Posted: Thu May 19, 2022 14:24 Post subject: VPN Client + Remote Tunnel
This is not really a DD-WRT specific question and I am certain that this question has been asked many times before, but I am not finding the answer and my search queries only turn up non-relevant information.
I have DD-WRT installed on my main router and have set up WireGuard to be able to tunnel into my local network remotely. I have a static IP through my ISP. I have a paid subscription to a VPN provider and set up a VPN client on DD-WRT using OpenVPN client keys. When I enable the VPN client, obviously my WAN IP appears to have changed, which then breaks my ability to tunnel in using WireGuard. Is there a way to have the VPN client running and still tunnel in?
The router is a Netgear R7000 and it is running the newest version of DD-WRT available for it (44715). Admittedly that is an old and unsupported version. Both the OpenVPN client and the WireGuard VPN server are functioning just fine. It is the nature of starting a client VPN, when connecting to a paid VPN service (in this case IPVanish), that your WAN will be spoofed to the server you are connecting to.
So that makes my WireGuard connection not possible. Example:
Static WAN IP (not my real one): 12.345.67.89
After starting my VPN client it becomes (again, not a real IP): 98.765.43.21.
Therefore my WireGuard connection cannot be made. If I am three hours away from my LAN and I fire up my WireGuard client on my laptop, it is trying to connect to 12.345.67.89, which is being obscured by my router's connection to IPVanish (WAN: 98.765.43.21).
I am imagining that using a domain name is the solution, so that rather than trying to connect to an IP address, I would be trying to connect to a domain, i.e. www.randomexample.com
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Thu May 19, 2022 17:05 Post subject:
rlsrlf2013 wrote:
The router is a Netgear R7000 and it is running the newest version of DD-WRT available for it (44715). Admittedly that is an old and unsupported version
This isn't remotely anything near the truth or adjacent to the truth. It's only the truth if you are using the outdated router database to look this up, and the forums state clearly not to. It's confusing, I get it, but no one here has access to the router database or other DD-WRT sites, just literally the forums.
Interesting. I didn't know that there were newer versions for that router. I just downloaded from the main section of the website after searching by router model. Build 44715 is just what comes up and it says that it was from November of 2020.
Joined: 08 May 2018 Posts: 14217 Location: Texas, USA
Posted: Thu May 19, 2022 17:16 Post subject:
rlsrlf2013 wrote:
Interesting. I didn't know that there were newer versions for that router. I just downloaded from the main section of the website after searching by router model. Build 44715 is just what comes up and it says that it was from November of 2020.
Whenever you run both a VPN server and client on the same router, this can prove problematic if the router itself is bound to the VPN client. Any attempt to reach the VPN server over the WAN will have its replies routed over the VPN client! And that's a violation of RPF (reverse-path filtering). The router will block it!
There are many solutions, but the most common is to enable PBR on the VPN client, which typically removes the router itself from the VPN client, thus making the router's services (including the VPN server) accessible again over the WAN.
Another solution is to use static routes to bind the public IP of your remote clients (the ones that connect to the VPN server) to the WAN. Of course, this assumes those public IPs are predictable (workplace, vacation home, favorite wifi cafe, etc.). For situations of true roaming, it's usually impractical.
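The two single-router approaches described in the post above, as an added example that is not from the thread or from DD-WRT itself: a firewall/startup-style shell script that (a) connection-marks traffic arriving on the WAN for the WireGuard server port and routes the marked replies through a separate table whose default route is the ISP gateway, so the router's own service answers over the WAN instead of the OpenVPN tunnel, and (b) pins a known remote client's public IP to the WAN with a static route. The interface name vlan2, the WireGuard port 51820, the table id 100, the fwmark 0x64 and the example gateway/client addresses are assumptions, not values taken from the thread; DRY_RUN=1 (the default here) prints the commands instead of running them, so it can be reviewed before being applied as root on the router.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT.
# Keeps the router's own WireGuard server reachable over the WAN while an
# OpenVPN client owns the default route. Assumed values (adjust for your box):
WAN_IF="${WAN_IF:-vlan2}"      # assumption: R7000 WAN interface name
WG_PORT="${WG_PORT:-51820}"    # assumption: WireGuard server listen port
TABLE="${TABLE:-100}"          # assumption: spare routing table id
MARK="${MARK:-0x64}"           # assumption: spare fwmark value
DRY_RUN="${DRY_RUN:-1}"        # 1 = print commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# (a) Policy-based routing for the router's own service.
# Arg 1: the ISP gateway IP (the WAN default gateway, not the VPN gateway).
# Inbound WireGuard packets on the WAN get a connection mark; the mark is
# restored onto the locally generated replies in the mangle OUTPUT chain, and
# an ip rule sends marked packets via a table whose default route is the WAN.
# rp_filter on the WAN is set to loose mode (2) so the asymmetric path is not dropped.
wan_pbr_rules() {
  gw="$1"
  run iptables -t mangle -A PREROUTING -i "$WAN_IF" -p udp --dport "$WG_PORT" -j CONNMARK --set-mark "$MARK"
  run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
  run ip route add default via "$gw" dev "$WAN_IF" table "$TABLE"
  run ip rule add fwmark "$MARK" table "$TABLE"
  run sysctl -w "net.ipv4.conf.$WAN_IF.rp_filter=2"
}

# (b) Static route for a remote client with a predictable public IP.
# Arg 1: client's public IP; arg 2: the ISP gateway IP.
pin_client_route() {
  client="$1"
  gw="$2"
  run ip route add "$client" via "$gw" dev "$WAN_IF"
}

# Usage with constructed documentation addresses (not real hosts):
#   DRY_RUN=1 sh thisscript.sh
if [ "${0##*/}" != "sh" ] && [ -n "${APPLY_EXAMPLE:-}" ]; then
  wan_pbr_rules 203.0.113.1
  pin_client_route 198.51.100.7 203.0.113.1
fi
```

The separate table is needed because an OpenVPN client with redirect-gateway installs 0.0.0.0/1 and 128.0.0.0/1 routes over the tunnel interface, which beat the original default route in the main table, so a plain "default via gateway" in the main table does not win. Re-run the rules whenever the OpenVPN client reconnects (DD-WRT's firewall script runs on firewall restart), and confirm with `ip rule show` and `ip route show table 100` that both survived.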
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Thu May 19, 2022 20:40 Post subject:
rlsrlf2013 wrote:
Interesting. I didn't know that there were newer versions for that router. I just downloaded from the main section of the website after searching by router model. Build 44715 is just what comes up and it says that it was from November of 2020.
The router database builds are not to be used. Please ignore those builds.
And note that your old build is now over two years old, has security issues and does not have the current WireGuard code.
You will also need to do an nvram reset and reconfigure from scratch to run the current builds without issues.
Regarding current settings, you cannot restore an old backup to the current version; you can, but it will cause issues.
Running nvram show > /tmp/backup-human-readable.txt via terminal, then grabbing that file to your desktop via scp or sftp, will give you all your current settings in a human-readable format for later consultation.
You can also take screenshots of your setup pages or print them to PDF, which should contain text to be able to copy and paste after the fact.
So I upgraded to 48897 and reconfigured everything. I think eibgrad's response is what I was expecting to hear. Even with DDNS enabled and the endpoint set as a DDNS domain name, the WireGuard VPN will only work when my VPN client is disabled. I was really hoping to avoid a two router setup is all. It kills my connection speeds.
eibgrad, I did see that you offered a few single-router options. I am not very familiar with split tunneling (PBR?) even outside of router-based setups. Do you have a link to a set of instructions? I have gone down that path and it has only led me to failure so far.