Wireguard behind gateway not accessible

ddwrt.guy
DD-WRT Novice


Joined: 13 Aug 2013
Posts: 24

Posted: Fri Oct 15, 2021 16:35    Post subject: Wireguard behind gateway not accessible
I have wireguard running on a DD-WRT router (WNDR4300 build r47495 9-28-21) that sits behind my gateway router DD-WRT v3.0-r39960M kongac (06/08/19). I am able to connect my Android mobile to wireguard from the LAN but not the WAN. I can't figure out why.

From the WAN, I can see the initial packets arrive at the wireguard router but nothing gets sent back.

Gateway Info
iptables -vnL -t nat
Code:

Chain PREROUTING (policy ACCEPT 579K packets, 64M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       34  5984 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:51820 to:10.47.67.10:51820
5       40  1968 DNAT       icmp --  *      *       0.0.0.0/0            < wan-ip >           to:10.47.67.1
6        4   224 DNAT       tcp  --  *      *       0.0.0.0/0            < wan-ip >           tcp dpt:6371 to:10.47.67.213:27
7    26099 1359K TRIGGER    0    --  *      *       0.0.0.0/0            < wan-ip >           TRIGGER type:dnat match:0 relate:0


iptables -vnL INPUT
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      10M 1164M logaccept  0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2      100 17600 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:51820


iptables -vnL FORWARD
Code:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      64M   53G logaccept  0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED


route
Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         WAN-IP.1        0.0.0.0         UG    0      0        0 vlan2
10.0.5.0        10.0.5.2        255.255.255.0   UG    0      0        0 tun5
10.0.5.2        *               255.255.255.255 UH    0      0        0 tun5
10.0.9.0        10.0.9.2        255.255.255.0   UG    0      0        0 tun0
10.0.9.2        *               255.255.255.255 UH    0      0        0 tun0
10.47.67.0      *               255.255.255.0   U     0      0        0 br0
10.47.70.0      *               255.255.255.0   U     0      0        0 br2
10.47.71.0      *               255.255.255.0   U     0      0        0 br3
WAN-IP.0        *               255.255.254.0   U     0      0        0 vlan2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
172.20.20.0     *               255.255.255.0   U     0      0        0 br1
192.168.11.0    10.0.9.2        255.255.255.0   UG    0      0        0 tun0
192.168.15.0    10.47.67.5      255.255.255.0   UG    2      0        0 br0
192.168.16.0    Router--xray    255.255.255.0   UG    2      0        0 br0


Wireguard router
iptables -vnL -t nat
Code:
Chain PREROUTING (policy ACCEPT 98912 packets, 17M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       udp  --  *      *       0.0.0.0/0            10.47.67.9           udp dpt:51820 to:192.168.6.1:51820
2       20  1040 DNAT       tcp  --  *      *       0.0.0.0/0            10.47.67.10          tcp dpt:22 to:192.168.6.1:22
3        3   204 DNAT       icmp --  *      *       0.0.0.0/0            10.47.67.10          to:192.168.6.1
4        1   176 TRIGGER    all  --  *      *       0.0.0.0/0            10.47.67.10         TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT 15 packets, 952 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 93 packets, 7052 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 93 packets, 7052 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 SNAT       all  --  *      br0     0.0.0.0/0            0.0.0.0/0            to:192.168.6.1
2        0     0 SNAT       all  --  *      vlan2   192.168.6.0/24       0.0.0.0/0            to:10.47.67.10
3       17  1059 SNAT       all  --  *      vlan2   10.4.0.0/24          0.0.0.0/0            to:10.47.67.10
4        0     0 RETURN     all  --  *      oet1    0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
5        0     0 MASQUERADE  all  --  *      oet1    10.4.0.0/24          10.4.0.0/24
6        0     0 RETURN     all  --  *      br0     0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
7        0     0 MASQUERADE  all  --  *      br0     192.168.6.0/24       192.168.6.0/24


iptables -vnL INPUT
Code:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  oet1   *       0.0.0.0/0            0.0.0.0/0            state NEW
2      113 27376 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820
3    55918   11M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED


iptables -vnL FORWARD
Code:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       20  1243 ACCEPT     all  --  oet1   *       0.0.0.0/0            0.0.0.0/0            state NEW
2      212 51763 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        8   672 upnp       all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 lan2wan    all  --  oet1   *       0.0.0.0/0            0.0.0.0/0


route
Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         router--bosco   0.0.0.0         UG    0      0        0 vlan2
10.4.0.0        *               255.255.255.0   U     0      0        0 oet1
10.4.0.3        *               255.255.255.255 UH    0      0        0 oet1
10.4.0.5        *               255.255.255.255 UH    0      0        0 oet1
10.47.67.0      *               255.255.255.0   U     0      0        0 vlan2
10.47.67.1      router--bosco   255.255.255.255 UGH   0      0        0 vlan2
wan-ip.0        router--bosco   255.255.255.255 UGH   0      0        0 vlan2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.1.0     *               255.255.255.0   U     0      0        0 oet1
192.168.6.0     *               255.255.255.0   U     0      0        0 br0
192.168.11.0    *               255.255.255.0   U     0      0        0 oet1


ifconfig
Code:

br0       Link encap:Ethernet  HWaddr 10:0D:7F:4C:76:CD
          inet addr:192.168.6.1  Bcast:192.168.6.255  Mask:255.255.255.0
          inet6 addr: fe80::120d:7fff:fe4c:76cd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:1488 (1.4 KiB)

eth0      Link encap:Ethernet  HWaddr 10:0D:7F:4C:76:CD
          inet6 addr: fe80::120d:7fff:fe4c:76cd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3362 errors:0 dropped:0 overruns:0 frame:0
          TX packets:287 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:302827 (295.7 KiB)  TX bytes:45350 (44.2 KiB)
          Interrupt:4

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MULTICAST  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

oet1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.4.0.1  P-t-P:10.4.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP PROMISC  MTU:1440  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:102 errors:0 dropped:4 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:15096 (14.7 KiB)

vlan1     Link encap:Ethernet  HWaddr 10:0D:7F:4C:76:CD
          inet6 addr: fe80::120d:7fff:fe4c:76cd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:2136 (2.0 KiB)

vlan2     Link encap:Ethernet  HWaddr 10:0D:7F:4C:76:CD
          inet addr:10.47.67.10  Bcast:10.47.67.255  Mask:255.255.255.0
          inet6 addr: fe80::120d:7fff:fe4c:76cd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3362 errors:0 dropped:0 overruns:0 frame:0
          TX packets:243 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:242311 (236.6 KiB)  TX bytes:41450 (40.4 KiB)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

Posted: Fri Oct 15, 2021 16:50    Post subject:
I am a bit confused, are you trying to setup WG as a WireGuard server so that you can connect from outside?
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14222
Location: Texas, USA

Posted: Fri Oct 15, 2021 17:23    Post subject:
I'm confused on what the gateway router model is.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
ddwrt.guy
DD-WRT Novice


Joined: 13 Aug 2013
Posts: 24

Posted: Fri Oct 15, 2021 19:23    Post subject:
The wireguard router is a server for me to connect from the internet. The gateway router is a Netgear R8000.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

Posted: Fri Oct 15, 2021 19:34    Post subject:
On the Gateway router (which is running an old and obsolete build with security issues) I see a DNAT rule for port 51820 to 10.47.67.10, which I presume is the WAN IP address of your WG router.
I do not see a FORWARD rule but I suppose it is there and the port forwarding on the Gateway router is working.

On the WG router I see a strange DNAT rule about port 58120; are you also port forwarding on that router?

To setup WireGuard as server see:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322206

It looks like you are defining an endpoint on the server side (to the server itself) that is not in the manual, so delete the endpoint and also delete keep alive.
The server is only listening.

Under allowed IPs only the WG IP address of the client will do, so probably 10.4.0.5/32
(This because clients usually NAT over the WG interface)

If the Port Forward on the Gateway works, then just following the WG server setup guide should do the trick.

Oh and consider upgrading the R8000, about how and where to find downloads and many more helpful tips see the forum guidelines:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

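The posts above trace the forward path by reading `iptables -vnL` output by hand: the gateway's DNAT for udp/51820, the WG router's INPUT accept for the same port, and the WG router's own extra DNAT for 51820 that never matched. The script below is an added example (not code from the thread or from DD-WRT) that parses that output format and performs the same three checks automatically; the sample chain text embedded in it is a constructed subset of the rules posted above, with the `< wan-ip >` placeholders left out.

```python
"""Audit a two-hop WireGuard port forward (gateway -> WG router) from
`iptables -vnL` text. Added example; not part of the forum thread."""
import re
from dataclasses import dataclass

_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def parse_count(tok):
    """iptables -v abbreviates large counters (e.g. 10M, 53G)."""
    if tok[-1] in _SUFFIX:
        return int(tok[:-1]) * _SUFFIX[tok[-1]]
    return int(tok)


@dataclass
class Rule:
    chain: str
    pkts: int
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # match text after destination, e.g. "udp dpt:51820 to:10.47.67.10:51820"


def parse_iptables(text):
    """Parse `iptables -vnL` (with or without --line-numbers) into Rule objects."""
    rules, chain, has_num = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        if line.startswith(("num", "pkts")):       # column header
            has_num = line.startswith("num")
            continue
        f = line.split()
        if has_num:
            f = f[1:]                               # drop rule number column
        # pkts bytes target prot opt in out source destination [match text...]
        prot = "all" if f[3] == "0" else f[3]       # newer builds print 0 for "all"
        rules.append(Rule(chain, parse_count(f[0]), f[2], prot,
                          f[5], f[6], f[7], f[8], " ".join(f[9:])))
    return rules


def dnat_rules(rules, proto, port):
    return [r for r in rules if r.chain == "PREROUTING" and r.target == "DNAT"
            and f"{proto} dpt:{port}" in r.extra]


def dnat_target(rule):
    m = re.search(r"to:(\S+)", rule.extra)
    return m.group(1) if m else None


def audit_forward(gateway_nat, wg_nat, wg_input, proto="udp", port=51820):
    """Return (severity, message) findings for the gateway -> WG router path."""
    findings = []
    gw = dnat_rules(parse_iptables(gateway_nat), proto, port)
    if not gw:
        return [("FAIL", f"gateway has no DNAT for {proto}/{port}")]
    target_ip = dnat_target(gw[0]).split(":")[0]
    findings.append(("OK", f"gateway forwards {proto}/{port} to {target_ip} "
                           f"({gw[0].pkts} pkts hit)"))

    accept = [r for r in parse_iptables(wg_input) if r.chain == "INPUT"
              and r.target == "ACCEPT" and f"{proto} dpt:{port}" in r.extra]
    if accept:
        findings.append(("OK", f"WG router INPUT accepts {proto}/{port} "
                               f"({accept[0].pkts} pkts hit)"))
    else:
        findings.append(("FAIL", f"WG router INPUT has no ACCEPT for {proto}/{port}"))

    # A second DNAT on the WG router for the same port would steer the traffic
    # away from the local WireGuard listener if its destination ever matched.
    for r in dnat_rules(parse_iptables(wg_nat), proto, port):
        steals = r.dst in (target_ip, "0.0.0.0/0")
        findings.append(("FAIL" if steals else "WARN",
                         f"WG router also DNATs {proto}/{port} for dst {r.dst} to "
                         f"{dnat_target(r)} ({r.pkts} pkts hit)"
                         + ("" if steals else f"; never matches forwarded target {target_ip}")))
    return findings


# Constructed sample input: a subset of the chains posted in the thread.
GATEWAY_NAT = """Chain PREROUTING (policy ACCEPT 579K packets, 64M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       34  5984 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820 to:10.47.67.10:51820
"""
WG_NAT = """Chain PREROUTING (policy ACCEPT 98912 packets, 17M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       udp  --  *      *       0.0.0.0/0            10.47.67.9           udp dpt:51820 to:192.168.6.1:51820
2       20  1040 DNAT       tcp  --  *      *       0.0.0.0/0            10.47.67.10          tcp dpt:22 to:192.168.6.1:22
"""
WG_INPUT = """Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
2      113 27376 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820
3    55918   11M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
"""

if __name__ == "__main__":
    for sev, msg in audit_forward(GATEWAY_NAT, WG_NAT, WG_INPUT):
        print(f"[{sev}] {msg}")
```

Run on the sample it reports the gateway DNAT and the WG router's INPUT accept as OK (so the handshake packets do reach the listener, matching what the poster observed) and warns that the WG router's own DNAT for 51820 targets 10.47.67.9, an address that is never the forwarded destination. Because the checks only look at NAT and filter rules, a clean report still leaves the WireGuard configuration itself (endpoint, keepalive, AllowedIPs) to be verified as egc describes.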
ddwrt.guy
DD-WRT Novice


Joined: 13 Aug 2013
Posts: 24

Posted: Sun Oct 17, 2021 22:12    Post subject:
Thanks for the feedback.

I spent the last few days upgrading the gateway router to r47495 (9-28-21) and ensuring all works. With that behind me, I returned to the problem described above.

I removed the firewall settings on the wireguard router that were not needed but added confusion. I set wireguard keep alive to 0.

I removed my manual port forwards from the gateway router and replaced them with a GUI port forward for udp wan-ip:51820 -> 10.47.67.10:51820 (wireguard router).

Behaviour is the same. I can connect to wg from the LAN but not from the internet. Packets are being seen on the router coming in but no packets are replying.

This is very strange. Since I upgraded the gateway, it now has wg capabilities. I configured the gateway wg and it works perfectly. I think I'll stop trying to debug the wg forward issue.

Thanks for the help and the advice to U/G the gateway.
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Mon Nov 08, 2021 14:35    Post subject:
I would give the latest build a try DD-WRT v3.0-r47618 std (11/05/21)

Quite a few wireguard patches went in courtesy of egc

If that will help or if the remaining issues are configuration side I don't know; I will consider myself a wireguard setup/operation ignorant as I haven't yet tried it.

Just thought it may be worth your consideration.

Be well.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)