HELP Please breakhead to get to work Wireguard

fanasus

Regular Contributor
Hello everyone,

- I have a “somewhat advanced” knowledge of the router, I understand English basically, and need a translator to help me understand most of the time.

- for some time now, I have been trying to make “Wireguard” work, either on NAS or directly from macOS, I have never been able to make it work! when I activate the “Wireguard client” configuration, it cuts me off from the Internet.

- now I discover that “Wireguard” is directly supported by “asuswrt merlin”!! oh what a miracle!! I thought, this is going to be simple..

but sorry, I don’t know why, but apparently despite the “Wireguard” connection telling me to be connected. by doing a “DNS leak” test, well there are leaks (so if I understand correctly, everything is not going well, while “Wireguard” is supposed to be connected).
- I admit that I spent a lot of time trying to activate this “Wireguard”, to read, to inquire! and now I’m really tired!! unblocking.

Here are some details about different settings I have:
- The Internet is in “bridge” “dhcp disabled” mode on the provider’s router (left on its original IP: 192.168.1.1).
- my asus router is the only home over IP router (192.168.1.200), with manual IP reservation for all my devices
- I registered a DDNS as well (because my IP is not fixed)

- in “local network”
“DHCP server” “configuration dns and server wins”, the fields are empty
“dns director” “enable dns director” is enabled and “global redirection” is on “router”
“user defined dns 1 2 3” are empty

- in “network extended” “internet connection” “configuration dns wan”, I chose the DNS service “quad9”



it seemed easy to understand:
- in “VPN” “VPN server” “wireguard vpn”, the server must be started and used to generate clients.

1) in its “general” tab I leave by default: “acces reseau local” yes; “tunnel ipv4” on (10.6.0.1/32); “port” (51820)
in its “advanced settings” tab: “allow DNS” yes; “pre-shared key” yes; “persistent keepalive” (25)


- so I generate a default client, and export the client config, and apply “all parameters” to save the changes.

2) then I go to “client VPN” “vpn-wireguard client”, then “import config” to load my client “1”, then I make “apply” to save the changes
concerning the “VPN Director rules related to this client” tab, you must specify a rule!
- I would like this customer “1” to be the one used to filter everything that has to go through the router from home
- and then create other clients for example a portable “PC” or other

Questions: I am confused about:
-“vpn director” replaces “vpn fusion”? who said that this avoided installing the “wireguard” software on a “PC” for example, which everything was managed directly from the router!?
- should a “port” be opened? on the Asus while the “wireguard” is integrated into it!?

Well, I hope you can help me, to finally make this “wireguard” work, it’s been months, that I’m struggling to understand why “wireguard” doesn’t want to work!!

thank you in advance (translated text Fr->En)
 
I'm sorry, but I'm struggling with understanding what you want to do. Are you setting up a server? Or a client? What is on the other end? Sounds like both, hence my confusion... perhaps you could just give us a bit more info about from where, to where you would like your Wireguard tunnel to work.

As you are behind an ISP router ("bridge"), have you checked that your ISP bridge forwards incoming packets to your Asus router? This would be necessary to get a server working on the Asus router. A client would work either way. Where is your NAT taking place and how would any incoming packet find its way to your Asus router 192.168.1.200?
 
hello,
- "Are you setting up a server? Or a client?" I finally want to be able to use wireguard (simply, thanks to asuswrt merlin), for the whole house, or connect from the outside safely if needed sometimes! that’s what I want. that’s all I can tell you (myself being in confusion, to get to use wireguard)
- "your isp bridge forwards incoming packets to your asus router?", no ! since my ASUS router is the router now, so the ISP router is in "bridge" mode without dhcp and nat (as with these settings, I have Internet)

Note: on my router ISP "bridge", I need to set it to "DHCP relay" mode? and indicate on "DHCP Relay Server Address" the IP of my ASUS router
 
finally want to be able to use wireguard (simply, thanks to asuswrt merlin), for the whole house, or connect from the outside safely if needed sometimes! that’s what I want. that’s all I can tell you (myself being in confusion, to get to use wireguard)
Ok, so both a client to connect to internet via VPN (which provider, by the way?) and a server to connect to your LAN from the outside.
Skip the server to start with, just try to set up your internet client. Assuming your config import turned out ok, how have you set up VPNDirector?

- "your isp bridge forwards incoming packets to your asus router?", no ! since my ASUS router is the router now, so the ISP router is in "bridge" mode without dhcp and nat
So, which device has the private IP 192.168.1.1? Is this the bridge IP? Or your router WAN IP? Since this is a private address there should be NAT elsewhere between your router and the internet. Or am I misunderstanding something?
 
So, which device has the private IP 192.168.1.1? Is this the bridge IP? Or your router WAN IP? Since this is a private address there should be NAT elsewhere between your router and the internet. Or am I misunderstanding something?
the provider's router with its original IP 192.168.1.1 and the ASUS with 192.168.1.200
[EDIT] on last post: "Note: on my router ISP "bridge", I need to set it to "DHCP relay" mode? and indicate on "DHCP Relay Server Address" the IP of my ASUS router". I have made this change, is it correct please !?

Ok, so both a client to connect to internet via VPN (which provider, by the way?) and a server to connect to your LAN from the outside.
your answer is correct (ah ok, I had not grasped this subtlety! I thought it was necessary to activate both)
Skip the server to start with, just try to set up your internet client. Assuming your config import turned out ok, how have you set up VPNDirector?
my 1st wireguard client is created, enabled in vpndirector, and I have added a "new rule" (without knowing if I did well), with as "iface", the option "WAN" without any other information

sorry for the response time, I continue to persevere, to control what I do, and to answer you correctly to your questions, thank you

* NB: why in the firewall "skynet" in "Top 10 Blocked Devices (Outbound)" the IP of my computer is indicated, I don't understand why !?
 
my 1st wireguard client is created, enabled in vpndirector, and I have added a "new rule" (without knowing if I did well), with as "iface", the option "WAN" without any other information
You normally don't need to put any rules for iface: wan. Delete that rule and instead make a rule for some PC on your LAN. Use its IP as "local ip", leave remote ip blank and set to use iface: wgc1. Now this computer will access internet through VPN. Correct?
For single IP you should ideally set this to reserved IP under DHCP so it doesn't change.

[EDIT] on last post: "Note: on my router ISP "bridge", I need to set it to "DHCP relay" mode? and indicate on "DHCP Relay Server Address" the IP of my ASUS router". I made this change, is it correct please
I actually don't know, I have never used this setup.
 
I have been running a WG server for over a year so maybe I can help, but I am having trouble understanding what you want so excuse me if my thoughts are not what you are looking for.

The WG server in the router is to connect to WG clients on devices not in your home, but on the open internet. You can put the WG app on your phones and import the settings from the WG server on the router and then you will connect back to your home router and home network when using your phones or laptops when on other networks (cell, free wifi etc).

You cannot use the WG server built into the router to connect to a commercial VPN service. You would use the WG Client settings instead in the router and enter the information the VPN provider supplies you.

So to sum up, WG server on router is for your mobile devices when not home, WG client on router is to connect your entire network to a VPN. Please note that you will take a speed hit either way when using WG. It's much faster than IPsec or OpenVPN but the CPU in the router cannot do full speed processing.
 
Forgot to add that your provider's modem/router must be in TRUE bridge mode. Double NAT will cause you nothing but headaches. The WG clients need to see the true IP address of the WAN port on the Asus. If the IP shown for the WAN port on the Asus settings page is not what you get when you Google "what is my IP Address" then the client has no way to connect. If it does not, then you will need to port forward on your modem to the Asus. You will need to forward port 51820 from the internet to the Asus.
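
The WAN-versus-public-IP check from the post above, as an added example that is not part of the original thread: it classifies the Asus WAN address and compares the Endpoint of an exported client config against the public address. The function names, the sample config and the 203.0.113.7 public address are constructed; treating 192.168.1.200 as the Asus WAN address is an assumption.

```python
import ipaddress

# Address space that is not routable on the public internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared space

def classify_wan(wan_ip, public_ip):
    """Compare the router's WAN address with the address seen from outside."""
    wan = ipaddress.ip_address(wan_ip)
    if wan == ipaddress.ip_address(public_ip):
        return "direct"        # true bridge mode: clients can reach the WAN port
    if any(wan in net for net in RFC1918):
        return "double-nat"    # the upstream modem/router is still doing NAT
    if wan in CGNAT:
        return "cgnat"         # NAT happens inside the ISP network
    return "mismatch"          # public WAN address that differs; check by hand

def parse_endpoint(conf_text):
    """Return (host, port) from the Endpoint line of a WireGuard client config."""
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "endpoint":
            host, _, port = value.strip().rpartition(":")
            return host.strip("[]"), int(port)
    raise ValueError("no Endpoint line in config")

def server_reachability(wan_ip, public_ip, conf_text):
    """List what has to change before outside clients can reach the WG server."""
    findings = []
    host, port = parse_endpoint(conf_text)
    state = classify_wan(wan_ip, public_ip)
    if state == "double-nat":
        findings.append(f"forward UDP {port} on the upstream device to {wan_ip}")
    elif state == "cgnat":
        findings.append("no inbound path: port forwarding at home cannot fix CGNAT")
    try:
        if ipaddress.ip_address(host) != ipaddress.ip_address(public_ip):
            findings.append(f"Endpoint {host} is not the public address {public_ip}")
    except ValueError:
        pass  # Endpoint is a hostname (e.g. DDNS); resolve it separately
    return findings

# Constructed sample: exported client config trimmed to the lines read here.
SAMPLE_CONF = """[Interface]
[Peer]
Endpoint = 192.168.1.200:51820
PersistentKeepalive = 25
"""
```

An empty list from `server_reachability` means the WAN address matches the public one and the config's Endpoint is either that address or a hostname that still has to be resolved and compared.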
 
You normally don't need to put any rules for iface: wan. Delete that rule and instead make a rule for some PC on your LAN. Use its IP as "local ip", leave remote ip blank and set to use iface: wgc1. Now this computer will access internet through VPN. Correct?
in "Iface", if I put a rule with the wireguard "1" client, and in IP my computer for example, when I run an internet search, it does not succeed! and when I delete it it is ok!
For single IP you should ideally set this to reserved IP under DHCP so it doesn't change.
in my original post, I specified it: "with manual IP reservation for all my devices"
 
in "Iface", if I put a rule with the wireguard "1" client, and in IP my computer for example, when I run an internet search, it does not succeed! and when I delete it it is ok!
You mean when the rule is there you lose internet? And when you remove the rule internet works but not via VPN?
If that is the case, your Wireguard peer is not working.
What if you take the same Wireguard config file that you imported on the router and import it on the Wireguard app on your Windows PC? Will it also lose internet connection? Android/iPhone app works for this testing as well.

Which is your VPN supplier? I have heard that some suppliers kill off some configs if they are not in use for only a couple of days. Perhaps you need to generate a new config from your supplier?
 