WireGuard - Can't Access LAN from "Remote" Client

doczenith1

Very Senior Member
I have a WireGuard server running on my AX88U Pro. My WireGuard clients coming in from the WAN can access my LAN just fine. What is not working is this scenario. I have a local computer connected to a "test" router which is connected to my LAN via its WAN port. The test router is on 192.168.8.1. The LAN is using 192.168.1.1. When I enable the WireGuard client on the test router, my local computer connected to the test router is unable to access the 192.168.1.1 subnet (it can access the WAN just fine and can access the 192.168.1.1 subnet when the WireGuard client is stopped). I have "Access Intranet" enabled on the WireGuard server, but that seems to only allow incoming WAN clients to access the intranet. Any suggestions?
 
You never state the test router brand and model.

What you describe makes perfect sense to me. If all data from the test router is WireGuard, then all data ends up at the WG endpoint and would not reach any LAN on its WAN port. You would need policy routing so that the remote IP range 192.168.1.0/24 uses the WAN and not the WireGuard tunnel.
 
Test router is GL-iNet GL-X3000 Spitz AX. When the test router is using cellular WAN and connected via WG to the AX88U's WG server, the devices plugged into the test router can see the 192.168.1.1 "home" LAN devices. It's only when the test router is using an ethernet connection for its WAN and is connected to the home LAN. So the data from the test router isn't coming into the AX88U via its WAN port but rather a LAN port.

Home LAN: 192.168.1.1
Home WG server: 10.6.0.1/32
Test router: 192.168.8.1
Test router WG client: 10.6.0.3

The goal is: computer located in the home > test router using WG tunnel > switch > AX88U WG server > home LAN device
Everything connected via ethernet and to be clear, everything is in my house right now.

Another piece of information that may be helpful. With the setup listed above the "computer located in the home" is using the DNS from 192.168.1.1. I know this because ads are blocked and the only ad blocker on the LAN is Diversion on the AX88U. Everything works as expected for internet data, it's the intranet data that I'm having issues with.

Edit:
WG client config:
[Interface]
PrivateKey = redacted
Address = 10.6.0.3/32
DNS = 192.168.1.1
MTU = 1376

[Peer]
PublicKey = redacted
PresharedKey = redacted
AllowedIPs = 0.0.0.0/0
Endpoint = redacted :51820
PersistentKeepalive = 25

In an attempt to get things working I added 192.168.1.1/32 to the allowed IPs, to no avail.
 
The goal is computer located in the home > test router using WG tunnel > switch > AX88U WG server > home LAN device
Ok... but why would you make such a setup? Are you planning on moving the router around, i.e. traveling? Or use it for failover?

The only thing I know that may prevent this from working is that WG VPNs typically don't work from LAN to own WAN. It was never intended to connect to the server peer from within the LAN itself. I don't know of any fix.

Depending on your setup you may end up with other issues, like routing conflicts.
 
The reason was purely to entertain my desire to test WireGuard throughput on local devices and to use a local OpenSpeedTest Server as the testing endpoint. Was thinking there may be a simple solution but seems that's not the case so my desire comes to an end. Thanks for your help!
 
Was thinking there may be a simple solution but seems that's not the case so my desire comes to an end.
If you say so. If you plan on moving the router around there wouldn't be any easy solutions that always work.

If you only want to test this specific setup there are always ways to make that work, i.e. you can change the client Endpoint IP to the server LAN IP (192.168.1.1:51820) to circumvent the NAT loopback issue.

You may end up with a routing conflict on the client (assuming you are using nat on the tunnel) which could be solved by setting allowedIPs to something more specific than /24, like:
Code:
0.0.0.0/0, 192.168.1.0/25, 192.168.1.128/25
To make sure LAN IPs are reached via the tunnel and not directly.
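The longest-prefix-match behaviour behind this advice (and behind the earlier failed 192.168.1.1/32 attempt), shown as an added example that is not part of the thread. It models the LAN computer running the WG client: a connected 192.168.1.0/24 route on eth0 plus whatever routes the peer's AllowedIPs add on wg0. The interface names and the simplified single-table model are assumptions; wg-quick actually puts a 0.0.0.0/0 AllowedIPs into a separate table with an fwmark rule, but the outcome per destination is the same.

```python
import ipaddress

# Constructed route table: the directly connected LAN route is always present
# while the computer sits on the 192.168.1.0/24 LAN (interface name assumed).
LAN = ipaddress.ip_network("192.168.1.0/24")


def routes_from_allowed_ips(allowed_ips):
    """Routes the WG client installs for a comma-separated AllowedIPs string."""
    return [(ipaddress.ip_network(p.strip()), "wg0") for p in allowed_ips.split(",")]


def route_table(allowed_ips):
    """Connected LAN route plus the tunnel routes derived from AllowedIPs."""
    return [(LAN, "eth0")] + routes_from_allowed_ips(allowed_ips)


def select_route(table, dst):
    """Longest-prefix match, as the kernel does; the first entry wins a tie."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, dev in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def egress(allowed_ips, dst):
    """Interface a packet to dst leaves on, given the client's AllowedIPs."""
    return select_route(route_table(allowed_ips), dst)


if __name__ == "__main__":
    configs = (
        "0.0.0.0/0",                                    # default: /24 on eth0 wins
        "0.0.0.0/0, 192.168.1.1/32",                    # only the router goes via wg0
        "0.0.0.0/0, 192.168.1.0/25, 192.168.1.128/25",  # the /25s beat the /24
    )
    for cfg in configs:
        print(f"AllowedIPs = {cfg}")
        for host in ("192.168.1.1", "192.168.1.3", "8.8.8.8"):
            print(f"  {host:<12} -> {egress(cfg, host)}")
```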
 
The issue is with the Gl.inet router and not your Asus router (assuming you have “access intranet” enabled).

On the GL router, change proxy mode from “global proxy” to “auto detect”. That’s what fixed it for me.
 
Thanks for the suggestion, I'll take a look. That said, the issue presents itself even when not using the GL-iNet router. I can connect a computer on the LAN running a WG client to the AX88U (WG server) and still not see any devices on the 192.168.1.X subnet that the AX88U is on.

Edit: I did change the proxy mode to auto detect and while that does allow the computer connected to the GL-iNet router to see the other computer at 192.168.1.3 I found that the traffic does not travel through the WG tunnel which defeats the purpose of my goal. I'm assuming this is work as intended for your purpose but is not for mine. Thanks though.

As this is a one-time thing I'll try changing the endpoint to the server LAN IP. Thanks again for your help.

Edit: I changed the endpoint in the config file on the computer on the LAN (no GL-iNet router involved) and was able to connect to the WG server and run a speed test to an Ookla server via the WAN but am still unable to ping the computer running the local speed test server at 192.168.1.3. At this point I think I'm conceding the fight.
 
am still unable to ping the computer running the local speed test server at 192.168.1.3.
Did you check the firewall setting on that computer? When you connect via WG, you will use the WG IP, which means the computer will see an incoming connection from 10.6.0.x, which is not in your LAN subnet mask. Windows will just block all of these. The same goes for a lot of IoT things, NAS, etc.
 
I did think about the firewall but didn't know which of the many inbound rules I needed to modify. I did modify the "File and Printer Sharing (SMB-In)" rules a while back to access a drive share when away and connecting home via WG. Is there a particular rule that I should try adding the WG subnet to?
 
I would add a rule allowing incoming connections from network 10.6.0.0/24 (or netmask 255.255.255.0).

How this is done would depend on the OS/firewall. For Windows, this info may help:
  1. Right-click the Windows Start button and select Control Panel.
  2. Click Windows Firewall.
  3. Click Advanced Settings.
  4. Click Inbound Rules, then New Rule.
Source
I've never done this as I have never had the need for access to a Windows machine.
 
That did it! Added a rule for inbound to port 3000, which the OpenSpeedTest Server uses, and added the 10.6.0.0/24 subnet to the scope. Thanks so much for your help.
 