Creating a VPN network using VPS and RT-AX68U

[postoronnim-v]

Please tell me, is it possible to create such a network so that the end device connects to the RT-AX68U router (has a public static IP address) and gains access to the Internet through a VPS server?

 

[ZebMcKayhan]

Please tell me, is it possible to create such a network so that the end device connects to the RT-AX68U router (has a public static IP address) and gains access to the Internet through a VPS server?View attachment 56321

Sure, If you just want internet via the VPS it's quite easy.

I used a VPS (which has a static public ip) to gain access to my lan as I'm behind cgnat. Setup process is explained here: https://github.com/ZebMcKayhan/Wire...ov-file#setup-private-server-via-cloud-server
(Scroll down to "Setup Cloud Server" for the interesting part)

I later migrated to build in Wireguard: https://www.snbforums.com/threads/wireguard-server-tweaks.85758/post-852124

In your case you just create a server peer on the vps, create the client config and import into your router.

 

[postoronnim-v]

In your case you just create a server peer on the vps, create the client config and import into your router.

Thank you for your time. Perhaps I don't understand you completely. I used WireGuard VPN installer for Linux servers on my VPS. I configured a VPN client on the router and now I can connect the router’s clients to the Internet of the VPS server. But I need the client to be able to connect to the router through a public IP address, which the router receives from the provider. That is, the server must also be configured on the router. I apologize if I mislead you, but I am far from programming.

 

[ZebMcKayhan]

Thank you for your time. Perhaps I don't understand you completely. I used WireGuard VPN installer for Linux servers on my VPS. I configured a VPN client on the router and now I can connect the router’s clients to the Internet of the VPS server. But I need the client to be able to connect to the router through a public IP address, which the router receives from the provider. That is, the server must also be configured on the router. I apologize if I mislead you, but I am far from programming.

Alright, then you setup a server on your router as well (vpn->vpn server) and if you don't have a static IP you will need a ddns.

Then use vpn director if needed to create rules for router server clients to access internet via client connecting to vps

 

[postoronnim-v]

Thanks again for answering. Now I have these questions:
What address should be specified in the Tunnel IPv4 column? Or leave the default value?

Will there be a conflict with the VPS server address? And then how to correctly connect these networks using the router settings?
My VPS server settings are:

 

[ZebMcKayhan]

What address should be specified in the Tunnel IPv4 column? Or leave the default value?

Default will be fine.

Will there be a conflict with the VPS server address?

No as it doesn't overlap ip.

And then how to correctly connect these networks using the router settings?

You need to click the + sign by the VPN client, just above "No Data in table" to create a client config to your router server. Then you have the option to either download a config file or scan a qr code to transfer to your client device.

 

[postoronnim-v]

I set up a server on the router. I can connect from another device to the router. But how can I now connect to the VPS server through the router server?

 

[ZebMcKayhan]

I set up a server on the router. I can connect from another device to the router. But how can I now connect to the VPS server through the router server?

Create a rule in vpn director, like this:
Local IP: 10.6.0.0/24 (all server clients)
Remote IP: leave blank
IFACE: wgc1 (whatever used for wg-> vps).

 

[postoronnim-v]

Thanks a lot. Thanks to your help, I was able to set up the network.

 

[ZebMcKayhan]

Thanks a lot. Thanks to your help, I was able to set up the network.

Just a curious question, why don't you let your clients connect directly to the vps instead of going through your router if you only need internet through the vps?

 

[postoronnim-v]

Just a curious question, why don't you let your clients connect directly to the vps instead of going through your router if you only need internet through the vps?

I am in a country (Russia) that has recently introduced Internet censorship. Recently, all Internet providers began to block most VPN protocols (L2TP, IPsec, PPTP, OpenVPN, WireGuard) if the connection is established with an IP located outside the country. Everything works inside the country. But I was able to establish a connection to my VPS located outside the country. This connection is stable unless broken. It is also important that the connection is from one IP (otherwise the VPS IP will be blocked). Therefore, I made a decision: establish and maintain a connection with my VPS, and connect devices using normal protocols, connecting to my router.

