Posted: Fri Aug 05, 2022 0:08 Post subject: [SOLVED] WireGuard Advanced Setup for KDE Connect
The basics:
Hardware: Netgear R7000
Current DD-WRT Version: r49599 std (07/30/22)
What I am trying to do:
Concurrent WireGuard client and server, with the client connected to a WG provider and the server allowing remote access from roaming client(s), e.g. phone and laptop. All of that works, though (see below).
The problem:
With the help of this wonderful forum as well as the guides provided by egc, all of that works well: the client is connected and I can access the LAN from my phone. However, when I add a second peer to the server tunnel (oet2), access to the LAN breaks, specifically KDE Connect. I can access other devices such as the Nextcloud instance and PiHole, though.
The setup:
See attached image. In addition to that, I will also say the only way I have been able to get this setup to work thus far (even without the second peer) is through the scripts available in this blog post: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322206. Let me know if any other configuration settings are required.
What I have tried:
- Different firmware versions/factory reset
- Fiddling around with the PBR on the tunnels (without the scripts)
- I set up the second peer in exactly the same way, just with a different IP address (10.4.0.7)
To be candid, networking is easily my weakness with respect to computers. I don't think I fully understand the implementation of PBR in DD-WRT but I am having difficulty finding updated resources. Feel free to point me in the correct direction! Thank you in advance for the help and to any/all contributions to this community!
Last edited by posthocrobot on Thu Aug 11, 2022 3:09; edited 1 time in total
Joined: 18 Mar 2014 Posts: 12836 Location: Netherlands
Posted: Fri Aug 05, 2022 13:23 Post subject:
You mention a second peer but it looks like you have setup a second tunnel?
It actually looks like you have setup one tunnel as *client* to Mullvad and another tunnel as *server* to which your phone can connect from outside.
You blacked out the listen port, make sure every tunnel has its own listen port.
You can run a client and a server on the same router but not like you are doing.
When you connect from outside/the WAN to your Server, the traffic is routed back out via the Client instead of via the WAN and the firewall will not allow this (also because you are using the kill switch, which is blocking the WAN).
First test the tunnels individually, so just disable one and check if the other is working; if so, then see the Client setup guide under Policy Based routing/Source Based routing, page 12, if you only have selected LAN clients you wish to use the VPN.
Policy Based routing will also take care of the kill switch, if used with PBR then the entries in the PBR are protected but the WAN is left open.
I will transfer your thread to the Advanced networking forum as it can be of interest to us all.
Thank you! I initially thought it had been deleted because I failed to adhere to a guideline.
egc wrote:
You mention a second peer but it looks like you have setup a second tunnel?
It actually looks like you have setup one tunnel as *client* to Mullvad and another tunnel as *server* to which your phone can connect from outside.
You blacked out the listen port, make sure every tunnel has its own listen port.
You can run a client and a server on the same router but not like you are doing.
When you connect from outside/the WAN to your Server, the traffic is routed back out via the Client instead of via the WAN and the firewall will not allow this (also because you are using the kill switch, which is blocking the WAN).
First test the tunnels individually, so just disable one and check if the other is working; if so, then see the Client setup guide under Policy Based routing/Source Based routing, page 12, if you only have selected LAN clients you wish to use the VPN.
Policy Based routing will also take care of the kill switch, if used with PBR then the entries in the PBR are protected but the WAN is left open.
If you want to have all LAN clients use the VPN, then read further on page 14: "Routed selected sources via the WAN".
There it is described how to have only the Server's port use the WAN; as it looks like you are using Tunnel 2 as server, use:
sport $(nvram get oet2_port)
Keen eye, and you are correct about my configuration: oet1 is a tunnel to Mullvad and oet2 allows remote access to my LAN! I do not have the second peer (on oet2) set up, as adding that peer breaks KDE Connect (more on that below).
To be honest, some of the finer points of your post are what confuse me (patience is a virtue). The tunnels work well as of right now (I am connected to Mullvad's WG server and can access my LAN remotely to, e.g., sync with my Nextcloud instance or take advantage of my PiHole) although, according to the guide and your post, they maybe shouldn't, and I am having this difficulty with KDE Connect. Do you think the issue is with the script I use instead of using PBR as the guides show? I deselected "Route Allowed IPs via Tunnel" because that broke KDE Connect!
As of right now, KDE Connect works when I am connected to my LAN directly or tunneling in. If I add the second peer to oet2, however, it breaks and I can no longer see my desktop running KDE. Using the command "netcat -z -v <your-phones-ip> 1714-1764", the command hangs on port 1716 while all other ports in that range show a refused connection.
I am going to read the guides more thoroughly and see if I can get my tunnels set up without the scripts. Something tells me they are the culprit. I will report back if I have any further questions and I appreciate your guidance in that matter!
Joined: 18 Mar 2014 Posts: 12836 Location: Netherlands
Posted: Mon Aug 08, 2022 9:45 Post subject:
posthocrobot wrote:
I am going to read the guides more thoroughly and see if I can get my tunnels set up without the scripts. Something tells me they are the culprit. I will report back if I have any further questions and I appreciate your guidance in that matter!
Okay, egc, thank you for the help! I think the issue last time is that I missed that sport in PBR. So, now, what I have is two working tunnels (look, Ma, no scripts). oet1 is to Mullvad and oet2 allows me to tunnel into my LAN and access the internet through the VPN as well as my LAN devices. If you need configuration settings, I can certainly provide another snapshot.
However, now I am stuck back at square one w/r/t KDE Connect. Researching the topic with keywords such as "KDE Connect subnet" reveals that I am not the only one having issues, and yet, the official KDE Connect documentation seems to state that I should be able to manually add my device with the IP. Is my issue perhaps with Allowed IPs? Or is there a firewall setting I need to modify? Is it something apart from the tunnel settings?
For what it is worth, that documentation recommends the command "netcat -z -v <your-devices-ip> 1714-1764" for troubleshooting purposes. If I run that command from my phone, the connection is successful. If I run that command from my desktop using my phone's DHCP IP (192.168.x.x), it is not. But, if I run it from the desktop with my phone's "tunnel IP" (10.4.x.x), it is!
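As an added illustration that is not part of this thread: the "netcat -z -v <ip> 1714-1764" check from the KDE Connect documentation can be reproduced in Python, keeping the three outcomes the poster observed (refused, hung, reachable) separate instead of reading netcat's output by eye. A port that hangs while its neighbours are refused means the SYN reached something that never answered with a RST, which is what a dropping firewall rule or a broken return route (egc's point about server traffic being routed back out via the client tunnel) looks like from the connecting side. The port range is taken from the thread's command; every function name here is the example's own, and the loopback self-check constructs its own listener so the script runs offline.

```python
import socket
from typing import Dict, List

# KDE Connect's TCP port range, as used in the thread's netcat command.
KDE_FIRST, KDE_LAST = 1714, 1764


def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt one TCP connect and classify the result.

    "open"     - handshake completed, something is listening
    "refused"  - the host answered with a RST (reachable, nothing listening)
    "filtered" - no answer within `timeout`: the SYN or the reply was dropped,
                 the signature of a firewall DROP or of a return path that
                 leaves via a different interface than the request arrived on
    "error"    - local failure such as "no route to host"
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "error"


def scan_range(host: str, first: int = KDE_FIRST, last: int = KDE_LAST,
               timeout: float = 2.0) -> Dict[int, str]:
    """Probe every port in [first, last], mirroring `nc -z -v host first-last`."""
    return {port: probe_tcp_port(host, port, timeout)
            for port in range(first, last + 1)}


def summarize(results: Dict[int, str]) -> Dict[str, List[int]]:
    """Group ports by outcome so a lone hanging port stands out from the rest."""
    groups: Dict[str, List[int]] = {"open": [], "refused": [], "filtered": [], "error": []}
    for port, status in sorted(results.items()):
        groups[status].append(port)
    return groups


def self_check() -> Dict[str, str]:
    """Offline demonstration on loopback (constructed listener, not a real peer):
    a listening port reports "open"; the same port after the listener is closed
    reports "refused"."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp_port("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = probe_tcp_port("127.0.0.1", port, timeout=1.0)
    return {"listening": while_listening, "closed": after_close}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for status, ports in summarize(scan_range(target, timeout=1.0)).items():
        if ports:
            print(f"{status:9s} {ports}")
```

Run it once against the device's LAN DHCP address and once against its tunnel address, as the poster did by hand; the useful comparison is which ports move from "refused" or "open" into "filtered" between the two runs, since that is the traffic whose reply is not making it back, rather than a service that is simply not running.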
egc, I appreciate your help through this. I feel as if I have learned quite a bit about networking. I am happy to say that I was able to resolve the issue with a bit of Googling and my newfound knowledge.
For those interested, the answer came in the form of this Reddit post. I just followed their instructions and used the "tunnel IP" (10.4.x.x) of my device to add it to the customDevices in KDE. Now everything is as it should be! Why it did not work when manually adding the IP of my computer from my phone, I do not know...