mechanism that would block WG protocol/port but not the OpenVPN/port ?
So, testing with another WIFI is a way forward to exclude (or not) this hypothesis ....

 

[jksmurf]

Would it be possible that this specific "Airport WiFi" has some "security" mechanism that would block WG protocol/port but not the OpenVPN/port ?
So, testing with another WIFI is a way forward to exclude (or not) this hypothesis ....

It's a valid point thanks and I did try with a number (at least 5 or 6) other "Free" Cafe WiFi Networks ... with the exact same result; except one. Which has me even more puzzled. If someone can help point me at the settings for the one that worked I can try it again to see what is different to the ones that work. I believe (from reading) that the Networks cannot have the same IP Address XXX.YYY.ZZZ. ...but the ASUS Setup for iOS is supposed to be very very simple... no advanced settings needed. Also read that some folks change the ports to UDP 53 and some lower the MTU; I'm really not sure and I'm stumped. OpenVPN Works fine on the same network, with ALL WiFi I tried.

 

[GSpock]

I believe (from reading) that the Networks cannot have the same IP Address XXX.YYY.ZZZ. ...but the ASUS Setup for iOS is supposed to be very very simple

This is not linked to the ASUS set-up for IOS.
It means that if your home network is for example 192.168.1.0/24 (with your router being 192.168.1.1) then the "café WIFI" you are connected to has to have a different network address, otherwise when trying to access your home GUI, it simply cannot make the difference between the 2 network.
Now, on the WIFI this is working for both your connection, what is at that time your local IP address and what is the address of the gateway ? It should read something different than from your home router ; on a WIFI that does not work, look for the same info ...

 

[elorimer]

I would think that if OpenVPN is working over the airport wifi, then the problem with the WG wouldn't be a network address problem. I'd be thinking about whether the port/protocol is blocked, but that seems like a long shot. Perhaps you could move the wg server to a non-dynamic port, and if necessary see if udptunnel works.

Nevertheless, having the home network be 192.168.1.0/24 is certain to cause a problem sometime for VPN.

 

[bbunge]

Welcome to the world of Wireguard problems. I quit using it and use Instant Guard on my phone and tablet. It just works! I use OpenVPN on the laptop.

 

[jksmurf]

This is not linked to the ASUS set-up for IOS.
It means that if your home network is for example 192.168.1.0/24 (with your router being 192.168.1.1) then the "café WIFI" you are connected to has to have a different network address, otherwise when trying to access your home GUI, it simply cannot make the difference between the 2 network.
Now, on the WIFI this is working for both your connection, what is at that time your local IP address and what is the address of the gateway ? It should read something different than from your home router ; on a WIFI that does not work, look for the same info ...

OK thank you, I think I get what you mean but surely a large Airport wouldn't set up a Network with Routers on 192.168.1.1 addresses would they?

My home Router is definitely 192.168.1.1. I will need to wait until lunchtime here to try that cafe WIFI (where both work) again. In the meantime I attach the VPN Status from the Airport Wifi where it works with OpenVPN (but not WG). I am not sure if this shows the address that the VPN Server can cope with using OpenVPN but not WG?

 

[jksmurf]

I would think that if OpenVPN is working over the airport wifi, then the problem with the WG wouldn't be a network address problem. I'd be thinking about whether the port/protocol is blocked, but that seems like a long shot. Perhaps you could move the wg server to a non-dynamic port, and if necessary see if udptunnel works.

Nevertheless, having the home network be 192.168.1.0/24 is certain to cause a problem sometime for VPN.

Thank elorimer (I think we went through this on the GLiNet device...?) , I did try changing the Port to 53 (recommended elsewhere) and exporting the QR Code and making a new connection, but no dice there on the Airport Wifi. Will see what the lunchtime Wifi trial looks like, ta.

 

[jksmurf]

Welcome to the world of Wireguard problems. I quit using it and use Instant Guard on my phone and tablet. It just works! I use OpenVPN on the laptop.

