Remote home access, using Wireguard Asus AX86U and GLiNet Beryl AX

[cloudyapple]

Currently using Asus AX86U and running Merlin on my home network; there is no CGNAT with my Internet Service Provider.

When I travel, I use the GLiNet Beryl AX in my hotel. I also need to log in to my office PC while I travel, using Citrix Workspace AnyConnect, to access the office VPN. This works with the Beryl AX.

Questions:
1) Am trying to setup access to my home network while I travel, so that I can access my network drive's movies; i.e. go from Beryl AX to Asus AX86U, using Wireguard. How to go about doing that? Read that there is a need to use the GLi.Net Brume2, but hoping the Asus is just as capable, I assume just need to setup some VPN Server with Merlin? Hoping there is no need to purchase another GLiNet device like Beryl/Brume for my home router.

2) Will such a setup, break the ability to connect to my office PC, while I travel? If yes, how to still log in to my office PC?

 

[ColinTaylor]

Install the appropriate WireGuard client software on the PC/laptop you're using when travelling. Enable the WireGuard server on your AX86U (link) and create a user. Export the user's config file and import it into the client software (or scan the QR code). That's it.

Enable the WireGuard client when you want to access your home network. Disable it when you're finished.

 

[elorimer]

You don't need another GL-iNet device. My Beryl AX works fine reaching both my AX88 and AX86Pro using the GL GUI--you don't need to get into LuCI.

The one constraint is that the GL GUI doesn't handle some OpenVPN routing instructions very well. But you are using wireguard and that works as Colin described it.

 

[cloudyapple]

Thanks! I managed to setup the VPN Server using Merlin, on the home router AX86U. Also managed to download that Wireguard Android app on a tablet, and scan the QR code to establish connection. Now I can see inside the AX86U VPN Director, there seems to be a Wireguard Server running, with the Tablet/client connected.

1) The Wireguard Android app seems pretty basic though, how to confirm/test that it is working, i.e. how to navigate within my home network files, with this Wireguard Android app?

2) There also seems to be other Advanced settings inside the AX86U Wireguard Server setup, does these need to be toggled?

Allow DNS = ON
Enable NAT - IPv6 = ON
Pre-shared Key (Secret) = Off

3) What does the "Renew key" do? Is it to regenerate the QRcode, for more devices to login?

 

[ColinTaylor]

1) Open a browser and try accessing your router's web interface (or some other webserver on your LAN), e.g. http://192.168.50.1

2) Just leave them alone unless you find you need to change them.

3) If someone unauthorised gets access to your config file you can regenerate the server's key so that client will not be able to connect. You can then export the new key/QR code for the allowed user who can then update his client.

 

[cloudyapple]

1) I see the usual Asus router login interface on my tablet by accessing the web interface, and am able to login to it as usual indeed! But how to access the files on my home network, from this router interface?

2) Got it, thanks!

3) Does getting hold of the config file, or that QRcode, already allow someone access? Or they will also require my Asus router username and password?

 

[ColinTaylor]

1) I see the usual Asus router login interface on my tablet by accessing the web interface, and am able to login to it as usual indeed! But how to access the files on my home network, from this router interface?

How you access your files is an entirely different subject and not necessarily related to your VPN connection. Try using whatever method you would normally use when you're at home.

3) Does getting hold of the config file, or that QRcode, already allow someone access? Or they will also require my Asus router username and password?

The client connection to your home network is based on the keys, not username/password. Of course they would still need to know any relevant login details for anything they were trying to access on your LAN.

 

[ZebMcKayhan]

But how to access the files on my home network, from this router interface?

You typically use the same app as when you are connected to your lan and accessing them. I'm using "cx file explorer" for Android which does a good job for my needs.

A note though, if you are trying to access a I.e smb share on a NAS, mDNS don't work over Wireguard since it's a different network. So your share will not pop up automatically, you will need to access it using its ipaddress, or hostname if you configured it.

Another note, if your NAS/share have a firewall you may need to set it up to allow incoming connections from Wireguard network (10.6.0.0/24?)

 

[cloudyapple]

My USB drive at home is connected to my home Asus router A86U, using the Asus's USB 3.0.

Indeed I configured this drive using the Merlin's "Network Place (Samba)" menu, currently the settings are as below, anything amiss?

Device Name = [similar looking name, as the router]
Work Group = WORKGROUP
Samba Protocol Version = SMBv1 + SMBv2
Simpler Share naming = NO
Force as Master Browser = NO
Set as WINS server = NO
Maximum number of concurrent connections = 1

When home, I can access the drive with the Windows Explorer, but I tried this method with both an Android phone's File Explorer, and also with a Windows PC's Windows Explorer using Beryl AX and VPN-ed to this Asus router, both are unable to see this UBS drive.

To allow a VPN client access through the Firewall, am I right it needs to be done through the Merlin's "Firewall" menu? What should the fields below be?

Enable Firewall = NO?
Enable DoS protection = NO?
IPv4 inbound firewall rules = YES?
Source IP = 10.6.0.0/24? <--- should follow the VPN Server setup?
Port Range =?
Protocol = UCP

 

[ZebMcKayhan]

When home, I can access the drive with the Windows Explorer, but I tried this method with both an Android phone's File Explorer

As I said, over Wireguard nothing will announce itself as mDNS does not work. In windows explorer, you should be able to access your router connected smb share by manually typing in the ip address in the Address field on top of the file explorer:

\\192.168.50.1

And press enter.

For the other apps I don't know, but you will manually need to put the ip in, it won't show up in any list.

You should not have to change anything settings on the router.

 

[sfx2000]

Alternate approach...

Tailscale · Best VPN Service for Secure Networks

Securely connect to anything on the internet with Tailscale. Deploy a WireGuard®-based VPN to achieve point-to-point connectivity that enforces least privilege.

tailscale.com

 

[jksmurf]

Alternate approach...

Tailscale · Best VPN Service for Secure Networks

Securely connect to anything on the internet with Tailscale. Deploy a WireGuard®-based VPN to achieve point-to-point connectivity that enforces least privilege.

tailscale.com

Oh, look there's even a Tailscale addon .