Prevent a loop caused by connecting to AX86U wireguard server?

  • Thread starter Deleted member 27741
Status
Not open for further replies.
Deleted member 27741

Guest
Hola amigos. I know it's been a long time since I rapped at ya. I have recently purchased and have been setting up an AX86U. Thanks for Magister, I have tackled the NTP redirect issue. I have another that I think could use some attention.

I have set up a wireguard server on the AX86U. The client has 0.0.0.0/0 with block untunneled traffic checked- the entire reason I use 0.0.0.0/0 actually- to guarantee all traffic is routed through the tunnel. This works great when connecting from another network.

However, when I am connected to the AX86U connecting to the wireguard server makes windows go bonkers in what I assume is a bad routing loop.

Is there a way to alter iptables or something else on the router to detect and avoid this loop?

It seems to me that most people use a local machine when setting up a vpn. In this case, connecting to wireguard while locally on the AX86U causes a loop that not only doesn't work, it makes windows nearly hang. I am guessing a lot of noobs like me get discouraged by this and give up trying to configure wireguard when it is really set up right. Well, I am finding out that windows RRAS service might be the cause of the hang... ah, windows.
 

As far as I know you should not be attempting to connect to the VPN server from inside your network, that will cause a loop like you say (and it won't actually encrypt anything out to the internet, only back to your LAN, which is pointless). You need to configure a VPN client on the router for inside to outside connectivity, or run a client on your PC.
 
Your input is appreciated.

I have found that stopping the RRAS service helps a lot with the windows hang/cpu usage and my firewall (malwarebytes windows firewall control) might have something to do with the severity of this issue in my case as well.

Adding 127.0.0.1/32 to the list of allowed ips on the peer helps but does not solve the issue- at least in terms of LAN/WAN access. Call me crazy but this kind of loopback detection is the kind of thing a modern vpn should have baked in IMHO. Especially considering this vpn is designed to be used as a service I am shocked wireguard has not had the foresight to eliminate this problem.
 

I guess they assume people wouldn't be connecting from the inside of their network to the outside of their network in order to connect back to the inside of their network. With 0.0.0.0/0 specified you are not excluding your LAN subnet and that's going to create a loop (even if you did exclude it, not sure what it would accomplish other than slowing your LAN speed to a fraction of what it should be).

Maybe if you gave more info on what you're trying to accomplish by doing this someone can give some ideas.

The VPN server in Asus is intended for remote access to your LAN from another site (outside to inside). The VPN client is for accessing remote sites from your LAN (inside to outside).
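
What "excluding your LAN subnet" from 0.0.0.0/0 looks like as an AllowedIPs list, plus a check for the on-LAN case described above. This is an added example, not code from any post in this thread; the LAN subnet and client addresses are constructed sample values and the function names are hypothetical.

```python
import ipaddress

def allowed_ips_excluding(excluded, base="0.0.0.0/0"):
    """CIDR list covering `base` minus every network in `excluded`."""
    remaining = [ipaddress.ip_network(base)]
    for raw in excluded:
        hole = ipaddress.ip_network(raw)
        kept = []
        for net in remaining:
            if hole.subnet_of(net):
                # Split net around the hole; yields nothing if they are equal.
                kept.extend(net.address_exclude(hole))
            elif not net.subnet_of(hole):
                kept.append(net)  # unrelated to the hole, keep as is
            # else: net lies entirely inside the hole and is dropped
        remaining = kept
    return [str(n) for n in sorted(remaining)]

def loop_risk(allowed_ips, client_addr, server_lan):
    """True when the client sits on the server's LAN and tunnels that LAN."""
    lan = ipaddress.ip_network(server_lan)
    on_lan = ipaddress.ip_address(client_addr) in lan
    tunneled = any(ipaddress.ip_network(a).overlaps(lan) for a in allowed_ips)
    return on_lan and tunneled

# Constructed sample values, not taken from the thread.
SERVER_LAN = "192.168.50.0/24"
SPLIT = allowed_ips_excluding([SERVER_LAN])

if __name__ == "__main__":
    print("AllowedIPs = " + ", ".join(SPLIT))
    print(loop_risk(["0.0.0.0/0"], "192.168.50.23", SERVER_LAN))
    print(loop_risk(SPLIT, "192.168.50.23", SERVER_LAN))
```

On the WireGuard Windows client, the "block untunneled traffic" option applies only when AllowedIPs contains a /0 entry, so a split list like this gives up that guarantee in exchange for leaving LAN traffic outside the tunnel.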
 
I used to really like this forum and its members were friendly and helpful. In hopes of continuing to enjoy snbforums, I have ignored a certain individual that has consistently fallen short of those ideals in this post of mine and the posts of others.
 
WireGuard doesn't have a problem with this. As long as the endpoint is reached it's going to work. What happens with the router when trying to hairpin UDP packets is hardly anything within WireGuard's control.

If you use ddns, try to add a host file entry pointing to router local service (assuming you are using router dnsmasq for dns lookup). If you use static ip, try to add a route.
 

Guess not so appreciated after all 😄 . Maybe someone needs to lower their ideals when seeking free advice, especially when all they do is ignore the suggestions of others and wait for some impossible exact answer they're looking for.
 
Thanks for your comments guys. I have figured out a workaround or two on my own.
 

I remember the days when forum members would post what they've figured out in hopes of helping someone in the future who may have a similar issue, rather than just asking for help and not making contributions.

Though moot in this case since nobody VPNs to their LAN from their LAN.
 
I will be leaving snb forums due to the fact that it has changed into a tech bro pissing contest. If others receive this kind of treatment, I think they should too. Letting forum members act the way certain individuals do consistently has destroyed this site. Sad to see it go, but I won't be a part of this douchebaggery. I would suggest the site admins get these dogs leashed but I'm pretty sure it's too late. The numbers are way down and anyone can see why. Sorry thiggins, this site used to be so good. :(
 

So the person resorting to personal attacks and namecalling for no reason is saying others are ruining this site? Stop stomping your feet for attention and just take your toys and go home then.
 
This was bizarre...

I guess I'm a realist. If plugging a wire between the positive and neutral of an outlet causes a fire and someone asks for a suggestion on how to prevent that, my simple answer is..... don't do that. Or at least, explain why you want to do that and let's find a way to have it not cause a fire. Apparently I'm supposed to say "aww you poor thing, how can I make your life better today?".

I have a sneaking suspicion OP is a second account of someone who has disagreed with me on something else and is just trying to make it seem like there is some sort of problem. They aren't going anywhere, account is still active and will probably go back to posting with their original one. The fact that their profile is locked and private is more evidence of that.

I also take some issue with someone asking for help, ignoring the suggestions, saying they found a way around it, but then not offering the information to help others in the future. That's the whole point of a forum like this, take a penny, leave a penny.

The joys of the internet.
 
Not sure what's the issue here. Connecting to VPN Server from LAN is simply wrong.
 