Yeah, I guess it's an option but I'm more trying to move from OpenVPN to just WG for all my devices (speed, ease of setup (supposedly...))... there was also some talk of a Firewall here https://www.snbforums.com/threads/w...ccess-to-intranet-even-though-selected.82379/ ... but the ASUS instructions for WG don't mention this (and I don't have any special Firewall limitations, my setup is very simple, close to default settings, just with Diversion and I have 40-odd reserved DHCPs with names).

 

[jksmurf]

OK as promised, this is the Cafe WIFI that Works with WG. Based on this, any hints or revelations as to why this works here but not at the Airport Wifi (or indeed many other Wifis)?

 

[chongnt]

Perhaps can try as @elorimer mentioned above change your wg server listening port?

 

[jksmurf]

Perhaps can try as @elorimer mentioned above change your wg server listening port?

Thanks, but as in post #8 above I did try changing it to 53, I assume this is UDP, (from 51820 being the WG default in the ASUS Router); still no dice at Airport Wifi... the quest continues.

 

[chongnt]

I’m not sure if port 53 is a good choice. Some service provider intercept it and redirect this to their DNS server.
By the way, for the working OpenVPN, do you use TCP or UDP? Can both work with the Airport wifi?

 

[jksmurf]

I’m not sure if port 53 is a good choice. Some service provider intercept it and redirect this to their DNS server.
By the way, for the working OpenVPN, do you use TCP or UDP? Can both work with the Airport wifi?

Thanks, TBH I am not that familiar with Networking to know why either 53 or 51820 would be correct, I just read some folks had success with it so gave it a whirl. e.g.

https://www.reddit.com/r/WireGuard/comments/hyj2hc

So I logged on just now (from Work) using OpenVPN on my iPhone and got onto the Asus WebGUI (VPN Server) settings (under Advanced, even though I only set it up using General settings), which shows OpenVPN uses UDP Port 6367; this is confirmed in the OpenVPN log on the iPhone. The App itself says "Adaptive". I haven't tried TCP (as I was just using the General Settings) so was not sure where to even set it). To test I will need to change it (any recommendations?) and export another OpenVPN Profile so might to wait until I am home to test this.

Do you think if I set WG to the same UDP Port 6367 it might Work on WG (about to test, if I can work out where and how to change it)?

 

[jksmurf]

OK so I tested WG on UDP Port 6367 (same as OpenVPN Port) and it doesn't connect at all. I tried this 3 times, applied settings, renewed Keys, exported and imported using QR code, no connection. As soon as I go back to Port 51820, WG connects (based on the WG log on the iPhone WG App which says "Tunnel status is now connected", then sends keepalive packets); but I still cannot access the Router WebGUI.

EDIT: on Pizza Hut Wifi can only access WebGui using WG, not OpenVPN. In. Starbucks neither would access the WebGui (and only OpenVPN connects).

 

[chongnt]

OK so I tested WG on UDP Port 6367 (same as OpenVPN Port) and it doesn't connect at all. I tried this 3 times, applied settings, renewed Keys, exported and imported using QR code, no connection. As soon as I go back to Port 51820, WG connects (based on the WG log on the iPhone WG App which says "Tunnel status is now connected", then sends keepalive packets); but I still cannot access the Router WebGUI.

Port 6367 already used by OpenVPN server. Maybe can try port 6368, or even 1193 for WG server. The phone Apps status Active does not mean connected. A good indicator of connected peer is latest handshake. Usually the latest handshake time will be around two minutes or lower when connection is up.
Other than sending keepalive packet, do you also see sending handshake initiation and received handshake response messages? If there is handshake then it means it is connected. Since it works with LTE and certain wifi so I suppose other config like DNS server in the WG apps should be fine. So we need to get the handshake working first.

 

[jksmurf]

Port 6367 already used by OpenVPN server. Maybe can try port 6368, or even 1193 for WG server. The phone Apps status Active does not mean connected. A good indicator of connected peer is latest handshake. Usually the latest handshake time will be around two minutes or lower when connection is up.
Other than sending keepalive packet, do you also see sending handshake initiation and received handshake response messages? If there is handshake then it means it is connected. Since it works with LTE and certain wifi so I suppose other config like DNS server in the WG apps should be fine. So we need to get the handshake working first.

