RT-AX56U as a VPN client to another brand server

deembi4

New Around Here
Can’t figure out the right way to connect two routers (LANs) with wgm (WireGuard Manager). Will be glad of any help.
What I got:
  1. First side (server) is a Keenetic Giga router with LAN 192.168.111.0/24. There is a DNS server here with IP 192.168.111.12.
  2. On the other side (client) I got an ASUS RT-AX56U router with a 192.168.232.0/24 LAN.
The purpose is to combine these 2 networks by a WireGuard VPN split tunnel. If the tunnel is UP then client-side devices must use the DNS server. If DOWN, forget about it.

What is already solved:
  1. WireGuard server is UP (10.8.0.1/24) and working well.
  2. Android clients are OK with the VPN server and the DNS server.
What kind of peer (server, device) do I have to create, and how do I connect it to the server side the right way?
 

ZebMcKayhan

Very Senior Member
I don't get the full picture. Do you need LAN-to-LAN access both ways, or is one way enough?

OK, you want to shift DNS on the clients, but do you also need/want to shift internet data?

So, the server peer is up, but did you add an allowed IP for your other LAN so you get the routes? Did you use wg-quick or something else? Or was the server peer only to try?
 

deembi4

New Around Here
1. Yes, I want full access both ways.
2. At the first step I want clients to keep their own gateway for internet access (through the Keenetic Giga, 192.168.111.1, on the server side and through the ASUS RT-AX56U, 192.168.232.1, on the client side).
3. It was easy enough to set up the server side on the Keenetic router because it has an appropriate component with a convenient GUI, WireGuard VPN. There is an official guide for configuring a VPN between 2 Keenetic routers: https://help.keenetic.com/hc/en-us/articles/360012075879. So the server side is ready to go, but my second router, the ASUS RT-AX56U, has no out-of-the-box solution. The only way I found is to install this add-on for Merlin, WireGuard Manager (https://postimg.cc/N26VVdc6).

Now I need to figure out how to set it up to work properly.
 

ZebMcKayhan

Very Senior Member
Now I need to figure out how to set it up to work properly.
Here is a general guide, but it may not give you the full answer:
https://github.com/ZebMcKayhan/WireguardManager#table-of-content

WireguardManager is centered around 2 import types, a Client and a Server.

The problem is that if you import the config as a client you will typically not have the port opened, nor any inbound access, as it is assumed to be a link to an internet supplier, so only RELATED,ESTABLISHED packets are allowed back. But you get to control DNS and which clients on your network will use this connection.

The other problem: if you import the config as a server, you retain the possibility to connect to the server both ways and you get your routes set up to access the other LAN, but you will not get the possibility to control internet data / policy routing, DNS redirect and so on. A server peer (according to wgm) does not attempt to send internet data out to its clients (this is supposed to go the other way).

However, a possible solution is to set everything up as a site-2-site, meaning import as a server, according to:
https://github.com/ZebMcKayhan/WireguardManager#site-2-site
You already have the config file created, so you only need to import it (end of section).

This way you connect the 2 networks to each other and should have full LAN-to-LAN access. But internet and DNS are typically still handled on each site respectively, so attempt this scheme:
https://github.com/ZebMcKayhan/WireguardManager#route-site-2-site-internet-access
to shift internet/DNS access according to your wishes.

So it will take a little scripting to get it to work, but hopefully easy enough if you follow my examples.

Note: there will not be any firewall on your Asus router between the site-2-site VPN and your LAN. Make sure your Keenetic Giga is set up in such a way as to act as a firewall between WAN and the site-2-site peer.
 

deembi4

New Around Here
I followed this guide. WireGuard is working, but I missed something.
1.
Code:
site2site shrt1 ip=10.8.0.2 port={Port} krrt1 lan=192.168.111.0/24 allowips=10.8.0.1/32,192.168.111.0/24 full
As I understood it, this generates conf and key files for the ASUS and Keenetic sides. Since I'd already got my Keenetic side working, I fixed and then imported just shrt1, as shown below:

2.
Code:
=== Start of shrt1.conf ===
# shrt1 - 192.168.232.0/24
[Interface]
PrivateKey = {ASUS PrivateKey}
Address = 10.8.0.2/32
ListenPort = {Port}


# WireGuard (%p - ListenPort; %wan - WAN interface; %lan - LAN subnet; %net - IPv4 Tunnel subnet ONLY recognised by Martineau's WireGuard Manager/wg-quick2)
PreUp = iptables -I INPUT -p udp --dport %p -j ACCEPT
PreUp = iptables -I INPUT -i %i -j ACCEPT
PreUp = iptables -t nat -I PREROUTING -p udp --dport %p -j ACCEPT
PreUp = iptables -t nat -I POSTROUTING -s %net/24 -o br0 -j MASQUERADE
# Next PreUp line was an effort to make DNS work. Values like 10.8.0.1 (Keenetic tunnel IP) or 192.168.111.12 (DNS server IP) don't work, so I commented it out.
# (resolvectl is part of systemd-resolved, which Asuswrt-Merlin does not ship, so this line cannot work on the router regardless of the value.)
# PreUp = resolvectl dns %i 10.8.0.1; resolvectl domain %i ~domain.local
PostDown = iptables -D INPUT -p udp --dport %p -j ACCEPT
PostDown = iptables -D INPUT -i %i -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -p udp --dport %p -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s %net/24 -o br0 -j MASQUERADE


# Firewall
PreUp = iptables -I INPUT   -i %i -j ACCEPT
PreUp = iptables -I FORWARD -i %i -j ACCEPT
PreUp = iptables -I FORWARD -o %i -j ACCEPT
PreUp = iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


PostDown = iptables -D INPUT   -i %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT



# krrt1 LAN
[Peer]
PublicKey = {Keenetic PublicKey}
AllowedIPs = 10.8.0.1/32, 192.168.111.0/24
Endpoint = {Keenetic Public IP}:{Keenetic Port}
#PresharedKey =
PersistentKeepalive = 25
=== End of shrt1.conf ===

3.
Code:
peer import shrt1.conf type=server

4. https://postimg.cc/JDP6dwZ2

5. It works well, I can ping any device including the DNS server, but the Asus side doesn't use it by default when the tunnel is active. BTW, if I try to restart the wg21 server peer then something goes wrong and no local device can get Internet access until a full Asus reboot.
 

ZebMcKayhan

Very Senior Member
As I understood it generates conf and keys files for ASUS and Keenetic sides. Since I'd allready got my Keenetic side working I fixed and then imported just shrt1 as it shown below:
Yeah, you don't have to execute the site2site command at all; since you already have your config, you just need to import it as a server.


So, where did you get this format? You are using wgm-exclusive tags. Did you let wgm create the files, then change them manually and import again? And delete the original peer?
Anyhow, there are a lot of things here not needed by wgm. Pretty much all of the PreUp and PostDown lines I believe are redundant. You should be able to remove them. Did wgm put these here?


It works well, I can ping any device including DNS server but Asus side don't use it by default when tunnel is active.
No... you would need to use DNSFilter for that. When DNSFilter is enabled you could add a command to wg21-up.sh, i.e.
Code:
iptables -t nat -I DNSFILTER -s 192.168.232.0/24 -j DNAT --to-destination 192.168.111.12
to redirect DNS requests from the entire LAN (192.168.232.0/24) or a single IP (192.168.232.145) to the DNS server of your choice (192.168.111.12); change the IPs to your needs, but don't forget to remove the rule in the wg21-down script (change -I to -D). You could also use the PostUp & PreDown directives if you wish.

BTW if I try to restart wg21 server-peer then something goes wrong and any local device can't get Internet access till full Asus reboot.
Have no idea why... maybe something got removed that shouldn't have been, or some rule is still there that should have been removed. Check all your directives so everything is cleared up properly. Or just a reboot maybe, to clear off some remnant from tinkering?
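The DNSFILTER redirect above, written as idempotent up/down helpers. This is an added example, not code from the thread, from WireguardManager or from Asuswrt-Merlin. It assumes the chain name DNSFILTER and the addresses exactly as given in the reply above; the hook-script names wg21-up.sh / wg21-down.sh come from the thread, but the function names, the `-C` check-before-insert pattern and the offline `mock_iptables` stand-in are this example's own. The reason for the checks: if "up" inserts without checking, every peer restart stacks another copy of the DNAT rule, and a "down" that runs a single `-D` removes only one of them; a leftover rule in the nat table is one plausible cause of the "no internet until reboot" symptom, though the thread itself does not establish that.

```shell
#!/bin/sh
# Added example (not from the thread, WireguardManager or Merlin): idempotent
# wg21-up.sh / wg21-down.sh logic for the DNSFILTER redirect. The real rule is
#   iptables -t nat -I DNSFILTER -s 192.168.232.0/24 -j DNAT --to-destination 192.168.111.12
# "up" must not stack a second copy on a restart; "down" must remove every copy.

LAN_NET="${LAN_NET:-192.168.232.0/24}"       # Asus LAN (from the thread)
REMOTE_DNS="${REMOTE_DNS:-192.168.111.12}"   # DNS server on the Keenetic LAN
# On the router: export IPT=iptables. The default is an offline stand-in (below)
# so the logic can be exercised on a workstation without touching netfilter.
IPT="${IPT:-mock_iptables}"

# One definition of the chain + match + target, shared by -C, -I and -D so the
# three can never drift apart. Used unquoted on purpose (word splitting).
dns_rule() { echo DNSFILTER -s "$LAN_NET" -j DNAT --to-destination "$REMOTE_DNS"; }

# DNSFILTER exists only while DNSFilter is enabled in the Merlin GUI; fail loudly
# instead of letting the -I error go unnoticed inside a hook script.
dnsfilter_chain_present() { $IPT -t nat -L DNSFILTER -n >/dev/null 2>&1; }

dns_redirect_up() {
    dnsfilter_chain_present || { echo "DNSFILTER chain missing: enable DNSFilter first" >&2; return 1; }
    # -C succeeds when an identical rule already exists: insert only if absent.
    $IPT -t nat -C $(dns_rule) 2>/dev/null && return 0
    $IPT -t nat -I $(dns_rule)
}

dns_redirect_down() {
    dnsfilter_chain_present || return 0     # nothing to clean up
    # Delete until -C stops matching, so duplicates left by an earlier
    # non-idempotent script are removed as well.
    while $IPT -t nat -C $(dns_rule) 2>/dev/null; do
        $IPT -t nat -D $(dns_rule)
    done
}

# ---- Offline stand-in for iptables (constructed for this example) ----------
# Keeps the nat DNSFILTER chain as lines in a temp file and supports only the
# verbs the helpers use: -L, -C, -I, -D. Not needed on the router.
MOCK_STATE="${MOCK_STATE:-${TMPDIR:-/tmp}/mock_dnsfilter.$$}"
: > "$MOCK_STATE"
trap 'rm -f "$MOCK_STATE" "$MOCK_STATE.new"' EXIT
mock_iptables() {
    # called as: mock_iptables -t nat <verb> CHAIN [rule args...]
    verb=$3
    shift 3
    spec="$*"
    case "$verb" in
        -L) [ "$1" = "DNSFILTER" ] ;;
        -C) grep -qxF "$spec" "$MOCK_STATE" ;;
        -I) { echo "$spec"; cat "$MOCK_STATE"; } > "$MOCK_STATE.new" \
                && mv "$MOCK_STATE.new" "$MOCK_STATE" ;;
        -D) awk -v s="$spec" '!d && $0 == s { d = 1; next } { print }' "$MOCK_STATE" \
                > "$MOCK_STATE.new" && mv "$MOCK_STATE.new" "$MOCK_STATE" ;;
        *)  echo "mock_iptables: unsupported verb $verb" >&2; return 2 ;;
    esac
}

# Number of copies of the redirect rule currently in the (mock) chain.
rule_count() { grep -cxF "$(dns_rule)" "$MOCK_STATE" || true; }

# Stand-alone demo against the mock: up twice leaves one rule, down leaves none.
dns_redirect_up && dns_redirect_up
echo "after up,up: $(rule_count) rule(s)"    # 1
dns_redirect_down
echo "after down:  $(rule_count) rule(s)"    # 0
```

On the router, keep only the two functions and the variables, export `IPT=iptables`, and call `dns_redirect_up` from wg21-up.sh and `dns_redirect_down` from wg21-down.sh. Because the rule sits inside DNSFILTER, which Merlin only reaches from its own `--dport 53` jumps, no port match is needed on the rule itself; it redirects DNS only, and only while the peer is up.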
 
