Solved OpenVPN Works via LTE and Wifi but Wireguard only works via LTE on 388.1?

[jksmurf]

Additional files

 

[elorimer]

It isn't really complicated. TL;DR:

1. Lots of routers use 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24. A lot of cable modems use 192.168.100.1. GL-iNet routers use 192.168.8.0/24. Some Asus routers default to use 192.168.50.0/24, and that seems fine. If you have other networks in your mix, you might use 10, 20, 30, etc to be easy to remember. I don't think there is any value in being really obscure. Just avoid 0, 1 and 2.
2. Set the Lan address of the router as .1.
3. Here we get into some personal idiosyncracies. I think every device should pull a DHCP address from the router. I haven't found a device that can't work this way (except pixelserv), so I don't think a static IP address should be set on the device. Instead, for every device I want to be on a constant IP address, I reserve that address in the manual listing, so it always gets that address and DHCP never hands out that address to a different address. In fact, I try to reserve an address for every device with a hostname and icon, and I organize devices by type just for mnemonic purposes. (What is the address of the printer? It has to be something 192.168.50.13x.) Set the DHCP range as from something more than .5 or so to .254, so you leave room for devices that might need to be statically assigned in the device itself. I use .100. But addresses in the manual list aren't limited to the DHCP range. It just means the DHCP server won't randomly give out an address outside the range.
4. If you have a lot of devices, think about YazDHCP to give room for a lot or reservations. If you move from .1 to .50 as your address scheme, you can also export your existing manual assignments, edit the list in bulk, and import it back in.
5. The only time I set a particular address in a laptop itself is when I'm setting up a particular device, like a uboot upload to an Openwrt router, or I've reverted a device, like a router, to factory defaults and need to bring it into the fold.

 

[jksmurf]

Thanks @elorimer, much appreciated, will try and find a suitable (family) time to make the change. Will probably go for 192.168.10.1 etc - pretty simple to search / replace “.1.” to “.10.” in the saved DHCP Manual reservation files.

 

[chongnt]

I try to use iptable to log WG packets at router end. In working scenario, the apps sent packet will be received at router; and packet sent by router will show as received in the apps.

Not sure how helpful will be for your case. Hopefully it gives more visibility of what is going on at the router end. If you are ok with ssh into your router and try it. I only test it in my environment. Here I use port 51820, you may change it accordingly to wg server listening port.
To apply the rule:

iptables -t raw -A PREROUTING -p udp -m udp --dport 51820 -m u32 --u32 "0>>22&0x3C@4>>16=0x009C && 0>>22&0x3C@8=0x01000000" -j LOG --log-prefix "[Rx WG Handshake Initiation] " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -t raw -A OUTPUT -p udp -m udp --sport 51820 -m u32 --u32 "0>>22&0x3C@4>>16=0x0064 && 0>>22&0x3C@8=0x02000000" -j LOG --log-prefix "[Tx WG Handshake Response]   " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -t raw -A PREROUTING -p udp -m udp --dport 51820 -m u32 --u32 "0>>22&0x3C@4>>16=0x0028 && 0>>22&0x3C@8=0x04000000" -j LOG --log-prefix "[Rx WG Keepalive]            " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -t raw -A OUTPUT -p udp -m udp --sport 51820 -m u32 --u32 "0>>22&0x3C@4>>16=0x0028 && 0>>22&0x3C@8=0x04000000" -j LOG --log-prefix "[Tx WG Keepalive]            " --log-tcp-sequence --log-tcp-options --log-ip-options

To check the log,

 cat -f /tmp/syslog.log | grep WG

To remove the rule:

iptables -t raw -D PREROUTING -p udp -m udp --dport 51820 -m u32 --u32 "0>>22&0x3C@4>>16=0x009C && 0>>22&0x3C@8=0x01000000" -j LOG --log-prefix "[Rx WG Handshake Initiation] " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -t raw -D OUTPUT -p udp -m udp --sport 51820 -m u32 --u32 "0>>22&0x3C@4>>16=0x0064 && 0>>22&0x3C@8=0x02000000" -j LOG --log-prefix "[Tx WG Handshake Response]   " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -t raw -D PREROUTING -p udp -m udp --dport 51820 -m u32 --u32 "0>>22&0x3C@4>>16=0x0028 && 0>>22&0x3C@8=0x04000000" -j LOG --log-prefix "[Rx WG Keepalive]            " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -t raw -D OUTPUT -p udp -m udp --sport 51820 -m u32 --u32 "0>>22&0x3C@4>>16=0x0028 && 0>>22&0x3C@8=0x04000000" -j LOG --log-prefix "[Tx WG Keepalive]            " --log-tcp-sequence --log-tcp-options --log-ip-options

Update rule for Keepalive message.
Edit again to use less rules.

 

[jksmurf]

Not sure how helpful will be for your case. Hopefully it gives more visibility of what is going on at the router end. If you are ok with ssh into your router and try it. I only test it in my environment. Here I use port 51820, you may change it accordingly

Thank you once again, chongnt, I have indeed ssh into my router before (to install Diversion) but I will need some time to get my head around all this for sure, very steep learning curve for me.

cheers

k.

 

[jksmurf]

Thanks @elorimer, much appreciated, will try and find a suitable (family) time to make the change. Will probably go for 192.168.10.1 etc - pretty simple to search / replace “.1.” to “.10.” in the saved DHCP Manual reservation files.

