Wireguard Wireguard passthru

juanantonio

Occasional Visitor
Good morning everyone.
I'm trying to redirect my Wireguard server to a Wireguard client configured with my VPN provider profile.
I have followed the excelent guides of @ZebMcKayhan and @Martineau, and everything seem to be OK.
I connect to my own server located in an Asus RT-AX86U from the Android app on my mobile phone.
The app seems to connect, but when I try to open some webpage in chrome I always receive the message 'dns_probe_finished_nxdomain' from the browser and nothing else happen.
I've tried changing dns server in both client (wg11) and server (wg21) profiles, but with no luck.
Could you help me, please?
Thanks in advance.
 

Martineau

Part of the Furniture
Good morning everyone.
I'm trying to redirect my Wireguard server to a Wireguard client configured with my VPN provider profile.
I have followed the excelent guides of @ZebMcKayhan and @Martineau, and everything seem to be OK.
I connect to my own server located in an Asus RT-AX86U from the Android app on my mobile phone.
The app seems to connect, but when I try to open some webpage in chrome I always receive the message 'dns_probe_finished_nxdomain' from the browser and nothing else happen.
I've tried changing dns server in both client (wg11) and server (wg21) profiles, but with no luck.
Could you help me, please?
Thanks in advance.
Are you using stable wg_manager version v4.16? or the Beta e.g. v4.17bC?
 

juanantonio

Occasional Visitor
I'm using version v4.17bD, because I updated it in an attempt to solve this issue.
 

Martineau

Part of the Furniture
I'm using version v4.17bD, because I updated it in an attempt to solve this issue.
I think I introduced the error in the Beta :oops:
I suggest you update to ensure the following command shows v4.17.8

Code:
grep -iE "^version" /jffs/addons/wireguard/wg_c*

/jffs/addons/wireguard/wg_client:VERSION="v4.17.8"
 

juanantonio

Occasional Visitor
Here is the output of the grep command:

Code:
[email protected]:/tmp/home/root# grep -iE "^version" /jffs/addons/wireguard/wg_c*
/jffs/addons/wireguard/wg_client:VERSION="v4.17.7"
[email protected]:/tmp/home/root#
 

juanantonio

Occasional Visitor
Should I update Wireguard manager from amtm? I've tried the menu option '1' with no results:

Code:
+======================================================================+
|  Welcome to the WireGuard® Manager/Installer script (Asuswrt-Merlin) |
|                                                                      |
|                      Version v4.17bD by Martineau                    |
|                                                                      |
+======================================================================+
        WireGuard® ACTIVE Peer Status: Clients 0, Servers 0



1  = Update WireGuard® modules                                          7  = QRcode display for a Peer {device} e.g. iPhone
2  = Remove WireGuard®/(wg_manager)                                     8  = Peer management [ "help" | "list" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
                                                                        9  = Create[split] Road-Warrior device Peer for server Peer {device [server]} e.g. create myPhone wg21
3  = List ACTIVE Peers Summary [Peer...] [full]                         10 = IPSet management [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] {src} ] }]
4  = Start   [ [Peer [nopolicy]...] | category ] e.g. start clients     11 = Import WireGuard® configuration { [ "?" | [ "dir" directory ] | [/path/]config_file [ "name="rename_as ] ]}
5  = Stop    [ [Peer... ] | category ] e.g. stop clients                12 = vpndirector Clone VPN Director rules [ "clone" [ "wan" | "ovpn"n [ changeto_wg1n ]] | "delete" | "list" ]
6  = Restart [ [Peer... ] | category ] e.g. restart servers

?  = About Configuration
v  = View [ Peer[.conf] (default 'WireguardVPN.conf')

e  = Exit Script [?]

E:Option ==> 1

        [✔] WireGuard® Kernel module/User Space Tools included in Firmware RT-AX86U (v386.4_0) (1.0.20210124)

                WireGuard® exists in firmware      - use 'vx' command to override with 3rd-Party/Entware (if available)
                User Space tool exists in firmware - use 'vx' command to override with 3rd-Party/Entware (if available)


        [✔] WireGuard® Kernel module/User Space Tools included in Firmware (1.0.20210124)


        No WireGuard® VPN Peers ACTIVE for Termination request


        Initialising WireGuard® Kernel module '/lib/modules/4.1.52/kernel/net/wireguard/wireguard.ko'
        wireguard: WireGuard 1.0.20210124 loaded. See www.wireguard.com for information.
        wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <[email protected]>. All Rights Reserved.



