Posted: Thu Dec 23, 2021 5:52 Post subject: [SOLVED] Remote clients via WireGuard VPN to the internet
I am trying to set up a WireGuard server on DD-WRT so remote clients use the VPN to access the internet. I followed 'DDWRT Wireguard server setup guide v41.pdf', set up the server and a Windows client running in AWS. The client connects, but the internet traffic is not routed via the VPN. In fact, there is no internet access from the client once the VPN client connects.
DD-WRT is behind ISP's router and I have forwarded port 51810 from ISP router to DD-WRT. DD-WRT's wan port is connected to ISP's router's LAN port.
Here is how the flow of traffic should be:
Windows VM (AWS) --> ISP router --> DD-WRT --> ISP router --> Internet, and back to the client in reverse.
DD-WRT's firmware is DD-WRT v3.0-r47822 std (12/09/21).
Joined: 18 Mar 2014 Posts: 12884 Location: Netherlands
Posted: Thu Dec 23, 2021 9:15 Post subject:
If my first hunch is not correct, then please post the whole setup page of the server including the Connection status (refreshed after a few minutes of uptime and after you made a connection from the client).
Also with the whole content of the Allowed IPs.
First some remarks which are probably not the cause:
Your MTU is 1440, which gives the best throughput for IPv4 only. Sometimes along the way IPv6 can be involved (perhaps Windows/VMs), and when in doubt 1420 is the safer bet; you should set that on both sides.
The Listen port on the Windows client is 51820 but the endpoint port is 51810. Normally not a problem: the client advertises its listen port to the server and the server will use that.
I noticed that some providers have a bad implementation and it only works when using the same Listen port and endpoint port (the endpoint port of course is leading).
It should not be a problem here, but for testing make the Listen port the same as the endpoint port (51810).
In the Windows client the Keepalive setting is missing, add in the Windows settings:
Code:
PersistentKeepalive = 20
The Allowed IPs on the server side have a lot of entries, but the only entry usually necessary is 10.4.0.7/32. This is because the Windows client by default NATs all its traffic.
So I would suggest removing everything but 10.4.0.7/32.
Now on to the problems which could be the culprit
On the server you have set a DNS server via the tunnel. That means that the whole server is using that DNS server and that the route is through the tunnel (but if there is no one listening you will not have DNS at all), and to make matters worse the Windows client has that DNS server and routes it via the tunnel back, so I think you have a DNS problem.
So remove the DNS server.
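The checks in the reply above (MTU, Listen port versus endpoint port, missing PersistentKeepalive, a DNS server pushed through the tunnel, and the server-side Allowed IPs) can be run mechanically against a client config file. The script below is an added example, not code from the forum post or from DD-WRT. The two client configs it embeds are constructed: the keys are placeholders, the endpoint host vpn.example.net and the DNS address 10.4.0.1 are assumptions, while the client address 10.4.0.7, the ports 51810/51820, the MTU values 1440/1420 and PersistentKeepalive = 20 are the values from the thread.

```python
"""Lint a wg-quick style WireGuard client config for the pitfalls in the thread.

Added example, not code from the forum post or from DD-WRT.  The embedded
configs are constructed: keys are placeholders; vpn.example.net and the DNS
address 10.4.0.1 are assumptions; 10.4.0.7, 51810/51820, 1440/1420 and the
keepalive of 20 are the thread's values.
"""
from typing import Dict, List, Tuple

Section = Tuple[str, Dict[str, str]]


def parse_wg_config(text: str) -> List[Section]:
    """Return (section, {key: value}) pairs in file order.

    Section and key names are lower-cased; a key repeated inside one section
    (wg permits this for AllowedIPs) is joined with ", ".
    """
    sections: List[Section] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1].strip().lower(), current))
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        current[key] = f"{current[key]}, {value}" if key in current else value
    return sections


def _endpoint_port(endpoint: str) -> str:
    """'host:port' or '[v6addr]:port' -> 'port'; '' when no port is given."""
    _host, sep, port = endpoint.rpartition(":")
    return port if sep and not port.endswith("]") else ""


def lint_client_config(text: str, route_all_traffic: bool = True) -> List[str]:
    """Findings from the thread that apply to the client side."""
    sections = parse_wg_config(text)
    iface = next((kv for name, kv in sections if name == "interface"), {})
    peers = [kv for name, kv in sections if name == "peer"]
    findings: List[str] = []

    mtu = iface.get("mtu")
    if mtu is not None and mtu != "1420":
        findings.append(f"MTU {mtu}: 1440 only suits IPv4-only paths; when in doubt "
                        "set 1420 on both sides")
    dns = iface.get("dns")
    if dns is not None:
        findings.append(f"DNS {dns} is reached through the tunnel; if nothing answers "
                        "there, name resolution fails and the client looks offline "
                        "(the thread's fix: remove it)")
    listen = iface.get("listenport")
    for peer in peers:
        port = _endpoint_port(peer.get("endpoint", ""))
        if listen and port and listen != port:
            findings.append(f"ListenPort {listen} differs from Endpoint port {port}: "
                            f"allowed, but some providers need them equal; use {port} for testing")
        if "persistentkeepalive" not in peer:
            findings.append("PersistentKeepalive missing: add PersistentKeepalive = 20 "
                            "so the NAT mapping stays open")
        allowed = [a.strip() for a in peer.get("allowedips", "").split(",") if a.strip()]
        if route_all_traffic and "0.0.0.0/0" not in allowed:
            findings.append(f"AllowedIPs {allowed}: without 0.0.0.0/0 internet traffic "
                            "is not sent through the tunnel")
    return findings


def lint_server_allowed_ips(allowed_ips: str, client_address: str) -> List[str]:
    """DD-WRT side: a NATing Windows client needs only its own /32 in AllowedIPs."""
    entries = [a.strip() for a in allowed_ips.split(",") if a.strip()]
    expected = f"{client_address}/32"
    return [] if entries == [expected] else [f"server AllowedIPs {entries}: keep only {expected}"]


# Constructed client config as the thread describes the failing state.
CLIENT_BEFORE = """[Interface]
PrivateKey = <client-private-key>
Address = 10.4.0.7/32
ListenPort = 51820
MTU = 1440
DNS = 10.4.0.1

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51810
"""

# Constructed client config with the reply's corrections applied.
CLIENT_AFTER = """[Interface]
PrivateKey = <client-private-key>
Address = 10.4.0.7/32
ListenPort = 51810
MTU = 1420

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51810
PersistentKeepalive = 20
"""

if __name__ == "__main__":
    for label, cfg in (("before", CLIENT_BEFORE), ("after", CLIENT_AFTER)):
        print(label, lint_client_config(cfg) or "no findings")
    print("server", lint_server_allowed_ips("10.4.0.7/32, 10.4.0.0/24, 0.0.0.0/0", "10.4.0.7"))
```

Run with `python3 wg_lint.py` (assumed file name); the "before" config yields four findings, the "after" config none. The parser deliberately lower-cases keys so that `MTU`, `Mtu` and `mtu` are treated alike, and it does not validate key material, only the settings the thread identifies as the cause of the dead tunnel.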
I followed your advice and it does work now. With the MTU and the same port on both sides, it is a lot faster now. The DNS via tunnel was set up to see if it makes it work. Before that I did not have it and Allowed IPs was only 10.4.0.7/32, but it did not work. Not sure what happened, but now with the same settings as before, like different ports on both sides and default MTU, it works but a bit slow. Anyways, thanks so much for your help.