WireGuard Client & WireGuard Server/InstantGuard at the same time?

privacyguy123

Senior Member
Is such a setup possible on these routers? Through the GUI it seems not ... is there perhaps some fancy kind of hack or script?
 
I'm running WireGuard server and WireGuard client on my router at the same time. It works perfectly! You just need to add the proper rules in VPNDirector.
Not sure why you want to add InstantGuard to the mix?

Why would you say it doesn't look possible in the GUI?
 

Maybe you could talk me through it? I already have WireGuard client with VPNDirector rules ... could you screenshot your settings? When I tried to tunnel into my router with the supplied QR code, my phone on 4G wasn't able to connect to anything.

I was about to try one connection OVPN one connection WireGuard because I keep getting some weird error about multiple up scripts when I try OVPN.
 
Doh ... it was the port forwarding. I can tunnel through the router now but getting Public IP. Isn't it possible to tunnel in and also share the VPN client's IP that's connected from within the router?
 
Open setting VPN (1), VPN Server (2), Other (2) and select WireGuard (3).
If you don't have any tunnel IP preference, let the default 10.6.0.1/32 be (it will be simplest) (4).
Create a client by pushing (5).
In the window that appears, give the client an appropriate name and hit apply.
Click on the client to get a QR code or config file to import to the WireGuard client.
Start the server by sliding the WireGuard switch.

When convenient, add the VPNDirector rule local ip = blank, remote ip = 10.6.0.0/24, iface = WAN. This is for LAN clients using VPN to connect to the internet to be able to communicate with your server clients.
 

Attachment: 20230930_180811.jpg

I was missing this, which seems important. I still am unable to tunnel through the router and share its VPN IP, however.
 
I can't help you with OVPN. With WireGuard it's just to add WireGuard server client IP to VPNDirector, such as local ip 10.6.0.0/24 for all server clients, or 10.6.0.2/32 for just the first client. Then set to use Iface wgc1 or whichever you use.
 
I've got a little further adding this workaround hack to AllowedIPS in the VPN SERVER config page "0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,128.0.0.0/3,160.0.0.0/5,168.0.0.0/6,172.0.0.0/12,172.32.0.0/11,172.64.0.0/10,172.128.0.0/9,173.0.0.0/8,174.0.0.0/7,176.0.0.0/4,192.0.0.0/9,192.128.0.0/11,192.160.0.0/13,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4"

My phone tunnelling in through VPN tunnel can't see Tidal Connect devices that the main Laptop can though with exactly the same settings ... what would be stopping it from discovering the Tidal connect receiver?
 
Why don't you slow down and tell us what your issue really is. Do you know what's happening when you mess with AllowedIPs? This is part of WireGuard internal and external routing. There are typically no reasons to replace the default value. More risk of breaking something.

So, what is working for you and what is not?
 
I'm able to tunnel into the router and share its VPN connection now with a combination of stuff you've suggested. Localhost access seems broken - unable to connect to Adguard Home panel or Tidal Connect devices for example.
 
This is a problem on your Adguard device, or Tidal Connect device. Check their firewalls to allow incoming connections from 10.6.0.0/24 subnet.
 
Tidal connect device doesn't have a firewall.

Adguard is installed on the router itself, indicating a problem with accessing localhost despite the option "access intranet" being ticked ...
 
Then something else on the device is preventing access from other subnets.

There are workarounds for this but they affect performance, router work-loads and make future debugging more difficult, so deplete other options first.

Don't make the mistake of blaming the WireGuard implementation for your add-on issues. WireGuard pushes DNS as Router WG IP and updates dnsmasq to listen to this, how should it know you are running add-ons? Is Adguard-home listening on this IP/iface?? You could change the DNS directive to your router LAN IP in the server client WG config if it would make any difference.
 

If you could let me know the workaround, I don't really care about any of that.

It seems after some testing I cannot access any of the remote access stuff on my home network from OUTSIDE the network while WireGuard tunneled in, which doesn't make sense. That is exactly the only reason I would ever want to tunnel in from WAN ... Setting DNS explicitly to router address doesn't fix it.
 