[hafren]

I'm setting up a WireGuard VPN server and a VPN client using DDWRT v3.0-r51530 using two Netgear 6700v3 routers. I plan to deploy the server in the UK, with a family member, and the client in the US. I've followed the WireGuard server set up guide v48 pages 15-18 but in order to make this work can you help as I'm not sure what I have to change to enable peer connection if the server and client are behind a isp modem/router?

When I tried accessing the vpn server using wireguard on iphone it fails to handshake and in the log I see it reports DNS64: mapped 172.16.0.178 to itself (the local ip of the netgear vpn server)

[egc]

You must test from outside so with your phone on cellular.

In order to reach your vpn server you have to port forward on your isp router.

[SurprisedItWorks]

And if you don't have access to your ISP router to set up a port forward there, read up on VPN port forwarding. It's certainly quite a bit more involved, but it's definitely do-able, and it gets mentioned in the forum fairly often by intrepid dd-wrt adventurers who have it working.

The idea is that you have the router maintain a client connection to a commercial VPN server where you have a port reserved for your use such that connections from outside -- from your wireguard server's external clients -- to the VPN-provider server's exit IP are forwarded down this tunnel into your router. You'd then need an iptables rule to DNAT these incoming packets to the router's INPUT chain where they will look to the wireguard system, if things are set up just right, like incoming packets intended for your wireguard server. IIRC, an INPUT rule is also required so that the packets get accepted. It's cleanest to use scripts to set up and tear down the firewall/routing setup, and to run the scripts from wireguard's route-up and route-down slots in the tunnel config.

I believe there's even more to the story, but I'd have to study up to relay it correctly, and this is enough for you to get a sense of the magnitude of the project. Not for the faint of heart, for sure. More for the engineering puzzle solver with enough linux/iptables experience to not be intimidated.

AirVPN offers static port forwarding from wireguard (and OpenVPN) servers. I've also seen in these forums that people have had success using Mullvad's port forwarding. Many VPN providers offer no port forwarding or only offer dynamic port forwarding, where the port is assigned by the provider only once the VPN session is established. This would make things difficult in your application. Static port forwarding is what you'd want.

[hafren]

Apologies for being such a noob but need guidance/help.
Does it matter what the wg server (netgear router) ip is. It will be behind an isp modem/router with port 51810 forwarded to the wg server (netgear router) ip.
I thought I was getting close with my last post but now feel I'm further away than ever from setting this up. Can you look at my wg server (netgear router) tunnel settings for any issues.

[SurprisedItWorks]

Just don't post your wireguard keys. Anything else is fair game, though @egc is your expert on wireguard configs.

I'll just quickly address one simple thing: In the dd-wrt GUI, Status tab, Sys Info subtab, on the upper left is a Router box. At the bottom of it are WAN IPv4 and LAN IP. Your ISP router sees the dd-wrt router as the WAN iPv4 shown. That's the IP you want to forward to in the ISP router. The LAN IP is the router is seen from inside the network managed by dd-wrt. Your computers, for example, will see the router at that address.

Small thing, but the beginning is often the place to start!

Note that the two IPs discussed above do need to be in different subnets. Can't have them be the same IP, for example. If the ISP sees dd-wrt at 192.168.1.1, then set up dd-wrt at 192.168.2.1, for example.

On the run...

[egc]

I have not much to add to what @Surpriseditworks already said.

Your config looks good.

I can see that this router has an IP WAN address this should be the address the ISP router forwards traffic to and your phone connects to your ISP routers Public IP address as WireGuard endpoint address.

It is possible that your ISP router does not have a Public IP address but is using CGNAT (WAN IP addresses starting with 100.64.0.0 to 100.127.255.255).

You can test your setup if you connect your phone on Wifi to your ISP router (then it is technically outside the WG server), then your endpoint you set on the phone is just the routers WAN address e.g.: 172.16.0.178.

If that works you know the WG setup is OK and you should look at the Port Forward and the Public IP address of the ISP router (do not forget to reset the endpoint address on the phone to be that address and to disable Wifi)

[hafren]

Thank you for confirming config was good and have now successfully created vpn from iphone to wgserver with port forward on the isp router. I moved on to create a wg client (using netgear 6700v3) but without success. I'm confident I have the wgserver WAN ip as the peer tunnel endpoint address and have port forwarding working on the server isp router. Could you look at the updated tunnel settings for the server and client for any issues. Thanks.

[egc]

Your Client the R6700v3 does not have a WAN IP do you have normal internet if you disable the WireGuard tunnel?
This router is also behind another router but is it setup the same way as teh Server side router so with its WAN port connected to the LAN of the primary router?

You have NAT disabled which is possible if you set the routers subnet in the allowed IPs of the Server, it looks like you are wanting to do this as I see 192.168.5.0/24 there make sure you use a comma between entries e.g. :10.4.0.6/32, 192.168.5.0/24

But better for testing Enable NAT on the client and if it work disable NAT.

[hafren]

[egc]

The client side does not need a port forward. You can delete that.

The client reaches out to the server and connects that way.

It does not matter what the primary routers have for subnet but the client, the server and the WireGuard subnet must be different.

[hafren]

@egc I went to my friends home to review the server settings and was surprised that the Wireguard status box shows transfer bytes received and sent. However the client shows bytes sent but zero 0B received. The status boxes have correct endpoints listed. Server allowed ip's are set as 10.4.0.6/32, 192.168.5.0/24

Do you have any suggestions what I can do to investigate/resolve?

[egc]

On the client side connect your phone to the R6700v3 router, disable WireGuard on the router and enable WireGuard on the phone.

This way you test the connection from the client router to the WG server.

If this works you know that the connection from the client router is OK and then carefully check the settings on your phone with the settings on the client router.

One thing you can do on client side and on the server side is setting MTU to 1420 instead of 1440.

[hafren]

[egc]

To recap, your phone on cellular can reach and connect to your WG server.
So the WG server is working an reachable via the internet.

On the client side if you connect your phone via wifi with the client (and have the WG on the client router disabled) and you do not have a connection then the problem seems to be the general setup of the router and not related to WG.

If you disable WG on your phone and are connected to the client router do you have internet?

P.S. Do not forget to set the MTU of the WG client and server to 1420 instead of 1440.

[hafren]