Allow Remote Access LAN - how does this work?

I am trying to understand how this “Allow Remote Access LAN” works.

Let’s say my LAN is 192.168.0.x. I start a WireGuard server on the router and I connect to it from a client so the client gets an IP of 10.0.0.2.

Does this function mean that if I have a NAS on my LAN 192.168.0.100 I will be able to access it somehow from the VPN client? I guess I will need some extra firewall settings for that? And what about the client side, how will my Windows client know the route to 192.168.0.100 from the VPN network?

Thanks!
N

When “Allow Remote Access LAN” is enabled, it opens the firewall on your server.

You need to add 192.168.0.100/32 or 192.168.0.1/24 to AllowedIPs in the WireGuard client configuration.

I believe that I am working on exactly the same problem. I have a local LAN, 192.168.0.1/24, and a GL-AR300M with Wireguard VPN server configured, and remotely accessing this from the internet using Wireguard Win-10 client on a laptop PC.

The tunnel activates and connects, and works fine to route from the remote laptop PC through the GL-AR300M server, and on out to the internet. However, I cannot access anything on my LAN, with the exception of the GL-AR300M server itself.

I have enabled the “Allow Remote Access LAN” function.

I have added 192.168.0.1/24 to the AllowedIPs in the WireGuard client.

I have tried all kinds of permutations of the server/client IP’s. I’ve spent hours trying things, and nothing seems to work. What am I missing?

Please help!

Here’s a rough block diagram. What I want is to remotely access all of the devices on my home LAN, from my remote PC. I’d think this is the very most basic definition of a VPN.

All I can seem to do is tunnel from my laptop client to the VPN server and out to the internet. From my remote laptop, I cannot ping anything on my home LAN other than the GL-AR300M VPN server.

[Image: VPN Simplified Block Diagram]

You have to insert 192.168.0.0/24 to access your local subnet.

Insert it where?

One of the first things I did was put the LAN network “192.168.0.1/24” into the client “Allowed IPs” configuration.
I’ve actually done, and undone, this at least 20 times. Never solves the problem.

Is there somewhere else it needs to go?

Thanks

Here’s a screen capture. Please take a look and tell me if it’s still wrong?
I know the address of 192.168.1.X is not the same as 192.168.0.X. I was experimenting with trying a different subnet.

[Image: Client config Test7]

First, connect only the WAN of your gl-inet router to your main router and disconnect the LAN from it, then insert 192.168.0.0/24 in the AllowedIPs of the WG client config.
In the WG server of the gl-inet router, enable “Allow Remote Access LAN”.

Ok Thanks for the help!

If I disconnect the LAN port, I’m thinking that I have no way to talk to the GL-AR300 router for configuration? But I’ll try it right now.

For the other:

  1. Inserting the allowed IP 192.168.0.1/24, or 192.168.0.0/24
  2. selecting “Allow Remote Access LAN” at the server

As I posted, and showed in the screenshots, I’ve done this over and over and over and over and over again, for days, all to no avail. So either I’m doing it wrong, or something else is wrong, or it just doesn’t work.

Do my screenshots look ok?

Thanks again.

I just tested it, and if I disconnect the LAN port on the GL-AR300 router, I can no longer reach the router’s management interface. Is there something else I need to do, in order for it to work both the LAN and WAN through the WAN port?

Anyway, I’m still stuck and it won’t work.

First, the LAN segment where your PC is located cannot be 192.168.0.0/x.
Next, check the routing on your PC. With AllowedIPs configured and the wireguard client running, execute the following command.

route print
tracert 192.168.0.100

I don’t believe the LAN segment where my remote laptop PC is, is 192.168.0.0/x, but I believe it is 10.0.0.3.

Look at the screen shots which I previously attached. Am I misunderstanding?

Here are the results of the print route and tracert

NOTE: my network devices that I care about reaching are in the 192.168.1.0/24 subnet. But I’d be incredibly super happy to be able to route to either 192.168.1.0/24 or the 192.168.0.0/24 subnets.

C:\Users\TOUGHBOOK 31 MK5>route print

Interface List
81…WireGuard Tunnel
20…20 c6 eb 8f 03 c9 …Intel(R) Ethernet Connection (3) I218-LM
77…00 ff f7 82 86 3a …TAP-Windows Adapter V9 for OpenVPN Connect
46…4c 34 88 4f 8c 07 …Microsoft Wi-Fi Direct Virtual Adapter
19…4e 34 88 4f 8c 06 …Microsoft Wi-Fi Direct Virtual Adapter #2
37…94 8d 84 58 52 5d …Generic Mobile Broadband Adapter #18
41…4c 34 88 4f 8c 06 …Intel(R) Dual Band Wireless-AC 7265
1…Software Loopback Interface 1

IPv4 Route Table

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 100.90.204.26 100.90.204.25 311
0.0.0.0 0.0.0.0 On-link 10.0.0.4 0
10.0.0.4 255.255.255.255 On-link 10.0.0.4 256
100.90.204.24 255.255.255.252 On-link 100.90.204.25 311
100.90.204.25 255.255.255.255 On-link 100.90.204.25 311
100.90.204.27 255.255.255.255 On-link 100.90.204.25 311
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.1.0 255.255.255.0 On-link 10.0.0.4 0
192.168.1.255 255.255.255.255 On-link 10.0.0.4 256
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 100.90.204.25 311
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 100.90.204.25 311

Persistent Routes:
None

IPv6 Route Table

Active Routes:
If Metric Network Destination Gateway
37 311 ::/0 2600:1004:b101:4636:bc5a:e992:9416:c917
37 311 ::/0 fe80::bc5a:e992:9416:c917
1 331 ::1/128 On-link
37 311 2600:1004:b101:4636::/64 On-link
37 311 2600:1004:b101:4636:1d17:23de:4e8f:c0a8/128
On-link
37 311 2600:1004:b101:4636:2631:c168:aaa0:92ce/128
On-link
37 311 2600:1004:b101:4636:fc85:64fa:4cbb:4416/128
On-link
37 311 fe80::/64 On-link
37 311 fe80::1208:c511:a05c:2c3b/128
On-link
1 331 ff00::/8 On-link
37 311 ff00::/8 On-link

Persistent Routes:
None

C:\Users\TOUGHBOOK 31 MK5>tracert 192.168.0.100

Tracing route to 192.168.0.100 over a maximum of 30 hops

1 101 ms 56 ms 59 ms 10.0.0.1
2 54 ms 65 ms 58 ms 192.168.1.254
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * ^C
C:\Users\TOUGHBOOK 31 MK5>
C:\Users\TOUGHBOOK 31 MK5>tracert 192.168.1.100

Tracing route to 192.168.1.100 over a maximum of 30 hops

1 105 ms 56 ms 57 ms 10.0.0.1
2 10.0.0.1 reports: Destination host unreachable.

Trace complete.

I am referring to the LAN IP (the IP segment of the Ethernet or WLAN on your PC) and not the virtual IP on the WireGuard interface.

I’m not seeing where my remote PC is on the 192.168.0.x/24 LAN segment?

I’m connecting through a cellular modem that is integral to the remote PC.

But, I’m not very familiar with this, so I may need help understanding where to look?

From here, the packet trying to access 192.168.0.100 reaches 192.168.1.254 with VPN. Is it your device?

Yes, 192.168.1.254 is the LAN router/gateway/firewall to the internet on my Home LAN, not on the remote laptop PC.

Referencing the diagram, it’s the “Router Switch” Blue box.
All of the 192.168.“0”.x addresses are now 192.168.“1”.x

So the IP of the NAS is now 192.168.1.100?
So if you tracert 192.168.1.100 or tracert 192.168.1.12 on your PC, will it reach it?

No, the NAS is now 192.168.1.10

No, a tracert from the remote laptop PC will not reach 192.168.1.10, and it will not reach 192.168.1.12. I cannot reach anything on the 192.168.1.x subnet, except for 192.168.1.253, which is the GL-AR300M VPN server.

C:\Users\TOUGHBOOK 31 MK5>tracert 192.168.1.10
Tracing route to 192.168.1.10 over a maximum of 30 hops
1 100 ms 57 ms 58 ms 10.0.0.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * ^C

C:\Users\TOUGHBOOK 31 MK5>tracert 192.168.1.12
Tracing route to 192.168.1.12 over a maximum of 30 hops
1 96 ms 57 ms 56 ms 10.0.0.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * ^C

C:\Users\TOUGHBOOK 31 MK5>tracert 192.168.1.253
Tracing route to 192.168.1.253 over a maximum of 30 hops
1 51 ms 62 ms 56 ms 192.168.1.253
Trace complete.

C:\Users\TOUGHBOOK 31 MK5>

If 10.0.0.1 is the virtual IP on your AR300M, then the router appears to have no problems.
Because your AllowedIPs already contain 0.0.0.0/0, the routing table is correct even if 192.168.1.0/24 is not added. Traffic packets will also reach the gateway correctly.

Please check LuCI → Network → Firewall on the AR300M and make sure that wgserver → lan is accepted.
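
The routing check described in the reply above, as an added example that is not part of the original thread: a Python longest-prefix-match lookup over IPv4 rows copied from the posted `route print` output, showing which interface the Windows client selects for each destination. The function names and the selection of rows are this example's own assumptions.

```python
import ipaddress

# IPv4 rows copied from the `route print` output posted in the thread
# (destination, netmask, gateway, interface, metric).
# Loopback, broadcast and multicast rows are left out.
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 100.90.204.26 100.90.204.25 311
0.0.0.0 0.0.0.0 On-link 10.0.0.4 0
10.0.0.4 255.255.255.255 On-link 10.0.0.4 256
100.90.204.24 255.255.255.252 On-link 100.90.204.25 311
192.168.1.0 255.255.255.0 On-link 10.0.0.4 0
"""

TUNNEL_IF = "10.0.0.4"  # address of the WireGuard interface in that output


def parse_routes(text):
    """Turn `route print` rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers and wrapped lines
        dest, mask, gateway, iface, metric = parts
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"),
                       gateway, iface, int(metric)))
    return routes


def lookup(routes, target):
    """Pick the route for target: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(target)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def via_tunnel(routes, target):
    """True when the selected route leaves through the WireGuard interface."""
    best = lookup(routes, target)
    return best is not None and best[2] == TUNNEL_IF


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for dst in ("192.168.0.100", "192.168.1.10", "100.90.204.26"):
        net, gw, iface, metric = lookup(table, dst)
        print(f"{dst:15} -> {net} via {iface} (metric {metric})")
```

Both LAN addresses resolve to the tunnel interface: 192.168.1.10 through the 192.168.1.0/24 entry and 192.168.0.100 through the metric-0 default route. That is consistent with the reply's point that the client routing table is already correct, which moves the check to the wgserver → lan forwarding rule on the router.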

This is what I show for LuCi → Network → Firewall