Can’t access LAN addresses when passing all traffic via WG VPN tunne

ecfeed · March 23, 2024, 9:55pm

Hi,

I’m trying to make it work on my AX1800 and for some reason only internet traffic goes through VPN tunnel.

wg.conf file I use for the router specifies the following:
[Interface]
Address = 192.168.10.5/32
ListenPort = 51542
PrivateKey = [key]
DNS = 192.168.10.1
MTU = 1420

[Peer]
AllowedIPs = 192.168.1.0/24, 192.168.2.0/24, 0.0.0.0/0
Endpoint = someip:someport
PersistentKeepalive = 25
PublicKey = [key]

I want to get access to 192.168.1.x and 192.168.2.x subnets via VPN too. If I use same config from my laptop directly everything is fine.

In the router I tried enabling / disabling IP masquerading, switching Autodetect and Global proxy mode and enabling / disabling Remote Access LAN. Using latest firmware v4.5.0

Could you suggest what am I missing here?

cfx69 · March 24, 2024, 6:17am

Watching this as I’m having the exact same issue. Like yourself, tried every combination of toggles, dns in the config, etc. Connects, but no access to the remote lan. Using the exact same settings in windows wireguard client, everything works perfect.

Anyone have an insight?

alzhao · March 25, 2024, 8:09am

Can you let me know the typography of the server side?

How does these subnet connected to each other, 192.168.1.0, 192.168.2.0 and 192.169.10.1?

I think it should just work. But better to do a check.

cfx69 · March 25, 2024, 1:23pm

In my case, server side is the latest version of OPNSense, home network is on a 192.168.10.x subnet. Wireguard is using 10.50.50.x and local network on GL-AXT1800 is using 192.168.69.x.

Wireguard will connect, but there is no remote lan connectivity. Checking external IP, it will show remote network (server) side external IP.

It appears to be a DNS issue, even if it’s configured in wireguard to use remote DNS.

Using the exact same client configuration in the windows wireguard client on the same device, everything works perfect. Remote DNS works, can access network resources, etc.

C…

admon · March 25, 2024, 1:36pm

To rule that out, try pinging IPs instead of hostnames.

cfx69 · March 25, 2024, 1:54pm

Tried numerous times while changing toggles and setting DNS= in wireguard config. Cannot ping by IP or name.

Tracert to any IP on remote network fails on first hop and dies.

cfx69 · March 25, 2024, 3:16pm

When I first got the device, it auto-updated to 4.5.0. Since then, I’ve tried with 4.5.16 beta and just now did uboot back to 4.5.0 just to make sure it wasn’t an upgrade issue.

Problem still persists. Wireguard will connect, ipchicken returns remote network external IP, but no DNS resolution to remote network.

Windows wireguard client with exact same settings works perfectly.

C…

hansome · March 25, 2024, 3:57pm

Are you using Global proxy mode?

Can you switch to that, if it still doesn’t work, export log and send me by Private message.

ecfeed · March 25, 2024, 4:14pm

OPNSense with Wireguard server on it.

192.168.1.0 and 192.168.2.0 are managed by OPNSense LAN networks.
192.169.10.0 is subnet of wireguard server for this VPN connection. 192.169.10.1 is ip address of OPNSense.

I use default subnet 192.168.8.0 on AX1800.

hansome · March 26, 2024, 3:00am

@cfx69 found the issue happens when the local wan subnet has a conflict with remote LAN subnet.

To check the route to remote LAN:

ip route get 192.168.1.0/24

It should go by wgclient interface.
If it goes by eth/repeater interface, then the conflict exists.

Two workarounds:

change local wan ip subnet
add a route:

ip route add 192.168.1.0/24 dev wgclient scope link

The correspondent permanent setting can be done in luci, Network-routing: add a route like the following:

I think workaround 2 will be adopted in our future firmware release.

ecfeed · March 29, 2024, 2:41am

Thanks, I can access my local networks now via vpn. Used workaround 2.

Shurov · June 28, 2024, 6:32pm

Can I check my case, which seems very similar?

WG Server - OPNsense router, with 10.0.0.0/16 VLANs configured (10.0.0.0/24 is the main LAN)
It has WG interface configured to be 10.0.5.0/24 (WG clients connect into this range).

Gl.iNet (MT3000 v4.5.16) has local interface configured under 10.10.0.0/24 range.

When I have "IP masquerade" turned off - all the Gl.iNet clients can access home lan (behind OPNsense) via WG under the GL router's IP 10.0.5.5 (seen on the OPNsense).
However, I'd also like to access local devices behind GL router from within my home LAN (so 10.0.0.0/24 -> 10.10.0.0/24), that's why I would like to have "IP masquerade" OFF. But with it's off, I can't access home LAN (10.0.0.0/24) resources from clients behind GL router any more. And I see their real IP (10.10.0.0/24) in firewall logs as blocked by the default floating rule "Default deny / state violation rule".

Is my understanding and thinking of the configuration correct? Please point me in the correct direction

Hoodah · April 15, 2025, 9:20am

It is a year later, but this fix [adding the route in luci] worked for my use case as well, thanks for posting it. I was wondering if it ever made it into the firmware and if there was a more appropriate place for me to be making this routing override?