Wireguard VPN connected peers can't reach local network devices

[savage75]

Hi folks!
Trying to set Wireguard VPN on ASUS ZenWiFi AX (XT8) so I can access my local network through it (as below)

Peer1 (10.6.0.2) connects successfully to the wireguard server, also it can ping 10.6.0.1 (wgs1) and 192.168.0.2 (LAN) but can’t connect to other devices on (192.168.0.0/24) network.

Peer1 VPN config

Trying to understand routing tables on asus router side:

from the asus router side, I can ping all the networks 10.6.0.0/24 and 192.168.0.0/24 so thats looks fine.

I couldn't find on asuswrt ssh side any server config file under /tmp/etc/wg

the reason for that so I can add NAT enabled on [INTERFACE] section of server config when the tunnel is Up and Down but no luck ?

PostUp = iptables -w -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -w -t nat -D POSTROUTING -o eth0 -j MASQUERADE

I missed to mention: The local network 192.168.0.0/24 has Unifi Udm Pro with IP 192.168.0.1, has DHCP enabled and because Its behind ISP router with dynamic IP I couldn't fix any VPN solution to it (without using external VPS solution).

Can someone help me out on this, many thanks.

 

[bbunge]

Am a bit confused by your diagram. You show two connections from the "cloud" to your LAN (192.168.0.1 router and .2 what looks like a switch). Why? I have Wireguard server set up and can access all LAN hosts via the Wireguard VPN and Instantguard. I also use the default LAN address of 192.168.50.0/24. If that 192.168.0.2 device is a managed switch I recommend you try an unmanaged switch and let the router hand out DHCP addresses.

 

[savage75]

Am a bit confused by your diagram. You show two connections from the "cloud" to your LAN (192.168.0.1 router and .2 what looks like a switch). Why? I have Wireguard server set up and can access all LAN hosts via the Wireguard VPN and Instantguard. I also use the default LAN address of 192.168.50.0/24. If that 192.168.0.2 device is a managed switch I recommend you try an unmanaged switch and let the router hand out DHCP addresses.

Thnx @bbunge, I updated the thread.
I missed to mention the local network ( the LAN:192.168.0.1 is Unifi Udm Pro router with DHCP enabled) and because the router behind the ISP router with dynamic IP I can't use it for VPN connection.

 

[bbunge]

Thnx @bbunge, I updated the thread.
I missed to mention the local network ( the LAN:192.168.0.1 is Unifi Udm Pro router with DHCP enabled) and because the router behind the ISP router with dynamic IP I can't use it for VPN connection.

And you are running this as a home network? The UDM Pro has a VPN server! Looks like you need to get rid of the ISP router or bridge it and set the DDNS on the UDM Pro and use the Asus as a wireless access point. Otherwise you have spent the big bucks on a mess.....

 

[savage75]

And you are running this as a home network? The UDM Pro has a VPN server! Looks like you need to get rid of the ISP router or bridge it and set the DDNS on the UDM Pro and use the Asus as a wireless access point. Otherwise you have spent the big bucks on a mess.....

Its some kind home office network as the ISP router is shared internet connection so no way ti change the settings or bridge it. On Asus router I have 3G mobile connection so I can manage it as I need.
As Asus router I use their built-in DDNS to deal with dynamic IP and wireguard will be great to access my local network. If I don't get help with this so I can get the Asus back and look for other options.

 

[savage75]

I found the problem and fix it by
1- adding NAT masquerade
#iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -o br0 -j MASQUERADE

2- then save the changes
#iptables-save

3- restart iptables service
#service restart-firewall

Voilà! working just fine

 

[Coal]

Thanks savage, I was struggling with this for a while.

However the settings aren't saved when the router is rebooted. To fix this do the following:

1. Open router settings >> Administration >> System
2. Set "Enable JFFS custom scripts and configs" to Yes and click Apply
3. SSH or WINSCP into the router and go to /jffs/scripts
4. Create a new file called nat-start
5. Write this code into the file and save
   

   #!/bin/sh
   iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -o br0 -j MASQUERADE

6. Give the file execute permissions "chmod 755 nat-start"
7. Reboot the router and the masquerade setting persists

 

[savage75]

Thanks savage, I was struggling with this for a while.

