Brume: Access WGUI an ssh via WAN from main-router

AleksCee · 2019-12-07T21:40:48.213Z

Hello,

I like to use the Router as an Wireguard Server behind my cable router. So I have configure a static ip for the WAN Interface via the GUI. Then I enable in the firewall port 80 and 22 to access the router from the network of the WAN interface. All is good. But if I start the wireguard Server some additional firewall rules are enabled and I have no access from the WAN interface to the web or ssh servers on the router to configure my clients any more. Only the access over LAN ports at the Brume works. But I don’t want to connect a extra pc to the LAN port for configuration. Have you a any hints for me how doses this could by work?

ISP <> my router (192.168.1.0/24) → WAN of the Brume (192.168.1.223) with the wireguard.

I like to access the web and ssh on the Brume from my 192.168.1.0/24 network.

Thanks, Alex.

sfx2000 · 2019-12-08T23:53:38.986Z

Put Brume behind the FW, and let it be the WG end-point

Fix it’s IP to a static IP inside your LAN, and port forward just the WG ports.

Don’t need to do port forwards other that WG on the edge router

AleksCee · 2019-12-09T06:09:16.696Z

I have do this, but if the WG Server is started I can’t access the static ip any more.

sfx2000 · 2019-12-10T03:36:26.846Z

Check your setup… WG, like OpenVPN, when acting as a server, you likely will have to come into the LAN from the outside if your Gateway doesn’t support NAT redirection.

In the example below, Brume is 192.168.8.189, port forwarding SSH and WG - this screenshot is not from Brume, it’s from the GW router.

WG_FW_NAT_Ports1248×672 65.1 KB

AleksCee · 2019-12-10T05:58:28.856Z

Hi,

My problem is actually not the WG access. I can access the Brume from my Lokal lan on the static ip 192.168.1.223 from the devices at my main router. But if I start WG I can’t access the Brume web Interface any more.
I only can access it via a client which is connected via WG. But I like to manage the Brume from my main lan if the WG is running.

Something after starting wg seams to block the access to the webGUI on the WAN interface which is connected to the main routers lan.

Main router 192.168.1.1/24
Brume WAN 192.168.223 (static)
Brume LAN 192.168.8.1/24 (the default)
Brume WG 10.0.1.0 (the default)

hydn · 2021-04-20T16:09:38.171Z

Did you get this to work?

AleksCee · 2021-04-20T17:23:22.715Z

No, I have not try any further after this post. Have you get it to work?

hydn · 2021-04-20T17:46:22.358Z

Just purchased. Going to try to use to provide VPN to all devices connected to my edge router. So will let you know.

AleksCee · 2021-04-20T18:12:25.559Z

Cool, good luck! I‘m happily awaiting your results.

hydn · 2021-04-28T13:00:32.456Z

I got it two work. There’s documentation on that. Forgot the link but it told me to setup these two options. After I did that it worked…

image733×639 34.1 KB

Found another doc page, but don’t remember the other page that gave the specific instructions. But here’s the excerpt from the other page:

Use VPN for all process on the router : Generally, the traffic of all processes running on the router such as GoodCloud will be routed through VPN if there is a connected VPN client (e.g. WireGuard, OpenVPN, Shadowsocks). In this case, these processes will lose Internet if VPN is disconnected. In order to ensure a proper operation of these processes, you can disable this option. As a result, they will not use VPN. - VPN Policies - GL.iNet Router Docs 3

Oh, also I added port forwarding on my router for ports 80 and 443 to the Brume’s IP address. Don’t forget that step! haha. Also found that by searching forums:

Remote access to home network using VPN server of GL-AR150 Technical Support for Routers

Hmmm… That’s good, now I understand a bit better what @alzhao meant when mentioning port 111 for the router and port 111 again later. This means the list of actions I must do are: on the router: set static IP for AR150 on the router: open port 1194 and direct it to the static IP I defined on AR150: configure OpenVPN and save config file to use in my computers. That should do it, right?

Edit: Make the policy change and just apply port forwarding for ssh ports also if you want remote SSH which I just tested also.

Now my issue is, last night the internet/VPN dropped and the router does not auto-reconnect. Hoping to find a solution to that! That’s a deal-breaker for me.