Thanks for keeping making suggestions it’s very much appreciated! I’m not convinced the Port is really the issue here though. I do get handshake initiation and response messages in the WG logs, when it connects; and I know it connects as I can go to the router WEBGUI and check the VPN status.

I tried at Pizza Hut and it worked on WG but not on OpenVPN.

I tried at my radiologist (was getting an XRay) and it worked for both.

I attach the webgui snapshot and the iphone WG Settings showing the IP addresses, not sure if they are useful but the point is it connects to OpenVPN or WG or both using some Wi-Fi sites and not others and I am not sure why.

 

[chongnt]

Thanks for keeping making suggestions it’s very much appreciated! I’m not convinced the Port is really the issue here though. I do get handshake initiation and response messages in the WG logs, when it connects; and I know it connects as I can go to the router WEBGUI and check the VPN status.

I tried at Pizza Hut and it worked on WG but not on OpenVPN.

I tried at my radiologist (was getting an XRay) and it worked for both.

I attach the webgui snapshot and the iphone WG Settings showing the IP addresses, not sure if they are useful but the point is it connects to OpenVPN or WG or both using some Wi-Fi sites and not others and I am not sure why.

Yeah, hard to tell if port number is the issue here. One way I can think of is do packet capture at router end, while initiate the connection from wg apps. This will tell if router receive the handshake initiation or not. Say if home router did not receive the handshake, we can say not the router setting problem because most likely it is dropped by the public wifi.
Good thing is you already can dial home with either OpenVPN or WG from LTE or certain Wifi.

 

[elorimer]

The fact that you can connect from some places and not others suggests to me that the overall configuration is fine, but in the places you cannot, something is preventing the traffic from getting from one end to the other. That could be because the free wifi you are connecting to is blocking VPN traffic, or directing things to a captive portal, or because the wifi router thinks it has sent the traffic to the right place.

The point behind fooling with ports/protocols is to spoof the first. TCP/443 is usually chosen for this purpose because it is hard to distinguish from normal internet traffic, and why it is worthwhile to consider setting up the second OpenVPN server for TCP/443 as a failover. WG can't use TCP (except with udptunnel) and I think 443 might present other problems. So if you can't make a WG connection, best to fall back to OpenVPN.

There doesn't seem in your examples to be evidence of a captive portal.

Have you moved your home network off of 192.168.1.0/24? It is possible the inoperative wifi is on that subnet, or on its way to the internet transits such a subnet. That might explain why it works in some places and not others.

 

[jksmurf]

snip

Have you moved your home network off of 192.168.1.0/24? It is possible the inoperative wifi is on that subnet, or on its way to the internet transits such a subnet. That might explain why it works in some places and not others.

Thanks elorimer pretty much agree with you conclusions (snipped), although prob shouldn’t totally rule out that there might be a magic port number than works, respectively, for each VPN protocol.

As regards moving the home network off 192.168.1.1 yes I’d like to try that but I need to understand what it means in terms of what I need to change (and TBH I’m a bit sad to change as that address has been such a friend when accessing the Webgui since my Router year dot).

Currently I only have IP addresses defined in a few places although I have maybe 40 manually defined addresses which I assume I would ALSO need to change? Also the automatic LAN pool range.

I went through the router Webadmin looking for locations IP addresses are entered to see what would need to be changed, as attached. I don’t use port forwards anymore so these are empty. I don’t have any windows PCs with IP address set on the computer the pic here is just an example. The “Duplicate” comment was an aside; I noticed the router name could be entered in two different places. I don’t use pixelsevr so Diversion doesn’t have a separate IP address that would need to be changed. nor DMZ nor LAN route. I assume I’d have to redo the AIMESH nodes.

Anything I missed or misunderstood regarding changing the IP addressing range? Is there a recommended range for this? I guess as 192.168 is private (I read) that 192.168.7.1 or 192.168.33.1 would still not be recommended? Apologies for all the questions very new ground for me, nervous territory due to impacts I might not know about.

ta

k.