Solved Wireguard Server, no access to intranet from WAN


zer0bitz

Regular Contributor
Hello!

I have set up a WireGuard server on my Asus RT-AX56U and enabled intranet access in its config. I can connect to the server from LAN and WAN on my Android phone, but I am only able to access other devices when I'm on a LAN connection. Every time I leave the house, connect to the server and try to access devices on the LAN, it just doesn't work.

Any solutions for this?

[Two screenshots of the RT-AX56U "VPN Client" page, 2023-05-23]
 
> Hello!
>
> I have set up a WireGuard server on my Asus RT-AX56U and enabled intranet access in its config. I can connect to the server from LAN and WAN on my Android phone, but I am only able to access other devices when I'm on a LAN connection. Every time I leave the house, connect to the server and try to access devices on the LAN, it just doesn't work.
>
> Any solutions for this?
Have you tried modifying Allowed IPs in the client's settings?
Here is the configuration of one of my clients.
 
> Have you tried modifying Allowed IPs in the client's settings?
> Here is the configuration of one of my clients.
Do you mean that I need my phone's IP in the client section? Any other solution, since my phone's IP changes every time I enable mobile data?
 
> Do you mean that I need my phone's IP in the client section? Any other solution, since my phone's IP changes every time I enable mobile data?
I don't know much about how WireGuard manages IP addresses, but I think the key point is adding the WireGuard host's network address to the IPs allowed for your smartphone client. In my picture, I'm giving my client access to the subnet 192.168.1.0/24, which is the subnet to which my WireGuard server belongs.

I'm afraid I can't help you much more.

Regards.

Edit: The picture with the config data for my client was taken by accessing this same client's config, as you can see in the following picture:
 
> Do you mean that I need my phone's IP in the client section? Any other solution, since my phone's IP changes every time I enable mobile data?
AllowedIPs should contain only the destination IPs that are reached over the tunnel. So if your server IP is 10.6.0.1 and your client is 10.6.0.2, then you set up the peer:
AllowedIPs (server): 10.6.0.2/32
AllowedIPs (client): 0.0.0.0/0

The AllowedIPs (server) should always be the client's local IP (not its public IP) unless you set up a site-to-site and are connecting networks together. Don't put any LAN IP / IP range here, as it may cause a conflict in the router.

AllowedIPs (client) could be 0.0.0.0/0 to send all data over the tunnel, but there is still a risk of conflict if the phone's IP is ever in the same range as your LAN. You could append your LAN and WG IP ranges to make it more probable that the phone will use WireGuard for these LAN IPs, such as: 0.0.0.0/0, 10.6.0.0/24, 192.168.50.1/24. But routes are ranked by specificity, so there is still no guarantee. If there is any specific IP you want to be sure goes over WG, then add this as well, i.e. 0.0.0.0/0, 10.6.0.0/24, 192.168.50.1/24, 192.168.50.32
Then you could be certain that this IP will be sent over WireGuard and not reached via e.g. Wi-Fi.

If you don't want internet data going through, you could skip 0.0.0.0/0 and only add your WG IP range and LAN IP range.

You could also generate 2 configs, one with internet and one without, import both to the same phone and use the appropriate one for different situations.
 
> I don't know much about how WireGuard manages IP addresses, but I think the key point is adding the WireGuard host's network address to the IPs allowed for your smartphone client. In my picture, I'm giving my client access to the subnet 192.168.1.0/24, which is the subnet to which my WireGuard server belongs.
>
> I'm afraid I can't help you much more.
>
> Regards.
>
> Edit: The picture with the config data for my client was taken by accessing this same client's config, as you can see in the following picture:
I tried to copy your settings, but when I use mobile data and WireGuard I still have no access to my NAS. When I change to Wi-Fi and enable WireGuard I can access my local devices again. Anything else I can try?

[Screenshot of the RT-AX56U "VPN Client" page, 2023-06-01]



> AllowedIPs should contain only the destination IPs that are reached over the tunnel. So if your server IP is 10.6.0.1 and your client is 10.6.0.2, then you set up the peer:
> AllowedIPs (server): 10.6.0.2/32
> AllowedIPs (client): 0.0.0.0/0
>
> The AllowedIPs (server) should always be the client's local IP (not its public IP) unless you set up a site-to-site and are connecting networks together. Don't put any LAN IP / IP range here, as it may cause a conflict in the router.
>
> AllowedIPs (client) could be 0.0.0.0/0 to send all data over the tunnel, but there is still a risk of conflict if the phone's IP is ever in the same range as your LAN. You could append your LAN and WG IP ranges to make it more probable that the phone will use WireGuard for these LAN IPs, such as: 0.0.0.0/0, 10.6.0.0/24, 192.168.50.1/24. But routes are ranked by specificity, so there is still no guarantee. If there is any specific IP you want to be sure goes over WG, then add this as well, i.e. 0.0.0.0/0, 10.6.0.0/24, 192.168.50.1/24, 192.168.50.32
> Then you could be certain that this IP will be sent over WireGuard and not reached via e.g. Wi-Fi.
>
> If you don't want internet data going through, you could skip 0.0.0.0/0 and only add your WG IP range and LAN IP range.
>
> You could also generate 2 configs, one with internet and one without, import both to the same phone and use the appropriate one for different situations.
Thank you for explaining. I will try again tomorrow. Too sleepy now, lolz!
 
Could my DHCP settings prevent it from working? Also, do I need to have my NAS connected to the WireGuard server?

[Screenshot of the RT-AX56U "DHCP Server" page, 2023-06-02]
 
> I tried to add my NAS IP to Allowed IPs (Client), but still can't connect to it using mobile data. Is it wrong having that /24 at the end of it? I tried adding it as 192.168.1.5, but when applying the new settings it wouldn't work.
Any particular reason you are using 0.0.0.0/1 instead of 0.0.0.0/0 as I suggested? 0.0.0.0/1 only contains half the internet....

You may need to add 192.168.1.5/32, but I'm not sure; in both cases it would mean only this specific IP. /24 would mean the 192.168.1.x network (~netmask 255.255.255.0).

Whatever you do, you will need to generate a new config and import it to your phone after changing this. Perhaps obvious, but I thought I'd mention it.

Try adding 0.0.0.0/0, 10.6.0.0/24, 192.168.1.0/24, 192.168.1.5/32 instead, then import the new config to your phone.

> Could my DHCP settings prevent it from working? Also, do I need to have my NAS connected to the WireGuard server?
Yes and no.... Usually a NAS only accepts connections from the same subnet, so the WireGuard client won't be able to access the NAS unless it is on the same subnet (192.168.1.x). But there should be a NAT option on your server; this should be enabled, and it should make communication appear as if it originates from the router itself (192.168.1.1).

Another note is that mDNS (network discovery) does not work over VPN, which means you cannot access your NAS via any share name; you will need to access it "blindly" via the local IP 192.168.1.5
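The two points made in this thread about AllowedIPs, that the client side is a route table ranked by prefix length (so 0.0.0.0/0 can lose to a more specific local route, 0.0.0.0/1 covers only half the address space, and a /32 wins outright), and that the server side is WireGuard's cryptokey routing (so a LAN range on the phone's peer would pull LAN traffic into the tunnel), can be checked with a small model. The following is an added example written for this thread, not code from WireGuard or from the Asuswrt firmware. It uses the addresses discussed here (10.6.0.0/24 tunnel, 192.168.1.0/24 LAN, NAS at 192.168.1.5); the phone's home Wi-Fi and mobile subnets in the demo are constructed values, and the route selection is a simplified longest-prefix model rather than the real Android or Linux policy-routing behaviour.

```python
"""Model of WireGuard AllowedIPs: longest-prefix route selection on the client,
cryptokey routing on the server. Added example for this thread; not WireGuard's
or Asuswrt's own code. Tunnel 10.6.0.0/24, LAN 192.168.1.0/24 and NAS
192.168.1.5 follow the thread; the phone's local subnets are constructed."""
from ipaddress import ip_address, ip_network


def parse_allowed_ips(spec):
    """Turn 'a/b, c/d' into networks; a bare host or host-with-prefix like
    192.168.50.1/24 is accepted the way the WireGuard UI accepts it."""
    return [ip_network(s.strip(), strict=False) for s in spec.split(",") if s.strip()]


def select_route(dst, routes):
    """Longest-prefix match over (network, via) pairs.

    Returns the 'via' of the most specific match, 'default' when nothing
    matches, or 'ambiguous' when two different interfaces tie on prefix
    length (a real stack then decides by metric or insertion order, which is
    exactly the 'no guarantee' case described in the thread).
    """
    dst = ip_address(dst)
    best_len, best_via = -1, "default"
    for net, via in routes:
        if dst not in net:
            continue
        if net.prefixlen > best_len:
            best_len, best_via = net.prefixlen, via
        elif net.prefixlen == best_len and via != best_via:
            best_via = "ambiguous"
    return best_via


def phone_route(dst, allowed_ips, local_subnet):
    """Where the phone sends dst: its directly connected subnet is reachable
    locally, everything in the client's AllowedIPs is a route into wg0."""
    routes = [(ip_network(local_subnet), "local")]
    routes += [(net, "wg0") for net in parse_allowed_ips(allowed_ips)]
    return select_route(dst, routes)


def server_peer_for(dst, peers):
    """Server side: the peer whose AllowedIPs most specifically covers dst,
    or None when the packet leaves via LAN/WAN instead of a tunnel.
    (WireGuard does not let two peers share an AllowedIP, so a tie is
    treated as unroutable here.)"""
    routes = [(net, name) for name, spec in peers.items()
              for net in parse_allowed_ips(spec)]
    via = select_route(dst, routes)
    return None if via in ("default", "ambiguous") else via


def server_accepts(src, from_peer, peers):
    """Inbound cryptokey check: a decrypted packet from a peer is only
    accepted if its source address lies inside that peer's AllowedIPs."""
    return any(ip_address(src) in net for net in parse_allowed_ips(peers[from_peer]))


if __name__ == "__main__":
    full = "0.0.0.0/0, 10.6.0.0/24, 192.168.1.0/24, 192.168.1.5/32"
    # Constructed phone subnets: home Wi-Fi (same range as the LAN) and a
    # carrier-grade-NAT mobile range.
    wifi, lte = "192.168.1.0/24", "100.64.12.0/24"
    print("home Wi-Fi, 0.0.0.0/0, NAS  ->", phone_route("192.168.1.5", "0.0.0.0/0", wifi))
    print("mobile,    0.0.0.0/0, NAS  ->", phone_route("192.168.1.5", "0.0.0.0/0", lte))
    print("home Wi-Fi, full list, NAS ->", phone_route("192.168.1.5", full, wifi))
    print("home Wi-Fi, full list, .4  ->", phone_route("192.168.1.4", full, wifi))
    print("mobile, 0.0.0.0/1, 203.0.113.10 ->", phone_route("203.0.113.10", "0.0.0.0/1", lte))
    good = {"phone": "10.6.0.2/32"}
    bad = {"phone": "10.6.0.2/32, 192.168.1.0/24"}  # LAN range on the peer
    print("server, NAS with correct peer ->", server_peer_for("192.168.1.5", good))
    print("server, NAS with LAN on peer  ->", server_peer_for("192.168.1.5", bad))
    print("server accepts src 192.168.1.77 from phone ->",
          server_accepts("192.168.1.77", "phone", good))
```

Running it shows the cases argued in the thread: on home Wi-Fi a plain 0.0.0.0/0 loses to the directly connected /24 for 192.168.1.5, the /32 entry forces that one host into the tunnel even at home, a host like 192.168.1.4 ends up in a tie that nothing resolves, 0.0.0.0/1 leaves every address from 128.0.0.0 upward outside the tunnel, and a LAN range on the phone's server-side peer makes the router send NAS-bound packets into the phone's tunnel instead of onto br0.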
 
> Any particular reason you are using 0.0.0.0/1 instead of 0.0.0.0/0 as I suggested? 0.0.0.0/1 only contains half the internet....
>
> You may need to add 192.168.1.5/32, but I'm not sure; in both cases it would mean only this specific IP. /24 would mean the 192.168.1.x network (~netmask 255.255.255.0).
>
> Whatever you do, you will need to generate a new config and import it to your phone after changing this. Perhaps obvious, but I thought I'd mention it.
>
> Try adding 0.0.0.0/0, 10.6.0.0/24, 192.168.1.0/24, 192.168.1.5/32 instead, then import the new config to your phone.
>
> Yes and no.... Usually a NAS only accepts connections from the same subnet, so the WireGuard client won't be able to access the NAS unless it is on the same subnet (192.168.1.x). But there should be a NAT option on your server; this should be enabled, and it should make communication appear as if it originates from the router itself (192.168.1.1).
>
> Another note is that mDNS (network discovery) does not work over VPN, which means you cannot access your NAS via any share name; you will need to access it "blindly" via the local IP 192.168.1.5
For some odd reason, when I'm using 0.0.0.0/0 I can't access local devices when I'm on Wi-Fi and using WireGuard. When I change it to 0.0.0.0/1, local devices are reachable again.

> Try adding 0.0.0.0/0, 10.6.0.0/24, 192.168.1.0/24, 192.168.1.5/32 instead, then import the new config to your phone.
I will try this later today. Will report if it worked.

> Another note is that mDNS (network discovery) does not work over VPN, which means you cannot access your NAS via any share name; you will need to access it "blindly" via the local IP 192.168.1.5
This I knew already. All of my devices have static IPs on my LAN. On my phone I'm using Cx File Explorer to connect to these shares by using their IPs.
 
> For some odd reason, when I'm using 0.0.0.0/0 I can't access local devices when I'm on Wi-Fi and using WireGuard. When I change it to 0.0.0.0/1, local devices are reachable again.
You probably will whenever your issue is sorted...

But your main issue is probably not the AllowedIPs...

I'm using Cx File Explorer myself and can access my NAS via VPN both at home and away.

I'm also using an Android app, PingTools, which is free and very convenient for debugging. Do pings, iperf tests, DNS tests and such. I can recommend it. It has a few annoying commercials, but with Diversion running I never see them.

Is your NAS using some VPN client via VPN Director? If so, that may be a reason for trouble.

Else, see if you can find and enable NAT on your server peer.
 
> I'm also using an Android app, PingTools, which is free and very convenient for debugging. Do pings, iperf tests, DNS tests and such. I can recommend it. It has a few annoying commercials, but with Diversion running I never see them.
Thank you for the recommendation. I also never see ads on my phone anymore, since Diversion is blocking all of them.

> Is your NAS using some VPN client via VPN Director? If so, that may be a reason for trouble.
Yes, my NAS is using a USB -> RJ45 adapter and I have pointed my VPN in VPN Director to it. It's a different IP though, 192.168.1.50.

> Try adding 0.0.0.0/0, 10.6.0.0/24, 192.168.1.0/24, 192.168.1.5/32 instead, then import the new config to your phone.
I tried to put these settings now, downloaded new config but still no access from Cx File Explorer using mobile data. It just tries to connect until it times out.
 
> I tried to put these settings now, downloaded new config but still no access from Cx File Explorer using mobile data. It just tries to connect until it times out.
Could you try PingTools and, while outside your network and connected to the VPN, try to ping the server peer 10.6.0.1?

If that works, try to ping br0, 192.168.1.1.

If this works, your VPN connection is OK and you could continue checking other things, like VPN Director rules. If not, there may be connectivity issues and you need to check your config, especially your endpoint IP and such.
 
> Could you try PingTools and, while outside your network and connected to the VPN, try to ping the server peer 10.6.0.1?
>
> If that works, try to ping br0, 192.168.1.1.
>
> If this works, your VPN connection is OK and you could continue checking other things, like VPN Director rules. If not, there may be connectivity issues and you need to check your config, especially your endpoint IP and such.
Downloaded PingTools from Google Play, and pinging both IPs over mobile data using WireGuard I get a response.

Edit: Traceroute works when using 192.168.1.1 and 10.6.0.1.
Edit: iPerf doesn't work.
 
> Downloaded PingTools from Google Play, and pinging both IPs over mobile data using WireGuard I get a response.
And if you ping your NAS IP, I guess you don't?

If not, what if you add a VPN Director rule for
Local IP = any (leave blank, or 0.0.0.0/0)
Remote IP = 10.0.6.0/24
Iface = WAN

The point is obviously not to send them to WAN, but to send them to the main routing table, where a route to the WG peers exists.
 
> And if you ping your NAS IP, I guess you don't?
Yep, no answer using mobile data/Wi-Fi with WireGuard. 100% packet loss on every try.

> If not, what if you add a VPN Director rule for
> Local IP = any (leave blank, or 0.0.0.0/0)
> Remote IP = 10.0.6.0/24
> Iface = WAN
>
> The point is obviously not to send them to WAN, but to send them to the main routing table, where a route to the WG peers exists.
Tried this setting. Still no connection to the NAS with mobile data + WireGuard.

[Screenshot of the RT-AX56U "VPN Director" page, 2023-06-02 20:44]
 
> Sorry, my mistake, the remote IP should of course be 10.6.0.0/24. It should be your WireGuard server network.
It's cool. Unfortunately, trying this setting doesn't work either.

[Screenshot of the RT-AX56U "VPN Director" page, 2023-06-02 21:16]

Edit: Continued to play around with PingTools and found out that every time I try to ping any Windows client using mobile data + WireGuard, every ping attempt fails.

Edit2: I found out that I can ping my Nvidia Shield, which is 192.168.1.4, over mobile data + WireGuard. Also I can browse it in Cx File Explorer. At least some kind of progress has happened. Lol!

I wonder why all of my Windows clients prevent connecting.
 
> It's cool. Unfortunately, trying this setting doesn't work either.
>
> Edit: Continued to play around with PingTools and found out that every time I try to ping any Windows client using mobile data + WireGuard, every ping attempt fails, but when I ping my Nvidia Shield Android device it works.
Yep, your issue is not the VPN, but on the client side. Your NAS or Windows clients do not accept connections from outside your LAN IP range. It's a common problem.

Do you have the possibility to SSH into your router?
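The ping ladder suggested earlier in this thread (server peer 10.6.0.1, then br0 at 192.168.1.1, then the target host) and the conclusion drawn from it here (router answers, hosts do not, so the problem is the hosts' own subnet-restricted firewalls or missing NAT on the server peer rather than the tunnel) can be turned into a repeatable check. The following is an added example written for this thread, not code from the thread's participants, PingTools or Asuswrt. It assumes a Linux-style iputils `ping` (`-c` count, `-W` timeout in seconds) on the machine running it; the hints attached to each stage are this example's summary of the thread's reasoning, and the `ping` callable is injectable so the logic can be exercised without network access.

```python
"""Reachability ladder for a WireGuard road-warrior client, following the
ping sequence used in this thread. Added example; not code from the thread,
PingTools or Asuswrt. Assumes iputils ping flags (-c, -W) and the thread's
addresses: server peer 10.6.0.1, router br0 192.168.1.1, NAS 192.168.1.5."""
import subprocess

# (stage, address to probe, what a failure at this stage points to)
LADDER = [
    ("wg peer", "10.6.0.1",
     "tunnel not up: check the client's Endpoint, the server's listen port "
     "reachability from WAN, and the keys/AllowedIPs of the peer"),
    ("router br0", "192.168.1.1",
     "tunnel up but no LAN routing: check intranet access/NAT on the server "
     "peer and any VPN Director rules that catch 10.6.0.0/24"),
    ("target host", "192.168.1.5",
     "router reachable but host is not: the host's own firewall likely only "
     "allows its local subnet (common on Windows and NAS boxes); enable NAT "
     "on the WG server so traffic appears from 192.168.1.1, or widen the "
     "host firewall scope to 10.6.0.0/24"),
]


def system_ping(host, timeout=2):
    """Real probe: one ICMP echo via the OS ping binary; True on a reply.
    Flags assume iputils ping; adjust for other platforms."""
    result = subprocess.run(["ping", "-c", "1", "-W", str(timeout), host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def diagnose(ladder=LADDER, ping=system_ping):
    """Probe each stage in order and stop at the first one that does not answer.

    Returns (failed_stage, hint), or (None, "all stages reachable") when every
    rung answers. 'ping' is injectable so the decision logic is testable offline.
    """
    for stage, host, hint in ladder:
        if not ping(host):
            return stage, hint
    return None, "all stages reachable"


def reachable_only(*hosts):
    """Build a fake ping for offline use: answers only for the given hosts.
    (Constructed stand-in, not a network probe.)"""
    allowed = set(hosts)
    return lambda host: host in allowed


if __name__ == "__main__":
    # Live run from the phone/laptop while connected over WireGuard from outside.
    stage, hint = diagnose()
    if stage is None:
        print(hint)
    else:
        print(f"first failure at '{stage}': {hint}")
```

With the fake probe from `reachable_only("10.6.0.1", "192.168.1.1")`, which reproduces what was reported in this thread (both router addresses answer, the NAS does not), `diagnose` stops at the "target host" stage and returns the host-firewall/NAT hint; with nothing answering it stops at "wg peer", which is the endpoint-and-keys case.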
 
> Yep, your issue is not the VPN, but on the client side. Your NAS or Windows clients do not accept connections from outside your LAN IP range. It's a common problem.
Yeah typical Windows. Always something to fix. Hehe.

> Do you have the possibility to SSH into your router?
Yes, I have PuTTY on my computer. What should I try to do there?
 