        WireGuard® ACTIVE Peer Status: Clients 0, Servers 0

Edit: After selecting option '1' from the wireguard menú on amtm, I'm still getting version 4.17.7:

Code:
[email protected]:/tmp/home/root# grep -iE "^version" /jffs/addons/wireguard/wg_c*
/jffs/addons/wireguard/wg_client:VERSION="v4.17.7"
 
Last edited:

Martineau

Part of the Furniture
Should I update Wireguard manager from amtm? I've tried the menu option '1' with no results:

Code:
+======================================================================+
|  Welcome to the WireGuard® Manager/Installer script (Asuswrt-Merlin) |
|                                                                      |
|                      Version v4.17bD by Martineau                    |
|                                                                      |
+======================================================================+
        WireGuard® ACTIVE Peer Status: Clients 0, Servers 0



1  = Update WireGuard® modules                                          7  = QRcode display for a Peer {device} e.g. iPhone
2  = Remove WireGuard®/(wg_manager)                                     8  = Peer management [ "help" | "list" | "new" ] | [ {Peer | category} [ del | show | add [{"auto="[y|n|p]}] ]
                                                                        9  = Create[split] Road-Warrior device Peer for server Peer {device [server]} e.g. create myPhone wg21
3  = List ACTIVE Peers Summary [Peer...] [full]                         10 = IPSet management [ "upd" { ipset [ "fwmark" {fwmark} ] | [ "enable" {"y"|"n"}] | [ "dstsrc"] {src} ] }]
4  = Start   [ [Peer [nopolicy]...] | category ] e.g. start clients     11 = Import WireGuard® configuration { [ "?" | [ "dir" directory ] | [/path/]config_file [ "name="rename_as ] ]}
5  = Stop    [ [Peer... ] | category ] e.g. stop clients                12 = vpndirector Clone VPN Director rules [ "clone" [ "wan" | "ovpn"n [ changeto_wg1n ]] | "delete" | "list" ]
6  = Restart [ [Peer... ] | category ] e.g. restart servers

?  = About Configuration
v  = View [ Peer[.conf] (default 'WireguardVPN.conf')

e  = Exit Script [?]

E:Option ==> 1

        [✔] WireGuard® Kernel module/User Space Tools included in Firmware RT-AX86U (v386.4_0) (1.0.20210124)

                WireGuard® exists in firmware      - use 'vx' command to override with 3rd-Party/Entware (if available)
                User Space tool exists in firmware - use 'vx' command to override with 3rd-Party/Entware (if available)


        [✔] WireGuard® Kernel module/User Space Tools included in Firmware (1.0.20210124)


        No WireGuard® VPN Peers ACTIVE for Termination request


        Initialising WireGuard® Kernel module '/lib/modules/4.1.52/kernel/net/wireguard/wireguard.ko'
        wireguard: WireGuard 1.0.20210124 loaded. See www.wireguard.com for information.
        wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <[email protected]>. All Rights Reserved.



        WireGuard® ACTIVE Peer Status: Clients 0, Servers 0

Edit: After selecting option '1' from the wireguard menú on amtm, I'm still getting version 4.17.7:

Code:
[email protected]:/tmp/home/root# grep -iE "^version" /jffs/addons/wireguard/wg_c*
/jffs/addons/wireguard/wg_client:VERSION="v4.17.7"
Code:
e  = Exit Script [?]

E:Option ==> uf dev
 

juanantonio

Occasional Visitor
Updated to version 4.17.8 and now is working with my phone connected to the LAN.
What I wanted is to have it working outside the LAN, in order to connect a laptop from a remote location.
For testing that, I am disconnecting phone from LAN and using mobile data, with no luck. Still getting 'dns_probe_finished_nxdomain'.
Anyway, many thanks for your support. If you consider to give me any more hint, it will be really welcome.
 

Martineau

Part of the Furniture
Updated to version 4.17.8 and now is working with my phone connected to the LAN.
What I wanted is to have it working outside the LAN, in order to connect a laptop from a remote location.
For testing that, I am disconnecting phone from LAN and using mobile data, with no luck. Still getting 'dns_probe_finished_nxdomain'.
Anyway, many thanks for your support. If you consider to give me any more hint, it will be really welcome.

You will have to provide diagnostics and PM me the output.
Code:
e  = Exit Script [?]

E:Option ==> diag

The Private Keys should already be hidden, but the RPDB,Routing rules etc. should show what is missing.

Also you will need to show the configuration for the Road-Warrior 'device' Peer.

Q. Does it work if you manually change the DNS on the Road-Warrior 'device' Peer to say 9.9.9.9 to see if it works?
 

juanantonio

Occasional Visitor
Finally, I figured it out. It was my VPN provider wireguard client IP address where I needed to point my own client, not the router IP.
Having redirected the traffic from my wireguard server to the client means that connection requests also need to be pointed at that client.
Additionally, I needed to open the connection port on my VPN provider. By default, they are all closed.
Many thanks for your support!
 

