Using wireguard to tunnel to another geolocation

cdjockey

Occasional Visitor
Hello,

I am thinking of using wireguard as it appears to have a lot of benefits vs other methods, namely speed.

I would like for all of the data from one device on my network (client via AC86U) to go via a tunnel to another location (AC86U acting as a server) in a different country and pop out in that location. Thus the device would have a geo-ip in that country. I don't want to use a VPN as their IPs are already blocked.

Most of what I have read seems to be people using wireguard to connect to VPN providers, but I assume it would be suitable/capable for what I am looking at?

I also assume I would need to setup DDNS on the server router so the initial connection can be made, i.e. the wireguard client knows where to connect to.

I have been reading up on the Wireguard session manager and I think I can follow the main instructions (MartineauUK guide), but is there anything special I should know for what I am considering?

If anyone knows of a guide that does what I am looking at, a link would be much appreciated; I'm not sure I know the correct technical terms for what I am trying to achieve.

Many Thanks
 

Tech9

Part of the Furniture
but is there anything special I should know for what I am considering?

RT-AC86U quirks and reliability issues:


I assume it would be suitable/capable for what I am looking at?

Yes.

I also assume I would need to setup DDNS on the server router

Yes, but built-in Asus service has some issues reported from time to time.
 

chongnt

Very Senior Member
Hello,

I am thinking of using wireguard as it appears to have a lot of benefits vs other methods, namely speed.

I would like for all of the data from one device on my network (client via AC86U) to go via a tunnel to another location (AC86U acting as a server) in a different country and pop out in that location. Thus the device would have a geo-ip in that country. I don't want to use a VPN as their IPs are already blocked.

Most of what I have read seems to be people using wireguard to connect to VPN providers, but I assume it would be suitable/capable for what I am looking at?

I also assume I would need to setup DDNS on the server router so the initial connection can be made, i.e. the wireguard client knows where to connect to.

I have been reading up on the Wireguard session manager and I think I can follow the main instructions (MartineauUK guide), but is there anything special I should know for what I am considering?

If anyone knows of a guide that does what I am looking at, a link would be much appreciated; I'm not sure I know the correct technical terms for what I am trying to achieve.

Many Thanks
Perhaps you can look into the site-to-site guide from Zeb.

 

cdjockey

Occasional Visitor
RT-AC86U quirks and reliability issues:

Yes.

Yes, but built-in Asus service has some issues reported from time to time.
Thanks for the link, I was not aware of the NVRAM issue. I am aware of the thermal design issues and have tried to help those along myself with this 3D printed 120mm fan holder, which works ok:
[attachment: 1 - All.jpg]

It has a removable filter:
[attachment: 2 - filter removed.jpg]

It uses the aerials as locators and hangs off them, so it's reversible/removable:
[attachment: 3 - top view.jpg]


Re: DDNS - useful to know about the Asus one possibly having issues. I had used Duck DNS in a previous project, maybe I will use them again over Asus.

Thank you
 

cdjockey

Occasional Visitor
I had missed the site-to-site bit, I will have a detailed read of that and fingers crossed get this working.
 

ZebMcKayhan

Very Senior Member
I had missed the site-to-site bit, I will have a detailed read of that and fingers crossed get this working.
Site-2-site may not be ideal if you are only after routing internet traffic; although possible, it is rather bulky. Site-2-site only sets up LAN-2-LAN traffic, internet traffic is still on each respective site. I have examples on how to shift internet traffic on my GitHub tutorial but all is handled via scripting so not ideal.

Set up a server peer on the device you wish the internet traffic to pop out of, and create a device on that server. Then import the device config file as an internet client on the site where you wish to connect from. If the client is a router running wgm you could use policy routing to control which devices are routed via the remote peer to the internet and which use local internet. I think this setup will benefit the most from wgm and no scripting needed.

Both setting up server and internet clients are described here:
https://github.com/ZebMcKayhan/WireguardManager#table-of-content
 

cdjockey

Occasional Visitor
Site-2-site may not be ideal if you are only after routing internet traffic; although possible, it is rather bulky. Site-2-site only sets up LAN-2-LAN traffic, internet traffic is still on each respective site. I have examples on how to shift internet traffic on my GitHub tutorial but all is handled via scripting so not ideal.

Set up a server peer on the device you wish the internet traffic to pop out of, and create a device on that server. Then import the device config file as an internet client on the site where you wish to connect from. If the client is a router running wgm you could use policy routing to control which devices are routed via the remote peer to the internet and which use local internet. I think this setup will benefit the most from wgm and no scripting needed.

Both setting up server and internet clients are described here:
https://github.com/ZebMcKayhan/WireguardManager#table-of-content
Hi, thanks for your suggestion. Your suggestion sounds like the right route to me. The client would be a router but I would only want one device to connect, so the policy routing sounds like the best method.

I *think* based on what I have read here (managesetup-ipsets-for-policy-based-routing) that I could also route certain things via the local WAN e.g. netflix which would be a good addition to reduce traffic.
 

ZebMcKayhan

Very Senior Member
I *think* based on what I have read here (managesetup-ipsets-for-policy-based-routing) that I could also route certain things via the local WAN e.g. netflix which would be a good addition to reduce traffic.
You could, and it works great, I'm using it to bypass VPN for Netflix via dnsmasq. Although there are some things to consider:
- ipset rules are typically applied in a general sense, meaning if you have a Netflix ipset that contains destination IPs, it would be applied to all source addresses (not only the ones in your policy rules). Depending on what you do this might or might not be a problem.
- If you are using dnsmasq (or AGH) to harvest IP addresses and populate the ipset, it only works if dnsmasq (or AGH) is actually used. Wireguard uses DNAT (Exclusive) to shift the DNS for clients. Something to consider maybe.
 

cdjockey

Occasional Visitor
You could, and it works great, I'm using it to bypass VPN for Netflix via dnsmasq. Although there are some things to consider:
- ipset rules are typically applied in a general sense, meaning if you have a Netflix ipset that contains destination IPs, it would be applied to all source addresses (not only the ones in your policy rules). Depending on what you do this might or might not be a problem.
- If you are using dnsmasq (or AGH) to harvest IP addresses and populate the ipset, it only works if dnsmasq (or AGH) is actually used. Wireguard uses DNAT (Exclusive) to shift the DNS for clients. Something to consider maybe.

Ah ok, so you're saying it would pick up (and collect IPs) all Netflix requests even from other devices like mobile phones, not just the target device. I would probably just want to exclude Netflix from this VPN tunnel on this device (TV), by the sounds of it exactly what you are using it for. I will make this the next stage after I get it working first.
 

cdjockey

Occasional Visitor
So I have installed wireguard on the target router (the server) where I want to pop out:

[attachment: server.JPG]

So that looks fine. Although how do I remove the extra 'TV_client'? I tried peer TV_client delete, delete TV_client .... and various others but could not get the correct command. I'm only a noob for a lot of the terminal stuff.

I also got a copy of the 'SamTV.conf' file that I assume is for the client:
[attachment: client config.JPG]

I have also installed wireguard on the 'client' end router (another AC86U). I deleted the default peer it created:
[attachment: Capture.JPG]

Now I think I need to import the 'SamTV.conf' file (option 11).

What i'm a little confused about is how to do the policy routing for a single device on this end. The device is static on 192.168.1.90. Could someone confirm the syntax for setting this device only to be routed over the wireguard connection to the server and pop out at the server end? (and everything else exit normally via the local wan)

Many thanks
 

ZebMcKayhan

Very Senior Member
Although how do I remove the extra 'TV_client', i tried peer TV_client delete, delete TV_client .... and various others but could not get the correct command. I'm only a noob for a lot of the terminal stuff.
Try
Code:
E:Option ==> peer TV_client del

Before importing the client you might consider changing DNS, as the DNS stated in the conf file would be used by clients over VPN. To use dnsmasq on your server, change it to the wg server IP: 10.50.1.1
What i'm a little confused about is how to do the policy routing for a single device on this end. The device is static on 192.168.1.90
Assuming your import will end up at wg11:
Code:
E:Option ==> peer wg11 rule add vpn 192.168.1.90 comment My Computer To VPN
And then
Code:
E:Option ==> peer wg11 auto=P
to make it autostart in policy mode.

As your rule only covers one IP, all others will go to WAN as usual and only this IP will be redirected over VPN, with DNS redirected to whatever you tell it in the config file.

If you already imported the .conf file you could change DNS afterwards:
Code:
E:Option ==> peer wg11 dns=10.50.1.1
and it will only affect the one ip you have a rule for.

Please stop the peer before you make these changes and start it after, to not end up with residues on your system. Alternatively, reboot after everything.
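What a single-host rule like `peer wg11 rule add vpn 192.168.1.90` has to achieve underneath, shown here as an added generic Linux example (this is not wgm's code and not from this thread; wgm's own rules may differ in detail). Assumptions: wg11 is the client-side tunnel interface, 10.50.1.1 is the server's tunnel address as above, 192.168.1.0/24 is the local LAN, and routing table 111 / rule priority 9990 are arbitrary values assumed to be free on the router. By default the function only prints the commands.

```shell
#!/bin/sh
# Policy routing for ONE LAN host through a WireGuard interface, generic Linux.
# Illustration only: this is not wgm's own code and wgm's actual rules may differ.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# policy_route_host SRC_IP WG_IF TUN_DNS LAN_CIDR [TABLE] [PRIO]
#   SRC_IP   the one device to send through the tunnel   (192.168.1.90 here)
#   WG_IF    the client-side WireGuard interface          (wg11)
#   TUN_DNS  resolver reachable inside the tunnel         (server's 10.50.1.1)
#   LAN_CIDR local LAN that must stay off the tunnel      (192.168.1.0/24, assumed)
#   TABLE/PRIO are assumed-free values on this router.
policy_route_host() {
    src=$1 wgif=$2 dns=$3 lan=$4 table=${5:-111} prio=${6:-9990}

    # 1. A routing table whose only default route is the tunnel.
    run ip route replace default dev "$wgif" table "$table"
    # 2. Local LAN destinations from that host keep using the main table.
    run ip rule add from "$src" to "$lan" lookup main priority "$((prio - 1))"
    # 3. Everything else from that host consults the tunnel table first...
    run ip rule add from "$src" lookup "$table" priority "$prio"
    # 4. ...and if the tunnel is down the kernel has already removed the route
    #    from TABLE, so this rule rejects the traffic instead of letting it fall
    #    through to the WAN: the leak protection ("kill switch").
    run ip rule add from "$src" prohibit priority "$((prio + 1))"
    # 5. SNAT onto the tunnel address: the server only accepts packets whose
    #    source lies inside this peer's AllowedIPs (10.50.1.2/32), not 192.168.1.x.
    run iptables -t nat -A POSTROUTING -s "$src" -o "$wgif" -j MASQUERADE
    # 6. Force that host's DNS into the tunnel (the per-client DNS DNAT the
    #    thread mentions); without it lookups still go to the local resolver.
    for proto in udp tcp; do
        run iptables -t nat -A PREROUTING -s "$src" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$dns"
    done
}

# Dry run with the addresses from this thread (LAN CIDR assumed):
policy_route_host 192.168.1.90 wg11 10.50.1.1 192.168.1.0/24
```

Two of these lines matter for security rather than connectivity: the `prohibit` rule is what stops the TV's traffic from quietly leaving via the local WAN when wg11 is down, and the per-source DNAT of port 53 is what stops its DNS lookups from revealing the real location even when the data path is tunnelled.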
 

cdjockey

Occasional Visitor
Try
Code:
E:Option ==> peer TV_client del
Thanks, I thought it might be something small.

Before importing the client you might consider changing dns as the dns stated in the confile would be used by clients over vpn. To use dnsmasq on your server, change to wg server ip: 10.50.1.1
Ok, I *think* I have done this correctly although I'm not sure if the 'Address =' should also be 10.50.1.1.

At the moment my conf file looks like this:
[attachment: updated conf file.JPG]

So as you can see both 'Address' and 'DNS' are now both pointing to 10.50.1.1 - correct?

When I tried to import the file I got this error:
[attachment: Wireguard_error.JPG]
I used the command 'peer import SamTV.conf type=device' but it seems to not like something on the 'Address line'

I also tried changing it to: Address = 10.50.1.2/32 , but this also gave the same error.

Maybe I've misunderstood or made a mistake in the conf file?

Code:
E:Option ==> peer wg11 rule add vpn 192.168.1.90 comment My Computer To VPN
Thank you for this and this warning:
Please stop the peer before you make these changes and start it after to not end up with residues on your system.

Hopefully this thread will help other people with setting up wireguard.
Thank you again
 

ZebMcKayhan

Very Senior Member
So as you can see both 'Address' and 'DNS' are now both pointing to 10.50.1.1 - correct?
Nope, address should not be changed. Your wg server has address 10.50.1.1 and for this client it should be 10.50.1.2/32. They can't have the same address. Only change DNS, or keep it as it is and change it later in wgm.

You should not import a type=device, as this is for importing a device into a server. You should import an internet client:
Code:
E:Option ==> import SamTV.conf
https://github.com/ZebMcKayhan/WireguardManager#import-client
 

cdjockey

Occasional Visitor
Thanks, I have corrected the .conf file so that it is now correct:
[attachment: nano.JPG]


I then used the command as you suggested, but I still get an error:

[attachment: wireguard samconf error.JPG]


I don't see anything wrong compared to example ones online, is there something else I'm missing?

Thank you again for your help.
 

cdjockey

Occasional Visitor
I did the command, but it didn't return anything if it was meant to?:
[attachment: shell.JPG]


I then tried to import again, but with same error. Maybe I should export the file again or something else?
 

cdjockey

Occasional Visitor
The only other thing that could be an issue is that I am using PuTTY, and I noted it is mentioned at the beginning of the guide, but I don't think it applies unless I am deleting things with backspace.
 

ZebMcKayhan

Very Senior Member
The only other thing that could be an issue is that I am using PuTTY, and I noted it is mentioned at the beginning of the guide, but I don't think it applies unless I am deleting things with backspace.
I've never seen this before. PuTTY and nano should work fine. The only thing I could think of is the content.

Try to remove all comments and everything else that is hashed out from the file and try the import again. If it still doesn't work, try to re-arrange the lines according to:
Code:
[Interface]
Address =
DNS =
PrivateKey =

[Peer]
AllowedIPs =
Endpoint =
PublicKey =
PresharedKey =
PersistentKeepalive =
 

cdjockey

Occasional Visitor
Success, it's working!

It was a silly mistake, I had not noticed that when I copied it, it had pulled across the line numbers as well, i.e. these:
[attachment: Actual error.JPG]

So I deleted them out and imported it again.

Maybe it will help someone in the future looking at a similar issue.

Is there anything I need to do so that the Wireguard will start up and connect as a client if the router is rebooted? will it automatically reconnect?

I will now go away and read the guides on IPSET to route all the netflix to the WAN and avoid the tunnel.

Many Thanks
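The two import failures in this thread (the Address set to the server's own 10.50.1.1, and editor line numbers pasted into the file) are both cheap to catch before running the import. Here is an added POSIX shell checker for a client .conf that does so, using the key order Zeb listed above; it is not part of this thread and not wgm's code. It assumes the server's tunnel address is 10.50.1.1 as in this thread; the two sample files, the hostname vpn.example.com and the all-zero placeholder keys are constructed for the demo.

```shell
#!/bin/sh
# wg_conf_check FILE [SERVER_ADDR]
# Sanity-checks a WireGuard client .conf before "import" so wgm does not reject it.
# Prints one "error: ..." line per problem; returns 0 when clean, 1 otherwise.
# SERVER_ADDR is the server peer's tunnel address (10.50.1.1 in this thread).
wg_conf_check() {
    f=$1
    srv=${2:-10.50.1.1}
    rc=0

    # Pasted line numbers ("2 Address = ...") are exactly what broke the import above.
    if grep -Eq '^[[:space:]]*[0-9]+[[:space:]]+(\[|[A-Za-z]+[[:space:]]*=)' "$f"; then
        echo "error: lines carry leading line numbers (copy/paste artefact); remove them"
        rc=1
    fi

    # Normalise: drop comments and blank lines, strip leading line numbers so the
    # remaining checks still run, and squash "Key = value" to "Key=value".
    clean=$(sed -e 's/#.*$//' \
                -e '/^[[:space:]]*$/d' \
                -e 's/^[[:space:]]*//' \
                -e 's/^[0-9][0-9]*[[:space:]][[:space:]]*\[/[/' \
                -e 's/^[0-9][0-9]*[[:space:]][[:space:]]*\([A-Za-z]\)/\1/' \
                -e 's/[[:space:]]*=[[:space:]]*/=/' "$f")

    for sect in '[Interface]' '[Peer]'; do
        printf '%s\n' "$clean" | grep -qF "$sect" || { echo "error: missing $sect section"; rc=1; }
    done
    for key in Address PrivateKey PublicKey AllowedIPs Endpoint; do
        printf '%s\n' "$clean" | grep -q "^$key=" || { echo "error: missing $key ="; rc=1; }
    done

    # Curve25519 keys are 32 bytes: 43 base64 characters plus one '=' of padding.
    for key in PrivateKey PublicKey PresharedKey; do
        val=$(printf '%s\n' "$clean" | sed -n "s/^$key=//p" | head -n 1)
        if [ -n "$val" ]; then
            printf '%s\n' "$val" | grep -Eq '^[A-Za-z0-9+/]{43}=$' \
                || { echo "error: $key is not a 44-character base64 key (truncated paste?)"; rc=1; }
        fi
    done

    # Address is this client's own tunnel IP: a single host, never the server's.
    addr=$(printf '%s\n' "$clean" | sed -n 's/^Address=//p' | head -n 1)
    case $addr in
        "$srv"|"$srv"/*) echo "error: Address $addr is the server's address; use the one wgm assigned to the device (e.g. 10.50.1.2/32)"; rc=1 ;;
        */32) ;;
        ?*) echo "error: Address $addr should be a single host with a /32 prefix"; rc=1 ;;
    esac

    # DNS is optional, but if it does not point into the tunnel the client's
    # lookups go wherever the conf says, not to the server's dnsmasq.
    dns=$(printf '%s\n' "$clean" | sed -n 's/^DNS=//p' | head -n 1)
    if [ -n "$dns" ] && [ "$dns" != "$srv" ]; then
        echo "note: DNS=$dns; set DNS = $srv to resolve through the server's dnsmasq"
    fi
    return $rc
}

# Constructed sample files. The key is a placeholder, not a real key: 43 'A's
# plus '=' is the base64 of 32 zero bytes, i.e. the right shape for a WG key.
ZERO_KEY="$(printf '%43s' '' | tr ' ' 'A')="
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<EOF
[Interface]
Address = 10.50.1.2/32
DNS = 10.50.1.1
PrivateKey = $ZERO_KEY

[Peer]
PublicKey = $ZERO_KEY
PresharedKey = $ZERO_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
EOF
# The same file as pasted with editor line numbers and the server's own address.
cat > "$tmp/bad.conf" <<EOF
1 [Interface]
2 Address = 10.50.1.1
3 DNS = 10.50.1.1
4 PrivateKey = $ZERO_KEY
5 [Peer]
6 PublicKey = $ZERO_KEY
7 AllowedIPs = 0.0.0.0/0
8 Endpoint = vpn.example.com:51820
9 PersistentKeepalive = 25
EOF

wg_conf_check "$tmp/good.conf" && echo "good.conf: ok to import"
wg_conf_check "$tmp/bad.conf" || echo "bad.conf: fix before importing"
```

Run it as `sh wg_conf_check.sh` (or source it and call `wg_conf_check /path/SamTV.conf`) on the router before `import`; the second sample reports both the line-number artefact and the Address collision, while a conf exported by the server's own wgm passes cleanly.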
 

ZebMcKayhan

Very Senior Member
Success it working!
Glad to hear it!


I will now go away and read the guides on IPSET to route all the netflix to the WAN and avoid the tunnel.
The easiest way to setup the ipset is to install x3mrouting from amtm, use option 3 (OpenVPN Event & x3mRouting Script).

Then create your ipset from the shell, i.e.:
Code:
x3mRouting ipset_name=NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net
And it will setup autosave/restore and dnsmasq for you, so the ipset "NETFLIX" is then ready to be plugged into wgm according to my guide.
 