However the settings aren't saved when the router is rebooted. To fix this do the following:

1. Open router settings >> Administration >> System
2. Set "Enable JFFS custom scripts and configs" to Yes and click Apply
3. SSH or WINSCP into the router and go to /jffs/scripts
4. Create a new file called nat-start
5. Write this code into the file and save
   

   #!/bin/sh
   iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -o br0 -j MASQUERADE

6. Give the file execute permissions "chmod 755 nat-start"
7. Reboot the router and the masquerade setting persists

Thx! I really appreciate it, the only thing that I can't find the option "Enable JFFS"on my router but it exists on ssh side, I guess this one should works just fine on routers works with Merlin's firmware or I'm missingsomething ?

 

[ColinTaylor]

Thx! I really appreciate it, the only thing that I can't find the option "Enable JFFS"on my router but it exists on ssh side, I guess this one should works just fine on routers works with Merlin's firmware or I'm missingsomething ?

Custom scripts are a Merlin feature. As I said in your duplicate thread, I'm not aware of a way of doing this in stock firmware.

 

[savage75]

Custom scripts are a Merlin feature. As I said in your duplicate thread, I'm not aware of a way of doing this in stock firmware.

Ok @ColinTaylor I wonder if Merlin supports free DDNS function as asuswrt official?

 

[ColinTaylor]

Ok @ColinTaylor I wonder if Merlin supports free DDNS function as asuswrt official?

It does but Merlin doesn't make firmware for the XT8. There's a fork for the XT8 which I guess would work the same:

GitHub - gnuton/asuswrt-merlin.ng: Extends the support of Merlin firmware to more ASUS routers

Extends the support of Merlin firmware to more ASUS routers - gnuton/asuswrt-merlin.ng

github.com

 

[Coal]

Thx! I really appreciate it, the only thing that I can't find the option "Enable JFFS"on my router but it exists on ssh side, I guess this one should works just fine on routers works with Merlin's firmware or I'm missingsomething ?

Oh, yes I'm running Merlin's firmware because my AX58U doesn't support wireguard. I didn't realise scripts were an exclusive feature.

I came across a PostUp command you can insert into the wireguard config file which runs as soon as a VPN is established. An example used here: https://docs.pi-hole.net/guides/vpn/wireguard/internal/
Trouble is I don't know where the wg.conf file is actually located, but apparently you can replace it with another file using "wg setconf" command. I've not actually tried this myself though.

 

[KHODU]

Greetings everyone.

I own an RT-AX3000 (58U) and did the much-awaited update to version 388.1.

The issue is I can't get Wireguard to work. It's not straightforward and doesn't have the same UI as OpenVPN.
Is there any guide or video to correctly set the Wireguard?

Anyone who knows how kindly help.

Thanks.

 

[L&LD]

Welcome to the forums @KHODU.

Try using Better Search at the top of the page to search for those instructions. More information on your setup and endpoint would also be helpful.

 

[synergyme]

If your on a dynamic ISP you might be better setting up DDNS and use the domain name within the Wireguard config for clients.

 

[guho]

I found the problem and fix it by
1- adding NAT masquerade
#iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -o br0 -j MASQUERADE

2- then save the changes
#iptables-save

3- restart iptables service
#service restart-firewall

Voilà! working just fine

Yes, I had the same problem of only being able to connect to the router IP, not other LAN IPs from Wireguard client. But why does this need to be a nat/maquerade rule? One would think it should be possible to access LAN resources without NATing, just bridging the wireguard subnet to the LAN subnet. For now I've adopted your fix and am grateful you posted this.

 

[Obladi]

Thx! I really appreciate it, the only thing that I can't find the option "Enable JFFS"on my router but it exists on ssh side, I guess this one should works just fine on routers works with Merlin's firmware or I'm missingsomething ?

It is not working on Merlin. Router is Asus AX86S.