Solved Wireguard Server, no access to intranet from WAN


Yeah typical Windows. Always something to fix. Hehe.


Yes I have Putty on my computer. What should I try to do there?
Log in and execute at the prompt:
Code:
iptables -t nat -I POSTROUTING -s 10.6.0.0/24 -o br0 -j MASQUERADE

This rule will make all packets from the WireGuard server network appear to come from the router, so it will be on the same network. Don't worry, it won't persist, so if something goes wrong, a reboot will wipe it.

Then try again.
 
Log in and execute at the prompt:
Code:
iptables -t nat -I POSTROUTING -s 10.6.0.0/24 -o br0 -j MASQUERADE

This rule will make all packets from the WireGuard server network appear to come from the router, so it will be on the same network. Don't worry, it won't persist, so if something goes wrong, a reboot will wipe it.

Then try again.
Holy smokes. That definitely worked! How can I make this happen on every boot? I have recently had many random reboots on my router.

Edit: Just double checked and yes I can connect to all of my clients over mobile data using wireguard. Finally!
 
How can I make this happen on every boot?
Make it apply when your wg server starts:

Code:
nano /jffs/scripts/wgserver-start

Populate with:
Code:
#!/bin/sh
iptables -t nat -I POSTROUTING -s 10.6.0.0/24 -o br0 -j MASQUERADE
Save & exit.

And remove the rule when server stops:
Code:
nano /jffs/scripts/wgserver-stop

Populate with:
Code:
#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.6.0.0/24 -o br0 -j MASQUERADE
Save & exit.

Make them executable:
Code:
chmod +x /jffs/scripts/wgserver-start
chmod +x /jffs/scripts/wgserver-stop

I hope this is enough for it to be persistent in the firewall, but if you experience issues after, i.e., a WAN reset, then something may be needed in nat-start.
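An added example (my own, not code from the thread) of the same wgserver-start/wgserver-stop logic written so it is safe to run repeatedly, which matters if the firmware rebuilds the firewall and nat-start calls it again. It assumes the thread's subnet (10.6.0.0/24) and LAN bridge (br0); the IPTABLES variable and the sample listing are constructed so the logic can be exercised without a real router.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent wgserver-start / wgserver-stop
# logic usable from nat-start too. Assumes subnet 10.6.0.0/24 and bridge br0.
WG_NET="${WG_NET:-10.6.0.0/24}"
LAN_IF="${LAN_IF:-br0}"
IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be tested without root

# Add the MASQUERADE rule only if an identical one is not already present.
# `iptables -C` exits 0 when the rule exists, so repeated calls never stack copies.
ensure_masq_rule() {
    if "$IPTABLES" -t nat -C POSTROUTING -s "$WG_NET" -o "$LAN_IF" -j MASQUERADE 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -t nat -I POSTROUTING -s "$WG_NET" -o "$LAN_IF" -j MASQUERADE
}

# Remove every copy of the rule; -D deletes one match per call, so loop.
remove_masq_rule() {
    while "$IPTABLES" -t nat -C POSTROUTING -s "$WG_NET" -o "$LAN_IF" -j MASQUERADE 2>/dev/null; do
        "$IPTABLES" -t nat -D POSTROUTING -s "$WG_NET" -o "$LAN_IF" -j MASQUERADE
    done
}

# Given the text of `iptables -nvL POSTROUTING -t nat`, print the 1-based
# position of our rule (the thread expects 1, the top) or 0 if it is absent.
# Columns: pkts bytes target prot opt in out source destination.
masq_rule_position() {
    printf '%s\n' "$1" | awk -v net="$WG_NET" -v iface="$LAN_IF" '
        $1 ~ /^[0-9]+[KMG]?$/ {
            n++
            if ($3 == "MASQUERADE" && $7 == iface && $8 == net) { print n; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# Constructed sample listing (not captured from a real router) for a quick check.
SAMPLE_LISTING='Chain POSTROUTING (policy ACCEPT 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  3528 MASQUERADE  all  --  *      br0     10.6.0.0/24          0.0.0.0/0
  911   77K MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0'

# wgserver-start calls `start`, wgserver-stop calls `stop`; `check` prints the
# rule's position in the live table so you can confirm it is on top.
case "${1:-}" in
    start) ensure_masq_rule ;;
    stop)  remove_masq_rule ;;
    check) masq_rule_position "$("$IPTABLES" -nvL POSTROUTING -t nat)" ;;
esac
```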
 
Make it apply when your wg server starts:

Code:
nano /jffs/scripts/wgserver-start

Populate with:
Code:
#!/bin/sh
iptables -t nat -I POSTROUTING -s 10.6.0.0/24 -o br0 -j MASQUERADE
Save & exit.

And remove the rule when server stops:
Code:
nano /jffs/scripts/wgserver-stop

Populate with:
Code:
#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.6.0.0/24 -o br0 -j MASQUERADE
Save & exit.

Make them executable:
Code:
chmod +x /jffs/scripts/wgserver-start
chmod +x /jffs/scripts/wgserver-stop

I hope this is enough for it to be persistent in the firewall, but if you experience issues after, i.e., a WAN reset, then something may be needed in firewall-start.
Thank you! Just to be sure, do I put these in Putty in this order to make it work?
 
Thank you! Just to be sure, do I put these in Putty in this order to make it work?
Yes.

You could look at your rule in the firewall:
Code:
iptables -nvL POSTROUTING -t nat
It should be the top one (right now at least). Then try to stop the server and check that the rule is gone. Then start your server again and check that it's there. If this works, you could try to reboot, and if your server starts at boot, so shall this rule be applied.

If you ever find problems connecting to the NAS again, you should still be able to SSH from your phone and see if your rule is gone (and add it manually if you wish). Sometimes the firmware flushes the firewall and rebuilds it, but I don't know if the WireGuard server is stopped and started again; if so, it should be ok. If not, we need to put this in nat-start instead.
 
Yes.

You could look at your rule in the firewall:
Code:
iptables -nvL POSTROUTING -t nat
It should be the top one (right now at least). Then try to stop the server and check that the rule is gone. Then start your server again and check that it's there. If this works, you could try to reboot, and if your server starts at boot, so shall this rule be applied.

If you ever find problems connecting to the NAS again, you should still be able to SSH from your phone and see if your rule is gone (and add it manually if you wish). Sometimes the firmware flushes the firewall and rebuilds it, but I don't know if the WireGuard server is stopped and started again; if so, it should be ok. If not, we need to put this in nat-start instead.
I feel like copy-pasting didn't work.

As I input this command: "nano /jffs/scripts/wgserver-start" in Putty it will open a new window.

I copy-pasted this:
#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.6.0.0/24 -o br0 -j MASQUERADE

into the window below, hit enter and press X to exit.


Repeated this for the wgserver-stop rule with its own command.

How can I input that code into the GNU nano 5.7 window and make it save correctly? I'm a real n00b when it comes to this stuff.

Also when inputting this command: "chmod +x /jffs/scripts/wgserver-start" to Putty the outcome is this:


And using this command: "iptables -nvL POSTROUTING-t nat" outcome is this:
 
Ctrl+X should ask you if you want to save the file (save modified buffer); press Y.
Then it asks for the filename, which should already be correct; press Enter. Now it should be saved and where it should be.
Thank you for your quick replies throughout the day. You have been a tremendous help. I will continue tomorrow and report back to this thread. No worries if my router restarts overnight, since now I know the fix for the WireGuard server to work correctly.
 
I am glad that @ZebMcKayhan got you a solution via a nat-start script. I was going to chime in earlier today to advise that your issue was Windows Firewall. I was busy with family and could not get a moment to sit down. It is standard for Windows Firewall to block any inbound address outside of the subnet that it is connected to.

@ZebMcKayhan's solution, I think, is more useful in the long run, as you would have to add rules to every Windows machine otherwise.
 
Ctrl+X should ask you if you want to save the file (save modified buffer); press Y.
Then it asks for the filename, which should already be correct; press Enter. Now it should be saved and where it should be.
That definitely worked. Using Ctrl+X I was able to save the modified buffer and just hit Enter to save it with the correct name. Thank you so much!

I am glad that @ZebMcKayhan got you a solution via a nat-start script. I was going to chime in earlier today to advise that your issue was Windows Firewall. I was busy with family and could not get a moment to sit down. It is standard for Windows Firewall to block any inbound address outside of the subnet that it is connected to.

@ZebMcKayhan's solution, I think, is more useful in the long run, as you would have to add rules to every Windows machine otherwise.
That came to my mind too since I was able to connect to my Nvidia Shield with no problems.
 
Soft reboot done and all connections working. Also made a new client config for girlfriend and it worked like a charm! Big thanks to @ZebMcKayhan for all the help. I will change thread to solved now.
 
@ZebMcKayhan's solution, I think, is more useful in the long run, as you would have to add rules to every Windows machine otherwise.
Yea, I initially thought we'd just test to see if this really is the problem. If it was just an issue with his NAS I would recommend finding a solution on the NAS instead. But as there are Windows machines involved, this might be his best practical chance.

Changing the LAN netmask to expand his LAN range to, i.e., /22 and putting the WireGuard server IP range within this LAN range may be another solution. But I'm not sure this works for Windows clients.
 
I missed a space between POSTROUTING and -t (typing on my phone usually causes this), sorry. I corrected my post above for future reference.
I went ahead and tried that command "iptables -nvL POSTROUTING -t nat" and it worked correctly. Outcome is as it should be. Wireguard server on the top of the list. Thank you for correcting it.

 
Make it apply when your wg server starts:

Code:
nano /jffs/scripts/wgserver-start

Populate with:
Code:
#!/bin/sh
iptables -t nat -I POSTROUTING -s 10.6.0.0/24 -o br0 -j MASQUERADE
Save & exit.

And remove the rule when server stops:
Code:
nano /jffs/scripts/wgserver-stop

Populate with:
Code:
#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.6.0.0/24 -o br0 -j MASQUERADE
Save & exit.

Make them executable:
Code:
chmod +x /jffs/scripts/wgserver-start
chmod +x /jffs/scripts/wgserver-stop

I hope this is enough for it to be persistent in the firewall, but if you experience issues after, i.e., a WAN reset, then something may be needed in nat-start.
So listen man, you fixed my problem as well. I had to register to thank you for taking time to add to the internet in this way.
 
So listen man, you fixed my problem as well. I had to register to thank you for taking time to add to the internet in this way.
Glad it worked for you; however, this rule is like a last resort, as it puts extra CPU strain on the router, so it may limit your throughput. It also makes you lose the ability to see which WG client is connected and doing what on your LAN. Ideally this issue should be solved on the client.
 
Glad it worked for you; however, this rule is like a last resort, as it puts extra CPU strain on the router, so it may limit your throughput. It also makes you lose the ability to see which WG client is connected and doing what on your LAN. Ideally this issue should be solved on the client.
Hearing that, I will take a look at my client (vanilla Ubuntu 22.04 server w/o ufw) and try to figure out what the issue is.
 
I don't know much about how WireGuard manages IP addresses, but I think the key point is adding the WireGuard host net address to the IPs allowed for your smartphone client. In my picture, I'm giving my client access to the subnet 192.168.1.0/24, which is the subnet to which my WireGuard server belongs.

I'm afraid I can't help you much more.

Regards.

Edit: The picture with the data config for my client has been taken by accessing this same client config, as you can see in the following picture:

I'm using an iPad and found your solution (adding 192.168.1.0/24) gave me access to my local network via WG, which is great. There's one odd exception...

Currently I'm away from home, and the IP of the router/gateway happens to be the same as mine, 192.168.1.1. Connected to home via WG, if I put this IP into my browser I get the local router page, not my home router's gui.

BTW, the same behaviour applies using the Asus OpenVPN and IPSec servers.

iPadOS / iOS seems to exclude the local gateway IP from the tunnel. I don't know how to overcome that.

Meanwhile, zero issue with WG, OpenVPN or IPSec connections from my Samsung phone - the GUI and local network are all accessible.

Has anyone experienced this with Apple devices and found a way around it? Thanks in advance!
 
You should stay away from making your home subnet a popular 1.1 or 0.1. No easy way around this. Suggest you change your home subnet to a more obscure 192.168.x.x or use a 10.x.x.x subnet.
 
You should stay away from making your home subnet a popular 1.1 or 0.1. No easy way around this. Suggest you change your home subnet to a more obscure 192.168.x.x or use a 10.x.x.x subnet.
Thanks, if I chose a 10.x.x.x subnet, would it be as easy as pasting it in the LAN IP page? Would my DHCP server and reservations fall into line?

 