ZebMcKayhan

Very Senior Member
Finally, I figured it out. It was my VPN provider wireguard client IP address where I needed to point my own client, not the router IP.
Having redirected the traffic from my wireguard server to the client means that connection requests also need to be pointed at that client.
Additionally, I needed to open the connection port on my VPN provider. By default, they are all closed.
Many thanks for your support!
This is wierd stuff! So you are connecting back into your network through your internet wg client and managed to open ports at your vpn supplier to accomplish that? And you are using a private wg tunnel back through your existing tunnel! Wow, well done indeed if you got this working! But surely it would be easier to connect via wan??? Sure there are issues if you have your client in default (auto=Y) mode but just switch to policy (auto=P) mode and add a general rule for your entire lan. But I'm amazed over you accomplishment, well done indeed!
 

juanantonio

Occasional Visitor
First of all, thanks for your reply, @ZebMcKayhan.
The only thing I want is to connect remotely to my Wireguard server which runs on my router, and then redirect this connections to my VPN supplier. This is the reason I am using passthru.
But I've found that activating passthru, then my wg server doesn't listen for connections on the WAN interface, but in the wg11 client which is connected to my VPN provider. I didn't want to make things complicated, but that is what I've found.
If you know an easier way to acomplish that goal, please tell me. As I've said, I only want incoming connections from my wg server to my wg client, which is already connected to my VPN supplier.
Thanks in advance.
 

ZebMcKayhan

Very Senior Member
But I've found that activating passthru, then my wg server doesn't listen for connections on the WAN interface
Passthru only creates a rule for wg clients, and should not affect the Wireguard udp tunnel and if it does, something is really wrong. the question is were the problem really lies. is it really the udp tunnel / passthru rules or is it somewhere else?

from your description it kind of sound like you may have your wg11 in default (auto=Y) mode. This mode does not work when using a server, regardless of any passthru rules, but it would fit your problem as you managed to get the udp tunnel from the router to go over VPN (router is only communicating over VPN naturally in default (auto=Y) mode).

If this is correct, the typical solution to this problem is to switch wg11 over to policy mode, this will leave the router to communicate over WAN and will enable you to keep the udp tunnel for your server via your WAN. If you insist of keeping wg11 in default mode, there is a workaround (untested) in here (end of this section):
https://github.com/ZebMcKayhan/Wire...EADME.md#setup-a-reverse-policy-based-routing
 

juanantonio

Occasional Visitor
Passthru only creates a rule for wg clients, and should not affect the Wireguard udp tunnel and if it does, something is really wrong. the question is were the problem really lies. is it really the udp tunnel / passthru rules or is it somewhere else?

from your description it kind of sound like you may have your wg11 in default (auto=Y) mode. This mode does not work when using a server, regardless of any passthru rules, but it would fit your problem as you managed to get the udp tunnel from the router to go over VPN (router is only communicating over VPN naturally in default (auto=Y) mode).

If this is correct, the typical solution to this problem is to switch wg11 over to policy mode, this will leave the router to communicate over WAN and will enable you to keep the udp tunnel for your server via your WAN. If you insist of keeping wg11 in default mode, there is a workaround (untested) in here (end of this section):
https://github.com/ZebMcKayhan/Wire...EADME.md#setup-a-reverse-policy-based-routing
But I don't wan't at all keep my wg client on auto mode!

The only thing I want, as I said previously, is redirect connections from wg server to wg client using passthru.

What I have understood is that, for achieving this goal, I need to put wg client in policy mode and then add rules.

I wish also have access to my LAN devices remotely through wg server, but I don't know absolutely which rules I need to add to my client (or server) policy. If you know, as I can figure, please tell me.

Thanks.

Edit: It seems that, after having set my wg client to auto='p' and set the rule:

Code:
E:Option ==> peer wg11 rule add vpn 10.50.1.1/24 comment WG Server to WG Client

All works flawlessly.

Many thanks again for your support.
 
Last edited:

juanantonio

Occasional Visitor
Just one final question: Which would be the rule for allowing incoming connections to WG server to access Local Area Network:

I have tried this:

Code:
E:Option ==> peer wg21 rule add wan src=10.50.1.1/24 dst=192.168.1.1/24 comment WG Server to LAN

With no luck.

Obviuosly, 10.50.1.1 is my server's interface IP and 192.168.1.1 is my router's LAN interface IP.
 

