Solved Wireguard Server not allowing access to Intranet even though selected

[skeal]

I have set up a Wireguard server on my AX88U. I selected the "Access Intranet" switch to on. I do not have intranet access, however. No router webui, nothing at all. Is there a temporary fix that can be used until Asus straightens this issue out? Like IP Tables or something, this is way above my paygrade. I have access to ssh and can follw instructions pretty well. Can anyone help, please?

 

[octopus]

I have set up a Wireguard server on my AX88U. I selected the "Access Intranet" switch to on. I do not have intranet access, however. No router webui, nothing at all. Is there a temporary fix that can be used until Asus straightens this issue out? Like IP Tables or something, this is way above my paygrade. I have access to ssh and can follw instructions pretty well. Can anyone help, please?

Try to setup VPN director rule, modify to fit you needs. (I hope I understand you right)

​

LAN-wireguard

192.168.50.0/24

10.6.0.0/28

WAN

 

[RMerlin]

I have set up a Wireguard server on my AX88U. I selected the "Access Intranet" switch to on. I do not have intranet access, however. No router webui, nothing at all. Is there a temporary fix that can be used until Asus straightens this issue out?

I tested it a week or two ago, and it was working fine for me. Check your client firewalls.

 

[skeal]

I tested it a week or two ago, and it was working fine for me. Check your client firewalls.

The firewall on my Galaxy S21 5G ultra? That's the device I'm using.

 

[RMerlin]

The firewall on my Galaxy S21 5G ultra? That's the device I'm using.

No, the firewall on the device you are trying to reach. Most devices will reject connections coming from a different subnet unless you reconfigure their firewall to allow them.

 

[skeal]

No, the firewall on the device you are trying to reach. Most devices will reject connections coming from a different subnet unless you reconfigure their firewall to allow them.

Sorry, but how is that done on the AX88U? I'm not familiar with the process. Why doesn't OVPN require this process? I'm connecting my Cell phone to my Wireguard Server on my AX88U.

I looked at the inbound firewall rules section of the router webui and can't figure it out. It asks for LAN IP and port range. I'm unsure what to put in there. My cell connects to my server with a 10.6.0.0/32 address. I don't know the port number though.

 

[RMerlin]

Why doesn't OVPN require this process?

It also does. Quite frequently there are people asking here, and the issue is the firewall on their NAS/Server/etc... that need to be configured to allow the remote client's IP range.

I looked at the inbound firewall rules section of the router webui

Not the firewall of your router:

the firewall on the device you are trying to reach.

 

[skeal]

It also does. Quite frequently there are people asking here, and the issue is the firewall on their NAS/Server/etc... that need to be configured to allow the remote client's IP range.


Not the firewall of your router:

Okay, the device I'm trying to reach is the AX88U webui (the router with the Wireguard server on it) from my cell phone (with the Wireguard client app installed on it and configured and working). The purpose is to access the AX88U webui while not at home. I keep getting the mobile Chrome error: ERR_CONNECTION_REFUSED, in spite of the fact I'm connected to the server, and can surf to other sites while protected by the VPN. What devices firewall do I need to manipulate in this two device scenario? Again do I configure the AX88U's firewall? If so how? Sorry, I am confused by your answer.

 

[skeal]

I got it to work finally. I enabled the inbound firewall rules on my AX88U Wireguard server, and created a rule using the IP of the client given by the server, and the port it uses to connect. I also selected UDP protocol, (Wireguard's default). I now have working access.

 

[skeal]

Not the firewall of your router:

I was confused by this comment. As that's exactly what fixed it. Sorry if I confused you.

 

[octopus]

I got it to work finally. I enabled the inbound firewall rules on my AX88U Wireguard server, and created a rule using the IP of the client given by the server, and the port it uses to connect. I also selected UDP protocol, (Wireguard's default). I now have working access.

Wasn't that i showed you in post 2?

 

[skeal]

Wasn't that i showed you in post 2?

No, it wasn't a VPN Director rule that solved it. It was an IPV4 inbound firewall rule. It called for the IP the server gives the client. Not a LAN IP like 192.168.50.1 rather, in the range of 10.xx.xx.xx. It also needs to specify a port, and the protocol, (TCP/UDP). So no, VPN Director didn't fix it.

 

[jksmurf]

No, it wasn't a VPN Director rule that solved it. It was an IPV4 inbound firewall rule. It called for the IP the server gives the client. Not a LAN IP like 192.168.50.1 rather, in the range of 10.xx.xx.xx. It also needs to specify a port, and the protocol, (TCP/UDP). So no, VPN Director didn't fix it.

I might have a similar issue as described here.

Do you have a screenshot of that rule please, that I can try? (rub out anything sensitive first).
The ASUS FAQ directions for setting up simple WG connectiuons do nto really talk about firewalls on the server, that I can make out.

 

[elgreco29]

Yes, a screenshot would be great. Thanks in advance.

 

[skeal]

Here is screen shot of my firewall page.





In the above image: When you configured your VPN Server you setup the IP range for connected clients. Grab the IP of the connected client, (usually the first IP in the range, you can locate the range used in the VPN server settings). Find out from the Server configuration what port the client will be connecting on and what protocol, TCP or UDP. The IP to insert her is the IP that the VPN server gives to the connecting client, it is not the IP your router's network assigns the device you want to allow through. So you have the requirements to fill out the firewall Inbound Firewall Rules, IP, Port and Protocol.

 

[elgreco29]

Here is what i found on the wireguard vpn-server page:
Tunnel IPv4/6: 10.6.0.1/32
Listen-Port: 51820

What should i write as a firewall rule?

 

[skeal]

Enable the firewall rules portion of the page. Put 10.6.0.1 in the IP field, then enter your port in the port field and select UDP. Hit apply and you're done.

 

[kamanwu]

Enable the firewall rules portion of the page. Put 10.6.0.1 in the IP field, then enter your port in the port field and select UDP. Hit apply and you're done.

I just did this. BUT still cannot access LAN.

 

[skeal]

The 10.6.0.1 is my setup by default and someone else's. You need to go to the VPN status page and look to see what your IP would be if you joined your own network. If not there, open wireguard and look at your configuration. I used the default setup but some put there own address pool into this configuration page. I'm not at my computer right now so I can't look but if you poke around d you'll find it. My address pool is 10.6.0.1/? Which is a huge IP pool. Some people set this to match their routers IP pool. This would be a mistake unless properly configured.

 

[kamanwu]

For some reason, exactly same configure,
when I setup on my mac book pro, it works (access LAN without any issue)
but when I setup on my win11 laptop, it does not work. (can visit google.com, but cannot visit my LAN)