Solved Wireguard Server not allowing access to Intranet even though selected

For some reason, with exactly the same configuration,
when I set it up on my mac book pro, it works (access LAN without any issue)
but when I set it up on my win11 laptop, it does not work. (can visit google.com, but cannot visit my LAN)
Could you describe your setup better? Are you running vpn client for internet on the same router or is it just your server running?
Can you access the router itself? Say, the router gui?
What type of resource are you trying to reach in your lan?
What do you mean by mac book pro vs win11, are those clients to your server on some other network?
 
Enable the firewall rules portion of the page. Put 10.6.0.1 in the IP field, then enter your port in the port field and select UDP. Hit apply and you're done.
That rule does not make any sense. The Wireguard udp tunnel would be between the client public ip and the router, and the port should be opened in the INPUT chain, filter table. Why would you set up this port to access your LAN??

When the tunnel is set up, your wg clients would communicate out of the wireguard interface and be forwarded to lan, or wan or wherever you wish, but surely you need all ports and both udp and tcp to work.

You say that this fixed your connection issue and I can't argue with that, but I don't believe that rule fixed anything. It must have been something else.
 
Could you describe your setup better? Are you running vpn client for internet on the same router or is it just your server running?
Can you access the router itself? Say, the router gui?
What type of resource are you trying to reach in your lan?
What do you mean by mac book pro vs win11, are those clients to your server on some other network?

Yes, I can describe my setup better.

1) both my win11 laptop and mac book pro connect to my LAN router (192.168.0.1). they use the SAME WG client setup.
a) win11 laptop can visit google.com, but cannot visit my router (cannot ping 192.168.0.1)
b) mac book pro can visit google.com, and my router (can ping and open webui)

2) I did try using my 4G phone network. So both my win11 laptop and mac book pro DO NOT connect to my LAN router. they use the SAME WG client setup.
a) win11 laptop can visit google.com, and my router (can ping and open webui)
b) mac book pro is SAME.

I think I am fine now. Since most use case is 2.a and 2.b.

But I wasted more than 2 hours on 1.a

Thank you very much.
 
1) both my win11 laptop and mac book pro connect to my LAN router (192.168.0.1). they use the SAME WG client setup.
a) win11 laptop can visit google.com, but cannot visit my router (cannot ping 192.168.0.1)
b) mac book pro can visit google.com, and my router (can ping and open webui)
The only thing that comes to mind is if the local lan at your clients shares the same ip range as the lan you are trying. The behaviour could then be dependent on how the wg app does this. Perhaps the windows app is set up so that 192.168.0.1 is reached locally.
 
I tracked this method down with help from merlin and a few other heavy weights. It was supposed to work like OVPN when it was first released for merlin. This was a workaround. The problem may no longer exist.
 
Try to set up a VPN director rule, modify it to fit your needs. (I hope I understand you right)
I have tried various settings within VPN Director without changing anything on the Firewall and this very simple one appears to be working perfectly.

My router's IP is: 192.168.1.1 (Guest's IP is 192.168.101.1) and the Wireguard's awarded Peers IP is in the range: 10.6.0.2/32. Running quite well with this setup but I just wanted to confirm that I am doing it the right way and that it does not pose any unusual security risk. Thank you again to all for their help.

 
the Wireguard's awarded Peers IP is in the range: 10.6.0.2/32
10.6.0.2/32 is not a range, it's a single ip address, which is my only comment: change this in your highlighted rule in vpndirector to 10.6.0.0/24 for future compatibility reasons when you add more clients to your server.

Vpndirector is about routing and has little to do with security so I can't comment there.
 
10.6.0.2/32 is not a range, it's a single ip address, which is my only comment: change this in your highlighted rule in vpndirector to 10.6.0.0/24 for future compatibility reasons when you add more clients to your server.

Vpndirector is about routing and has little to do with security so I can't comment there.
Noted, changed and working well. Much appreciate your pointers.
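
As an added example (not part of the thread or any poster's own code), the sketch below works through two points raised above: the overlapping-subnet theory for case 1, and the 10.6.0.2/32 versus 10.6.0.0/24 rule source. The AllowedIPs values, the 100.64.0.0/10 carrier network and the second peer 10.6.0.3 are constructed assumptions; a real host breaks equal-prefix ties by interface metric, which the model only flags.

```python
import ipaddress

# Constructed sample client configs (AllowedIPs values are assumptions).
FULL_TUNNEL = "[Interface]\nAddress = 10.6.0.2/32\n[Peer]\nAllowedIPs = 0.0.0.0/0\n"
SPLIT_TUNNEL = ("[Interface]\nAddress = 10.6.0.2/32\n[Peer]\n"
                "AllowedIPs = 192.168.0.0/24, 10.6.0.0/24\n")

def parse_allowed_ips(conf_text):
    """Collect the networks on AllowedIPs lines of a WireGuard config."""
    nets = []
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "allowedips":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    return nets

def next_hop(dest, local_lan, allowed_ips):
    """Longest-prefix match between the on-link LAN route and tunnel routes."""
    addr = ipaddress.ip_address(dest)
    routes = [(ipaddress.ip_network(local_lan, strict=False), "local")]
    routes += [(net, "tunnel") for net in allowed_ips]
    hits = [(net.prefixlen, via) for net, via in routes
            if net.version == addr.version and addr in net]
    if not hits:
        return "unreachable"
    best = max(prefix for prefix, _ in hits)
    winners = {via for prefix, via in hits if prefix == best}
    # Same prefix length on both paths: the OS decides by interface metric.
    return winners.pop() if len(winners) == 1 else "ambiguous"

def covered_peers(rule_source, peer_ips):
    """Peer addresses that a rule with this source prefix would match."""
    src = ipaddress.ip_network(rule_source, strict=False)
    return [p for p in peer_ips if ipaddress.ip_address(p) in src]

if __name__ == "__main__":
    full, split = parse_allowed_ips(FULL_TUNNEL), parse_allowed_ips(SPLIT_TUNNEL)
    # Case 1: client sits on 192.168.0.0/24, the same range as the target LAN.
    print("same LAN, full tunnel :", next_hop("192.168.0.1", "192.168.0.0/24", full))
    print("same LAN, split tunnel:", next_hop("192.168.0.1", "192.168.0.0/24", split))
    # Case 2: client on a phone network (constructed carrier range).
    print("4G, full tunnel       :", next_hop("192.168.0.1", "100.64.0.0/10", full))
    peers = ["10.6.0.2", "10.6.0.3"]  # 10.6.0.3 is a hypothetical second client
    print("/32 rule covers:", covered_peers("10.6.0.2/32", peers))
    print("/24 rule covers:", covered_peers("10.6.0.0/24", peers))
```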
