
Route traffic from Wireguard VPN clients through cloud VPN server

ragnaroknroll

Regular Contributor
I am running a Wireguard VPN server on my home Asus RT-AX86U router on the Merlin firmware. I need to permanently stay connected to this home VPN server from work to ensure my files remain synced between my work PC and my home server.

At the same time, my home router needs to stay connected to a cloud TorGuard Wireguard VPN server as a client, to provide anonymous browsing capability to VPN clients connected to the server hosted on the router.

I initially thought this would be impossible, assuming VPN clients would not be able to reach my home router at its static IP address, since all traffic would be routed via the cloud TorGuard VPN server. Nevertheless, I was able to accomplish this for many years until firmware version 3004.388.8_4. VPN clients could somehow manage to connect to my home router at its static IP address. I was also able to route traffic from these clients through the TorGuard VPN server by just adding a VPN Director rule that routed all traffic from the IP address range assigned to VPN clients connecting to the router, through the TorGuard WGC1 interface.

Starting with firmware version 3004.388_9 though, this has ceased to work. Now when I even just connect to the TorGuard VPN server from my router (irrespective of whether the VPN Director rule is enabled or disabled), VPN clients connected to my home router are no longer able to access the internet. Would anyone have any ideas what has changed, and if I can still achieve what I want to by tweaking a few settings?
 
I'm not aware of anything changed in fw that would cause this.

Have you checked that the vpn client is still working? It's not clear if you use the client for anything but server clients.

It sounds like your server to lan access is still working.

Are you running any custom scripts?

What ip address are you using for your server and your lan? How did you set up vpndirector?

Did you tweak AllowedIPs in your server peer or not? If yes, to what?
 
Thanks a lot for your response. Yes, all traffic from devices connected directly to the home router is successfully routed via the TorGuard VPN service via a similar VPN Director rule.

I have a couple of custom scripts:
Code:
/jffs/scripts # cat merlin-ovpn-port-forward.sh
#!/bin/sh
#set -x # comment/uncomment to disable/enable debug mode
{
# ------------------------------ BEGIN OPTIONS ------------------------------- #

# interface source-ip/net proto extern-port intern-ip intern-port [comments...]
PORT_FORWARDS="
wgc1 0.0.0.0/0 tcp <port> <local ip address> <port>
wgc1 0.0.0.0/0 udp <port> <local ip address> <port>
"
# ------------------------------- END OPTIONS -------------------------------- #

# ---------------------- DO NOT CHANGE BELOW THIS LINE ----------------------- #

# delete any existing copy of the rule first (-I/-A rewritten to -D), then add it,
# so re-running the script never stacks duplicate rules
ipt() { iptables ${@/-[IA]/-D} 2>/dev/null; iptables $@; }

# iterate PORT_FORWARDS one line at a time
OIFS="$IFS"; IFS=$'\n'

for pf in $PORT_FORWARDS; do
    # skip comments and blank lines
    echo $pf | grep -Eq '^[[:space:]]*(#|$)' && continue

    # parse port forward into separate fields f1..f6
    for i in 1 2 3 4 5 6; do eval f$i="$(echo $pf | cut -d' ' -f$i)"; done

    # redirect external port on vpn to internal ip+port
    ipt -t nat -I PREROUTING -i $f1 -s $f2 -p $f3 --dport $f4 \
        -j DNAT --to $f5:$f6
done

IFS="$OIFS"

# allow routing from vpn to router internal port
# (tun+ matches OpenVPN tunnel interfaces; the DNAT rules above are on the WireGuard wgc1 interface)
ipt -I INPUT -i tun+ -m conntrack --ctstate DNAT -j ACCEPT

# allow routing from vpn to lan internal ip+port
ipt -I FORWARD -i tun+ -m conntrack --ctstate DNAT -j ACCEPT

exit 0
} 2>&1 | logger -t $(basename $0 .sh)[$$]

/jffs/scripts # cat post-mount
#!/bin/sh
. /jffs/addons/diversion/mount-entware.div # Added by amtm

swapon /dev/sda2

# once the Entware volume is mounted, copy the zsh config stored there into root's home
if [ "$1" = "/tmp/mnt/Entware" ]; then
    cp /tmp/mnt/Entware/entware/root/.zshrc /tmp/home/root
fi

My LAN clients have IP addresses in the range 10.11.8.0/24 and VPN clients connecting to my router are allotted IP addresses in the range 10.11.10.0/24.

I have two VPN director rules:
1. Route traffic from 10.11.8.0/24 to WGC1
2. Route traffic from 10.11.10.0/24 to WGC1

Some VPN clients connecting to my router have AllowedIPs = 10.11.8.0/24,10.11.10.0/24 (these are only required to access resources from other devices connected to the router), while others have AllowedIPs = 0.0.0.0/0 (these are required to access local resources as well as route internet traffic through the router's TorGuard VPN connection).
 
Sounds like you got the details right. Just for my understanding:
Lan to wan traffic works
Lan to wgc1 traffic works (if rule active)
Wgserver traffic to lan works
Wgserver traffic to wan does not work
Wgserver traffic to wgc1 does not work (if rule is active)

If my understanding is correct I don't have many ideas unfortunately. A couple of things pop up though:
1. Are you sure internet does not work or could it be a dns issue? Can you ping a known ip from wg server clients?
2. One thing that has changed back and forth is the killswitch. At some point the killswitch was still active even if the client was disabled. Check all unused clients and disable the killswitch setting.
3. You could check routing rules via ssh when it's not working via
Code:
ip rule
and routing tables via
Code:
ip route show table main
ip route show table wgc1
And see if you can spot anything.
 
Almost. Here's the situation:
  • LAN to WAN traffic works
  • LAN to WGC1 traffic works (when VPN Director rule active)
  • WGServer to LAN/WAN traffic works
  • WGServer to WGC1 traffic DOES NOT WORK (irrespective of whether VPN Director rule active or not)
Also, oddly enough, when WGC1 is active, WGServer to LAN traffic does not work either. This traffic works when WGC1 is disabled.

I tried pinging www.google.com from a WGServer client. This works when WGC1 is disabled, but doesn't work when WGC1 is active. Pinging other local devices doesn't work when WGC1 is active either.

Killswitch is OFF for sure.

Here are the results of the commands executed on the router:
Code:
# ip rule
0:    from all lookup local
90:    from all to 10.11.10.50 lookup main
90:    from all to 10.11.10.51 lookup main
90:    from all to 10.11.10.52 lookup main
90:    from all to 10.11.10.53 lookup main
90:    from all to 10.11.10.54 lookup main
90:    from all to 10.11.10.55 lookup main
90:    from all to 10.11.10.56 lookup main
11210:    from 10.11.10.0/24 lookup wgc1
11211:    from 10.11.8.0/24 lookup wgc1
32766:    from all lookup main
32767:    from all lookup default

# ip route show table main
default via 125.236.192.9 dev ppp0
10.8.0.1 dev wgc1 scope link
10.11.8.0/24 dev br0 proto kernel scope link src 10.11.8.85
10.11.10.50 dev wgs1 scope link
10.11.10.51 dev wgs1 scope link
10.11.10.52 dev wgs1 scope link
10.11.10.53 dev wgs1 scope link
10.11.10.54 dev wgs1 scope link
10.11.10.55 dev wgs1 scope link
10.11.10.56 dev wgs1 scope link
10.13.128.0/24 dev wgc1 proto kernel scope link src 10.13.128.89
125.236.192.9 dev ppp0 proto kernel scope link
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev eth0 proto kernel scope link src 169.254.97.69
192.168.101.0/24 dev br1 proto kernel scope link src 192.168.101.1
192.168.102.0/24 dev br2 proto kernel scope link src 192.168.102.1

# ip route show table wgc1
0.0.0.0/1 dev wgc1 scope link
default via 125.236.192.9 dev ppp0
10.11.8.0/24 dev br0 proto kernel scope link src 10.11.8.85
10.11.10.50 dev wgs1 scope link
10.11.10.51 dev wgs1 scope link
10.11.10.52 dev wgs1 scope link
10.11.10.53 dev wgs1 scope link
10.11.10.54 dev wgs1 scope link
10.11.10.55 dev wgs1 scope link
10.11.10.56 dev wgs1 scope link
10.13.128.0/24 dev wgc1 proto kernel scope link src 10.13.128.89
103.231.90.202 via 125.236.192.9 dev ppp0
125.236.192.9 dev ppp0 proto kernel scope link
127.0.0.0/8 dev lo scope link
128.0.0.0/1 dev wgc1 scope link
169.254.0.0/16 dev eth0 proto kernel scope link src 169.254.97.69
192.168.101.0/24 dev br1 proto kernel scope link src 192.168.101.1
192.168.102.0/24 dev br2 proto kernel scope link src 192.168.102.1

Sorry, not sure how to interpret this myself.
 
I tried pinging www.google.com from a WGServer client. This works when WGC1 is disabled, but doesn't work when WGC1 is active. Pinging other local devices doesn't work when WGC1 is active either.
Did you try to ping using the ip instead of www.google.com? Like
Code:
ping 142.250.74.132


Also, oddly enough, when WGC1 is active, WGServer to LAN traffic does not work either. This traffic works when WGC1 is disabled.
Odd indeed. Everything you say points to issues when wgs1 clients start to use the wgc1 route table. But I can't find any difference that would explain your issue.

The only odd thing perhaps is that your wgs1 server clients are 10.11.10.50 and up and not 10.11.10.2 and up. I assume your server peer is 10.11.10.1. Did you set it like this? I don't see any issues with it but it's the only thing that I see as a little out of the ordinary.
 
Thanks again for your assistance troubleshooting this. Just tried pinging 142.250.74.132 from a WGServer client and that doesn't work with WGC1 active either. It works fine when WGC1 is disabled.

I have the following set under "Tunnel IPv4 and / or IPv6 Address" for my WireGuard server: 10.11.10.1/32, assuming that's what you're asking.

Other potentially relevant WG Server settings are:
Access Intranet: checked
Allow DNS: checked
Enable NAT - IPv6: checked

For my WGC1 connection, I have:
Enable NAT: Yes
Inbound Firewall: Block
Killswitch: No
 
Thanks again for your assistance troubleshooting this. Just tried pinging 142.250.74.132 from a WGServer client and that doesn't work with WGC1 active either. It works fine when WGC1 is disabled.
While I cannot see any route issue, it could be a good idea to test it. When WGC1 is active and the internet connection is not working on wgs1 clients, try to run this over ssh on the router:
Code:
ip route get 142.250.74.132 from 10.11.10.52 iif wgs1
The result should point to your wg-client peer (wgc1).

And the other way around:
Code:
ip route get 10.11.10.52 from 142.250.74.132 iif wgc1
The result should point to your wg-server peer (wgs1).

You could redo the above when wgc1 is turned off, i.e.
Code:
ip route get 142.250.74.132 from 10.11.10.52 iif wgs1
should point to your WAN (ppp0?)
Code:
ip route get 10.11.10.52 from 142.250.74.132 iif ppp0
should point to your wg-server (wgs1)

You could play with the commands to test from wg server to your lan as well. If all turns out as expected, it's not a routing issue.
 
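The lookup that `ip route get` asks the kernel to perform, simulated in Python over the `ip rule` and route-table dump posted earlier in this thread. This is an added example, not part of the thread or of Asuswrt-Merlin. The rule and route text is copied (abridged) from the posted output; the LAN host 10.11.8.20, the expected interfaces, and the treatment of tables not in the dump (such as `local`) as empty are assumptions made for the example.

```python
"""Policy-routing lookup simulator: walk `ip rule` in priority order and, for
each rule that matches the packet, do a longest-prefix match in the named table;
a table with no matching route falls through to the next rule. This is what
`ip route get DST from SRC iif IIF` reports. Added example, not Merlin code."""
import ipaddress

# Router output copied from the thread, abridged to the entries these lookups touch
# (the remaining 10.11.10.5x peer routes behave exactly like .50 and .52).
IP_RULE_OUTPUT = """\
0:    from all lookup local
90:    from all to 10.11.10.50 lookup main
90:    from all to 10.11.10.52 lookup main
11210:    from 10.11.10.0/24 lookup wgc1
11211:    from 10.11.8.0/24 lookup wgc1
32766:    from all lookup main
32767:    from all lookup default
"""
TABLE_MAIN = """\
default via 125.236.192.9 dev ppp0
10.11.8.0/24 dev br0 proto kernel scope link src 10.11.8.85
10.11.10.50 dev wgs1 scope link
10.11.10.52 dev wgs1 scope link
"""
TABLE_WGC1 = """\
0.0.0.0/1 dev wgc1 scope link
default via 125.236.192.9 dev ppp0
10.11.8.0/24 dev br0 proto kernel scope link src 10.11.8.85
10.11.10.50 dev wgs1 scope link
10.11.10.52 dev wgs1 scope link
128.0.0.0/1 dev wgc1 scope link
"""

def parse_rules(text):
    """Parse `ip rule` lines; 'all' selectors are stored as None (match anything)."""
    rules = []
    for line in text.strip().splitlines():
        prio, _, rest = line.partition(":")
        tok = rest.split()
        rule = {"prio": int(prio), "from": None, "to": None, "iif": None, "table": None}
        for i, t in enumerate(tok):
            if t in ("from", "to") and tok[i + 1] != "all":
                rule[t] = ipaddress.ip_network(tok[i + 1], strict=False)
            elif t == "iif":
                rule["iif"] = tok[i + 1]
            elif t == "lookup":
                rule["table"] = tok[i + 1]
        rules.append(rule)
    return sorted(rules, key=lambda r: r["prio"])

def parse_table(text):
    """Parse `ip route show table X` lines into (prefix, dev, via) tuples."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        prefix = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0], strict=False)
        via = tok[tok.index("via") + 1] if "via" in tok else None
        routes.append((prefix, tok[tok.index("dev") + 1], via))
    return routes

def longest_match(routes, dst):
    best = None
    for prefix, dev, via in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, dev, via)
    return best

def route_get(rules, tables, dst, src, iif=None):
    """Mimic `ip route get dst from src iif iif`; returns
    (rule priority, table, matched prefix, dev, via) or None if nothing routes it."""
    dst, src = ipaddress.ip_address(dst), ipaddress.ip_address(src)
    for r in rules:
        if r["from"] is not None and src not in r["from"]:
            continue
        if r["to"] is not None and dst not in r["to"]:
            continue
        if r["iif"] is not None and iif != r["iif"]:
            continue
        routes = tables.get(r["table"])
        if routes is None:  # assumption: tables not in the dump (e.g. local) hold no match
            continue
        hit = longest_match(routes, dst)
        if hit is not None:
            return r["prio"], r["table"], str(hit[0]), hit[1], hit[2]
    return None

RULES = parse_rules(IP_RULE_OUTPUT)
TABLES = {"main": parse_table(TABLE_MAIN), "wgc1": parse_table(TABLE_WGC1)}

# (dst, src, iif, expected dev): the checks suggested above plus a constructed LAN host
CHECKS = [
    ("142.250.74.132", "10.11.10.52", "wgs1", "wgc1"),  # wgs1 client -> internet
    ("10.11.10.52", "142.250.74.132", "wgc1", "wgs1"),  # internet reply -> wgs1 client
    ("10.11.8.20", "10.11.10.52", "wgs1", "br0"),        # wgs1 client -> LAN host
    ("10.11.10.52", "10.11.8.20", "br0", "wgs1"),        # LAN host reply -> wgs1 client
]

def run_checks(rules=RULES, tables=TABLES):
    """Return [(dst, src, expected dev, actual dev, ok)] for every entry in CHECKS."""
    out = []
    for dst, src, iif, want in CHECKS:
        hit = route_get(rules, tables, dst, src, iif)
        got = hit[3] if hit else None
        out.append((dst, src, want, got, got == want))
    return out
```

Calling `run_checks()` on the posted dump reports all four lookups landing on the expected interface, which is the same conclusion the `ip route get` commands above would give on the router; if a real run of those commands disagrees with the simulator, the difference is in something the dump does not show (the `local` table, or rules and tables changed since it was taken). Dropping the two `lookup wgc1` rules and the `wgc1` table, which is assumed here to be what disabling the client does, sends the client's traffic to the WAN default via ppp0 instead.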
Hi,
I am running AX86U with 3004.388_9 with WGS to TorGuard enabled, as well as router WGS server activated.
Just have made a test with my smartphone connected to the AX86U VPN WGS while having redirected WGS clients to the WGS of ToG (via VPN Director rule) and the smartphone correctly gets the IP address of ToG.
I can access internet and local LAN resources. So all is OK here.
GS
 
