Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Thu Mar 30, 2023 6:39 Post subject:
About the keys, that is right: there are no private keys involved, you exchange the public keys.
I read that the client router has 192.168.5.1 and no wireless, but how can you test with your phone connected to that router if it has no wireless?
If wireless is enabled on this router and you have internet on your phone connected to that router, but when enabling WireGuard on that phone you get a destination unreachable, then something is blocking WireGuard.
Is the primary router to which the client router connects a normal SoHo router or is it a corporate system which blocks VPN?
egc wrote:
I read that the client router has 192.168.5.1 and no wireless, but how can you test with your phone connected to that router if it has no wireless?
I switched wireless on to do the test, but just wanted to explain that the client router was set up with basically default settings, so I also find it strange that it would block incoming.
egc wrote:
Is the primary router to which the client router connects a normal SoHo router or is it a corporate system which blocks VPN?
Yes, a normal SoHo router, actually another R6700v3 with DD-WRT. I like to keep things simple, and it has been working fine when I use a commercial VPN provider, VPN Unlimited.
egc wrote:
Can the ISP block WireGuard?
I don't know, but I don't think so, as I have been using WireGuard to a VPN provider, VPN Unlimited.
I did change the MTU to 1420 on both server & client but same results. The WG server is working fine, send & receive, but zero (0 B) received on the WG client.
egc wrote:
If wireless is enabled on this router and you have internet on your phone connected to that router, but when enabling WireGuard on that phone you get a destination unreachable, then something is blocking WireGuard.
I asked about keys as WG on iPhone requires local private key entry, and as a novice I was concerned I might not set it up correctly.
Anyway, if my setup screenshots are good then it looks like the WG client router isn't working, so I'm going to reset to defaults and set it up again. I am travelling to the UK this weekend, so I plan to install the server and hope I can resolve the client before, but if not I'll work at it when I return.
_________________
Netgear R6700v3 - DD-WRT v3.0-r53001 VPN wireguard setup v35
You mention VPN Unlimited; the client must not be on VPN Unlimited, otherwise you are running a tunnel in a tunnel, which could be problematic.
Understood. The WG client router is completely separate, and the VPN Unlimited experience was to help rule out other potential traffic blockage with the ISP or main router. Thanks for all the help.
_________________
Netgear R6700v3 - DD-WRT v3.0-r53001 VPN wireguard setup v35
@egc I finally have the client & server communicating. I'm not sure reset to default then rebuild the client WireGuard settings was the issue, but I suspect some remnant of the iPhone trial, as the WG server's client config file was populated and wrong.
Moving forward, I have still not succeeded in getting WAN out from the WG server via the client, i.e. Google doesn't open on the client and ping 8.8.8.8 is destination unreachable. The WG server has "Allow clients WAN access" checked, but I'm thinking there is a DNS issue preventing the client access.
_________________
Netgear R6700v3 - DD-WRT v3.0-r53001 VPN wireguard setup v35
Posted: Sat Apr 01, 2023 6:28 Post subject:
Glad that part is solved.
From the client side you can run, from the WG client router's command line:
traceroute 8.8.8.8
This will show the route the packets take. It should go into the WG tunnel to your WG server and from there on to the internet; you can see where it is stuck.
Posted: Sat Apr 01, 2023 13:48 Post subject:
Does the client still have "NAT via Tunnel" enabled on the WG tunnel?
If not, you have to add on the server side a rule to MASQUERADE the client's subnet out on the WAN:
iptables -t nat -I POSTROUTING -s 192.168.5.0/24 -o $(get_wanface) -j MASQUERADE
The GUI setting on the WG server "Allow Clients WAN Access" only NATs the WG subnet (10.4.0.0/24) out on the WAN.
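The server-side rule above, as an added example that is not part of egc's post or of DD-WRT itself: wrapped so it can be re-run from the router's firewall script without inserting a duplicate each time, together with a check of what the nat table already masquerades. Assumptions: the WG interface is oet1, the client LAN is 192.168.5.0/24, get_wanface is the DD-WRT helper; the WAN_IF fallback and the DRY_RUN switch are there only so the script also runs off-router.

```shell
#!/bin/sh
# Added example, not from the forum thread or DD-WRT. Masquerades the LAN behind
# the WG client router out on the server's WAN, idempotently, and checks which
# subnets the nat table already covers. Assumed names: CLIENT_LAN, WAN_IF, DRY_RUN.

CLIENT_LAN="${CLIENT_LAN:-192.168.5.0/24}"   # LAN behind the WG client router (assumed)

wan_iface() {
    # Use DD-WRT's get_wanface when it exists; otherwise an explicit WAN_IF (assumption).
    if command -v get_wanface >/dev/null 2>&1; then
        get_wanface
    else
        echo "${WAN_IF:-eth0}"
    fi
}

ipt() {
    # With DRY_RUN set, print the iptables command instead of executing it.
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

ensure_rule() {
    # ensure_rule TABLE CHAIN RULE...: insert the rule only if that exact rule is
    # absent (-C), so re-running the firewall script does not stack duplicates.
    table=$1; shift
    if [ -z "$DRY_RUN" ] && iptables -t "$table" -C "$@" 2>/dev/null; then
        return 0
    fi
    ipt -t "$table" -I "$@"
}

apply_client_masq() {
    # "Allow Clients WAN Access" only masquerades the WG subnet (10.4.0.0/24);
    # the client router's own LAN needs its own POSTROUTING rule.
    ensure_rule nat POSTROUTING -s "$CLIENT_LAN" -o "$(wan_iface)" -j MASQUERADE
}

masq_covers() {
    # masq_covers SUBNET: reads `iptables -t nat -S POSTROUTING` on stdin and
    # succeeds only if a MASQUERADE rule with exactly that -s SUBNET exists
    # (a plain text match, no CIDR containment check).
    grep -q -- "-s $1 .*-j MASQUERADE"
}

if [ "${1:-}" = "apply" ]; then
    apply_client_masq
fi
```

On the server, `iptables -t nat -S POSTROUTING | masq_covers 192.168.5.0/24 || echo "client LAN is not masqueraded"` reproduces the symptom in the thread (only 10.4.0.0/24 matches) before the rule is added; `DRY_RUN=1 sh masq.sh apply` prints the rule that would be inserted. For a permanent fix, put the functions plus a final `apply_client_masq` in the DD-WRT firewall script, where get_wanface resolves the real WAN interface.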
egc wrote:
Does the client still have "NAT via Tunnel" enabled on the WG tunnel?
No, I've changed it now.
egc wrote:
If not, you have to add on the server side a rule to MASQUERADE the client's subnet out on the WAN:
iptables -t nat -I POSTROUTING -s 192.168.5.0/24 -o $(get_wanface) -j MASQUERADE
Does the WG server need "NAT via Tunnel"?
egc wrote:
Furthermore, if you do not have NAT enabled, be sure to have the 192.168.5.0/24 subnet in the Allowed IPs on the server to allow the client's subnet.
Yes, I have this subnet in Allowed IPs.
New tracert:
Tracing route to dns.google [8.8.8.8] over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms vpnclient [192.168.5.1]
2 64 ms 64 ms 64 ms 10.4.0.1
3 192.168.1.1 reports: Destination host unreachable.
Trace complete.
192.168.1.1 is the WG server router IP.
_________________
Netgear R6700v3 - DD-WRT v3.0-r53001 VPN wireguard setup v35
@egc Resurrecting this thread. I was unable to get client and server communicating in time to deploy the server in the UK last April. I have now managed to successfully get client and server communicating. Browsing 'my IP address' on the client now reports the server WAN IP. I'd like to finalize the setup of the WG client and WG server, so I have a few questions which I hope you can answer:
On the client, should I now turn off NAT via tunnel?
On the server, should I change the NTP server time zone to UK when I install?
I read of IPv6 leak concerns in the WG server setup guide v49. How can I mitigate?
egc wrote:
For the server please show output of (via the command line e.g telnet/putty):
wg
wg showconf oet1
ip route show
iptables -vnL FORWARD | grep oet
iptables -vnL INPUT
iptables -vnL -t nat
iptables -vnL -t raw
grep -E -i 'oet|wireguard' /var/log/messages
Do you still want to see the server telnet output?
Thanks for your continuing help.
_________________
Netgear R6700v3 - DD-WRT v3.0-r53001 VPN wireguard setup v35