Endpoint Wireguard VPN over Wireguard Router Client VPN

Hello,

I am trying to set up the following scenario:

What I want to do is establish a VPN from the GlInet travel router to the VPN server 1. Once this tunnel has been established and I have a laptop connected to the GLinet network, I want to create a VPN from the laptop to VPN server 2.

The problem I have is that when connecting to the second server from the laptop I am arriving through the Public IP of the GLinet and not from the public IP of server 1.

In my opinion, the GLInet router is not sending the WireGuard traffic of the client (laptop) through the tunnel; I have verified that the rest of the traffic, such as web, ping, etc., goes through tunnel 1 correctly.

Any idea what could happen?

Thank you.

So you’re saying the GL travel router does not send your 2nd WG-initiated connection inside tunnel 1?

Can you probe WG listening port on Server 2 from the laptop and see the source IP of your traffic?

Edit: check the Wireguard’s configuration option nohostroute to get nested tunnels.

What VPN policy do you use?

I am using “global proxy” as VPN policy

That’s what I think. I’ll do the tcpdump that you propose to verify it.

Where should I apply this “nohostroute”? In the configuration on the WireGuard servers, or on the clients?

Edit: From what I see here, nohostroute is an OpenWrt configuration option; I am not very clear on how I should apply this to the GL.iNet router.

Yes on gl router:

uci set network.vpn.nohostroute="1"

But as @admon said you need to check the PBR rules after establishing the first tunnel; the option in question might get created automatically. To verify it issue:

uci show

I think the best approach is to check WireGuard this way, to find the issue by eliminating a few things:

  1. Does WireGuard show proper tx/rx at both ends?
  • And still no connection, and also no preshared key involved? Likely a routing issue.
  • And still no connection? Maybe "allow LAN" needs to be enabled.
  2. Does WireGuard not show proper tx/rx at both ends?
  • A firewall issue or handshaking issue; make sure the communication is also allowed to the LAN for the travel router and the keys are up to date.

What you mentioned is irrelevant to his issue. He already mentioned that the first tunnel is working.

From the console I try to apply this command but it does not work; in the uci show output I do not have this configuration option.

root@GL-SFT1200:/etc/config# uci set network.vpn.nohostroute=“1”
uci: Invalid argument

My router versions:

glinet version: 4.3.7
openwrt version: 1.06
wireguard-tools package: 0.0.20181218-1

Is that right?

We have verified again as follows:

  • VPN of the router connected to server 1
  • We connect Laptop to server 2
  • Ping to the internal network of server 2 from the laptop
  • We turn off the tunnel on server 1
  • The ping is still running correctly so I understand that the traffic is not going through tunnel 1 as we thought.

The tunnels both work correctly independently, the main problem is that the traffic from the tunnel established by the laptop does not pass through the tunnel established by the glinet (or so we suspect).

I see, I misread, sorry.

Could you check some output with commands:

route and ip route?

You said that ping etc. worked, but not a website; this seems to be an issue I also had not so long ago.

However, the WG server was for me on a vanilla OpenWrt. The fix for me was to edit the WireGuard interface, go to the Advanced tab, and check the "default gateway" checkbox for the server. This sounds weird at first, since it is often discouraged on the client, but it seems that for the server it works best if it follows the LAN route and firewall.

Can you check if that changes the behaviour? Or is this the full GL.iNet firmware?

Then you might enable allow access to wan in the server.

Smells like DNS error.

For me it showed two things timeout and refused, though for me it was really a routing issue, but my topology is very advanced.

In tcpdump I saw 0 traffic even though ping worked.

Can you check if that changes the behaviour? Or is this the full GL.iNet firmware?

My WG servers are Docker containers on different servers in different locations. They work correctly, since each has several clients working well.

You said that ping etc. worked, but not a website; this seems to be an issue I also had not so long ago.

I have not talked about web because it seems simpler to analyze this case through ping and traceroute.

Smells like DNS error.

Regarding the DNS, it works correctly and in my opinion it is not very relevant here. The DNS resolves correctly, in fact the ping is being resolved by DNS.

This is confusing, because at the beginning you said ping is going through the tunnel …

Anyway, once the first tunnel is successfully connected, share the WG gl client configurations. I am suspecting that GL’s PBR Global Proxy is conflicting with your configuration! It could be fixed using the option that I referred to at the beginning of the discussion.

Lastly, uci show is a command and not an option. If you execute it, it will show you all OpenWrt configurations, including the VPN’s. Try it again.

This is confusing, because at the beginning you said ping is going through the tunnel …

Well, I explained myself wrong, after activating tunnel 2 on the client, no traffic passes through tunnel 1 of the glinet.

Anyway, once the first tunnel is successfully connected, share the WG gl client configurations. I am suspecting that GL’s PBR Global Proxy is conflicting with your configuration! It could be fixed using the option that I referred to at the beginning of the discussion.

This is my tunnel 1 client configuration:

[Interface]
PrivateKey = XXXXXXX
ListenPort = 51820
Address = 10.13.13.3/32
DNS = 192.168.0.6, 1.1.1.1

[Peer]
PublicKey = XXXXXXX
PresharedKey = XXXXXX
AllowedIPs = 0.0.0.0/0
Endpoint = xxx.xxx.xxx.xxx:51820

Lastly, uci show is a command and not an option. If you execute it, it will show you all OpenWrt configurations, including the VPN’s. Try it again.

I understand; my router does not show any "network.vpn.nohostroute" in the output of the command "uci show".
And as I showed in the previous message, the command uci set network.vpn.nohostroute="1" does not work either. Could it be a problem with the OpenWrt version?

How did you ping, to an IP or to a domain?

I see a local DNS here; are you sure this DNS works from the WG client?

The DNS works for me, anyway, I don’t quite understand what problem the DNS could be causing in my problem. Maybe I haven’t fully explained the case or I don’t see how the DNS could affect me.

Thanks! For the AllowedIPs option specify the IP of the vpn server 1. And add this to the configuration:

FwMark = 51820

For the second WG configuration on the laptop don’t make these two changes.

Test and let us know.
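To see why the FwMark matters for nesting, here is an added example (not from the thread or from GL.iNet's firmware) that simulates the Linux policy-routing lookup a wg-quick style full-tunnel client sets up: the router's own marked WireGuard packets to server 1 must exit the WAN, while unmarked forwarded packets, including the laptop's WireGuard UDP to server 2, must enter tunnel 1. Interface names (eth0, br-lan, wg0) and the endpoint addresses are assumed, documentation-range values, and the second table set models a per-endpoint host route in main (the kind of route OpenWrt's nohostroute option suppresses), which reproduces the symptom of the laptop arriving at server 2 from the router's public IP.

```python
import ipaddress

# Constructed state modelled on what wg-quick creates for AllowedIPs = 0.0.0.0/0
# with FwMark = 51820 (0xca6c). Assumed: eth0 = WAN, br-lan = LAN, wg0 = tunnel 1.
# Assumed endpoints: 203.0.113.10 = VPN server 1, 198.51.100.20 = VPN server 2.
RULES = [  # (priority, condition, table), in the order `ip rule` prints them
    (32764, {"suppress_prefixlength": 0}, "main"),  # specific routes in main win
    (32765, {"not_fwmark": 51820}, "51820"),        # unmarked traffic -> tunnel
    (32766, {}, "main"),                            # marked traffic -> WAN default
]
TABLES = {
    "51820": [("0.0.0.0/0", "wg0")],
    "main": [("0.0.0.0/0", "eth0"), ("192.168.8.0/24", "br-lan")],
}
# Same tables plus a host route for server 2's endpoint via the WAN in main.
LEAKY_TABLES = {
    "51820": TABLES["51820"],
    "main": TABLES["main"] + [("198.51.100.20/32", "eth0")],
}


def lookup_table(routes, dst):
    """Longest-prefix match within one table; returns (prefixlen, dev) or None."""
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best


def egress(dst, fwmark=0, tables=TABLES):
    """Walk the rules by priority like the kernel's FIB rule lookup and return
    the device the packet leaves on (None if unroutable)."""
    dst = ipaddress.ip_address(dst)
    for _prio, cond, table in sorted(RULES, key=lambda r: r[0]):
        if "not_fwmark" in cond and fwmark == cond["not_fwmark"]:
            continue  # rule applies only to packets without the WireGuard mark
        hit = lookup_table(tables[table], dst)
        if hit is None:
            continue
        if hit[0] <= cond.get("suppress_prefixlength", -1):
            continue  # default route suppressed in this rule; keep walking
        return hit[1]
    return None


if __name__ == "__main__":
    print("router's own WG packets to server 1:", egress("203.0.113.10", 51820))
    print("laptop's WG UDP to server 2:", egress("198.51.100.20"))
    print("same, with a WAN host route for server 2:",
          egress("198.51.100.20", tables=LEAKY_TABLES))
```

With the intact rule set the laptop's packets leave on wg0 (server 2 sees server 1's public IP); with the extra host route they leave on eth0, which is exactly what the original poster observes.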

Thanks! For the AllowedIPs option specify the IP of the vpn server 1.

The internal wg IP of the server right (10.13.13.1)? Or the public?

FwMark = 51820

Should this be added in the configuration of server 1? or the client?

And regarding the issue of uci set network.vpn.nohostroute="1": is it normal that this command is not available on my router? Could it be the OpenWrt version?