Was just reading a number of posts about various 192.168.xxx.yyy ranges and came across your @elorimer post https://www.snbforums.com/threads/conflict-with-vpn-server-settings-message.62452/ regarding a gremlin when using 192.168.10.yyy (due to a reserved set of ranges for PPTN from 192.168.10.2 to 11. Might change to 20 or 50 then as whilst I could change that range, I might forget it when doing any hard resets.

 

[eastavin]

Just a comment that your not alone. I have a rt-ax86. There are quite a few places around here with hotspots that are blocking openVPN connections. So when wireguard came along I was thrilled to give it a go.

I find the Asus Wireguard can connect in places where openVPN is being blocked but not all. The strangest unsuccessful example I have stumbled across is our local municipal offices. They offer hotspot service that passes Asus openVPN if you use the default openVPN server settings on your router but not if you modify them with anything other than a different port. On the other hand it is blocking the Asus Wireguard with default settings.

While I was still at the municipality office - for comparison I used the free ProtonVPN Wireguard client and immediately got a connection to a server in the USA.

So the mystery I have now is how is the Asus Wireguard different from the free ProtonVPN Wireguard? Maybe this would yield a clue how to improve my Asus Wireguard?

 

[egc]

Port number?

Like you said hotspot are often actively blocking VPN or only allowing well known ports. If the latter you can try using port 443 for WireGuard/OpenVPN.

 

[jksmurf]

Port number?

Like you said hotspot are often actively blocking VPN or only allowing well known ports. If the latter you can try using port 443 for WireGuard/OpenVPN.

Hi, thanks for your note, was out of town on holiday with poor wifi so didn't really do much checking of snbforums. Per post #8 " I did try changing the Port to 53" but that one didn't help. I guess big Wifi Hotspot IT Managers could be blocking known ports.

I will (per post #26), probably sometime in the next week or so, try changing my IP Ranges away from 192.168.1.XXX to192.168.50.XXX etc.

k.

 

[Jeffrey Young]

I am currently using wireguard as I find it very easy to setup and maintain. That said, I have found while in certain hotels, I can make a wireguard connection, traffic passes, yet the connection is so troublesome that the simplest chores are imposable.

Recently, I read an article that suggested that networks (say a hotel network) that does deep packet inspections on UDP traffic will mess up the wireguard traffic. I wish I had saved the link to the article.

Also as mentioned by @egc mentioned, some ISP equipment block all ports except well known ports. I ran into this issue recently with Cocego here in Ontario when I tried to point to a nextcloud server that was on a port other than 443. Spent an hour trying to troubleshoot until I found out that Cogeco's home routers block all non standard outgoing ports by default.

To that end, I plan on using wireguard for site to site connections, but I am migrating back to an OpenVPN server (using Softether VPN to avoid the two max client restriction of the official OpenVPN server) for my clients that need to connect to my network.

 

[jksmurf]

@elorimer wrote Nevertheless, having the home network be 192.168.1.0/24 is certain to cause a problem sometime for VPN

I thought I better update this issue as I am happy to say "I believe" it is solved.
I can access my Router WebAdmin and the Asus App; but not the internet.
Apologies for the delay, took some time getting into it.

1. First off I never tried 192.168.1.0/24 in the Allowed IPs (Client) settings in the Peers "More Settings for Site to Site Usage" section but taking on board @elorimer comment above I changed my network from 192.168.1.x to 192.168.9.x [with 192.168.9.1 as gateway].
2. That alone did not help with the stock 0.0.0.0/0 in the "Allowed IPs" field originally; no go.
3. I even tried both 0.0.0.0/0, ::/0 and 0.0.0.0/0, ::0/0, which I read somewhere realted to IPv6; no go.
4. I also tried disabling IPv6 completely in my Router's settings; no go.
5. I also tried changing the port to 563 as I read somewhere some ISPs block ports above 1023; no go, back to stock 51820.
6. I then mistakenly tried 192.168.9.0/32; no go (I believe for the reasons in "Network Addressing" picture below).
7. So finally I put in 192.168.9.0/24; and it worked to get to the Router WebAdmin Page, so that was a start. All other items stock I believe.
8. I still had issues getting Internet Access over the WG connection; but ASUS "Export the WG Profile" in the ASUS WebAdmin has a warning for iOS users, see below for how I fixed this.

I am not sure if this is all correct but it worked!
I still do not quite understand why it always worked on LTE but not on the specific Wifi I was having issues with, but as long as it works I am OK.

I attach some screen shots of my settings <added in bold>.

[Interface]
PrivateKey = <SNIPPED>
Address = 10.6.0.4/32
DNS = 10.6.0.1, 1.1.1.1

[Peer]
PublicKey = <SNIPPED>
AllowedIPs = 192.168.9.0/24
Endpoint = <SNIPPED>.asuscomm.com:51820
PersistentKeepalive = 25

For item 8 regarding this message: "For iOS users, you must assign a specific DNS server to WireGuard app before accessing the internet through WireGuard Server"; currently "DNS servers" on the iOS WG App the DNS shows 10.6.0.1 by default.

So to address this I added the Cloudflare DNS Server 1.1.1.1 to the WG Settings on the iOS Client (in the iPhone App), so it looks like this: 10.6.0.1, 1.1.1.1. That seems to work. See screenshot.

[EDIT] I am not sure I really needed this line "DNS = 10.6.0.1, 1.1.1.1". A router setup from scratch had me inputting this all again and it worked fine with just the AllowedIPs = 192.168.9.0/24 line.