OVPN on Asus and Wireguard on Pi4 not working together (Port forwarding issue?)

Wycleff

Regular Contributor
Hi,

I recently set up Mullvad VPN with OVPN on my RT-AX58U.
Before, I didn't use a VPN or anything like that (German Bubble User), but I set up WireGuard on my Pi4 to connect from everywhere with my mobile phone into my home network.

Now after setting up Mullvad on my RT-AX58U with this Guide:

I can't get WireGuard to work on my Pi4 anymore.
I think it's a forwarding issue, but can someone please provide a little help or does anyone have an idea? Also, I applied the Port forwarding (Optional) part from the guide for Asus routers, but it didn't help.

What's working now:
If I disable Mullvad VPN on the RT-AX58U, I can connect from everywhere into my Pi4 with WireGuard just fine.
If I enable Mullvad VPN on the RT-AX58U, I can't connect to my Pi4 with WireGuard anymore.

Thanks, guys.
 

eibgrad

Part of the Furniture
If the OpenVPN client on the router is routing *all* LAN traffic over that VPN, that will include the RPi. But you can't have the RPi (or any other devices) bound to the VPN *and* remotely accessible over the WAN at the same time due to RPF (reverse-path filtering). A common (but not the only) solution is to use routing policy (i.e., the VPN Director) to create rules that route specifically what you want routed over the VPN, and exclude things like the RPi.
 

Wycleff

Regular Contributor
It's the next disappointment with Asus routers, I think I'll leave everything as is for now and wait for my new setup to arrive here.
Thanks for your help.
 

unsynaps

Senior Member
Trying to do something complex and out of the box and disappointed by a router designed for basic home use? :rolleyes:
 

Wycleff

Regular Contributor
Too expensive to call it "a router designed for basic home use" in my opinion, but that's all it seems to be in the end.
Sidenote: if you are honest, the Asus RT-AX88U can't really do much more than the RT-AX58U, but I think it's just a 300 EUR "router designed for basic home use" too. ;)
 

eibgrad

Part of the Furniture
The router is not to blame here. It's working exactly as intended. If you configured the OpenVPN client to route everything on the LAN over the VPN (including the RPi), you can't expect to reach the RPi over the WAN at the same time. Those replies must be directed back over the WAN. But you told it to do otherwise w/ the OpenVPN client!

As I said, one way around it is to NOT bind the RPi to the OpenVPN client, thus making it (and the WireGuard server) reachable over the WAN.

Another option is to bind the public IP(s) from which you'll be accessing the WireGuard server to the WAN using policy rules in the VPN Director. Admittedly, NOT a great solution when you're truly roaming, but often sufficient if you're accessing from places you frequent (workplace, school, favorite wifi cafe, etc.).

Another option, if the OpenVPN client supports port forwarding (and I know Mullvad does), you can remotely access WireGuard over the VPN rather than the WAN. Given the vast majority of OpenVPN providers do NOT support port forwarding, consider yourself lucky Mullvad does!
 

Wycleff

Regular Contributor
Thanks for your help, I went the split-tunneling way and it works for now. My Pi4 runs over normal WAN and the other devices use the VPN connection.

My lessons learned:

I had to set up pivpn with WireGuard from scratch on my Pi or WireGuard refused to work completely. Tested multiple times. Also, the command pivpn -d helped a lot.

The solution with port forwarding via Mullvad is somehow not working. I paid yearly and received a free port, but I just can't get it to work. Even with the nat-start solution from the Asus-Merlin Mullvad VPN Guide.
 

eibgrad

Part of the Furniture
A word of caution about VPN providers who support port forwarding.

They all differ in how (and how well) they support the feature. They ALL have limitations and restrictions of some kind. So make sure you research EXACTLY how it works and what is required.


In the case of Mullvad, notice you can NOT port forward w/ paid subscriptions, only when paying month to month (for reasons of privacy and security). Also, you can't just pick any external port you want. THEY decide the port for you. But notice the sample DNAT rules they provide assume the same destination port (--dport) will be used both externally *and* internally.


The chances of that working are highly improbable. Those rules should include the internal port of your device too.

Code:
... DNAT --to-destination 192.168.1.100:80

Like a lot of VPN provider instructions, esp. when it comes to router configuration, it leaves a lot to be desired, and can NOT be taken as gospel.
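
Added example (not part of the post above and not Mullvad's or Asus-Merlin's own script): a small helper that prints the DNAT rule with a separate internal port, plus the matching FORWARD rule. The interface name tun11, the external port 56789 and the WireGuard listen port 51820 are assumptions or placeholders; 192.168.1.100 is the address from the sample rule in the post.

```sh
#!/bin/sh
# Prints (does not apply) the rules needed to forward a provider-assigned
# external port to a LAN service listening on a different internal port.
# Review the output before adding it to a nat-start script.

# Constructed sample values, replace with your own:
VPN_IF="tun11"          # assumed name of the router's OpenVPN client interface
EXT_PORT="56789"        # placeholder for the port the VPN provider assigned
LAN_IP="192.168.1.100"  # LAN address from the sample rule in the thread
INT_PORT="51820"        # assumed WireGuard listen port on the Pi
PROTO="udp"             # WireGuard only uses UDP, a tcp rule will never match

# Succeeds only for a decimal port number in the range 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: dnat_rules IFACE PROTO EXT_PORT LAN_IP INT_PORT
dnat_rules() {
    valid_port "$3" && valid_port "$5" || { echo "invalid port" >&2; return 1; }
    case "$2" in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp" >&2; return 1 ;;
    esac
    # nat/PREROUTING matches the external port the packet arrives on and
    # rewrites the destination to the LAN host and its internal port.
    echo "iptables -t nat -I PREROUTING -i $1 -p $2 --dport $3 -j DNAT --to-destination $4:$5"
    # filter/FORWARD is evaluated after DNAT, so it has to match the
    # rewritten (internal) address and port, not the external port.
    echo "iptables -I FORWARD -i $1 -p $2 -d $4 --dport $5 -j ACCEPT"
}

dnat_rules "$VPN_IF" "$PROTO" "$EXT_PORT" "$LAN_IP" "$INT_PORT"
```
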
 