Posted: Thu Oct 10, 2024 22:40 Post subject: Allow wireguard through ISP router ddwrt
I've seen this discussed here but nothing I've found solved the issue for me.
If the moderators feels this should be attached to my earlier thread go to it. It didn't seem related to me.
After a false start I found the proper informational documents for wireguard setup. (thanks egc)
I currently have a R9000 with build 58464 and I'm trying to connect android clients to an active wireguard server on that router.
The router I have connected to the internet is a comcast supplied model that is serving out addresses in the 10.0.0.0/24 range. The dd-wrt router is currently using 10.0.0.111.
The ISP router is set to port forward 51810; which is what I'm using for wireguard.
The ddns server on the ddwrt is set up to "use external ip check = true" and returns the IP address assigned by my ISP to mydds.xxx (in the 98.222 .... range) dds supplied by Dynu.
Changing the endpoint from mydds.xxx to 10.0.0.111 does allows a handshake and data transfer but of course that is pointless. Is there a simple setting or firewall command to allow communication between wireguard server and client via mydds.xxx or am I just missing something?
You did not show the whole page so please post the whole WG page but what I see looks OK.
The rest is shown below. It is really just more of the same.
egc wrote:
If dynu show the IP address of the comcast then that should be fine.
Maybe you did not setup port forwarding correctly on the comcast?
Yes dynu shows correct ip address. Comcast router is set to port forward 51810 UDP it all looks correct to me.
egc wrote:
To see if any traffic reaches the DDWRT router try to connect with your phone on cellular a few times and then show output of
iptables -vnL -t nat
iptables -vnL FORWARD
wg show
I don't currently have an active mobile data service. Let me try to come up with some creative workaround :/ The problem is I can't connect to my network to run the commands if I'm at another location.
Peer lenovo has as allowed ips o.a. 192.168.2.0/24
Why??
I was testing if adding an additional allowed ip for that device made any difference and forgot to remove it.
egc wrote:
The iptables rules show that no wg traffic is reaching the router.
Sounds correct. Now when I change endpoints to 10.0.0.111 this no longer allows for a handshake connection. Previously I could get a handshake and data transfer when I did that. So something I changed disabled even that behavior.
egc wrote:
To further test use the comcast wan ip address instead of the dynu address.
I have tried that and it made no difference.
egc wrote:
If that not helps check the port forward at the comcast
I've checked that multiple times. It shows 51810 port forward .
Let many see if I can find out what disabled the ability to get any handshake even when they are on the internal network.
edit: Now if I set an endpoint in wireguard to 10.0.0.111:51810 it disable my connection to the internet through the router.
I removed my clients and recreated them and the connections are working as previously.
I've connected one client through 10.0.0.111 it has a handshake and data is passed.
The second client is trying to connect from the internet (myddns.xxx). It doesn't show a connection on the server side and shows rx:0 and tx:XXXKiB sent on the client side.
Last edited by Nuor on Fri Oct 11, 2024 20:02; edited 1 time in total
Joined: 18 Mar 2014 Posts: 13446 Location: Netherlands
Posted: Fri Oct 11, 2024 19:38 Post subject:
Nuor wrote:
egc wrote:
Peer lenovo has as allowed ips o.a. 192.168.2.0/24
Why??
I was testing if adding an additional allowed ip for that device made any difference and forgot to remove it.
If something does not work doing random (stupid) things does not help.
Adding the routers own subnet really break things.
Where in the manual it is stated you need to fiddle with the Network configuration?
Please stop doing random things.
It is clear that no traffic is coming into the router on port 51810 that is the problem you should focus on.
A simple test if you connect your phone to the comcast router and then use 10.0.0.111 as wg address it should work.
If that works wg is setup correctly.
Then set phone on cellular and use the comcasts wan address.
If that does not work then either
Comcast is blocking wg
Or the wan address is wrong or is a cgnat address
Or the port forward is wrong