Keep wireguard always up on phone outside and inside LAN

DD-WRT Forum Index -> Advanced Networking
alscx
DD-WRT Novice


Joined: 15 Aug 2021
Posts: 6

PostPosted: Fri Jun 24, 2022 12:02    Post subject: Keep wireguard always up on phone outside and inside LAN
Hello all,

My current setup:

I have a TP-Link Archer C9 running DD-WRT v3.0-r49113 std (2022.07.06).
As my ISP doesn't allow me to use bridge mode, what I did was to create a DMZ to my DD-WRT.
I'm running two Wireguard instances on this router. One as a client to a Mullvad VPN and other as a server to my smartphone and laptop (so that I can both access my LAN from outside and also browse the web using my Mullvad VPN IP).

After following lots of tutorials and reading several threads from this forum and from Reddit I finally got things working (mostly). There's one issue that's been bothering me, though.


What I'm trying to achieve:

Currently each time I leave home I have to either manually run Wireguard or use a helper like Automate or Tasker to do so. But that's not ideal as it exposes my traffic for the time it takes to either manually run Wireguard or for the automation tool to detect the change on the network interface. If I keep Wireguard always running on my phone it works only when I'm outside my LAN.

So what I want is to be able to keep Wireguard always running on my phone, so that no matter if I'm outside my LAN or not I can use my VPN.

What I've done so far:

After looking for solutions I found that apparently what I need is to correctly implement something called "NAT hairpin" (which, if I understood correctly, would allow my phone's VPN IP to be seen as a LAN IP the same way it would if coming from an external IP).

I found this extremely old thread and used it just as reference, since neither the iptables modules nor one of the rules are working.

There's also this old thread which doesn't help much since it seems to be based on the solution of the previous link... I haven't found recent posts relating to that issue.

I also read in one thread that newer builds seem to have solved the NAT hairpin issue, so that it'd be enough to disable the option "Filter WAN NAT Redirection" (mine was disabled by default) for things to work out of the box. That obviously didn't work for me...

To make things easier and to better troubleshoot, I completely disabled the Mullvad interface and kept just the interface needed to connect my phone, but it still doesn't work.

Would anyone more experienced point me in the right direction?

Is it possible to achieve what I want? If so, is it really a matter of making NAT hairpin work?

Considering that my router itself is in a DMZ provided by my modem, could that be the reason NAT hairpin doesn't work?

I'd appreciate any help.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Fri Jun 24, 2022 13:07    Post subject:
Are you able to connect with the LAN Address of the router?

Make a host record in DNS masq with the local LAN Address and the same domain FQDN.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Fri Jun 24, 2022 13:18    Post subject:
+1

From your setup it looks like the NAT hairpinning should take place on your ISP Router and most ISP routers do not support that.

So follow PYB's solution.

In setting up you could have saved yourself a lot of trouble by using the designated DDWRT Manuals, a sticky in this forum:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397

See the Advanced Setup guide page 20 (although it needs some updating, it still should show you the way)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
alscx
DD-WRT Novice


Joined: 15 Aug 2021
Posts: 6

PostPosted: Fri Jun 24, 2022 13:25    Post subject:
Per Yngve Berg wrote:
Are you able to connect with the LAN Address of the router?

Make a host record in DNS masq with the local LAN Address and the same domain FQDN.


Thank you for taking an interest in my issue. When on LAN, if I run Wireguard on the phone nothing works... not even a ping to the IP of the router.

As for DNSMasq here is what I have now:

Dnsmasq: Enabled
Cache DNSSEC data: Disabled
No DNS Rebind: Disabled
Query DNS in Strict Order: Enabled
Add Requestor MAC to DNS Query: Disabled
RFC4039 Rapid Commit Support: Disabled

DNSMasq Additional Options
listen-address=127.0.0.1,192.168.1.1,10.4.0.1
alscx
DD-WRT Novice


Joined: 15 Aug 2021
Posts: 6

PostPosted: Fri Jun 24, 2022 13:31    Post subject:
egc wrote:
+1

From your setup it looks like the NAT hairpinning should take place on your ISP Router and most ISP routers do not support that.

So follow PYB's solution.

In setting up you could have saved yourself a lot of trouble by using the designated DDWRT Manuals, a sticky in this forum:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397

See the Advanced Setup guide page 20 (although it needs some updating, it still should show you the way)


Hey, thank you for your valuable input. I imagined that this DMZ between my ISP router and mine might be the problem... As for the tutorials you suggested, I still haven't read them. So before asking any further I'll read them, try to adapt them to my specific case and come back if it doesn't work.

Edit: Now I noticed that I've read the Wireguard tutorials. These were the ones I used to install and configure my router, in fact.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Fri Jun 24, 2022 13:35    Post subject:
Sure you can read those, but in this case, to resolve your current problem, follow PYB's solution.

Edit: also of interest when running a server and client on the same router: Client Setup guide page 13.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Fri Jun 24, 2022 13:57    Post subject:
You didn't get it.

In the WG Client, set wg.mydomain.com as connection host.

In a public dns server, set wg.mydomain.com to point to the public ip address.

In additional dnsmasq Options, set host-record=wg.mydomain.com,192.168.1
alscx
DD-WRT Novice


Joined: 15 Aug 2021
Posts: 6

PostPosted: Fri Jun 24, 2022 14:45    Post subject:
Per Yngve Berg wrote:
You didn't get it.

In the WG Client, set wg.mydomain.com as connection host.

In a public dns server, set wg.mydomain.com to point to the public ip address.

In additional dnsmasq Options, set host-record=wg.mydomain.com,192.168.1


Hey, you're my hero!!

It worked, mostly... In fact the first two steps were already done and working for a while... the third one (the "host-record" option in the DNSMasq configs) apparently did the trick. I was able to run Wireguard on my phone and connect from 'inside' my network.

Now I'm having another weird issue... After enabling "Always on" and "Block connections without VPN" on my phone, I tested switching connections from Wifi to LTE and noticed that although the link seems to be up and I can see tx and rx data on the Wireguard Android panel, there's no traffic. I have to disconnect and connect Wireguard again for it to work. Searching for answers I found this, which seems to be very similar to what I'm facing. But (lucky me) no solution in the thread... Do you believe it's caused by what the OP suggested (different endpoints depending on whether the connection comes from inside or outside the LAN)? If so, do you have any idea how I may fix it?

Thanks and sorry for bothering.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Fri Jun 24, 2022 16:30    Post subject:
The real solution here is to use NAT loopback (hairpinning), since then you're NOT changing the VPN server IP as you move from home to the outside world. However, this can be problematic because unlike other services when configured for use w/ NAT loopback, the VPN server is changing the routing tables on the client. What typically ends up happening is that the VPN client has multiple routes to the same local network, both via the LAN and VPN. And it's likely the routing priority will default to the VPN *unless* the route to the remote IP network over the VPN has a higher metric. It typically doesn't, and that's why it hangs!

That is the actual mistake, both for OpenVPN and WG. When configuring the local routing table for the remote IP network, that route should always contain a metric (e.g., 500) that gives priority to the *local* route, just in case the local and remote IP networks end up being the same (which is exactly what happens w/ NAT loopback). As a result, everything wrt the local IP network continues to work normally because all that traffic is kept local and NOT routed over the VPN. In effect, the VPN connection is useless, at least as far as accessing the remote network is concerned. But it does allow you to remain connected to the same *public* server IP, whether you're at home or on the road, which is the ultimate objective here.

Adding the metric will also help NON NAT loopback situations, such as when the remote and local IP networks actually are the same. This is obviously a misconfiguration (they need to be different to function as intended), but like the above, at least local traffic remains local, and the VPN client doesn't hang.

In the case of the OpenVPN server, you can include the metric in the push directive for the server's LAN (or any others you decide to push).

Code:
    push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"


I don't use WG, but I assume you can't push directives, so the WG client itself needs to be configured w/ the remote IP network(s). In that case, that route should be added w/ an appropriate metric as well.

NOTE: If the VPN client is *only* configured to act as the default gateway and is NOT specifically configured w/ the remote IP network of the server (either because it was NOT pushed by the server or configured on the VPN client itself), none of this is a problem, since the VPN client never ends up w/ a local/remote routing conflict. The problem only comes when the remote and local IP networks are the same, and the VPN client ends up w/ explicit multiple routes to it. The use of the metric in that case then resolves the ambiguity.

That's why we do NOT recommend using VPNs that connect locally. It creates a mess. It was never intended to be used in this fashion. But I understand there are circumstances when this type of restriction ends up being inconvenient, such as in the case of the OP. But as I said, the fact it changes the routing tables is what makes it problematic for such purposes. The use of a metric is just a workaround to prevent the worst result, namely, the misrouting of a local IP network.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
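The routing conflict eibgrad describes, modelled as an added example (not code from the thread or from DD-WRT): a client at home gets the same 192.168.1.0/24 both from its Wi-Fi interface and from the tunnel (the NAT-loopback case). Route selection follows the kernel's rule, longest prefix first and then lowest metric, so a VPN route carrying metric 500 loses to the local route and LAN traffic stays local; a VPN route with a lower metric wins and LAN traffic is misrouted into the tunnel. Interface names, the local metric of 100 and the endpoint address 203.0.113.10 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    metric: int


def select_route(table, dst):
    """Kernel-style route selection: among routes whose prefix contains dst,
    the longest prefix wins; equal prefixes are broken by the lowest metric."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def client_table(vpn_lan_metric):
    """Routing table of a phone at home with the tunnel up (constructed).
    The LAN 192.168.1.0/24 is reachable directly on wlan0 and is also
    configured as the 'remote' network over wg0, because local and remote
    networks are the same when the VPN is entered via NAT loopback."""
    net = ipaddress.IPv4Network
    return [
        Route(net("192.168.1.0/24"), "wlan0", 100),            # local LAN (assumed metric)
        Route(net("192.168.1.0/24"), "wg0", vpn_lan_metric),   # 'remote' LAN via tunnel
        Route(net("203.0.113.10/32"), "wlan0", 0),              # host route to the WG endpoint
        Route(net("0.0.0.0/0"), "wg0", 0),                      # tunnel as default gateway
        Route(net("0.0.0.0/0"), "wlan0", 600),                  # original default, lower priority
    ]


def egress_dev(vpn_lan_metric, dst):
    """Interface a packet to dst leaves on, given the metric on the VPN LAN route."""
    route = select_route(client_table(vpn_lan_metric), dst)
    return route.dev if route else None


if __name__ == "__main__":
    for metric in (500, 50):  # 500 = recommended, 50 = VPN route beats the local one
        for dst in ("192.168.1.1", "203.0.113.10", "8.8.8.8"):
            print(f"vpn metric {metric:3d}  {dst:>14} -> {egress_dev(metric, dst)}")
```

With metric 500 the router's LAN address is reached on wlan0 and only Internet traffic uses wg0; with metric 50 the LAN address is sent into the tunnel, which is the hang eibgrad describes.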
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Fri Jun 24, 2022 17:42    Post subject:
P.S. I may end up posting an enhancement request in the bug reporting system asking to have the metric added, minimally in the case of the OpenVPN server, and perhaps WG (client) as well. It's something I had been considering long before even this thread. It would just be better for users who, whether intentionally or not, end up w/ the same IP network on both sides of the tunnel.
_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Fri Jun 24, 2022 17:52    Post subject:
Problem is we are talking about the WG client on Android; not much we can do about it (besides manually routing).

It is indeed the case that the WG client resolves the endpoint on startup and does not check it while running.
You would expect that a change of wireless interfaces would trigger a restart, but that is not the case until now, although the WG gods are talking about that, so who knows what the future will bring.

The DDWRT client has a watchdog especially for this: if it loses the connection to the endpoint it restarts and resolves again (we have clients with WG servers with dynamic IP addresses).

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Fri Jun 24, 2022 18:02    Post subject:
egc wrote:
Problem is we are talking about the WG client on Android; not much we can do about it (besides manually routing).


Agreed. But it remains an issue in the general sense. There's NOT much anyone can do about other platforms. But I wanted to make it clear what the issue is here, so it was also clear what we can and CAN'T do about it.

Perhaps switching to OpenVPN would be a better option for the OP if it means added convenience (granted, less performance).

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Fri Jun 24, 2022 18:08    Post subject:
True, and thanks for chiming in as always.
Adding a metric for OpenVPN is certainly feasible.

But wasn't, for OpenVPN, one of the problems that the Control Channel was using another route than the data channel if the connection was made? (Doing too much at the same time, now working on SmartDNS and trying to resolve some issues on Station bridge for Atheros.)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
alscx
DD-WRT Novice


Joined: 15 Aug 2021
Posts: 6

PostPosted: Fri Jun 24, 2022 19:45    Post subject:
Hey guys, I really appreciate all of you taking the time to better explain the implications of this issue and also trying to find an applicable solution. At least now I understand better what's going on and what is reasonable to expect as possible future solutions.

Thank you very much.