Proton Wireguard Client Question

ChitlinNoodleSoup

Occasional Visitor
I have an Asus RT-AX86U running version 388.2.2. I currently use Wireguard server on the router so that I can connect to my home network remotely. That's been working perfectly for months. I recently started using Proton VPN at home for privacy, and I'd like to configure my network such that remote devices connected via the Wireguard server running on my router get routed out the Proton Wireguard client also running on my router. I created the Wireguard client config for Proton VPN and added it to my router. It connects with no issue. I then created a rule in VPN Director to tell devices in the 10.6.0.1/32 subnet (devices connected to Wireguard server) to use Wireguard client 1. Remote traffic still routes through my home network, and I can see everything on my LAN, but my public IP still shows as the WAN IP from my ISP and not from the VPN. I've made sure to disconnect and reconnect to the VPN from my phone, and I've tried turning off / on the Wireguard client in the router.

Is what I'm trying to do even possible, or am I just missing a step somewhere? Thanks.
 
I then created a rule in VPN Director to tell devices in the 10.6.0.1/32 subnet (devices connected to Wireguard server) to use Wireguard client 1.
10.6.0.1/32 is not a subnet, it's a single IP (10.6.0.1 in fact, which is only your server peer IP). Use /24 instead to cover the entire 10.6.0.x subnet to also include connected clients' IPs.
 
Wow... I can't believe I overlooked that. It is working now. Thanks.
I just started playing with the free Proton VPN using the Wireguard config file for my RT-AX88U running v3004_388.8_2. Having the same issue as you. It shows connected but when checking online for IP address, it shows my ISP's assigned address and location. Currently I loaded the ASUS firmware and it works perfectly just by loading the file and no other settings changed. I'd like to switch back to Merlin's firmware but before I do that, can you send me a few screenshots of what changes you made to get it working? I don't have it loaded so can't look at it and I'm a novice when it comes to VPN's.

Thanks, PB
 
In Merlin fw, for WireGuard, you need to add rules in VPN Director for which parts of your LAN should use the VPN and which should not.

For reference, here are my rules:
[Attachment: Screenshot_20240904_000124_Samsung Internet.jpg]

It is likely that we don't have the same lan address, so you cannot simply copy my rules.

After you have imported your wg client and started it, making sure it starts properly, head into VPN -> VPN Director and click "Add new rule".

Now, if your LAN is set to use 192.168.50.x and you wish all LAN to use VPN, then your rule should be:
Local IP: 192.168.50.0/24
Remote IP: <leave blank>
Interface: WGC1
Description: LAN to vpn
Make sure enabled is checked and hit ok.

This rule is mostly enough, but to be on the safe side you should add another rule:
Local IP: 192.168.50.1
Remote IP: <leave blank>
Interface: WAN
Description: Router to Main
Make sure enabled is checked and hit ok.

Finally press Apply on VPN Director page which should save the rule and restart wireguard. It should then work.

If your LAN is not 192.168.50.x you will need to replace above with your LAN ip.
 
As @ZebMcKayhan indicates, you will need to create a Rule in VPN Director for the client or LAN. In my case it would only work if I used a specific LAN client IP address versus trying to use the whole LAN IP address range; 192.168.2.0/24 in my use case.

[Attachment: VPN Director.jpg]

In my use case trying to use the entire IP address range (192.168.2.0/24) causes LAN clients to be unable to resolve addresses. Likely due to using Pi-Hole and possibly DNS Director. Eventually at some point I will take a run at fixing that issue, but for now simply using the client IP address in the rule works.
 
Thank you and my LAN IP address is 192.168.1.1. I'm not using the SERVER so guessing I don't need to do anything with that, just the WG client. I'll try and fumble my way through all of this and hopefully it will work. When using the ASUS firmware and VPN was working fine, I found some of my devices on my home network didn't work properly. One of my TV's, a Sony, my ClearCaptions phone for hearing impaired, my DDNS forwarding didn't work, accessing my security cameras didn't work, so I ended up turning off the VPN with the ASUS firmware and flashed Merlin's firmware back. At the moment the VPN is not configured and those devices are working properly again.

Thanks again, PB
 
Thank you. If I understand, when you say client, you mean anything that's assigned an IP address? I have several PC's here, all with static IP's so if I only want the PC's to use the VPN, then add a rule for that IP? I have many devices on my home network, some of which weren't working properly when I had the VPN working with the ASUS firmware. I have flashed Merlin's firmware back but it's not currently configured yet.

Thanks, PB
 
I have several PC's here, all with static IP's so if I only want the PC's to use the VPN, then add a rule for that IP?
This is the best way to do it in my opinion. Don't make the rules I said before, you simply create a rule for each ip you would like to use the VPN. Nothing more, nothing less, it's that simple.
Any such rule could look like this:
Local IP: 192.168.1.201
Remote IP: <leave blank>
Interface: WGC1
Description: PC 1 to VPN

Repeat for the next computer you wish to use vpn.

This way you don't need to worry about the usual issues, like weird issues due to the router itself being on VPN, or DNS issues and similar. It should work the best.
 
If I understand, when you say client, you mean anything that's assigned an IP address?
Correct.
I have several PC's here, all with static IP's so if I only want the PC's to use the VPN, then add a rule for that IP?
Correct. You would create a separate Rule for each PC's IP address you want to use the VPN.
 
Thank you, that worked perfectly. The only issue is my DDNS service isn't forwarding when trying to remote in using VNC Server. I'm using an older version of VNC Server which isn't cloud based, so I need the DDNS to work. My other PC that's running here which I haven't made a rule for yet, I can access it remotely using VNC Server no problem. Chrome Remote Desktop works on the one that has the VPN rule. Not being able to use VNC Server isn't a deal breaker since Chrome Remote Desktop works with the VPN.

Thanks, PB
 
Great! Yea it's understandable. If your PC is using VPN and you start talking to it over WAN it will answer over VPN so it's not going to work. This is controlled via routing and the tables are static, i.e. routing doesn't change depending on where a packet was received, as it's just another unknown IP on the internet.

There are ways around it though but it means a lot of tinkering and cannot be done via the GUI: https://www.snbforums.com/threads/h...tions-for-wireguard-clients.91552/post-923646
But if it's not a deal-breaker as you say it's probably not worth the hassle.
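
The two routing points raised in this thread (the /32 versus /24 rule that fixed the original problem, and the reply-path asymmetry described in the post above), modelled as an added example; it is not code from any poster or from the firmware. It is a simplified model, and the WAN-first rule ordering, the peer 10.6.0.2 and the host 192.168.1.202 are assumptions.

```python
import ipaddress

# Simplified model of VPN Director-style rules: (local IP or CIDR, interface).
# Assumptions of this sketch: WAN rules are checked before VPN-client rules,
# and a source that matches no rule uses the default route (WAN).

def egress(rules, src):
    """Interface that a packet with source address `src` leaves through."""
    addr = ipaddress.ip_address(src)
    ordered = sorted(rules, key=lambda r: r[1] != "WAN")  # stable, WAN first
    for local, iface in ordered:
        # strict=False accepts host bits, so "10.6.0.1/24" means 10.6.0.0/24
        if addr in ipaddress.ip_network(local, strict=False):
            return iface
    return "WAN"

def reply_is_symmetric(rules, host, arrived_on):
    """A reply is routed by its source (the LAN host), not by the interface
    the request arrived on, so it only works if both paths agree."""
    return egress(rules, host) == arrived_on

# Constructed sample addresses: 10.6.0.2 is a remote WireGuard peer,
# 192.168.1.202 is a PC with no rule.
BROKEN = [("10.6.0.1/32", "WGC1")]          # matches the server peer only
FIXED = [("10.6.0.1/24", "WGC1")]           # covers 10.6.0.x peers
WHOLE_LAN = [("192.168.50.0/24", "WGC1"), ("192.168.50.1", "WAN")]
PER_HOST = [("192.168.1.201", "WGC1")]

if __name__ == "__main__":
    for name, rules, src in [
        ("/32 rule, remote peer", BROKEN, "10.6.0.2"),
        ("/24 rule, remote peer", FIXED, "10.6.0.2"),
        ("whole LAN, router", WHOLE_LAN, "192.168.50.1"),
        ("whole LAN, client", WHOLE_LAN, "192.168.50.20"),
    ]:
        print(f"{name}: {src} -> {egress(rules, src)}")
    for pc in ("192.168.1.201", "192.168.1.202"):
        ok = reply_is_symmetric(PER_HOST, pc, "WAN")
        print(f"port forward from WAN to {pc}: reply path ok = {ok}")
```
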
 
Thanks again and not sure it's worth my time to try to deal with it since I rarely remote into my home PC's from outside my home network and Chrome Remote Desktop works. I haven't tried WOL remotely yet which is something I do use once in awhile but it's always worked in the past when not using a VPN. I'll have to check to see if that still works.

Thanks, PB
 
