tun from LAN via router with usb-c to rj45 inet from mobile

Author Message
400mhz
DD-WRT Novice


Joined: 01 Feb 2023
Posts: 18

PostPosted: Thu Apr 27, 2023 14:05    Post subject: tun from LAN via router with usb-c to rj45 inet from mobile
Hello Experts,

I need to ask for your help again.

Setup location A:
Netgear R6400 & DD-WRT v3.0-r52217 std (04/02/23) behind a bridged modem is running the WireGuard server. WAN IP 31.18.xx.xx, IPv6 is disabled.

Setup location B:
Netgear R6400 & DD-WRT v3.0-r52217 std (04/02/23) uses tethering from an Android mobile connected via USB-C to RJ45 to the router WAN port, and is running the WireGuard client in gateway mode. WAN IP 192.168.100.140, IPv6 is disabled.

The wg tunnel is fine. Connections from the mobile using the wg app and from the router at location B work. The DD-WRT WireGuard (server) setup guide from @egc was used to make this happen, thx for that and so far so good.

Now I'll try to describe the main problem.

My laptop (Win 11 Pro x64) is connected to the location B router (wg client) via LAN port and gets an IPv4 address (192.168.0.123) via DHCP; the client IPv6 protocol is disabled. I have internet, and a browser request shows the WAN IP of the router at location A (my wg server, 31.18.xx.xx).

When I start the Cisco AnyConnect mobile client app on my laptop to connect to a company network, the connection establishes without any problem, but the IPv4 address shown on the company VPN server is the IP of my cell phone (118.90.xx.xx) and not the IP of my wg server.
On my WireGuard server the status is still something like this:

endpoint: 118.90.xx.xx:port
latest handshake: 1 minute, 29 seconds ago
transfer: 3.75 MiB received, 4.36 MiB sent

But no bytes are transferred through the tunnel anymore, because it's obviously no longer used. How can I fix that?

Please let me know which information I need to provide to help solve that problem. The goal is to connect to the company VPN from my location A IP, if that is even possible.

Thanks in advance.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Thu Apr 27, 2023 14:17    Post subject:
For starters show a screenshot of the WireGuard setup page from server and client.

Did you enable the kill switch on the client side?

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
400mhz
DD-WRT Novice


Joined: 01 Feb 2023
Posts: 18

PostPosted: Thu Apr 27, 2023 15:00    Post subject:
egc wrote:
For starters show a screenshot of the WireGuard setup page from server and client.


server screens attached, client screens will follow.

egc wrote:
Did you enable the kill switch on the client side?


No. The kill switch is disabled everywhere for now, but it's certainly needed after the Cisco VPN goes through the wg tunnel.
400mhz
DD-WRT Novice


Joined: 01 Feb 2023
Posts: 18

PostPosted: Thu Apr 27, 2023 15:03    Post subject: client screens
wg client config
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Thu Apr 27, 2023 15:12    Post subject:
Allowed IPs are wrong on the client side.
Should be: 0.0.0.0/1, 128.0.0.0/1

Look carefully, your 128 part is wrong.

Enable Kill switch on the client side.

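Added example (my own, not code from the thread or from DD-WRT): a small standard-library Python check that parses a WireGuard AllowedIPs string and reports which part of the IPv4 space it leaves uncovered. The two /1 halves egc recommends are the usual DD-WRT way of sending all traffic into the tunnel: each half is more specific than the router's existing 0.0.0.0/0 default route, so the tunnel routes win without replacing it, and a typo in either half leaves a hole through which traffic bypasses the tunnel. The sample entries, including the deliberately wrong "128" parts, are constructed for the example; the thread does not show the user's original value.

```python
import ipaddress

FULL_IPV4 = ipaddress.ip_network("0.0.0.0/0")


def parse_allowed_ips(text):
    """Parse a comma-separated AllowedIPs string into IPv4 networks.

    strict=False tolerates host bits set in an entry (e.g. 128.0.0.1/1) by
    masking them off. Only IPv4 entries are kept because both routers in the
    thread have IPv6 disabled.
    """
    nets = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        net = ipaddress.ip_network(item, strict=False)
        if net.version == 4:
            nets.append(net)
    return nets


def uncovered_ipv4(allowed):
    """Return the IPv4 blocks NOT covered by the given AllowedIPs networks.

    Starts from 0.0.0.0/0 and carves each allowed network out of whatever is
    still uncovered. An empty result means every destination is routed into
    the tunnel; anything left over is traffic that would leave via the
    router's normal WAN (here: the phone's mobile data).
    """
    remaining = [FULL_IPV4]
    for net in allowed:
        carved = []
        for block in remaining:
            if net.subnet_of(block):
                # Cut net out of block; yields nothing when the two are equal.
                carved.extend(block.address_exclude(net))
            elif block.subnet_of(net):
                # block lies entirely inside net: fully covered, drop it.
                continue
            else:
                carved.append(block)
        remaining = carved
    return [str(b) for b in sorted(remaining)]


def check_allowed_ips(text):
    """Convenience wrapper: (covers_all_ipv4, gaps_as_strings)."""
    gaps = uncovered_ipv4(parse_allowed_ips(text))
    return (not gaps, gaps)


if __name__ == "__main__":
    # Constructed samples: the correct pair from the thread, then two typical
    # mistakes in the "128 part" (the actual typo is not shown in the thread).
    for sample in ("0.0.0.0/1, 128.0.0.0/1",
                   "0.0.0.0/1, 128.0.0.0/2",
                   "0.0.0.0/1, 128.0.0.0/8"):
        ok, gaps = check_allowed_ips(sample)
        verdict = "all traffic tunnelled" if ok else "bypasses tunnel: " + ", ".join(gaps)
        print(f"{sample:24} -> {verdict}")
```

Run it as a script to see the three samples evaluated, or import `check_allowed_ips` and feed it the exact string from the client router's Allowed IPs field before saving; the gap list is what the router would still route over the tethered WAN instead of the tunnel.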
400mhz
DD-WRT Novice


Joined: 01 Feb 2023
Posts: 18

PostPosted: Thu Apr 27, 2023 15:47    Post subject:
ok, ty. 👍

I changed the allowed IPs on the client router to 0.0.0.0/1, 128.0.0.0/1 and enabled the kill switch on the client side as well. Save, apply, reboot.

Plugged my cell phone in tethering mode into the client router WAN port. The router comes up again and the wg tunnel connection worked.
Next I connected my laptop to the client router on LAN1 and checked 'what's my IP'; the response in the browser was the endpoint IP of my wg server (outgoing laptop IP).
Then I started the Cisco AnyConnect mobile client again on my laptop. I could log in to the company network, but a few seconds after the Cisco connection was established, the internet connection on the laptop closed. Certainly because the kill switch is enabled, I guess.

Just for my understanding: I'm trying to route a software IPsec VPN through the wg tunnel. Is that even possible with WireGuard?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Thu Apr 27, 2023 15:52    Post subject:
Running a tunnel in a tunnel is hit or miss.

Problem is often MTU related.

I would use 1420 as MTU for the WG tunnel on both sides.

For the Cisco tunnel 1280 to try.
But I do not know if the cisco tunnel even supports this.

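Added example (my own, not code from the thread or from DD-WRT) showing where egc's MTU numbers come from and how to budget a tunnel inside a tunnel. The WireGuard overhead is fixed by the protocol: the outer IP header, the 8-byte UDP header and 32 bytes of WireGuard data-message header plus authentication tag, which is why 1420 is the common default (1500 minus 80 for an IPv6 outer header; with IPv4 endpoints, as in this thread, the overhead is only 60). The overhead of the inner Cisco/IPsec tunnel depends on the negotiated cipher and encapsulation, so the value below is an assumption labelled as such; 1280 is the IPv6 minimum link MTU and a conservative choice for the innermost tunnel. The last helper gives the payload size for a don't-fragment ping, which is the quickest way to confirm what a path really carries.

```python
IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8
WG_DATA_OVERHEAD = 32   # 16-byte WireGuard data message header + 16-byte Poly1305 tag
ICMP_HEADER = 8
IPV6_MIN_MTU = 1280     # RFC 8200 minimum link MTU; a safe innermost-tunnel MTU

# ASSUMPTION for the example: ESP in UDP (NAT-T) with an AEAD cipher:
# 20 IPv4 + 8 UDP + 8 ESP header + 8 IV + up to 3 pad + 2 trailer + 16 ICV.
# The real figure depends on what the Cisco client negotiates.
ASSUMED_IPSEC_OVERHEAD = IPV4_HEADER + UDP_HEADER + 8 + 8 + 3 + 2 + 16  # 65 bytes


def wireguard_overhead(outer_ipv6=True):
    """Bytes WireGuard adds to every tunnelled packet on the wire."""
    ip = IPV6_HEADER if outer_ipv6 else IPV4_HEADER
    return ip + UDP_HEADER + WG_DATA_OVERHEAD


def nested_tunnel_mtus(link_mtu, layers):
    """Walk encapsulation layers from the outside in.

    layers: list of (name, per_packet_overhead). Returns [(name, mtu)], the
    largest packet each layer may carry without fragmenting the layer
    outside it.
    """
    mtus = []
    mtu = link_mtu
    for name, overhead in layers:
        mtu -= overhead
        mtus.append((name, mtu))
    return mtus


def fits_without_fragmentation(inner_packet, layers, link_mtu=1500):
    """True if an inner_packet-byte packet survives every encapsulation intact."""
    return inner_packet + sum(overhead for _, overhead in layers) <= link_mtu


def df_ping_payload(path_mtu):
    """Largest IPv4 ICMP echo payload that fits path_mtu with DF set."""
    return path_mtu - IPV4_HEADER - ICMP_HEADER


if __name__ == "__main__":
    layers = [("WireGuard (1420 default, IPv6-safe)", wireguard_overhead(outer_ipv6=True)),
              ("IPsec inside WireGuard (assumed)", ASSUMED_IPSEC_OVERHEAD)]
    for name, mtu in nested_tunnel_mtus(1500, layers):
        print(f"{name:38} MTU {mtu}")
    print("IPv4-only endpoints would allow WireGuard MTU",
          1500 - wireguard_overhead(outer_ipv6=False))
    print("1280-byte inner packet fits:", fits_without_fragmentation(IPV6_MIN_MTU, layers))
    print("DF ping payload to test a 1420 path:", df_ping_payload(1420))
```

With the assumed IPsec overhead the inner tunnel could carry 1355 bytes, so egc's 1280 leaves a comfortable margin for a fatter cipher or an extra header. To verify the WireGuard leg itself from the Windows laptop, `ping -f -l 1392 <server-tunnel-ip>` (DF set, 1392 data bytes plus 28 bytes of IP and ICMP header = 1420) should succeed, while a larger value should be rejected rather than silently dropped.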
400mhz
DD-WRT Novice


Joined: 01 Feb 2023
Posts: 18

PostPosted: Thu Apr 27, 2023 16:24    Post subject:
egc wrote:
Running a tunnel in a tunnel is hit or miss.

Problem is often MTU related.

I would use 1420 as MTU for the WG tunnel on both sides.

For the Cisco tunnel 1280 to try.
But I do not know if the cisco tunnel even supports this.


Man, u're amazing, u're my hero!


I've set MTU to 1420 on both sides and it works. 🥳

Of course the connection is f**n slow, but that's because of mobile data tethering, I guess. Thank you a lot egc! You made my day again. 👍👍👍👍👍


This topic is solved, but I'm sure I'll have questions again. Next I need to make everything more secure. Can you suggest a wg tunnel hardening tutorial, or hardening of DD-WRT generally? What things are to do besides setting up pre-shared keys and iptables against brute force (still not much of a plan for it, but willing to learn). 😉