Wireguard client doesn't work


meliodas

Occasional Visitor
Hi, I'm trying to create a new Wireguard client in the router GUI that connects to my remote VPS VPN server. Before doing so, I tested the VPN config file on another machine and it works. I then stopped the VPN on the machine and continued to set up the Wireguard client in the router GUI. So far so good.

Now in a terminal, I ssh into my router, and do ifconfig wgc1 and I can see the interface is up and the IP address of the peer. However, when I ping the remote peer IP I get no reply. Similarly, on the remote VPS, when I ping the client peer IP I get no response as well. I thought it was straightforward but clearly not, or I'm missing something?

Please help. Thanks.
 
Merlin fw requires policy rules for Wireguard clients.

Use VPN Director to set up rules for which local/LAN IPs should use the tunnel and/or which remote/destination IPs the tunnel should be used for.
 
What router, what firmware?
If using a VPN client on the router, have you set up a policy rule on the VPN Director page for the VPN client?
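The two replies above describe the failure mode in the original post: the wgc1 interface is up, but without a policy rule nothing is ever routed into it. The script below is an added diagnostic, not code from the thread or from the Asuswrt-Merlin firmware. It parses `ip rule show` text and reports whether a rule sends a given LAN host (and destination) to the client's routing table; the table name `wgc1`, the rule priority and the addresses are constructed sample values, so it runs offline as written.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from Merlin's firmware): check whether
# `ip rule show` output contains a policy rule that sends LAN_IP -> REMOTE_IP to
# the WireGuard client's routing table. Table name "wgc1" is an assumption.

# ip2int 192.168.50.10 -> the dotted quad as a single integer
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> 0 if IP falls inside CIDR (a bare address means /32)
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  [ "$net" = "$2" ] && bits=32
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# tunnel_rule_for RULES TABLE LAN_IP REMOTE_IP -> 0 if some rule in RULES
# (text from `ip rule show`) with "lookup TABLE" matches the source and,
# when the rule has a "to" part, the destination as well.
tunnel_rule_for() {
  table=$2; lan=$3; remote=$4
  printf '%s\n' "$1" | {
    while read -r line; do
      src=all; dst=all; tbl=
      set -- $line
      while [ $# -gt 1 ]; do
        case $1 in from) src=$2 ;; to) dst=$2 ;; lookup) tbl=$2 ;; esac
        shift
      done
      [ "$tbl" = "$table" ] || continue
      { [ "$src" = all ] || in_cidr "$lan" "$src"; } || continue
      { [ "$dst" = all ] || in_cidr "$remote" "$dst"; } || continue
      exit 0
    done
    exit 1
  }
}

# Constructed sample output: the original poster's state (interface up, only the
# default tables) and the state after a VPN Director rule for the LAN subnet.
RULES_BEFORE='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'
RULES_AFTER="0:      from all lookup local
10001:  from 192.168.50.0/24 lookup wgc1
32766:  from all lookup main
32767:  from all lookup default"

if tunnel_rule_for "$RULES_BEFORE" wgc1 192.168.50.10 10.8.0.1; then
  echo "policy rule present: traffic from 192.168.50.10 uses wgc1"
else
  echo "no policy rule for 192.168.50.10 -> wgc1: add one in VPN Director"
fi
```

On a router the same check is `tunnel_rule_for "$(ip rule show)" wgc1 <lan-ip> <remote-ip>`; a rule with a destination part (`from all to x.x.x.x lookup wgc1`) is matched against the remote address.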
 
Ah okay. I'll take a look thanks.
 
Ok, so reporting back. I managed to get it to work by using VPNDirector. This seems fine for IPv4. Not so much for IPv6, as VPNDirector only accepts IPv4 addresses or CIDRs.

Hopefully in the next release VPNDirector, which I believe is an addon by Merlin, gets dual-stack support.
 
Unless things have changed, @RMerlin appears to possibly indicate redirecting IPv6 traffic may be problematic "due to the volatile nature of IPv6 addresses".
 
I agree with you.
While it is not a big thing to have vpn-director accept and use IPv6 (in fact, you can put these in yourself via SSH easily: duplicate the route tables for IPv6, same thing; most of the other stuff is already in place for IPv6 over Wireguard; FYI, the Wireguard Manager addon has full IPv6 support),

the problem is what you will put in vpn-director.

If you have a connection like mine, your prefix will change as it is dynamic (most are). On top of that, the router typically does not distribute the device suffix, it only delegates the prefix, then the devices assign this themselves. So the router has no idea what IP the devices choose to use. Adding to this, more devices are now using SLAAC with privacy extensions, so the IP may be changing from one time to another.

Of course you may be one of the few with a static prefix and you may choose to use stateful assignment and skip using Android devices as they are not compatible, but you will be one of the few.

One idea would be to use MAC-address based routing, which is very possible, but with today's devices moving to randomizing these we again find ourselves out of control (including IPv4). Although this may be the way to go, the FW currently has no good way that I know of to support routing based on MAC address, only via firewall marks.

IPv6 decentralizes your network and leaves the router out of control unless you choose to control it and live with the consequences.

Due to these problems I have chosen to only enable IPv6 on the router itself but not on my LAN. So I can still use IPv6 to connect from the internet to my router via Wireguard. When the connection is made it will give IPv4 access as well.

Wherever vpn-director ends up, it is not going to be easier to use and it will likely create more confusion and "bad luck". But I'm hoping to be wrong.
 
IPv6-based policy routing is next to impossible to implement in a usable way, because IPv6 by its design is more ephemeral/random. Unlike IPv4, you don't set up a static IPv6 on a client. Even if it hosts a server within your LAN, its outbound connection will use an ephemeral IPv6 address for security and confidentiality reasons, which will be different from the inbound IPv6 you might have assigned to it.
 
