WireGuard Server on RT-AC86U to access remote LAN devices

VPN_Newbie

New Around Here
Hello. After reading lots of posts and information, especially this and this, I have configured a semi-successful VPN server on my ASUS RT-AC86U router (Merlin 386.2_6).

This is my network scheme:
1.png


And this is what I want to achieve:
2.png


So, I want to connect from several clients to several devices on the LAN of the AC86U WireGuard server (but only the LAN, not the Internet). I have already done this via OpenVPN on this router and on another one, but I want to migrate to WireGuard. In fact, I have succeeded in doing that with a WireGuard server running on Windows 10, but I want to do this on the router for stability reasons (after every restart, I have to do random things in the Windows WireGuard server to make it work again).

Server config:
Code:
# RT-AC86U 'server' Peer #1 (wg21)
[Interface]
PrivateKey = *******
ListenPort = 37802



# Peer 1
[Peer]
PublicKey = *****
AllowedIPs = 192.168.100.0/24, 10.50.1.0/24
PresharedKey = *****
# Peer 1 End

Client 1 config:

Code:
[Interface]
PrivateKey = *****
Address = 10.50.1.2/32
MTU = 1300
PostUp = iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

[Peer]
PublicKey = ****
PresharedKey = ****
AllowedIPs = 192.168.100.0/24, 10.50.1.0/24
Endpoint = ****:37802

This is what I get when listing the peers (the peer corresponding to my Client 1):
3.png



The firewall is deactivated in the GUI of the router.
I haven't done anything yet related to routes, NAT or anything else, because I don't know what to do (PostUp and PostDown commands are not supported).
Currently, I am able to ping the LAN IP of the router (192.168.100.253) from my Client 1, but not any other device on this LAN... except a printer (192.168.100.4/24). I don't know why I'm able to ping only this device, and I don't know what I have to do to connect to the others.

Thank you.
 

I suggest you move this to the wireguard_manager support thread

 
I haven't personally played w/ *any* of the WG stuff on Merlin, so what I have to offer is purely speculative based solely on reading your post.

A common problem w/ OpenVPN is personal firewalls on target devices, esp. those running Windows. By default, Windows will NOT allow access from any other private network (like the one on the OpenVPN tunnel (e.g., 10.8.0.0/24)) except the one on which it is presently running (e.g., 192.168.1.0/24). I'm sure you'll find similar behavior on other target platforms as well. The fact that *some* devices on a given /24 network are accessible and not others strongly suggests it is indeed a firewall issue. It's one of the reasons we sometimes suggest that those using OpenVPN server might want to consider adding the following NAT rule to the nat-start script, so that it appears to all target devices that the client is the router itself (based on its LAN IP) rather than the remote OpenVPN client.

Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)

This avoids having to reconfigure firewalls individually on each and every target device.

Perhaps WG needs something similar.

Code:
iptables -t nat -I POSTROUTING -s 10.50.1.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
 
Hello, I have solved this issue, and can connect to devices on the LAN.

I created a nat-start script in /jffs/scripts/, with this content:
Code:
iptables -t nat -A POSTROUTING -s 10.50.1.0/24 -o br0 -j MASQUERADE

And changed permissions of the file with the command:
Code:
chmod 777 nat-start

After that, I rebooted the router and magic happened.


I am facing some issues with the download and upload speed. Taking a file from the LAN (NAS) to my remote client (PC) is successful (approx. 50 MB/s, 90-95% of ISP speed), but sending a file to the LAN (NAS) is much slower (17-18 MB/s). I have changed the MTU sizes on server and client, and can't find the solution to this...
 
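The nat-start approach from the two replies above, written out as an added example; it is not the poster's script and not wireguard_manager's own code. It assumes the names used in this thread (server interface wg21, tunnel subnet 10.50.1.0/24, LAN bridge br0, all overridable through the environment) and adds two things the posted one-liner lacks: an existence check so that re-running the script does not stack duplicate rules, and a FORWARD rule that enforces the stated "LAN only, not Internet" intent. That second rule is an assumption about the desired policy, and it also blocks traffic between tunnel clients, since that would leave via wg21 rather than br0.

```shell
#!/bin/sh
# /jffs/scripts/nat-start  (added example, not the poster's script)
# Assumptions taken from the thread: wireguard_manager server interface wg21,
# tunnel subnet 10.50.1.0/24, LAN bridge br0. Override via environment if needed.
WG_IF="${WG_IF:-wg21}"
WG_SUBNET="${WG_SUBNET:-10.50.1.0/24}"
LAN_IF="${LAN_IF:-br0}"
IPT="${IPT:-iptables}"      # point this at a stub function to dry-run

# Insert a rule only if an identical one is not already present.
# "-C" exits 0 when the rule exists. nat-start is called again every time the
# NAT table is rebuilt, and without this check the chain fills with duplicates.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0            # already there, nothing to do
    fi
    "$IPT" -t "$table" -I "$chain" "$@"
}

# Rule 1: source-NAT tunnel clients to the router's LAN address, so hosts whose
# firewall only admits the local subnet see the router (192.168.100.253 in the
# thread) instead of 10.50.1.x. MASQUERADE picks the outgoing interface address.
apply_nat() {
    ensure_rule nat POSTROUTING -s "$WG_SUBNET" -o "$LAN_IF" -j MASQUERADE
}

# Rule 2 (assumption matching the "LAN only, not Internet" requirement): drop
# anything arriving from the tunnel that is not headed for the LAN bridge.
# Replies to LAN-initiated traffic are unaffected because they leave via br0.
apply_lan_only() {
    ensure_rule filter FORWARD -i "$WG_IF" ! -o "$LAN_IF" -j DROP
}

# Only apply when invoked as the nat-start hook; sourcing the file for a
# dry-run or a test defines the functions without touching the router.
case "${0##*/}" in
    nat-start) apply_nat; apply_lan_only ;;
esac
```

Save it as /jffs/scripts/nat-start, make it executable with `chmod 755` (777 also works, but it gives every local user write access to a script the firewall runs as root), then `service restart_firewall` or reboot. To see which rules would be inserted without touching the router, set IPT to a shell function that just echoes its arguments and returns 1 for the `-C` probe.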
File copy to a NAS is generally in that range. Look at the NASPT tests for file copy on this site. May be a buffering issue or the SMB protocol.
Try running iperf between the two nodes in both directions. You will likely need to use the multi-stream flag to saturate the link.

Run the same iperf command line while connected directly to the LAN that the NAS is on. How do the results, in each direction, compare?
 
It's a bit strange...

Running Iperf with this command
Code:
iperf3 -c 192.168.100.7 -f M -P 20 -n 500M
(adding -R to test the other direction), I get 24.1 MB/s sending to the server (more than copying files to the NAS) and 34.2 MB/s sending from the server (less than copying from the NAS).

Maybe I'm doing something wrong with Iperf, I don't know...
 
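The measurement the previous reply asks for, as an added example that is not part of the thread: run iperf3 through the tunnel in both directions, repeat from a host on the NAS's LAN, and compare. It assumes `iperf3 -s` is listening on the NAS at 192.168.100.7 (the address used in the post above) and that the 20-stream, 500 MB run from that post is the baseline; both are parameters. The parsing function handles the multi-stream case, where iperf3 prints one `receiver` line per stream before the `[SUM]` aggregate.

```shell
#!/bin/sh
# Added example (not from the thread): two-way iperf3 measurement plus a
# LAN-baseline comparison. Assumes "iperf3 -s" on the NAS (192.168.100.7).
HOST="${HOST:-192.168.100.7}"
STREAMS="${STREAMS:-20}"
BYTES="${BYTES:-500M}"

# Extract the receiver-side throughput from iperf3's human-readable summary.
# With -P > 1 iperf3 prints a "receiver" line per stream and then a "[SUM]"
# line; keeping the LAST match returns the aggregate for multi-stream runs and
# the single-stream figure when -P is 1. Prints just the number (MBytes/sec).
receiver_rate() {
    awk '/receiver/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /Bytes\/sec$/) rate = $(i - 1)
         }
         END { if (rate != "") print rate }'
}

# Run one measurement. $2 is "-R" (server sends, i.e. download from the NAS)
# or empty (client sends, i.e. upload to the NAS); left unquoted on purpose
# so an empty value adds no argument. -f M reports MBytes/sec.
measure() {
    iperf3 -c "$1" -f M -P "$STREAMS" -n "$BYTES" $2 2>/dev/null | receiver_rate
}

# Percentage of a baseline rate achieved, rounded to the nearest integer.
# Run the same command from a LAN host first and use that as the baseline;
# a direction that lands far below the other points at the tunnel, not SMB.
percent_of() {
    awk -v got="$1" -v base="$2" \
        'BEGIN { if (base > 0) printf "%d\n", (100 * got / base) + 0.5 }'
}

# Usage: sh wg-bench.sh run [baseline_up_MBps baseline_down_MBps]
if [ "${1:-}" = "run" ]; then
    up=$(measure "$HOST" "")
    down=$(measure "$HOST" "-R")
    echo "client->NAS: ${up:-?} MB/s   NAS->client: ${down:-?} MB/s"
    if [ -n "${2:-}" ] && [ -n "${3:-}" ]; then
        echo "vs LAN baseline: up $(percent_of "$up" "$2")%, down $(percent_of "$down" "$3")%"
    fi
fi
```

Run it once from the remote client over the tunnel, then once from a machine on the NAS's LAN, and feed the LAN numbers back in as the baseline. The interesting output is not the absolute figure but whether one direction falls much further below its LAN baseline than the other.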