Bypassing CGNAT with WireGuard - Possible Configurations?

User123 · September 28, 2024, 6:37pm

Hi. Recently, my ISP implemented CGNAT, which has prevented me from accessing the WireGuard server on my router. However, I do have a VPS with WireGuard server and a static IP. Is there a way to configure my router to connect to this VPS server, so that it becomes accessible through the VPS's IP, while ensuring that my LAN clients do not route their internet traffic through the VPN?

Quidn · September 29, 2024, 3:44am

Yes. "Customize Routing Rules" allows multiple site-to-site network behind CGNATs. No need to access even to the LuCI.

User123 · September 29, 2024, 6:36am

I'm not sure which routing rule to apply for the router's WireGuard client. I've already set up a rule for 192.168.1.0/24, but it's not working. I need all devices connected to the same VPN network to be able to access the router's LAN.

bruce · September 29, 2024, 7:25am

Quidn post means how to use the proxy mode to route the traffic of the LAN clients.

There is not public IP for the CGNAT. The simple way is creating a VPN server in the VPS, the GL Router and other devices as the VPN clients.

User123 · September 29, 2024, 8:57am

Okay, I've found a solution. My initial goal was to access my IP cameras from outside the local network. Previously, I could achieve this by using the WireGuard server functionality on my router. However, after my ISP implemented CGNAT, this method became ineffective. So, what did I do? I connected my router to my VPS via WireGuard. I added the IP addresses of my cameras to the 'allowed IPs' list in my router's client configuration on the VPS. Then, in the router VPN settings, I selected the option 'VPN Policy Based on the Client Device' and added my IP cameras to the list. Now, any client connected to my VPN can directly access the cameras via their IP addresses.

Lastimosa · September 29, 2024, 10:11am

Why not just use something like Tailscale?

User123 · September 29, 2024, 10:14am

Firstly, I'm not familiar with that. Secondly, I'd prefer to avoid using any third-party services that are beyond my control, if possible.

Quidn · September 29, 2024, 12:09pm

That could be a workaround, but against to your requirement:

while ensuring that my LAN clients do not route their internet traffic through the VPN

Security concerns aside, to accurately reflect your requirements,

On the VPS: Enter your LAN CIDR block(e.g., 192.168.8.0/24) into allowed_ips
On the router's WireGuard Client menu:
-- Enter your WireGuard network CIDR block(e.g., 10.0.0.0/24) into allowed_ips and create a route rule of it
-- Turn on Remote Access LAN
-- Turn off IP Masquerading

That's it. If you have just one site and every other peers are just client devices, nothing more to config.

Quidn · September 29, 2024, 12:31pm

In this setup, because of OP already running own WG server, using Tailscale is more complex I feel. Moreover there's nothing pro because it's just one site which behind the CGNAT.

One of so great thing about GL.iNet routers is that you can do setup like this by very easily in the default UI of stock firmware. This is very unique advantage which I really impressed. So... Tryout!

Lastimosa · September 29, 2024, 1:57pm

With my always changeable topology and frequent double (and occasionally even triple nat-ting) as well as frequent reliance on LTE WAN failover using CGNAT, Tailscale has never once failed me even with my own WG and OVPN servers running. It is the stuff of magic...