
Solved Please help access my network resources from outside (VPN Cascading and IP Masquerading)

Aiadi

Senior Member
I’m trying to set up remote access to my home network using WireGuard VPN on my RT-BE88U, and I’d appreciate any help.

When the router is running only the WireGuard VPN server, everything works fine — I can connect remotely from multiple clients (Android, Windows laptop, etc.) without issues.

The problem starts when I also enable the router’s VPN Client (I’m using Windscribe). As soon as the VPN Client is active, all my remote clients connected through the WireGuard server lose internet access and can’t reach anything on my home network.

Up to AsusMerlin firmware version 3006.102.3, I was able to make this work using a simple VPN Director rule, but I haven’t been able to achieve the same behavior on newer versions. I’m not an expert, but I believe this setup falls under what’s commonly called VPN cascading — and it seems I’m no longer able to configure it successfully.

I know that using something like Tailscale can help me achieve my goal, but I would rather be able to set this up using my own VPN tunnel.

I’ve asked about this in a few other threads but haven’t received a reply, so I’m posting a new thread to confirm whether what I’m trying to do is still possible on current firmware versions (I am currently on 3006.102.6_beta2). Any guidance or configuration tips would be greatly appreciated.
 
The problem starts when I also enable the router’s VPN Client (I’m using Windscribe). As soon as the VPN Client is active, all my remote clients connected through the WireGuard server lose internet access and can’t reach anything on my home network.
Please share a picture of your VPNDirector rules when you have the vpn client running and things are not working.

This should be possible, I'm running a similar setup without issues, although I'm still on 388 fw for now.
 
Please share a picture of your VPNDirector rules when you have the vpn client running and things are not working.

This should be possible, I'm running a similar setup without issues, although I'm still on 388 fw for now.
This setup used to work perfectly until the last couple of firmware updates. Each update was installed clean with full factory resets, but I’m still seeing the same issue: I can no longer reach my home network from outside.

The VPN tunnel itself works flawlessly as long as the router’s VPN client is disabled, or if I’m already connected to my home network locally. Once the VPN client on the router is enabled, external access fails consistently.

VPN Director.png


Connection error.png
 
This setup used to work perfectly until the last couple of firmware updates. Each update was installed clean with full factory resets, but I’m still seeing the same issue: I can no longer reach my home network from outside.

The VPN tunnel itself works flawlessly as long as the router’s VPN client is disabled, or if I’m already connected to my home network locally. Once the VPN client on the router is enabled, external access fails consistently.

See what happens if you set the LAN IP for your router to use the WAN.
 
I'm assuming 10.6.0.xx is a remote lan that connects as a Wireguard client to the Wireguard server on this router, and that 192.168.1.xx is the lan for this router. I don't think I quite get what the setup is. The first rule says any local IP (including the router) trying to reach a nonroutable network of 10.6.0.xx goes over the WAN. So the router has no local path back to your remote client, so everything fails. The second rule says, any local IP trying to reach anything goes over the tunnel to your remote client, but that's blocked by the first rule.

I would have thought you would have two WG clients, the first to your remote LAN, the second to Windscribe. Then the rule for WG1 would be anything going to 10.6.0.xx goes over your tunnel to the remote LAN. WG2 would be anything going to anything goes to the Windscribe tunnel.

I don't do cascading; I have split tunneling on both sides of a site to site with each side having a client reaching the server on the other.
 
I'm assuming 10.6.0.xx is a remote lan that connects as a Wireguard client to the Wireguard server on this router, and that 192.168.1.xx is the lan for this router. I don't think I quite get what the setup is. The first rule says any local IP (including the router) trying to reach a nonroutable network of 10.6.0.xx goes over the WAN. So the router has no local path back to your remote client, so everything fails. The second rule says, any local IP trying to reach anything goes over the tunnel to your remote client, but that's blocked by the first rule.

I would have thought you would have two WG clients, the first to your remote LAN, the second to Windscribe. Then the rule for WG1 would be anything going to 10.6.0.xx goes over your tunnel to the remote LAN. WG2 would be anything going to anything goes to the Windscribe tunnel.

I don't do cascading; I have split tunneling on both sides of a site to site with each side having a client reaching the server on the other.
My local LAN is 192.168.1.0/24. On the router, I have only one WireGuard client (WGC1), which connects to Windscribe. That’s where all traffic from my LAN (192.168.1.0/24) is routed, according to the second rule in VPN Director and that part is working perfectly and not being blocked at all by the first rule.

I don't have a remote LAN per se as this changes depending on my client devices when away from home and the parent networks I am connected to. I have, however client IP addresses assigned by my WG server. The first rule is meant to allow all traffic from my remote peers to pass through normally. As I understand it, the IPv4 addresses assigned to my own WireGuard tunnel by the server are in the 10.6.0.0/24 range (as shown in the screenshot below). So, the first VPN Director rule should allow traffic from my remote peers to go out through the regular WAN, bypassing the Windscribe VPN client—at least that’s how I believe it should work.
WG Server.png
 
See what happens if you set the LAN IP for your router to use the WAN.
Do you mean like this??
WAN Route.png


Yes, that obviously works fine as it makes my setup behave exactly as if VPN client is completely disabled. This is not my use case though as I need all of my local traffic going out to pass through VPN client (WGC1) and not through WAN.

Edit: Sorry @CaptainSTX , I understood better what you meant by your suggestion from @ZebMcKayhan post below. Thanks for your advice.
 
This setup used to work perfectly until the last couple of firmware updates. Each update was installed clean with full factory resets, but I’m still seeing the same issue: I can no longer reach my home network from outside.

The VPN tunnel itself works flawlessly as long as the router’s VPN client is disabled, or if I’m already connected to my home network locally. Once the VPN client on the router is enabled, external access fails consistently.

That's not how I would have done the rules, but I can't see why it would muck up your server clients' internet connection. That is, if routing is set up as in 388 fw.

Could it be a DNS issue? Could you test pinging an IP, like 142.250.74.110 (google.com for me), from your server clients when internet is not working?
 
That's not how I would have done the rules, but I can't see why it would muck up your server clients' internet connection. That is, if routing is set up as in 388 fw.

Could it be a DNS issue? Could you test pinging an IP, like 142.250.74.110 (google.com for me), from your server clients when internet is not working?
Nothing back from ping:
Screenshot_20251121-193957.png
 
Ooh, I completely missed your picture about the wg handshake not working. So the tunnel breaks on a lower level. I wonder if something has changed in fw recently. What if you follow @CaptainSTX's advice and add a VPN Director rule for
Local IP: 192.168.1.1/32
Remote IP: leave blank
Interface Wan.

Leave the other 2 rules as they are.
Wow, you all are awesome — adding that simple rule fixed it! I’m still not sure why it worked on the older firmware without it, but I really appreciate the help. I will keep on testing to see if it continues to properly work.

I have removed my previous first VPN Director's rule and things are still working perfectly fine. Thanks again for your help.
ROUTER IP.png
 
adding that simple rule fixed it!
Glad it worked for you!
but that's troublesome indeed. It means that WireGuard is bound to the LAN IP, which it wasn't before. We will probably see more of these reports.


I have removed my previous first VPN Director's rule and things are still working perfectly fine. Thanks again for your help.
Since some of the later 388 fw this is taken care of "behind the scenes" in the fw. However that rule is not a bad idea, it may save you in the future if fw changes back. I would keep it for securing access to your lan resources from your server clients for future sake.
 
Now that I’m able to fully access my home network resources through WireGuard while also having the router’s WG VPN client enabled, I have a couple of related questions.

First, is it possible to access only my LAN devices without routing all of my internet traffic through my home router?

Second, can I configure my remote client devices to use my router’s VPN client IP address (my Windscribe IP) instead of my native public WAN IP? I believe this might fall under IP masquerading.

Ideally, I’d like to access my home LAN devices remotely without having all internet traffic routed through my home router.

Thanks again in advance for any guidance!
 
First, is it possible to access only my LAN devices without routing all of my internet traffic through my home router?
Sure, but this is something you control in the client app. Just edit the tunnel in your Android app and change AllowedIPs to only 192.168.1.0/24 and remove the current 0.0.0.0/0 (all IPs). (Edit: you may also need to add 10.6.0.1 to AllowedIPs if that's the DNS you are using. Separate with a comma, like: "192.168.1.0/24, 10.6.0.1".)
In fact you could duplicate the tunnel and have one as it is and another with changed AllowedIPs, so you can choose which you use when connecting based on where you want to surf from today.

Keep DNS as the router IP if you want to use local domain names; otherwise you are forced to use IPs to access your LAN devices.


Second, can I configure my remote client devices to use my router’s VPN client IP address (my Windscribe IP) instead of my native public WAN IP? I believe this might fall under IP masquerading.
Just use VPN Director to add a rule: local IP 10.6.0.0/24 to use interface WGC1. Masquerading is done on all WGC1 output as part of the requirements from the provider.
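As an added illustration (not code from the firmware or from anyone in this thread), the model below walks through how the VPN Director rule sets discussed here route three kinds of traffic: the router's own WireGuard server replies, LAN hosts, and the remote peers in 10.6.0.0/24. It assumes, as VPN Director's documentation describes, that WAN rules are evaluated before VPN-client rules and the first match wins, and it takes the thread's explanation that the server's replies are sourced from the LAN IP 192.168.1.1; the peer endpoint 203.0.113.10 is a constructed placeholder.

```python
from ipaddress import ip_address, ip_network

# Constructed model of VPN Director policy routing (assumption: WAN rules are
# checked before WGC rules, first match wins, no match falls back to the
# default route, which in this thread's setup is the WAN).
# A rule is (local_cidr, remote_cidr, interface); "" means "any".
Rule = tuple


def _matches(cidr, ip):
    return cidr == "" or ip_address(ip) in ip_network(cidr, strict=False)


def select_interface(rules, src, dst, default="WAN"):
    """Return the egress interface VPN Director would pick for src -> dst."""
    ordered = [r for r in rules if r[2] == "WAN"] + [r for r in rules if r[2] != "WAN"]
    for local, remote, iface in ordered:
        if _matches(local, src) and _matches(remote, dst):
            return iface
    return default


# The original two rules: anything to 10.6.0.x via WAN, whole LAN via Windscribe.
BROKEN = [
    ("", "10.6.0.0/24", "WAN"),
    ("192.168.1.0/24", "", "WGC1"),
]

# The rules the thread ends with: router's own IP pinned to WAN, LAN and the
# WG server's peers (10.6.0.0/24) both exit through WGC1 (masqueraded there).
FIXED = [
    ("192.168.1.1/32", "", "WAN"),
    ("192.168.1.0/24", "", "WGC1"),
    ("10.6.0.0/24", "", "WGC1"),
]


def handshake_path(rules):
    """Egress for a WG server reply from the router's LAN-bound address to a
    remote peer's public endpoint (203.0.113.10 is constructed)."""
    return select_interface(rules, "192.168.1.1", "203.0.113.10")


if __name__ == "__main__":
    print("handshake, original rules:", handshake_path(BROKEN))   # WGC1: reply leaves via Windscribe
    print("handshake, fixed rules:   ", handshake_path(FIXED))    # WAN: reply returns to the peer
    print("remote peer to internet:  ", select_interface(FIXED, "10.6.0.2", "142.250.74.110"))
```

With the original rules the router's handshake reply is swallowed by the 192.168.1.0/24 catch-all and leaves through WGC1, which is why the peer never completes a handshake; the /32 WAN rule wins because WAN rules are evaluated first.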
 
Keep DNS as the router IP if you want to use local domain names; otherwise you are forced to use IPs to access your LAN devices.
You’re such a great fountain of knowledge. Both of your solutions worked right away, and I now have all my remote-access requirements fully covered thanks to your help.

I did have to remove my home router's IP as the DNS to keep internet access working (whilst only allowing 192.168.1.0/24) on the client device, but I suppose that’s expected. Thank you again for all your help.
 
I did have to remove my home router's IP as the DNS to keep internet access working (whilst only allowing 192.168.1.0/24) on the client device, but I suppose that’s expected. Thank you again for all your help.
If you add 10.6.0.1 to the AllowedIPs list as "192.168.1.0/24, 10.6.0.1/32" then you should be able to use DNS as 10.6.0.1 and have DNS lookups done by your router, a potential benefit if you are using domain names (or running Diversion or AGH or whatnot).
 
Now that I’m able to fully access my home network resources through WireGuard while also having the router’s WG VPN client enabled, I have a couple of related questions.

First, is it possible to access only my LAN devices without routing all of my internet traffic through my home router?

Second, can I configure my remote client devices to use my router’s VPN client IP address (my Windscribe IP) instead of my native public WAN IP? I believe this might fall under IP masquerading.

Ideally, I’d like to access my home LAN devices remotely without having all internet traffic routed through my home router.

Thanks again in advance for any guidance!
All you need to do, if you are using the default setup for your WG server, is use VPN Director to specify that 10.8.0.0/24 uses WGC1; then any remote device connecting to your WG server will be routed outbound to the WWW using the VPN client.
 
If you add 10.6.0.1 to the AllowedIPs list as "192.168.1.0/24, 10.6.0.1/32" then you should be able to use DNS as 10.6.0.1 and have DNS lookups done by your router, a potential benefit if you are using domain names (or running Diversion or AGH or whatnot).
All you need to do, if you are using the default setup for your WG server, is use VPN Director to specify that 10.8.0.0/24 uses WGC1; then any remote device connecting to your WG server will be routed outbound to the WWW using the VPN client.
Most helpful once again and working perfectly. Thanks a million.
 