ZebMcKayhan

Very Senior Member
All works flawlessly.
are you sure??? I think you should use the build in passthru function instead of creating manual routing rules, since there are a little more to it. more info here (under the NOTE):
https://github.com/ZebMcKayhan/Wire....md#route-wg-server-to-internet-via-wg-client

Just one final question: Which would be the rule for allowing incoming connections to WG server to access Local Area Network:
It should already be allowed in firewall by wgm, the problem is likely on the device on LAN that refuses incoming connection from ip's not within the same network, or possibly a routing issue.

for routing issues that could be, try flipping it around:
Code:
E:Option ==> peer wg21 rule add wan src=any dst=10.50.1.1/24 comment LAN to WG Server
As the problem is not for wg21 to contact LAN as LAN is part of policy route tables. The problem is for LAN to answer back to wg21 if the rule tells it to use policy table and there are no routes to wg21 from there.

the last thing is that LAN clients may refuse connection themselves from different networks.... some info here: https://github.com/ZebMcKayhan/Wire...E.md#i-cant-access-my-nassamba-share-over-vpn
One could MASQUARADE wg21 to LAN to circumvent this issue, but it's an ugly solution and you wouldnt get any help from wgm here. it would look something like:
Code:
iptables -t nat -I POSTROUTING -s 10.50.1.1/24 -o br0 -j MASQUERADE -m comment --comment "WireGuard 'server'"
 
Last edited:

juanantonio

Occasional Visitor
1.- Well... I am pretty sure it works since I had activated previously the passthru function between server and client. The thing that did the trick was adding manually that rule.

2.- I have tried both directions of the rule, as I have previously watch this link: https://github.com/ZebMcKayhan/WireguardManager#create-rules-in-wgm, but none of them works. (both, only one, only the other).

3.- I have also the same configuration on Open VPN server running on my ASUS router and my LAN devices are completely accesible. I only wanted to know if it is possible to have the same configuration over Wireguard since I have an old RT-N16 in my town home and last week I installed entware on it. Given that I saw Wireguard is available on this old router through entware, I thought that was worth trying to connect this old device to my main router through this protocol.

4.- The iptables command looks like the one I had to use to redirect my Open VPN server to my VPN provider. With Open VPN works, but in this case of Wireguard doesn't seem to be working. Thank you, anyway.
 
Last edited:

ZebMcKayhan

Very Senior Member
but none of them works. (both, only one, only the other).
sorry, just realized the rules were set to peer wg21... didnt even know that was possible. what if you try:
Code:
E:Option ==> peer wg11 rule add wan src=any dst=10.50.1.1/24 comment LAN to WG Server

dont know if that makes any difference or even how wg21 rules would be treated (or disregarded maybee).

4.- The iptables command looks like the one I had to use to redirect my Open VPN server to my VPN provider. With Open VPN works, but in this case of Wireguard doesn't seem to be working. Thank you, anyway.
if you cannot get it to work with the above rule and/or combination with the MASQUARADE rule, then deeper searching is needed to figure out what is going on. try installing tcpdump on your router and use it to track packages as you ping a LAN device from your server and see where the package goes.
 

juanantonio

Occasional Visitor
Well, I tried that last rule you said and now... I can say that it works!

Many thanks for you time and patience.

Have a nice day.


Edit: Just in case others face the same problem. This is how look my rules and passthru:

Code:
E:Option ==> peer wg11 rule

ID  Peer  Interface  Source      Destination   Description
6   wg11  WAN        Any         10.50.1.1/24  LAN to WG Server
2   wg11  VPN        10.50.1/24  Any           WG Server to WG Client

        WireGuard® ACTIVE Peer Status: Clients 1, Servers 1

E:Option ==> peer wg21 rule

ID  Peer  Interface  Source          Destination     Description
4   wg21  WAN        192.168.1.1/24  10.50.1.1/24    WG Server to LAN
5   wg21  WAN        10.50.1.1/24    192.168.1.1/24  WG Server to LAN

        WireGuard® ACTIVE Peer Status: Clients 1, Servers 1

E:Option ==> import

***********Some stuff about server and clients.... **********

Server  Client  Passthru
wg21    wg11    10.50.1.1/24

        WireGuard® ACTIVE Peer Status: Clients 1, Servers 1
 
Last edited:

ZebMcKayhan

Very Senior Member
Edit: Just in case others face the same problem. This is how look my rules and passthru:
in my opinion, wg21 rules (dont really know what wgm is doing about these) could probably be deleted. both of them.

as you have a passthru rule, it would make wg11 rule 2 obsolete (it also looks like its ips are missing the last .1, dont know how the system react to this), as this is already included in the passthru rule.

so, hopefully at the end you should have your passthru rule and a single WAN rule (#6) to take care of routing LAN to Server. Nice and neat!

But as you dont have any rules for LAN ips to use VPN I dont really understand why your routing rule is at all needed... but as long as it works and its needed, just leave it there.
 
Last edited:

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top