VPN Director ok, device no connect.

68OnePlus

Occasional Visitor
I apologize, but I don't understand why, despite being connected to the Swiss NordVPN server, I have no internet connection on my devices.
I would like to point out that my router filters advertising through Pi-hole (Raspberry). I need help.
Thanks.
 

Attachments

  • Foto.jpeg
Do you know if it's a connection issue or a DNS issue? I.e., could you ping an IP on your client (like 1.1.1.1) or a domain (like google.com)?
Are you using any DNS setting in WireGuard?
How are your VPN Director rule(s) set up? Single IPs or the entire network?
Is your Pi-hole over VPN?
 
Thanks for all.

-C:\Windows\System32>ping google.com

Ping google.com [216.58.204.238] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping Stats for 216.58.204.238:
Packets: Transmitted = 4, Received = 0,
Lost = 4 (100% loss)

-No DNS settings
-The rules are for individual IP
-Pi-hole was installed on Raspberry without VPN. I must say that on stock Asus firmware, and therefore VPN Fusion, I never had problems.

I apologize for my English as a translator.

INTERFACE:
Private Key: xxxxxxxxxxGVEwAIve+huHKfKsTIOEoXxxxxxxxx=
MTU (Optional):
Address: 10.6.0.2/32
DNS Server (Optional):

PEER
Server Public Key: SqAWBSVdnUJ859Bz2Nyt82rlSebMwPgvwQxIb1DzyF8=
Preshared Key (Optional):
Allowed IPs: 0.0.0.0/0
Endpoint Address:port: ch404.nordvpn.com:51820
Persistent Keepalive: 25

interface: wgc1
public key: sKKRdJAJLRgPd4hQj9mg/lJZc1GOJC/dEGd2lCvBEQY=
private key: (hidden)
listening port: 50446

peer: SqAWBSVdnUJ859Bz2Nyt82rlSebMwPgvwQxIb1DzyF8=
endpoint: 185.7.34.224:51820
allowed ips: 0.0.0.0/0
latest handshake: 29 seconds ago. (sec:29)
transfer: 12.07 KiB received, 730.88 KiB sent
persistent keepalive: every 25 seconds
 
Ok. Well, your tunnel seems to be working. Handshake timer resets now and then and you got some data both tx and rx so it's connected.

Did you enable NAT? That is usually required on this type of VPN. Here are my settings:
Screenshot_20240918_201159_Samsung Internet.jpg


If "Enable NAT" is set to No, you will probably get exactly what you see now, tunnel working but no clients can connect.
 
Thanks, NAT is enabled.
Hmm, ok.

Any other VPN setup? Recent changes to the kill-switch make it active even if the VPN is disabled, so if you have any left-over old config, make sure you disable the kill-switch under everything.

If you have ssh access to the router, could you try executing
Code:
ip route get 1.1.1.1 from <client ip> iif br0
And post the output. Replace <client ip> with the IP address of your Windows client set to use VPN, i.e.
Code:
ip route get 1.1.1.1 from 192.168.50.25 iif br0
 
Here I am again...

ASUSWRT-Merlin GT-AXE16000 3004.388.8_2_rog Thu Aug 1 00:58:58 UTC 2024
admin@GT-AXE16000-9A30:/tmp/home/root# ip route get 1.1.1.1 from 192.168.1.14 iif br0
1.1.1.1 from 192.168.1.14 via 192.168.100.1 dev ppp0
cache iif br0
admin@GT-AXE16000-9A30:/tmp/home/root#
 
1.1.1.1 from 192.168.1.14 via 192.168.100.1 dev ppp0
Thanks! This shows that a packet from 192.168.1.14 to 1.1.1.1 would go out ppp0 (wan) interface and not Wireguard wgc1 interface.

What do your routing rules look like:
Code:
ip rule

Also a picture of your vpndirector rules might help.
 
ASUSWRT-Merlin GT-AXE16000 3004.388.8_2_rog Thu Aug 1 00:58:58 UTC 2024
admin@GT-AXE16000-9A30:/tmp/home/root# ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
 

Attachments

  • Foto.jpeg
For some reason your VPN Director rule does not exist in your routing rules. Are you sure wgc1 is active when taking these dumps, doing these tests?

If so, try to delete the rule and create it again. Make sure to remember to click "apply" at the bottom of vpndirector when you are done.
 
Excuse...
ASUSWRT-Merlin GT-AXE16000 3004.388.8_2_rog Thu Aug 1 00:58:58 UTC 2024
admin@GT-AXE16000-9A30:/tmp/home/root# ip rule
0: from all lookup local
11210: from 192.168.1.14 lookup wgc1
32766: from all lookup main
32767: from all lookup default
 
So, now you get a different response from
Code:
ip route get 1.1.1.1 from 192.168.1.14 iif br0
 
ASUSWRT-Merlin GT-AXE16000 3004.388.8_2_rog Thu Aug 1 00:58:58 UTC 2024
admin@GT-AXE16000-9A30:/tmp/home/root# ip route get 1.1.1.1 from 192.168.1.14 iif br0
1.1.1.1 from 192.168.1.14 dev wgc1 table wgc1
cache iif br0
 
Ok, so routing works without issues.

Would you mind opening the WireGuard config file you imported in some text editor and checking that your WG IP is right?

It feels weird that it is 10.6.0.2/32 as this is the first IP in this series. It's like Nord set up this endpoint IP:port just for you. Are you paying extra to have your own IP or port forwarding or similar?

If all is correct, unless you have some custom firewall rules, it starts to feel like an issue at NordVPN. Is there any chance you could test this config directly on your Windows computer with the official WireGuard app to see if it works there?
 
I will try the official wireguard app soon.
 
Nothing to do, as soon as I activate the tunnel, I disconnect.
 

Attachments

  • foto.jpeg
  • wireguard-log-2024-09-19T225244.txt
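
The check the replies walk through (`ip rule`, then `ip route get`), as an added example that is not part of any post in the thread: a shell script that parses both outputs and reports whether a client meant for the VPN actually leaves through the tunnel interface. The function names are hypothetical, and the sample text is the output posted above.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.
# Sample text below is the `ip rule` / `ip route get` output posted above.

# Table chosen for source IP $2 by an exact "from <ip> lookup <table>" rule
# in `ip rule` output $1; prints nothing if no such rule (subnets not handled).
rule_table_for() {
    printf '%s\n' "$1" | awk -v ip="$2" \
        '$2 == "from" && $3 == ip && $4 == "lookup" { print $5; exit }'
}

# Egress interface: the word after "dev" in `ip route get` output $1.
egress_dev() {
    printf '%s\n' "$1" | awk \
        '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# $1=`ip rule` text  $2=`ip route get` text  $3=client IP  $4=tunnel interface
check_client() {
    table=$(rule_table_for "$1" "$3")
    dev=$(egress_dev "$2")
    if [ -z "$table" ]; then
        echo "no-rule: $3 uses the main table, egress $dev"
    elif [ "$dev" != "$4" ]; then
        echo "mismatch: table $table selected but egress is $dev"
    else
        echo "ok: $3 -> table $table -> dev $dev"
    fi
}

RULES_BEFORE='0: from all lookup local
32766: from all lookup main
32767: from all lookup default'
RULES_AFTER='0: from all lookup local
11210: from 192.168.1.14 lookup wgc1
32766: from all lookup main
32767: from all lookup default'
ROUTE_BEFORE='1.1.1.1 from 192.168.1.14 via 192.168.100.1 dev ppp0
cache iif br0'
ROUTE_AFTER='1.1.1.1 from 192.168.1.14 dev wgc1 table wgc1
cache iif br0'

check_client "$RULES_BEFORE" "$ROUTE_BEFORE" 192.168.1.14 wgc1
check_client "$RULES_AFTER" "$ROUTE_AFTER" 192.168.1.14 wgc1
# On the router: check_client "$(ip rule)" \
#   "$(ip route get 1.1.1.1 from 192.168.1.14 iif br0)" 192.168.1.14 wgc1
```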
