Posted: Mon Feb 10, 2025 9:08 Post subject: No traffic is routed via Wireguard
Hey community,
I recently set up my Asus RT-AC56U with dd-wrt (v3.0-r59429 std (01/31/25)). The router is configured as 'repeater bridge' and is connected successfully to my main router. In addition to that, I set up (see attached screenshot) a WireGuard tunnel (provider: Surfshark) by using a config file and their provided tutorial. According to the WireGuard status, it successfully established a connection to Surfshark (status: endpoint: 185.141.119.68:51820 latest handshake: 4 minutes, 8 seconds ago transfer: 92 B received, 320.72 KiB sent). But as you can see, there is no traffic routed via this tunnel. I also followed the setup guide pdf provided in this forum.
When I enter the command 'ip route show', I can see that the default is not the tunnel. So, I manually changed that to the tunnel (oet1) by entering the command 'ip route add default dev oet1'.
0.0.0.0/1 dev oet1 scope link
default dev oet1 scope link
10.14.0.0/24 dev oet1 scope link src 10.14.0.2
127.0.0.0/8 dev lo scope link
128.0.0.0/1 dev oet1 scope link
149.154.159.92 dev oet1 scope link
162.252.172.57 dev oet1 scope link
192.168.178.0/24 dev br0 scope link src 192.168.178.2
Result: There is still no traffic routed via the tunnel.
By visiting e.g. https://whatismyipaddress.com/, I noticed that it still exposes my real IP.
I would really appreciate your help for figuring out the problem.
Maybe I should give you some background information on my setup. My main router has the IP: 192.168.178.1. The Asus router has the IP: 192.168.178.2 and its gateway/local DNS: 192.168.178.1.
Basically, I followed the instructions I found online for setting it up as a repeater (see attachment). Do you think this could cause a problem (the repeater function works perfectly)?
Joined: 18 Mar 2014 Posts: 13647 Location: Netherlands
Posted: Mon Feb 10, 2025 16:39 Post subject:
Quote:
When I enter the command 'ip route show', I can see that the default is not the tunnel. So, I manually changed that to the tunnel (oet1) by entering the command 'ip route add default dev oet1'.
Please do not do that.
The default route is already going via the tunnel.
The "problem" is you are setting this VPN up on a repeater bridge.
All traffic will just bypass this router, and thus the VPN, on its way to the main router; only traffic which goes through your router will use the VPN, e.g. a guest wifi (unbridged VAP) will use the VPN.
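An added example, not part of either post, that parses the routing table quoted in the first post and performs the same longest-prefix match the kernel does. It shows why the manually added `default dev oet1` line was redundant: `0.0.0.0/1` and `128.0.0.0/1` together already cover every IPv4 address and are more specific than any `/0` route, so the tunnel was already the effective default for any packet the router itself routes. The table text is copied from the post as constructed sample input; the function names `parse_routes`, `lookup` and `lookup_without_default` are this example's own.

```python
import ipaddress

# Constructed sample input: the 'ip route show' output from the first post,
# taken after the poster had manually added "default dev oet1".
ROUTE_TABLE = """\
0.0.0.0/1 dev oet1 scope link
default dev oet1 scope link
10.14.0.0/24 dev oet1 scope link src 10.14.0.2
127.0.0.0/8 dev lo scope link
128.0.0.0/1 dev oet1 scope link
149.154.159.92 dev oet1 scope link
162.252.172.57 dev oet1 scope link
192.168.178.0/24 dev br0 scope link src 192.168.178.2
"""


def parse_routes(text):
    """Parse 'ip route show' lines into (network, device) pairs.

    'default' means 0.0.0.0/0; a bare host address (no slash) is a /32.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, dev))
    return routes


def lookup(routes, addr):
    """Longest-prefix match, as the kernel FIB does.

    Returns (matching prefix as string, device) or None if nothing matches.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for net, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return (str(best[0]), best[1]) if best else None


def lookup_without_default(routes, addr):
    """Same lookup with every /0 route removed, i.e. the table as it was
    before the poster added 'default dev oet1'. The result is identical
    because the two /1 routes are always preferred over a /0."""
    return lookup([r for r in routes if r[0].prefixlen != 0], addr)


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for dst in ("8.8.8.8", "200.1.2.3", "192.168.178.1", "127.0.0.1"):
        print(dst, "->", lookup(routes, dst), "| without default:",
              lookup_without_default(routes, dst))
```

What this cannot show is the second point of the reply: a client on the bridged LAN sends its frames straight to the main router's MAC address, so they are forwarded at layer 2 by `br0` and this routing table is never consulted for them. Only packets the repeater itself originates or routes (for example from an unbridged guest VAP) ever reach the lookup above.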
I followed the instructions stated in "DDWRT WireGuard Advanced Setup v26.pdf".
Instructions on page 2:
DHCP server Disabled (=off and NOT set as Forwarder!) (deactivated anyway when using repeater bridge)
IP outside DHCP range
Gateway and Local DNS pointing to primary router
DNSMasq enabled
Router in Gateway mode
Computer is connected wirelessly to the repeater
Firewall is off
I also added to the firewall the following commands:
iptables -t raw -D PREROUTING -j NOTRACK >/dev/null 2>&1
iptables -t raw -D PREROUTING -j CT --notrack >/dev/null 2>&1
Instructions on page 6 (Client on WAP):
NAT via Tunnel: Enable
Allowed IP's: 0.0.0.0/1,128.0.0.0/1
Route Allowed IP's enabled
Endpoint address: servers address and port
Result: After rebooting, the Asus router is working as repeater and the WireGuard tunnel itself is running (handshake took place). But my real IP is still exposed => for some reason the tunnel is still not used.
I think I already set up a "guest" WiFi (see attached screenshot). The Fritzbox is the primary router the Asus connects to. Please correct me if I am wrong.