Client to Client

I have a 750 acting as the VPN server and a Mango as the client. When I am at the client site I can see everything on the server side network, but when I am at the server side I can't see anything at the client site. So what do I need to change to fix this?

Server network is 192.168.30.0/24 and 750 is 192.168.8.0/24. Client network is 192.168.1.0/24 and Mango is 192.168.8.0/24.

I have equipment connected to the LAN port on the Mango which I want to access from the WiFi on the 750.

Thanks.

I don’t know how to do this in openvpn.

Do you want to try wireguard? @kyson-lok can send you a testing firmware and guide.

Let’s say what it will do: it will link two separate offices to one network.

OK great. How do I get it?

Thanks.

@Daggo I don’t understand the topology for your description. Could you draw a diagram?

Device A needs to log into Device B. Because the remote site hosting Device B is on 4G CDN there is no public IP address. So I figured a VPN would fix that.

If I am at the remote/client site I can access all the machines and equipment at the server side. If I am at the local/server side I cannot access any machines at the remote/client side.

I really need to be able to browse both networks as if it was one large network.

Thanks.

So can it be done? I tried WireGuard on two other GL-iNet routers I have on hand but it appears to be too fiddly. I have 5 different routers and I'd like to get this to work.

@Daggo Could you show me your AR750 and MT300N-V2 firewall configuration and ip route table? Maybe an ip route or forwarding rules are missing.

MT300
firewall.conf
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule 'glservice_rule'
        option name 'glservice'
        option dest_port '83'
        option proto 'tcp udp'
        option src 'wan'
        option target 'ACCEPT'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'shadowsocks'
        option type 'script'
        option path '/var/etc/shadowsocks.include'
        option reload '1'

config zone 'vpn_zone'
        option name 'VPN_client'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'VPN_client'
        option masq '1'

config forwarding 'forwarding_origin'
        option src 'lan'
        option dest 'wan'

# the only forwarding that touches the VPN zone is lan -> VPN_client
config forwarding 'forwarding_vpn1'
        option dest 'VPN_client'
        option src 'lan'

root@GL-MT300N-V2:~# ip route
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0.2 proto static src 192.168.1.118
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.3
128.0.0.0/1 via 10.8.0.1 dev tun0
180.181.96.56 via 192.168.1.1 dev eth0.2
192.168.1.0/24 dev eth0.2 proto kernel scope link src 192.168.1.118
192.168.1.1 dev eth0.2 proto static scope link src 192.168.1.118
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.2

AR750
firewall.conf

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule 'glservice_rule'
        option name 'glservice'
        option dest_port '83'
        option proto 'tcp udp'
        option src 'wan'
        option target 'ACCEPT'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'shadowsocks'
        option type 'script'
        option path '/var/etc/shadowsocks.include'
        option reload '1'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option name 'RRC'
        option src '*'
        option dest 'vpn-server'

config rule 'vpn_server_rule'
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '1194'

config zone 'vpn_server_zone'
        option name 'vpn-server'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option device 'tun-SERVER'

config forwarding 'vpn_server_wan'
        option src 'vpn-server'
        option dest 'wan'

config forwarding 'vpn_server_lan'
        option src 'vpn-server'
        option dest 'lan'

default via 192.168.30.1 dev eth0 proto static src 192.168.30.150
10.8.0.0/24 dev tun-SERVER proto kernel scope link src 10.8.0.1
192.168.7.0/24 dev br-lan proto kernel scope link src 192.168.7.1
192.168.30.0/24 dev eth0 proto kernel scope link src 192.168.30.150
192.168.30.1 dev eth0 proto static scope link src 192.168.30.150

On the MT300N-V2 side, you should add a forwarding rule as below:

config forwarding             
        option src 'VPN_client'       
        option dest 'lan'

Then issue /etc/init.d/firewall restart to restart the firewall.
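The posted configs and route tables can be checked mechanically. What follows is an added example, not code from the thread or from GL.iNet: a small Python script that parses UCI firewall text and `ip route` output and applies the two checks a site-to-site tunnel needs on each router: a `config forwarding` between the tunnel zone and `lan` in both directions, and a kernel route that sends the remote LAN into the tunnel interface. The embedded config and route text are trimmed copies of what was posted above, used here as constructed sample input; the zone and interface names (`VPN_client`, `tun0`, `tun-SERVER`) are the ones shown above, and the two probe addresses (192.168.30.5, 192.168.8.5) are arbitrary hosts inside the posted subnets.

```python
"""Added example (not from the thread or GL.iNet): read UCI firewall text and
`ip route` output and check what a site-to-site tunnel needs on EACH router:
forwarding between the tunnel zone and 'lan' in BOTH directions, and a kernel
route that sends the remote LAN into the tunnel interface.  The config and
route text are trimmed copies of what the thread shows, used as sample input."""
from __future__ import annotations
import ipaddress
import re

# GL-MT300N-V2 (OpenVPN client) /etc/config/firewall, relevant sections only.
MT300_FIREWALL = """
config rule 'glservice_rule'
        option name 'glservice'
        option dest_port '83'
        option proto 'tcp udp'
        option src 'wan'
        option target 'ACCEPT'

config zone 'vpn_zone'
        option name 'VPN_client'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'VPN_client'
        option masq '1'

config forwarding 'forwarding_origin'
        option src 'lan'
        option dest 'wan'

config forwarding 'forwarding_vpn1'
        option dest 'VPN_client'
        option src 'lan'
"""

# `ip route` on each router, as posted (IPv4 only).
MT300_ROUTES = """
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0.2 proto static src 192.168.1.118
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.3
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0.2 proto kernel scope link src 192.168.1.118
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.2
"""
AR750_ROUTES = """
default via 192.168.30.1 dev eth0 proto static src 192.168.30.150
10.8.0.0/24 dev tun-SERVER proto kernel scope link src 10.8.0.1
192.168.7.0/24 dev br-lan proto kernel scope link src 192.168.7.1
192.168.30.0/24 dev eth0 proto kernel scope link src 192.168.30.150
"""


def parse_uci(text: str) -> list[dict]:
    """Tiny UCI reader: one dict per `config` section, `option` lines only."""
    sections: list[dict] = []
    for line in text.splitlines():
        line = line.strip()
        sec = re.match(r"^config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if sec:
            sections.append({"type": sec.group(1), "name": sec.group(2), "options": {}})
        opt = re.match(r"^option\s+(\S+)\s+'([^']*)'$", line)
        if opt and sections:
            sections[-1]["options"][opt.group(1)] = opt.group(2)
    return sections


def forwarding_problems(sections: list[dict], tunnel_zone: str, lan_zone: str = "lan") -> list[str]:
    """A zone's own `forward` policy only covers traffic between networks of
    that zone; crossing zones needs one `config forwarding` per direction."""
    pairs = {(s["options"].get("src"), s["options"].get("dest"))
             for s in sections if s["type"] == "forwarding"}
    return [f"no forwarding {src} -> {dst}"
            for src, dst in ((lan_zone, tunnel_zone), (tunnel_zone, lan_zone))
            if (src, dst) not in pairs]


def wan_accept_inputs(sections: list[dict]) -> list[tuple[str, str]]:
    """INPUT rules accepting from wan: each one is a service exposed to the internet."""
    return [(s["options"].get("dest_port", "any"), s["options"].get("proto", "any"))
            for s in sections
            if s["type"] == "rule" and s["options"].get("src") == "wan"
            and "dest" not in s["options"] and s["options"].get("target") == "ACCEPT"]


def parse_routes(text: str) -> list[tuple[ipaddress.IPv4Network, str]]:
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        if "/" not in dst:
            dst += "/32"  # host route
        routes.append((ipaddress.ip_network(dst), parts[parts.index("dev") + 1]))
    return routes


def egress_device(routes: list[tuple[ipaddress.IPv4Network, str]], dst: str) -> str:
    """Longest-prefix match, as the kernel does it."""
    ip = ipaddress.ip_address(dst)
    return max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen)[1]


def audit() -> dict:
    mt = parse_uci(MT300_FIREWALL)
    return {
        "mt300_forwarding": forwarding_problems(mt, "VPN_client"),
        "mt300_wan_open": wan_accept_inputs(mt),
        # client -> server LAN: the 0.0.0.0/1 + 128.0.0.0/1 pair pushed by the
        # server sends everything into tun0, so this direction works
        "mt300_to_server_lan": egress_device(parse_routes(MT300_ROUTES), "192.168.30.5"),
        # server -> client LAN: nothing points 192.168.8.0/24 at tun-SERVER,
        # so the packet follows the default route out eth0 instead
        "ar750_to_client_lan": egress_device(parse_routes(AR750_ROUTES), "192.168.8.5"),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

Run on the posted data the script reports the one-way forwarding on the MT300 (lan to VPN_client only) and, separately, that the AR750 has no route for 192.168.8.0/24, so server-side packets for the client LAN leave via eth0 rather than tun-SERVER. Adding the reverse forwarding fixes only the first problem; for the second, an OpenVPN server has to be told which client owns that subnet (a `route 192.168.8.0 255.255.255.0` directive in the server config plus `iroute 192.168.8.0 255.255.255.0` in that client's client-config-dir file), otherwise a VPN_client to lan forwarding never sees any traffic. Two side notes a reviewer would raise from the same config: the `glservice` rule accepts TCP and UDP port 83 from `wan` on both routers, so whatever listens there is internet-facing, and `masq '1'` on both tunnel zones means hosts on each LAN see the far router's tunnel address (10.8.0.x) instead of the true source, which works but hides the real origin in any logs.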

Adding that to the firewall didn't work. Thought that was too simple a solution.

Cannot ping from the 750's IP of 192.168.7.1 to anything on either 192.168.8.x or 192.168.1.x.

Last gasp before I throw it all in the rubbish.

Here is the network I want it to work on.

Tried WireGuard again following WireGuard - GL.iNet Router Docs, which is very different to other sites I've read.
It's all set up on both routers and running.

This is running as a test. The remote site with the 300M is tethered to a mobile phone.

root@GL-AR750:~# wg
interface: wg0
public key: hj4/koblahcNxyM2vw02/CRGEDblahc8dXzirflXA3I=
private key: (hidden)
listening port: 55555
peer: 8LOcUQRd/VBAAabKblahT65Y4kcWKyogqpJYR3wHJHM=
allowed ips: 10.0.0.0/24

root@GL-MT300N-V2:~# wg
interface: wg0
public key: FGp4MksWDX8hblah60u5k8XxvTmPNWgqIJ8u7+oMQhc=
private key: (hidden)
listening port: 55555
peer: hj4/kojAuEcNxyblah02/CRGEDz+aXc8dXzirflXA3I=
endpoint: 180.181.96.XX:55555
allowed ips: 0.0.0.0/0
transfer: 0 B received, 71.83 KiB sent
persistent keepalive: every 25 seconds

At the home site there is a firewall rule in the router to direct traffic on port 55555 to 192.168.30.150.

But it still doesn’t work…

It seems WireGuard is disconnected. If it succeeds in connecting, you will see the latest handshake. I see that the GL-AR750 is behind a firewall; it needs port forwarding configured.

Derr… What does it say in my last post?

The WireGuard peer public key configured on the GL-AR750 is inconsistent with the MT300N-V2's public key. On the GL-AR750 side, you should issue wg set wg0 add peer FGp4MksWDX8hblah60u5k8XxvTmPNWgqIJ8u7+oMQhc= allowed-ips 10.0.0.0/24.

And where does that key come from?

It is not generated by the steps shown on WireGuard - GL.iNet Router Docs. 2 sets of keys are generated on the client and server separately with the commands listed:

# wg genkey > privatekey
# wg pubkey < privatekey > publickey

Which gives 4 keys. Where does this 5th one come from? It only appears when WireGuard is running???

I tried the command above but it is wrong; it should be:
wg set wg0 peer FGp4MksWDX8hblah60u5k8XxvTmPNWgqIJ8u7+oMQhc= allowed-ips 10.0.0.0/24
Without the “add”

root@GL-AR750:~# wg
interface: wg0
public key: hj4/kojAuEcNxyblaj02/CRGEDz+aXc8dXzirflXA3I=
private key: (hidden)
listening port: 55555
peer: FGp4MksWDX8hblah60u5k8XxvTmPNWgqIJ8u7+oMQhc=
endpoint: 1.144.104.XX:3006
allowed ips: 10.0.0.0/24
latest handshake: 7 seconds ago
transfer: 4.24 KiB received, 2.78 KiB sent
peer: 8LOcUQRd/VBAAabKblah65Y4kcWKyogqpJYR3wHJHM=
allowed ips: (none)
root@GL-MT300N-V2:~# wg
interface: wg0
public key: FGp4MksWDX8hblah60u5k8XxvTmPNWgqIJ8u7+oMQhc=
private key: (hidden)
listening port: 55555
peer: hj4/kojAuEcNxyM2blah/CRGEDz+aXc8dXzirflXA3I=
endpoint: 180.181.96.XX:55555
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 11 seconds ago
transfer: 2.63 KiB received, 14.30 KiB sent
persistent keepalive: every 25 seconds

I now have 2 routers connected. How do I connect to resources behind each router? If information is missing on setting up the configs I could guess there is something missing in the firewall info too.

I think that Device B can access Device A now. And if you want to access Device B from Device A, on the GL-AR750 side you should issue wg set wg0 peer FGp4MksWDX8hblah60u5k8XxvTmPNWgqIJ8u7+oMQhc= allowed-ips 10.0.0.0/24,192.168.8.0/24 and ip route add 192.168.8.0/24 dev wg0.
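The two failures in this part of the thread (no handshake while the GL-AR750 held the wrong peer key, then a tunnel that is up but carries no LAN-to-LAN traffic) both come down to how WireGuard's cryptokey routing works: the peer's AllowedIPs is the outbound route table (which peer a destination gets encrypted to) and at the same time an inbound ACL (which source addresses that peer is allowed to send), and a separate kernel route is still needed to get a packet onto wg0 at all. What follows is an added example, not code from the thread or from GL.iNet or the WireGuard project: a small Python model of those rules, run over a hub/spoke layout built to match the thread (home LAN 192.168.7.0/24, remote LAN 192.168.8.0/24, tunnel 10.0.0.0/24). The public keys are constructed placeholder strings, not the keys posted above, and the "kernel route" handling is deliberately simplified to a membership test.

```python
"""Added example (not from the thread): a minimal model of WireGuard's
cryptokey routing, to reason about the two failures seen above.
(1) No handshake: a node only completes a handshake with a peer whose
    configured public key is the other side's real key.
(2) Tunnel up but LANs unreachable: AllowedIPs is both the outbound route
    table (which peer a destination is encrypted to) and an inbound ACL
    (which source addresses that peer may send); a kernel route is still
    needed to get the packet onto wg0 at all.
Keys, addresses and routes are constructed placeholders."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network


@dataclass
class Peer:
    public_key: str
    allowed_ips: list = field(default_factory=list)


@dataclass
class WgNode:
    name: str
    public_key: str
    peers: dict = field(default_factory=dict)           # peer public key -> Peer
    routes_via_wg: list = field(default_factory=list)   # prefixes the kernel sends to wg0

    def add_peer(self, public_key: str, *allowed: str, route: bool) -> None:
        nets = [Net(a) for a in allowed]
        self.peers[public_key] = Peer(public_key, nets)
        if route:  # what OpenWrt's route_allowed_ips='1' does for you
            self.routes_via_wg.extend(nets)

    def peer_for_dst(self, dst: str) -> Peer | None:
        """Outbound: longest-prefix match across every peer's AllowedIPs."""
        ip = ipaddress.ip_address(dst)
        best = None
        for peer in self.peers.values():
            for net in peer.allowed_ips:
                if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, peer)
        return best[1] if best else None

    def accepts_src(self, peer_key: str, src: str) -> bool:
        """Inbound: a decrypted packet survives only if its source address is
        inside the AllowedIPs of the peer whose key it was decrypted with."""
        peer = self.peers.get(peer_key)
        return peer is not None and any(ipaddress.ip_address(src) in n for n in peer.allowed_ips)


def handshake_ok(a: WgNode, b: WgNode) -> bool:
    return b.public_key in a.peers and a.public_key in b.peers


def deliver(a: WgNode, b: WgNode, src: str, dst: str) -> str:
    """Trace one packet from a host behind `a` to a host behind `b`: 'ok' or why it dies.
    Simplified: assumes no more-specific non-tunnel route shadows routes_via_wg."""
    if not any(ipaddress.ip_address(dst) in n for n in a.routes_via_wg):
        return f"{a.name}: no kernel route to {dst} via wg0, packet leaves by the default gateway"
    peer = a.peer_for_dst(dst)
    if peer is None or peer.public_key != b.public_key:
        return f"{a.name}: no peer has AllowedIPs covering {dst}, wg0 drops it"
    if not handshake_ok(a, b):
        return f"{b.name}: no peer entry for {a.name}'s key, handshake never completes"
    if not b.accepts_src(a.public_key, src):
        return f"{b.name}: source {src} not in AllowedIPs for {a.name}, dropped on receive"
    return "ok"


# Constructed placeholder keys (real ones are base64 Curve25519 public keys).
KEY_HOME, KEY_REMOTE, KEY_STALE = "HOME_PUBKEY=", "REMOTE_PUBKEY=", "STALE_PUBKEY="


def build_home(*, correct_key: bool, remote_lan: bool) -> WgNode:
    """Hub at the home site (LAN 192.168.7.0/24, tunnel 10.0.0.0/24)."""
    home = WgNode("home", KEY_HOME)
    allowed = ["10.0.0.0/24"] + (["192.168.8.0/24"] if remote_lan else [])
    home.add_peer(KEY_REMOTE if correct_key else KEY_STALE, *allowed, route=True)
    return home


def build_remote(*allowed: str) -> WgNode:
    """Spoke at the 4G site (LAN 192.168.8.0/24)."""
    remote = WgNode("remote", KEY_REMOTE)
    remote.add_peer(KEY_HOME, *allowed, route=True)
    return remote


def scenarios() -> dict[str, str]:
    spoke = build_remote("0.0.0.0/0")           # the thread's full-tunnel spoke
    spoke_narrow = build_remote("10.0.0.0/24")  # split tunnel with the hub LAN forgotten
    hub_full = build_home(correct_key=True, remote_lan=True)
    return {
        "stale peer key": deliver(
            spoke, build_home(correct_key=False, remote_lan=False), "192.168.8.1", "10.0.0.1"),
        "hub -> remote LAN, only 10.0.0.0/24 allowed": deliver(
            build_home(correct_key=True, remote_lan=False), spoke, "192.168.7.1", "192.168.8.1"),
        "hub -> remote LAN, 192.168.8.0/24 allowed and routed": deliver(
            hub_full, spoke, "192.168.7.1", "192.168.8.1"),
        "reply remote -> hub LAN": deliver(spoke, hub_full, "192.168.8.1", "192.168.7.1"),
        "hub -> split-tunnel spoke missing 192.168.7.0/24": deliver(
            hub_full, spoke_narrow, "192.168.7.1", "192.168.8.1"),
    }
```

The last scenario is the generalisation the thread does not spell out: the spoke's `allowed ips: 0.0.0.0/0` happens to cover the hub's LAN, so only the hub side needed a change here, but a split-tunnel spoke that lists only 10.0.0.0/24 would silently drop every packet arriving from 192.168.7.x even with a perfect handshake, so each side's AllowedIPs must include the other side's LAN. The kernel-route check corresponds to the `ip route add 192.168.8.0/24 dev wg0` step (or `route_allowed_ips '1'` in /etc/config/network, which installs that route for every allowed_ips entry); on GL.iNet firmware mwan3's policy routing can steer traffic before the main table is consulted, which is why stopping it is suggested at the end of the thread. Firewall zone forwarding for wg0 is a separate layer and is not modelled here.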

I added the extra subnet into the config/network so I don’t have to issue the 1st command.

config wireguard_wg0
        option public_key 'FGp4MksWDblahram60u5k8XxvTmPNWgqIJ8u7+oMQhc='  # Client's public key
        # route_allowed_ips is a boolean; '1' makes netifd add a kernel route for each allowed_ips entry
        option route_allowed_ips '1'
        list allowed_ips '10.0.0.0/24'
        list allowed_ips '192.168.8.0/24'

Which gives:

root@GL-AR750:~# wg
interface: wg0
public key: hj4/kojAuEcblah2vw02/CRGEDz+aXc8dXzirflXA3I=
private key: (hidden)
listening port: 55555
peer: FGp4MksWDX8hblah60u5k8XxvTmPNWgqIJ8u7+oMQhc=
endpoint: 1.144.104.XX:3006
allowed ips: 192.168.8.0/24, 10.0.0.0/24
latest handshake: 1 minute, 59 seconds ago
transfer: 592 B received, 368 B sent

Device B can not see Device A. In fact nothing is seen on either network.

I sent ip route add 192.168.8.0/24 dev wg0 from the console but I can't see anything on the remote network (192.168.8.x). Pinging shows nothing; traceroute goes out the main gateway and dribbles around the internet till it fails.

All I have now is a tunnel between the 2 routers. How do I send data from the LAN/WiFi ports of the routers down the tunnel? And how do I make it persistent so the routes/paths are on when the routers start?

How about stopping mwan3 on both sides?

And how do I do that?

/etc/init.d/mwan3 stop