WireGuard connected but not routing traffic

meruserasus

Occasional Visitor
Hi,

I'm having issues where WireGuard connects (takes 15 seconds to get status / connects), but it does not route traffic through it. And if I turn off OpenVPN, then it says "connected" but there is no internet at all.

Just to clarify, I'm using two clients, OpenVPN and WireGuard (testing), and there is no internet when I turn off OpenVPN.

Allowed IPs are set to 0.0.0.0/0,::/0 for WireGuard client setting,
ENABLE NAT: Yes
Inbound firewall: Block
Killswitch: Yes (if I turn it off, then internet works but not through VPN)

Using identical rules as OpenVPN and that one works fine.

RT-AX86U Pro
Firmware:3006.102.5


VPN Director settings:

1760260790811.png


1760260940383.png


Do I need to not use KillSwitch on WireGuard, perhaps?

The only errors are from OpenVPN, every few seconds

Oct 12 09:23:00 ovpn-client2[10334]: AEAD Decrypt error: bad packet ID (may be a replay): [ #6833625 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
 
For WireGuard you need to put rules in VPN Director for which Local IP (LAN IP) should use the WireGuard interface.
You could put in a single IP, like LocalIP=192.168.50.120, or you could put your entire LAN there, like LocalIP=192.168.50.0/24.
Assuming you are using subnet 192.168.50.x for your LAN.
Keep RemoteIP blank unless you want to control which internet IP you contact using the WireGuard interface.

Adjust to your needs.
 
Yes, I've put the entire LAN through it, still no internet. The same rules work with OpenVPN.
 
I am having this EXACT same issue but on the RT-AX56U. I can't for the life of me figure out why nothing will go out the WireGuard connection. I have tried this in both ways mentioned here...

For WireGuard you need to put rules in VPN Director for which Local IP (LAN IP) should use the WireGuard interface.
You could put in a single IP, like LocalIP=192.168.50.120, or you could put your entire LAN there, like LocalIP=192.168.50.0/24.
Assuming you are using subnet 192.168.50.x for your LAN.
Keep RemoteIP blank unless you want to control which internet IP you contact using the WireGuard interface.

But no matter what I do it acts like there is no internet when routed to go out the wireguard connection.
 
Oh wow, at least someone else is having this issue
It might really help if you posted a screenshot of your entire VPN Director page. And a screenshot of your entire WG client slot... just blank out the private key/server key, but include everything else please.
 
Attached. There isn't much more to vpn director's page. "Stopped" status is because I do not use it due to no connection issue, it says connected otherwise.

wggg.png
wg.png
 
I would troubleshoot by specifying the IP address of just 1 device and assigning that to your WG connection... like the IP of your test laptop/workstation, instead of specifying the entire 192.168.50.0/24 range. While this might be possible to use, it would seem to me that the actual router's IP of 192.168.50.1 would fall in that range too, which might be a conflict, as it's trying to get out over the WAN to make this connection.

So try 1 workstation first... and if that works by getting out over your WG connection, I would possibly change your strategy on using a different subnet for devices that absolutely need to use the WG vs ones that don't.
 

Issue solved and I highly recommend Asus Merlin investigate this.

I had an old WireGuard config for one country and then a new config for another country. Running both countries, one of which is "connected" (took 15 seconds) but does not work (I did not know this), messed up the entire thing.

I have used two servers / countries in case of downtime for one server, but it seems you cannot use two, because if one goes down or if the config messes up, the entire thing breaks.

Also, deleting didn't help either; rebooting after deletion is what fixed it. Also, running one OpenVPN and one WireGuard messes this up too, so there should be a "dumb user" mode where you cannot enable both types at the same time, as they don't work anyway.

Wrong config "status" for connected

1760601651331.png
 
I'm running 3 wireguard connections and 1 OVPN connection simultaneously. Nothing is breaking on my end. It's meant to be able to handle multiple connections. But anyways, glad you were able to resolve your issue.

The reason you might be facing trouble is because you're assigning your entire subnet to each one of these connections. Your local traffic gets confused and doesn't know which exit to take, thus making it seem things are breaking.
 
It would be interesting if anyone could test with one (first) "broken" config, where it connects but is not working.
What's broken about it? You don't really even need a config. You can plug all these values in manually to get it working just fine, just like what VPNMON-R3 does.

Again... rephrased... The reason it's probably not working right for you is because you're assigning your entire subnet to each one of these connections. When you have multiple connections going at the same time, your local traffic will get confused and won't know which exit to take, thus making it seem things are breaking.
 
But why would it confuse if the intended purpose / function is to route all traffic?
You need to be specific as to what exact devices you want to route over which connections, and you need to ensure there are no rules that conflict with each other, else you will run into routing conflict issues like what you're facing.

For smaller networks, just go down the VPN Director list device IP by device IP and specify which connection they need to use.

If you're trying to get a whole swath of IPs, say your DHCP range, you will need to plan that carefully and use a subnet greater than /24, and configure your router, DHCP and devices accordingly. Once that's set then you could use a /25 or /26 in VPN Director. Also, try to use static IPs for devices you don't want their addresses to change so you can keep track of these more easily in your VPN director.
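
One way to check a rule list for the overlap discussed in the replies above, before enabling several tunnels at once. This is an added example, not code from any poster or from Asuswrt-Merlin; the tuple layout and the exit labels WGC1, WGC2 and OVPN2 are constructed for illustration, and 192.168.50.1 is the router address assumed in the thread.

```python
import ipaddress
from itertools import combinations

# Constructed sample rules: (description, LocalIP, RemoteIP, exit label).
# Mirrors the thread: the whole LAN assigned to two tunnels at once.
RULES = [
    ("whole LAN via WG country A", "192.168.50.0/24", "", "WGC1"),
    ("whole LAN via WG country B", "192.168.50.0/24", "", "WGC2"),
    ("laptop via OpenVPN", "192.168.50.120", "", "OVPN2"),
]
# Constructed alternative: disjoint /26 ranges per tunnel, router left out.
FIXED_RULES = [
    ("range 1 via WG country A", "192.168.50.64/26", "", "WGC1"),
    ("range 2 via WG country B", "192.168.50.128/26", "", "WGC2"),
    ("laptop via OpenVPN", "192.168.50.200", "", "OVPN2"),
]
ROUTER_IP = "192.168.50.1"  # assumption: router LAN address from the thread


def net(value):
    """Parse a single IP or a CIDR range; a blank field means 'any address'."""
    return ipaddress.ip_network(value or "0.0.0.0/0", strict=False)


def find_conflicts(rules):
    """Return description pairs whose ranges overlap but whose exits differ."""
    # A narrow rule inside a broad one is flagged too: which one wins depends
    # on the router's rule priority, which this check does not model.
    conflicts = []
    for a, b in combinations(rules, 2):
        if a[3] == b[3]:
            continue  # same exit, nothing to disagree about
        if net(a[1]).overlaps(net(b[1])) and net(a[2]).overlaps(net(b[2])):
            conflicts.append((a[0], b[0]))
    return conflicts


def rules_covering_router(rules, router_ip=ROUTER_IP):
    """Return descriptions of rules whose LocalIP range includes the router."""
    addr = ipaddress.ip_address(router_ip)
    return [r[0] for r in rules if addr in net(r[1])]


if __name__ == "__main__":
    for name, rules in (("as in thread", RULES), ("split ranges", FIXED_RULES)):
        print(name, "conflicts:", find_conflicts(rules))
        print(name, "rules covering router:", rules_covering_router(rules))
```

With the kill switch enabled, a device matched by a rule whose tunnel is not passing traffic has no other way out, so every overlap reported here should be resolved before the tunnels are turned on together.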
 
