Posted: Fri Mar 24, 2023 18:58 Post subject: Wireguard Server behind isp modem/router
I'm setting up a WireGuard VPN server and a VPN client using DD-WRT v3.0-r51530 on two Netgear 6700v3 routers. I plan to deploy the server in the UK, with a family member, and the client in the US. I've followed the WireGuard server setup guide v48, pages 15-18, but can you help, as I'm not sure what I have to change to enable the peer connection if the server and client are behind an ISP modem/router?
When I tried accessing the VPN server using WireGuard on an iPhone, it fails to handshake, and in the log I see it reports "DNS64: mapped 172.16.0.178 to itself" (the local IP of the Netgear VPN server). _________________ Netgear R6700v3 - DD-WRT v3.0-r53001 VPN wireguard setup v35
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Fri Mar 24, 2023 22:55 Post subject:
And if you don't have access to your ISP router to set up a port forward there, read up on VPN port forwarding. It's certainly quite a bit more involved, but it's definitely doable, and it gets mentioned in the forum fairly often by intrepid dd-wrt adventurers who have it working.
The idea is that you have the router maintain a client connection to a commercial VPN server where you have a port reserved for your use such that connections from outside -- from your wireguard server's external clients -- to the VPN-provider server's exit IP are forwarded down this tunnel into your router. You'd then need an iptables rule to DNAT these incoming packets to the router's INPUT chain where they will look to the wireguard system, if things are set up just right, like incoming packets intended for your wireguard server. IIRC, an INPUT rule is also required so that the packets get accepted. It's cleanest to use scripts to set up and tear down the firewall/routing setup, and to run the scripts from wireguard's route-up and route-down slots in the tunnel config.
I believe there's even more to the story, but I'd have to study up to relay it correctly, and this is enough for you to get a sense of the magnitude of the project. Not for the faint of heart, for sure. More for the engineering puzzle solver with enough linux/iptables experience to not be intimidated.
AirVPN offers static port forwarding from wireguard (and OpenVPN) servers. I've also seen in these forums that people have had success using Mullvad's port forwarding. Many VPN providers offer no port forwarding or only offer dynamic port forwarding, where the port is assigned by the provider only once the VPN session is established. This would make things difficult in your application. Static port forwarding is what you'd want. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
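The DNAT-plus-INPUT arrangement described in the post above, written out as a small shell script. This is an added example, not code from the poster or from dd-wrt. It assumes the provider tunnel appears as OpenVPN client interface tun1, that the provider forwards UDP 51810 and the WireGuard server listens on that same port, and that the router's LAN address is 192.168.2.1; none of these values appear in the thread. Setting IPT=echo prints the rules instead of applying them, so the script can be checked before it touches a live router.

```shell
#!/bin/sh
# Added example (not from the thread or from dd-wrt): the firewall rules for a
# WireGuard server reached through a VPN provider's port forward, as described
# above. Assumed values: the provider tunnel is OpenVPN client interface tun1,
# the forwarded (and WireGuard listen) port is UDP 51810 and the dd-wrt LAN
# address is 192.168.2.1. With IPT=echo the rules are printed, not applied.

IPT="${IPT:-iptables}"

# Validate a UDP port number; exit status 1 if it is not in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Install (-I) or delete (-D) the two rules for tunnel interface $1, port $2
# and local address $3: a nat/PREROUTING DNAT so packets forwarded down the
# provider tunnel are addressed to the router itself, and a filter/INPUT ACCEPT
# so they reach the WireGuard listener instead of being dropped.
wg_pf_rules() {
    ifname="$1"; port="$2"; local_ip="$3"; action="$4"
    valid_port "$port" || { echo "wg_pf_rules: bad port '$port'" >&2; return 1; }
    "$IPT" -t nat "$action" PREROUTING -i "$ifname" -p udp --dport "$port" \
        -j DNAT --to-destination "$local_ip:$port" || return 1
    "$IPT" "$action" INPUT -i "$ifname" -p udp --dport "$port" -j ACCEPT
}

# route-up hook: add the rules; route-down hook: remove the same rules.
wg_pf_up()   { wg_pf_rules "$1" "$2" "$3" -I; }
wg_pf_down() { wg_pf_rules "$1" "$2" "$3" -D; }

# Example hook lines, assuming this file is saved as /jffs/wg-pf.sh on the router:
#   route-up:   . /jffs/wg-pf.sh; wg_pf_up   tun1 51810 192.168.2.1
#   route-down: . /jffs/wg-pf.sh; wg_pf_down tun1 51810 192.168.2.1
```

Calling wg_pf_up from the route-up hook and wg_pf_down from route-down, as the post suggests, ties the rules to the lifetime of the tunnel so nothing is left open when it drops. The part the post calls "more to the story" is the reply path: the WireGuard server's answers must leave through the same provider tunnel the request arrived on, which holds when that tunnel carries the router's default route and otherwise needs a policy-routing rule.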
Posted: Sat Mar 25, 2023 20:10 Post subject: Wg Server & client setup - Need help
Apologies for being such a noob but need guidance/help.
Does it matter what the WG server (Netgear router) IP is? It will be behind an ISP modem/router with port 51810 forwarded to the WG server (Netgear router) IP.
I thought I was getting close with my last post, but now I feel further away than ever from setting this up. Can you look at my WG server (Netgear router) tunnel settings for any issues? _________________ Netgear R6700v3 - DD-WRT v3.0-r53001 VPN wireguard setup v35
Last edited by hafren on Thu Mar 30, 2023 21:19; edited 1 time in total
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Sat Mar 25, 2023 21:56 Post subject:
Just don't post your wireguard keys. Anything else is fair game, though @egc is your expert on wireguard configs.
I'll just quickly address one simple thing: in the dd-wrt GUI, Status tab, Sys Info subtab, on the upper left is a Router box. At the bottom of it are WAN IPv4 and LAN IP. Your ISP router sees the dd-wrt router as the WAN IPv4 shown. That's the IP you want to forward to in the ISP router. The LAN IP is how the router is seen from inside the network managed by dd-wrt. Your computers, for example, will see the router at that address.
Small thing, but the beginning is often the place to start!
Note that the two IPs discussed above do need to be in different subnets. Can't have them be the same IP, for example. If the ISP sees dd-wrt at 192.168.1.1, then set up dd-wrt at 192.168.2.1, for example.
On the run... _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Joined: 18 Mar 2014 Posts: 12877 Location: Netherlands
Posted: Sun Mar 26, 2023 5:58 Post subject:
I don't have much to add to what @Surpriseditworks already said.
Your config looks good.
I can see that this router has a WAN IP address; this should be the address the ISP router forwards traffic to, and your phone connects to your ISP router's public IP address as the WireGuard endpoint address.
It is possible that your ISP router does not have a Public IP address but is using CGNAT (WAN IP addresses starting with 100.64.0.0 to 100.127.255.255).
You can test your setup if you connect your phone via WiFi to your ISP router (then it is technically outside the WG server); the endpoint you set on the phone is then just the router's WAN address, e.g. 172.16.0.178.
Thank you for confirming the config was good; I have now successfully created a VPN from the iPhone to the wgserver with the port forward on the ISP router. I moved on to create a WG client (using a Netgear 6700v3) but without success. I'm confident I have the wgserver WAN IP as the peer tunnel endpoint address and have port forwarding working on the server's ISP router. Could you look at the updated tunnel settings for the server and client for any issues? Thanks. _________________ Netgear R6700v3 - DD-WRT v3.0-r53001 VPN wireguard setup v35
Last edited by hafren on Thu Mar 30, 2023 21:20; edited 1 time in total
Joined: 18 Mar 2014 Posts: 12877 Location: Netherlands
Posted: Tue Mar 28, 2023 6:21 Post subject:
Your client, the R6700v3, does not have a WAN IP; do you have normal internet if you disable the WireGuard tunnel?
This router is also behind another router, but is it set up the same way as the server-side router, i.e. with its WAN port connected to the LAN of the primary router?
You have NAT disabled, which is possible if you set the router's subnet in the allowed IPs of the server; it looks like you are wanting to do this as I see 192.168.5.0/24 there. Make sure you use a comma between entries, e.g. 10.4.0.6/32, 192.168.5.0/24
egc wrote:
Your client, the R6700v3, does not have a WAN IP; do you have normal internet if you disable the WireGuard tunnel?
Yes, it's local 172.16.0.233 and port forwarded from the main router - I forgot to take the screen print while connected.
egc wrote:
This router is also behind another router but is it setup the same way as the Server side router so with its WAN port connected to the LAN of the primary router?
Yes, set up the same way, and I just noted the primary router port forward was set to the wrong IP. Changed to the correct IP but still no handshake.
egc wrote:
You have NAT disabled, which is possible if you set the router's subnet in the allowed IPs of the server; it looks like you are wanting to do this as I see 192.168.5.0/24 there. Make sure you use a comma between entries, e.g. 10.4.0.6/32, 192.168.5.0/24
But for testing it is better to enable NAT on the client, and if it works, disable NAT.
Thanks, I will check and try enabling NAT. I moved the server to my friend's home - could there be a conflict if the wgserver IP is 192.168.1.1 and my friend's network assigns the wgserver (Netgear 6700v3 router) an IP of 192.168.1.191? _________________ Netgear R6700v3 - DD-WRT v3.0-r53001 VPN wireguard setup v35
@egc I went to my friend's home to review the server settings and was surprised that the WireGuard status box shows transfer bytes received and sent. However, the client shows bytes sent but zero (0B) received. The status boxes have the correct endpoints listed. Server allowed IPs are set as 10.4.0.6/32, 192.168.5.0/24
Do you have any suggestions for what I can do to investigate/resolve this? _________________ Netgear R6700v3 - DD-WRT v3.0-r53001 VPN wireguard setup v35
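The address collision raised in the question above (a LAN of 192.168.1.1 while the upstream network hands the router 192.168.1.191), and the rule from earlier in the thread that the WAN and LAN addresses must sit in different subnets, checked in POSIX shell. This is an added example, not code from the thread or from dd-wrt. It parses dotted-quad addresses, masks them to their network and reports whether the WAN address the upstream router hands out overlaps the dd-wrt LAN; it works for any prefix length, not only /24. The addresses are the ones quoted in the thread; the /24 prefix lengths are assumptions, since the thread gives no subnet masks.

```shell
#!/bin/sh
# Added example (not from the thread): check that the WAN address dd-wrt gets
# from the upstream (ISP or primary) router is not inside the dd-wrt LAN subnet.
# Runs in POSIX sh / busybox ash; the /24 prefixes used below are assumptions.

# Dotted-quad IPv4 to a 32-bit integer; exit status 1 on malformed input.
ip2int() {
    old_ifs="$IFS"; IFS=.
    set -- $1
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # reject empty, non-numeric and leading-zero octets, and values > 255
        case "$o" in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network address (as an integer) of ip/prefix, e.g. 192.168.1.191/24 -> 192.168.1.0.
net_of() {
    addr=$(ip2int "$1") || return 1
    [ "$2" -ge 0 ] && [ "$2" -le 32 ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
    echo $(( addr & mask ))
}

# Exit 0 when ip1/prefix1 and ip2/prefix2 share any address, 1 when they do
# not, 2 on malformed input. Two ranges overlap exactly when both fall in the
# same network at the shorter of the two prefixes.
subnets_overlap() {
    if [ "$2" -le "$4" ]; then p="$2"; else p="$4"; fi
    a=$(net_of "$1" "$p") || return 2
    b=$(net_of "$3" "$p") || return 2
    [ "$a" = "$b" ]
}

# Print a verdict for a WAN address/prefix against a LAN address/prefix.
check_wan_vs_lan() {
    subnets_overlap "$1" "$2" "$3" "$4"
    case $? in
        0) echo "OVERLAP: WAN $1/$2 and LAN $3/$4 collide; move the dd-wrt LAN to another range" ;;
        1) echo "OK: WAN $1/$2 and LAN $3/$4 are separate subnets" ;;
        *) echo "ERROR: malformed address or prefix" >&2; return 1 ;;
    esac
}

# Constructed checks with the addresses quoted in the thread: the server router
# receiving 192.168.1.191 from the friend's network while its own LAN is
# 192.168.1.1 collides; 172.16.0.178 on the WAN with LAN 192.168.2.1 does not.
check_wan_vs_lan 192.168.1.191 24 192.168.1.1 24
check_wan_vs_lan 172.16.0.178 24 192.168.2.1 24
```

The same check applies to the WireGuard side of the thread: the tunnel range (10.4.0.x here) and the LAN routed through it (192.168.5.0/24) must also be distinct from each other and from both routers' WAN subnets, or the kernel has two routes for the same addresses and picks one of them silently.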
Joined: 18 Mar 2014 Posts: 12877 Location: Netherlands
Posted: Wed Mar 29, 2023 6:25 Post subject:
On the client side, connect your phone to the R6700v3 router, disable WireGuard on the router and enable WireGuard on the phone.
This way you test the connection from the client router to the WG server.
If this works you know that the connection from the client router is OK, and then carefully check the settings on your phone against the settings on the client router.
egc wrote:
On the client side, connect your phone to the R6700v3 router, disable WireGuard on the router and enable WireGuard on the phone.
This way you test the connection from the client router to the WG server.
If this works you know that the connection from the client router is OK
Tried with the phone but it fails: [NET] peer(peer public key) - Failed to send handshake initiation: write udp4 0.0.0.0:51810->xx.xxx.42.127:51810: sendto: network unreachable
Does this help identify why the transfer is zero bytes? _________________ Netgear R6700v3 - DD-WRT v3.0-r53001 VPN wireguard setup v35
Last edited by hafren on Thu Mar 30, 2023 21:23; edited 1 time in total
Joined: 18 Mar 2014 Posts: 12877 Location: Netherlands
Posted: Wed Mar 29, 2023 16:57 Post subject:
To recap, your phone on cellular can reach and connect to your WG server.
So the WG server is working and reachable via the internet.
On the client side, if you connect your phone via WiFi to the client (and have WG on the client router disabled) and you do not have a connection, then the problem seems to be the general setup of the router and not related to WG.
If you disable WG on your phone and are connected to the client router, do you have internet?
egc wrote:
To recap, your phone on cellular can reach and connect to your WG server.
So the WG server is working and reachable via the internet.
Yes, agreed.
egc wrote:
If you disable WG on your phone and are connected to the client router, do you have internet?
Yes
egc wrote:
P.S. Do not forget to set the MTU of the WG client and server to 1420 instead of 1440.
I've not been able to visit my friend's home to access the wgserver yet, but will try later today.
egc wrote:
On the client side, if you connect your phone via WiFi to the client (and have WG on the client router disabled) and you do not have a connection, then the problem seems to be the general setup of the router and not related to WG.
I set up the client, an R6700v3, with DD-WRT v3.0-r51530 with default settings and just added a local IP address of 192.168.5.1 and no wireless. If this is the likeliest problem source then I guess I can revert to default settings and start again. Note the client is behind the main router, also DD-WRT, then the ISP modem.
Just to confirm: the Server Local Public Key is the Client Peer Public Key, and the Client Local Public Key is the Server Peer Public Key. No private keys? _________________ Netgear R6700v3 - DD-WRT v3.0-r53001 VPN wireguard setup v35
Last edited by hafren on Thu Mar 30, 2023 21:21; edited 1 time in total