Troubles config wireguard for network devices on rt-be88 using merlin 3006.102

Krism

Regular Contributor
I'm trying to set up VPN for all network-attached devices, but without the need to configure it on the devices themselves.

The wireguard server is up & running and working because I have a VPN client for my mobile phones and they just work fine using local config on the mobile phone.
For the other devices I set up a new client in the same server using a different IP than the mobile client.

I created a wireguard client (see screenshot). I linked 1 device to test all, but the device is unable to connect to the wifi or internet.
What is wrong in my config?
 

Attachments

  • 2025-01-07 08_54_23-ASUS Wireless Router RT-BE88U - WireGuard Client and 3 more pages - Person...png
The wireguard server is up & running and working because I have a VPN client for my mobile phones and they just work fine using local config on the mobile phone.
For the other devices I set up a new client in the same server using a different IP than the mobile client.
So you're running both a server and a client on the same router and trying to connect one to the other?
 
this way I don't need to install any wireguard client on any device. Using VPN director I can tunnel every client to the specific vpn client on the router.
At least that's what I think I'm doing :)
 
this way I don't need to install any wireguard client on any device. Using VPN director I can tunnel every client to the specific vpn client on the router.
At least that's what I think I'm doing :)
So... a LAN client's traffic goes to the router... it goes out the fusion client... comes back in to the router through the WireGuard server... then VPN Director sends the traffic out to the internet via a different VPN client instance.

I think my brain has exploded.

Why not just use VPN Director without this fusion-to-WireGuard loopback?
 
VPN director makes it routing the wireguard client, I think
Sorry, I don't understand this sentence. Can you rephrase it please.

It's likely that I simply don't understand how fusion is meant to work.

EDIT: Can you clarify something that I may have misunderstood? When you said "a wireguard server is up & running" I assumed you meant that you had turned on the WireGuard server on the VPN - VPN Server page. Is that what you meant? Or did you mean that you had turned on the VPN - WireGuard Client instance and was able to connect to it from your phone?
 
I thought that the VPN director is some sort of Man in the Middle and redirects the client to the configured client VPN (in my case wireguard client #1).

Wireguard VPN server is running and a configured VPN tunnel which I use for smartphone (gsms on the screenshot) (which have the wireguard client installed) is working.

1736262210072.png
 
My understanding is (but I could be wrong) that Merlin's firmware doesn't support VPN Fusion. VPN Director in effect has replaced that function.

So you would use the WireGuard server only for remote connections from the internet. VPN Director is used to direct specific devices to other VPN servers on the internet (e.g. NordVPN, PIA, etc.). These internet VPN servers would be defined in the VPN Client settings (OpenVPN, PPTP/L2TP or WireGuard).
 
I'm trying to set up VPN for all network-attached devices, but without the need to configure it on the devices themselves.

The wireguard server is up & running and working because I have a VPN client for my mobile phones and they just work fine using local config on the mobile phone.
For the other devices I set up a new client in the same server using a different IP than the mobile client.

I created a wireguard client (see screenshot). I linked 1 device to test all, but the device is unable to connect to the wifi or internet.
What is wrong in my config?
Please don't blank out private ip addresses you use internally, they are of no use to anyone else. But it's really difficult to understand your setup when we can't see them.

For Wireguard you should foremost blank/remove the keys. If you want you could also remove Endpoint address and Dns if you want to mask what provider you are using.

Under the VPN->Status tab there should be a section for your started vpn. Could you post that, with blanked out keys? I'm interested in Rx/tx bytes count and latest handshake to see if the tunnel is working or not.
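
An added example, not part of the original post: one way to blank the keys before pasting a WireGuard config or `wg show` status into a thread, keeping the private addresses visible as requested above. The function names, the `provider` argument and the sample config are constructed for illustration; it assumes keys appear in WireGuard's standard 44-character base64 form.

```shell
#!/bin/sh
# Redact WireGuard keys from text read on stdin before posting it publicly.
# Private addresses (Address, AllowedIPs) are left intact so the setup
# stays readable. Pass "provider" to also mask Endpoint and DNS lines.

# A WireGuard key is 32 bytes, i.e. 43 base64 characters plus one '='.
KEY_RE='s#[A-Za-z0-9+/]{43}=#<redacted-key>#g'
# Matches both config style ("Endpoint = ...") and status style ("endpoint: ...").
PROVIDER_RE='s/^([[:space:]]*(Endpoint|endpoint|DNS)[[:space:]]*[=:][[:space:]]*).*/\1<redacted>/'

redact_wg() {
    if [ "${1:-}" = "provider" ]; then
        sed -E -e "$KEY_RE" -e "$PROVIDER_RE"
    else
        sed -E -e "$KEY_RE"
    fi
}

# Constructed sample: the key below is a made-up 44-character string,
# and the endpoint host name is a placeholder.
SAMPLE_KEY='abcdefghijABCDEFGHIJ0123456789klmnopqrstuvw='

sample_config() {
cat <<EOF
[Interface]
PrivateKey = $SAMPLE_KEY
Address = 10.6.0.3/32
DNS = 192.168.50.1

[Peer]
PublicKey = $SAMPLE_KEY
PresharedKey = $SAMPLE_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820
EOF
}

# Demo: keys masked, addresses and endpoint kept.
sample_config | redact_wg
```

The same filter can be applied to status output, for example `wg show | redact_wg`, which leaves the handshake time and transfer counters untouched.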
 
the peer: gsms is working fine
Thanks!

Wow, you are really connecting back to yourself as @ColinTaylor speculated. I thought surely this must be some misunderstanding, but apparently not.

Where have you got the information that this was a good idea? (Or any idea?)

Regardless, this won't work. Your peers are indeed working but you create a routing conflict by doing it this way. Neither would it add any value for you. If you describe what you want to achieve we may be able to point you to a different way to achieve what you want?

Normally you use a server to connect to your network when away from home. It could be to access local resources, like a NAS or Webcam, alarm systems and such. Or it could just be to access the web from your home ip (for whatever reasons, I have used it to stream geo blocked content when I'm abroad).

A client is typically used to connect to another location. Either another lan site wg server, like your friend's lan, or relatives, or to connect to internet via a paid service (reasons could be streaming from different country ip, circumvent blockades, or just hiding your ip for whatever reason).
Commonly clients are used to shift internet access which is why vpndirector is there to let you control which local ip to use it and/or which remote ip it should be used for.
 
Maybe this is a hidden feature 😏.

So what do I need to do to make devices use a vpn connection without installing any vpn client?
 
So what do I need to do to make devices use a vpn connection without installing any vpn client?
You create all your VPN client connections (e.g. NordVPN, PIA, Surfshark, work office, etc.) on the VPN Client pages. Then you use the VPN Director page to add rules for which devices go through which VPN client.
 
You create all your VPN client connections (e.g. NordVPN, PIA, Surfshark, work office, etc.) on the VPN Client pages. Then you use the VPN Director page to add rules for which devices go through which VPN client.
Now I am confused.
That’s what I was doing but with WireGuard. Point my WireGuard client to my WireGuard server, both running in my router.
 
Maybe this is a hidden feature 😏.
While vpn Fusion may dodge the routing conflict and make it work, the only achievement would be loss of bandwidth and increased latency, both of which are detrimental for your internet experience. You wouldn't change your internet ip or location or increase connectability so nothing gained.


So what do I need to do to make devices use a vpn connection without installing any vpn client?
You still have not told us your purpose to use a VPN. If you want to obscure your public ip you will need to obtain a vpn config from a supplier of your choice (usually subscription) and follow @ColinTaylor's advice.

If you just want to play around with it, if I remember correctly, CactusVPN was one provider that allowed you to sign up for a trial without credit card (maybe that has changed). I have never used it so I can't really say anything about it. Maybe it's OK, maybe it sucks (speed, stability, other things?) but it may provide you with something to play with and get some experience before choosing your actual provider that best fits your needs.
 
The main reason is to add an extra layer of security to my surfing and also try to close some ports which are open now to my nas
 
The main reason is to add an extra layer of security to my surfing
It won't add any security, but that's a different story. I believe for this use case you would want to change your public ip. That is, you will need to obtain a vpn config file from a supplier.


try to close some ports which are open now to my nas
You already got this with your server. When not at home, use your vpn to connect home to access your NAS. Close all other open ports. This is the recommended way for security.

If you wish, when you have your internet client up and running, you could set up vpndirector to route your incoming server connection out your internet vpn client. This way, whenever you are not at home and wish to surf the internet via your internet vpn, you just vpn to your home, both NAS access and internet vpn in one go. Of course you get added latency by doing this, but depending on your internet supplier you may only have 1 client and this way you can use it wherever you are.
 
