VPN Tunnel from Server to Client ASUS Merlin


mehravishay

Occasional Visitor
Hi

I have a GT-AXE11000 (Merlin) running a WireGuard server. I have a separate WireGuard client running on the same router and via DNS Director, I have 4 devices that are routed via the client locally. I also have a Pihole running and I am able to filter out my lan as well as server traffic via this.

I would also want to tunnel my WireGuard server traffic through my WireGuard client, i.e. when I am outside my network, I am able to connect to my home network, filter out my traffic and also get behind a VPN.

Phone > WG Server > GT-AXE11000 (Merlin) > WG Client > WEB

I have tried to play around with the VPN Director but haven't been successful in routing the traffic via the client. Everything else including the WireGuard server, Pihole all works flawlessly except the WireGuard client.

Any help would be appreciated.
 
You just need to add your wg server client ips to vpndirector, like
Local ip: 10.6.0.0/24
Remote ip: leave blank
Iface: wgc1

But there is a snag and you might need another rule to make your lan clients using wgc1 to be able to reach the server clients, such as:
Local ip: leave blank
Remote ip: 10.6.0.0/24
Iface: WAN

Now, the last rule is not to send these packets to WAN but to prevent them from using policy route table and use main table which is more complete and up to date.
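The two rules above are easiest to understand as a first-match policy table: a packet is checked against each rule in turn, the first rule whose local and remote fields both match decides the table, and a rule with interface WAN means "use the main routing table" rather than "send out the WAN". The shell script below is an added illustration of that logic, not anything from this thread or from the firmware; it models the rule set from the post with constructed addresses (the 10.6.0.0/24 server subnet, a 192.168.50.0/24 LAN, one LAN client pinned to wgc1) and assumes the WAN rule is evaluated before the client rules, which is the processing order VPN Director's documentation describes for WAN rules; confirm that on your own firmware version.

```shell
#!/bin/sh
# Model of VPN Director first-match policy routing (added example, not router code).
# Rule format, one per line: local_cidr|remote_cidr|iface  (empty field = any).
# Constructed rule set mirroring the thread: WAN rule listed first.
RULES='|10.6.0.0/24|WAN
10.6.0.0/24||wgc1
192.168.50.20/32||wgc1'

# Convert dotted IPv4 to a 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP CIDR -> success if IP is inside CIDR; an empty CIDR matches anything.
in_cidr() {
    [ -z "$2" ] && return 0
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32          # bare address means /32
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# route_for SRC DST -> prints the table/interface the packet would use.
# "main" stands for the main routing table (what an iface=WAN rule selects,
# and what a packet matching no rule falls back to).
route_for() {
    while IFS='|' read -r local remote iface; do
        if in_cidr "$1" "$local" && in_cidr "$2" "$remote"; then
            if [ "$iface" = "WAN" ]; then echo main; else echo "$iface"; fi
            return 0
        fi
    done <<EOF
$RULES
EOF
    echo main
}

# Walk the cases the thread cares about.
route_for 10.6.0.5      1.1.1.1    # phone on the WG server -> wgc1 tunnel
route_for 192.168.50.20 10.6.0.5   # pinned LAN client -> WG server client: main table
route_for 192.168.50.20 8.8.8.8    # pinned LAN client -> internet: wgc1
route_for 192.168.50.30 8.8.8.8    # unpinned LAN client: main table
```

Drop the first rule from RULES and re-run the second case to see the snag the post describes: the LAN client's packets to 10.6.0.5 then match the wgc1 rule and disappear into the tunnel instead of using the main table, which already knows the route to the WireGuard server subnet.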
 
This worked like a charm, thank you so much!

The only issue now is the traffic is not passing via Pihole, do you know what could be the reason?
 
Probably because no one is telling the client to use the pi for dns.

When you export the config to your mobile, choose to export a file instead of a QR code. Then edit the file with, i.e., Notepad and change the DNS = ... to point to your Pi IP.

Alternatively, change dns in the wireguard client app itself. I know Android app has this possibility.
 
I did that, the DNS on the config is my Pihole. Before the addition of the above lines it was working fine.
 
Aha, the rules redirected wgs1 client DNS to wgc1 DNS as it is in [Exclusive] mode. Do you need/want to force all wgc1 clients to your VPN DNS? If you remove your wgc1 DNS then it would work, but if you want/need the wgc1 redirect then your only option would be to set up custom rules as far as I know.
 
If I remove the wgc1 DNS the results are the same.
 
Ok... did you restart wgc1 after you made the change? I think it is when you hit apply, just making sure.
Then what DNS are the WG clients using?

What's the output of the SSH command:
Code:
iptables -nvL PREROUTING -t nat
Something is obstructing the dns lookup, we just need to find it...
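The reason for asking for the nat PREROUTING listing is that an [Exclusive] DNS setting is enforced as a port-53 DNAT rule, and the question is simply whether the WireGuard server subnet is being caught by one that points at the wgc1 resolver instead of the Pi-hole. The script below is an added example of reading such a listing, not something from this thread or from the firmware: it parses the column layout of `iptables -nvL -t nat` (pkts, bytes, target, prot, opt, in, out, source, destination, extras) and reports where each source subnet's DNS is being rewritten to. The listing embedded in it is constructed, as are the chain contents and the 10.2.0.1 and 192.168.50.5 resolver addresses.

```shell
#!/bin/sh
# Added example: spot port-53 DNAT rules that override a client's DNS choice.
# Constructed sample of `iptables -nvL PREROUTING -t nat` output (not real router output).
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 5120 packets, 401K bytes)
 pkts bytes target     prot opt in     out     source               destination
  982 63K   DNAT       udp  --  *      *       10.6.0.0/24          0.0.0.0/0            udp dpt:53 to:10.2.0.1
  982 63K   DNAT       tcp  --  *      *       10.6.0.0/24          0.0.0.0/0            tcp dpt:53 to:10.2.0.1
  441 28K   DNAT       udp  --  *      *       192.168.50.0/24      0.0.0.0/0            udp dpt:53 to:192.168.50.5
 1200 77K   ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# dns_redirects LISTING -> one line per port-53 DNAT rule: "proto source -> dns_target".
# Assumes the -nvL column layout; $3 is the target, $4 the protocol, $8 the source.
dns_redirects() {
    printf '%s\n' "$1" | awk '
        $3 == "DNAT" && /dpt:53/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^to:/) { sub(/^to:/, "", $i); print $4, $8, "->", $i }
        }'
}

# dns_target_for LISTING SOURCE_CIDR -> the resolver(s) that source is rewritten to.
dns_target_for() {
    dns_redirects "$1" | awk -v src="$2" '$2 == src { print $4 }' | sort -u
}

# check_pihole LISTING SOURCE_CIDR EXPECTED_RESOLVER -> "ok", "none", or "hijacked:<addr>".
# "none" means no rewrite at all (the client uses whatever its own config says);
# "hijacked" means a DNAT rule sends that subnet's DNS somewhere other than expected.
check_pihole() {
    got=$(dns_target_for "$1" "$2")
    if [ -z "$got" ]; then
        echo none
    elif [ "$got" = "$3" ]; then
        echo ok
    else
        echo "hijacked:$got"
    fi
}

# Walk the sample: the WG server subnet lands on the wgc1 resolver, not the Pi-hole.
dns_redirects "$SAMPLE_NAT"
check_pihole "$SAMPLE_NAT" 10.6.0.0/24     192.168.50.5
check_pihole "$SAMPLE_NAT" 192.168.50.0/24 192.168.50.5
```

On a live router the DNAT rules usually live in chains that PREROUTING jumps to rather than in PREROUTING itself, so pipe the chain you actually see them in (or `iptables -nvL -t nat` as a whole) into dns_redirects; the column layout is the same.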
 
Restarting the connection was it! I left it connected and removed the DNS and clicked apply. Once I disconnected, removed and reconnected it worked.

Thanks a lot for your help
 
Hi. Just wanted to say this post was a big help. I understand much better how vpn client works.
 