[SOLVED] Wireguard Advanced Setup for KDE connect

posthocrobot
DD-WRT Novice


Joined: 19 May 2020
Posts: 7

Posted: Fri Aug 05, 2022 0:08    Post subject: [SOLVED] Wireguard Advanced Setup for KDE connect
The basics:
Hardware: Netgear R7000
Current DD-WRT Version: r49599 std (07/30/22)

What I am trying to do:
Concurrent WireGuard client and server with client connected to WG provider and server allowing remote access from roaming client(s), e.g. phone and laptop. All of that works, though. (see below)

The problem:
With the help of this wonderful forum as well as the guides provided by egc, all of that works well: Client connected and can access LAN from phone. However, when I add a second peer to the server tunnel (oet2), access to the LAN breaks, specifically, KDE connect? I can access other devices such as Nextcloud instance and PiHole, though.

The setup:
See attached image. In addition to that, I will also say the only way I have been able to get this setup to work thus far (even without the second peer) is through the scripts available in this forum post: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322206. Let me know if any other configuration settings are required.

What I have tried:
- Different firmware versions/factory reset
- Fiddling around with the PBR on the tunnels (without the scripts)
- I setup the second peer the exact same way, just with a different IP address (10.4.0.7)

To be candid, networking is easily my weakness with respect to computers. I don't think I fully understand the implementation of PBR in DD-WRT but I am having difficulty finding updated resources. Feel free to point me in the correct direction! Thank you in advance for the help and to any/all contributions to this community!


Last edited by posthocrobot on Thu Aug 11, 2022 3:09; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Fri Aug 05, 2022 13:05
I will transfer your thread to the Advanced networking forum as it can be of interest to us all.
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Fri Aug 05, 2022 13:23
You mention a second peer but it looks like you have setup a second tunnel?

It actually looks like you have setup one tunnel as *client* to Mullvad and another tunnel as *server* to which your phone can connect from outside.

You blacked out the listen port, make sure every tunnel has its own listen port.

You can run a client and a server on the same router but not like you are doing.
When you connect from outside/the WAN to your Server the traffic is routed back out via the Client instead of via the WAN and the firewall will not allow this (also because you are using the kill switch which is blocking WAN)

First test the tunnels individually, so just disable one and check if the other is working. If so, then see the Client setup guide under Policy Based routing/Source Based routing, page 12, if you only have selected LAN clients you wish to use the VPN.
Policy Based routing will also take care of the kill switch, if used with PBR then the entries in the PBR are protected but the WAN is left open.

If you want to have all LAN clients use the VPN then read further on page 14: "Routed selected sources via the WAN"
Here it is described how to only have the Server's port using the WAN; as it looks like you are using Tunnel 2 as server, then use:
sport $(nvram get oet2_port)

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Fri Aug 05, 2022 13:51
Another error I spotted: you have to *Enable* "Route Allowed IPs via tunnel" (that should be the default and the guide clearly shows that you should enable it).
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Fri Aug 05, 2022 17:16
Supplemental,
You mention KDE connect, I do not think that will run via a (routed) VPN from what I saw it needs to be on the same subnet but I could be mistaken.

posthocrobot
DD-WRT Novice


Joined: 19 May 2020
Posts: 7

Posted: Mon Aug 08, 2022 4:19
egc wrote:
I will transfer your thread to the Advanced networking forum as it can be of interest to us all.

Thank you! I initially thought it had been deleted because I failed to adhere to a guideline.

egc wrote:
You mention a second peer but it looks like you have setup a second tunnel?

It actually looks like you have setup one tunnel as *client* to Mullvad and another tunnel as *server* to which your phone can connect from outside.

You blacked out the listen port, make sure every tunnel has its own listen port.

You can run a client and a server on the same router but not like you are doing.
When you connect from outside/the WAN to your Server the traffic is routed back out via the Client instead of via the WAN and the firewall will not allow this (also because you are using the kill switch which is blocking WAN)

First test the tunnels individually, so just disable one and check if the other is working. If so, then see the Client setup guide under Policy Based routing/Source Based routing, page 12, if you only have selected LAN clients you wish to use the VPN.
Policy Based routing will also take care of the kill switch, if used with PBR then the entries in the PBR are protected but the WAN is left open.

If you want to have all LAN clients use the VPN then read further on page 14: "Routed selected sources via the WAN"
Here it is described how to only have the Server's port using the WAN; as it looks like you are using Tunnel 2 as server, then use:
sport $(nvram get oet2_port)

Keen eye and you are correct about my configuration: oet1 is a tunnel to Mullvad and oet2 allows remote access to my LAN! I do not have the second peer (on oet2) setup as adding that peer breaks KDE connect (more on that below).

To be honest, some of the finer points of your post are what confuse me (patience is a virtue). The tunnels work well as of right now (I am connected to Mullvad's WG server and can access my LAN remotely to, e.g., sync with my Nextcloud instance or take advantage of my PiHole), although, according to the guide and your post, they maybe shouldn't, and I am having this difficulty with KDE connect. Do you think the issue is with the script I use instead of using PBR as the guides show? I deselected "Route Allowed IPs via Tunnel" because that broke KDE connect!

As of right now, KDE connect works when I am connected to my LAN directly or tunneling in. If I add the second peer to oet2, however, it breaks and I can no longer see my desktop running KDE. Using the command "netcat -z -v <your-phones-ip> 1714-1764", the command hangs on port 1716 while all other ports in that range show a refused connection.
posthocrobot
DD-WRT Novice


Joined: 19 May 2020
Posts: 7

Posted: Mon Aug 08, 2022 4:21
I am going to read the guides more thoroughly and see if I can get my tunnels set up without the scripts. Something tells me they are the culprit. I will report back if I have any further questions and I appreciate your guidance in that matter!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Mon Aug 08, 2022 9:45
posthocrobot wrote:
I am going to read the guides more thoroughly and see if I can get my tunnels set up without the scripts. Something tells me they are the culprit. I will report back if I have any further questions and I appreciate your guidance in that matter!


Sounds like a good plan.

posthocrobot
DD-WRT Novice


Joined: 19 May 2020
Posts: 7

Posted: Wed Aug 10, 2022 1:49
Okay, egc, thank you for the help! I think the issue last time is that I missed that sport in PBR. So, now, what I have is two working tunnels (look, Ma, no scripts). oet1 is to Mullvad and oet2 allows me to tunnel into my LAN and access the internet through the VPN as well as my LAN devices. If you need configuration settings, I can certainly provide another snap shot.

However, now I am stuck back at square one w/r/t KDE Connect. Researching the topic with keywords such as "KDE Connect subnet" reveals that I am not the only one having issues, and yet, the official KDE Connect documentation seems to state that I should be able to manually add my device with the IP. Is my issue perhaps with Allowed IPs? Or is there a firewall setting I need to modify? Is it something apart from the tunnel settings?

For what it is worth, that documentation recommends the command "netcat -z -v <your-devices-ip> 1714-1764" for troubleshooting purposes. If I run that command from my phone, the connection is successful. If I run that command from my desktop using my phone's DHCP IP (192.168.x.x), it is not. But, if I run it from the desktop with my phone's "tunnel IP" (10.4.x.x), it is!
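The netcat sweep from the KDE Connect documentation that the post above mentions, turned into a small diagnostic script. This is an added example, not code from the thread, from DD-WRT or from KDE; it assumes a POSIX sh and a netcat that understands -z -v -w (OpenBSD nc; the BusyBox build on a router may lack -z), and the IP 10.4.0.7 in the usage comment is a constructed placeholder. It separates "refused" (the host answered with a RST, so routing is fine and only the listener is missing) from "dropped" (no answer before the timeout, so a firewall rule, PBR entry or Allowed IPs setting is eating the packets), which is the difference between a port that reports a refused connection and one that hangs.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread). Sweeps the KDE Connect
# port range with netcat and classifies each port, because "hangs" and
# "refused" point at different problems:
#   open    - a KDE Connect listener answered
#   refused - host reached, TCP RST came back, nothing listens on that port
#   dropped - no reply before the timeout: packets are dropped on the way
#             (firewall rule, PBR/route, Allowed IPs), not a KDE problem
# Assumes a netcat that supports -z -v -w (OpenBSD nc; BusyBox nc may not).

# classify_nc_result STATUS OUTPUT: map nc's exit status and message to a verdict.
classify_nc_result() {
    status="$1"
    output="$2"
    if [ "$status" -eq 0 ]; then
        echo open
    elif printf '%s' "$output" | grep -qi 'refused'; then
        echo refused
    else
        echo dropped
    fi
}

# sweep_ports HOST FIRST LAST [TIMEOUT]: print one "port verdict" line per port.
sweep_ports() {
    host="$1"; first="$2"; last="$3"; timeout="${4:-3}"
    port="$first"
    while [ "$port" -le "$last" ]; do
        out=$(nc -z -v -w "$timeout" "$host" "$port" 2>&1)
        rc=$?
        echo "$port $(classify_nc_result "$rc" "$out")"
        port=$((port + 1))
    done
}

# summarise_sweep: read "port verdict" lines on stdin and print one word:
#   reachable   - at least one port open (KDE Connect is listening)
#   no-listener - host answers but nothing listens in the range
#   unreachable - every port dropped: fix routing/firewall before blaming KDE
summarise_sweep() {
    awk '$2 == "open" { o++ } $2 == "refused" { r++ }
         END { if (o > 0) print "reachable";
               else if (r > 0) print "no-listener";
               else print "unreachable" }'
}

# Usage from the desktop against the phone's tunnel IP (constructed address):
#   sweep_ports 10.4.0.7 1714 1764 | tee /dev/stderr | summarise_sweep
```

Run it once from the LAN and once from a roaming peer; an "unreachable" verdict with the DHCP address but "reachable" with the tunnel address means the route or firewall differs per source, not that KDE Connect is broken.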
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Wed Aug 10, 2022 5:49
Testing can only be done from outside, e.g. with your phone on cellular.

Like I said it looks like KDE wants you to be on the same subnet so it will struggle with routed vpn.

If it also works with IP addresses you can try to Enable "Allow Clients full LAN access"

posthocrobot
DD-WRT Novice


Joined: 19 May 2020
Posts: 7

Posted: Thu Aug 11, 2022 2:59
egc, I appreciate your help through this. I feel as if I have learned quite a bit about networking. I am happy to say that I was able to resolve the issue with a bit of Googling and my newfound knowledge.

For those interested, the answer came in the form of this Reddit post. I just followed their instructions and used the "tunnel IP" (10.4.x.x) of my device to add it to the customDevices in KDE. Now everything is as it should be! Why it did not work when manually adding the IP of my computer from my phone, I do not know...