 

[ZebMcKayhan]

I am in a country (Russia) that has recently introduced Internet censorship. Recently, all Internet providers began to block most VPN protocols (L2TP, IPsec, PPTP, OpenVPN, WireGuard) if the connection is established with an IP located outside the country. Everything works inside the country. But I was able to establish a connection to my VPS located outside the country. This connection is stable unless broken. It is also important that the connection is from one IP (otherwise the VPS IP will be blocked). Therefore, I made a decision: establish and maintain a connection with my VPS, and connect devices using normal protocols, connecting to my router.

Thanks for the explanation and lets hope it keeps working for you!

 

[ZebMcKayhan]

I am in a country (Russia) that has recently introduced Internet censorship. Recently, all Internet providers began to block most VPN protocols (L2TP, IPsec, PPTP, OpenVPN, WireGuard) if the connection is established with an IP located outside the country. Everything works inside the country. But I was able to establish a connection to my VPS located outside the country. This connection is stable unless broken. It is also important that the connection is from one IP (otherwise the VPS IP will be blocked). Therefore, I made a decision: establish and maintain a connection with my VPS, and connect devices using normal protocols, connecting to my router.

Not sure that if it may help you in the future, but it would be possible to have the VPS initiate the connection to your router instead of the other way (some simple scripting required). You could still use the connection for internet. Maybe this would help get around your situation?

 

[postoronnim-v]

It would be interesting to try this. The idea is correct. Since the provider's DPIs are configured to search for outgoing connections from the user within the country. If the connection occurred “from the outside,” then there would definitely be no blocking. And I wouldn't have to send garbage packets for DPI to establish a VPN connection. But it all comes down to the fact that I am not a programmer. Could you help with this?

 

[ZebMcKayhan]

Could you help with this?

Sure, no programming really required but we will need to:
1. Add your router ip : port as endpoint to vps wireguard config.
2. Append ListenPort directive to router config, so it listens to this port.
3. Open the port in router firewall.

But a problem is that once the first change is made your connection will probably break until all changes are made. Nr 1 and 3 are fairly easy but Nr 2 may require some tinkering.

Sure I could help you if you are up to it.

 

[ZebMcKayhan]

For Nr 1

You will need to pick a port number that does not interfere with your router wg server. I don't know if you selected a custom port otherwise it will use port 51820. You may select pretty much any other port, like 51819.

Then ssh into your vps.
Switch to superuser:

sudo -su

You can get info about your current wg status by:

wg show

After Interface: there would be name identifying your connection. in my case it's VPS but likely something different for you.

Edit this config file:

nano /etc/wireguard/VPS.conf

Here there are 2 sections. In the INTERFACE section no changes are needed.
In the PEER section, there should only be one of these. If there are more than one you need to find the one with your router wg ip in AllowedIPs to know you are in the right section.
When you are in the right section, make an extra line and add:

Endpoint = <router public ipv4>:port

Where port is the port number you selected. It could look something like this:

Endpoint = 111.222.333.444:51819

Save the file with ctrl+x then press Y to save to current file.

In order for the changes to take effect you need to restart the peer.
But you may choose to wait also to not loose connection. I'm not 100% sure you will loose connection.

 

[ZebMcKayhan]

For Nr 3

On your router, you will need to allow ssh in the gui (from lan only) and also allow custom script execution.

Then ssh into your router and add a custom firewall rule:

nano /jffs/scripts/firewall-start

Populate the file with:

#!/bin/sh
iptables -I INPUT -p udp --dport 51819 -j ACCEPT

Change the port Nr to the one you selected in 1.

Save with ctrl+x then y.

Make the file executable:

chmod +x /jffs/scripts/firewall-start

The firewall needs to be restarted for this to come into affect, but instead you could just execute at the prompt:

iptables -I INPUT -p udp --dport 51819 -j ACCEPT

To get it added without restarting the firewall.

I need to think about how to do Nr 2 alittle.

 

[postoronnim-v]

I did everything as you wrote. How to check that everything is working? The

wg show

command on VPS produces the following result

 

[ZebMcKayhan]

I did everything as you wrote. How to check that everything is working? The

wg show

command on VPS produces the following result

Looking good!

There is one more thing. You need to tell wgc1 on your router to listen to your port. I'm hoping it would be as simple as:

wg set wgc1 listen-port 51819

If you execute this at the prompt it should just start to work. And if it works we need to make this command autostart.

You should be able to confirm the listen port by

wg show

on your router.

 

[postoronnim-v]

If you execute this at the prompt it should just start to work

I get this error:

If you run VPN - WireGuard Client before this, there is no error