Flint2 (MT6000) VPN WireGuard server: help to get a connection working through a custom port in a firewalled environment

Hello,
I'm confronted with a problem with the WireGuard VPN server on my Flint2 (MT6000).
I set it up to work on a custom port, like 5223, because it's the only available open port on the network I use when I am at work.

When I use my smartphone's 5G connection, or share it with my computer, the WireGuard server is reachable and works fine: internet goes through the VPN, and I can access my LAN at home.

But when I'm inside my work's network, I can't get a valid connection, and nothing works: no internet, no connection to my LAN...

What am I missing in the configuration?
How can I get it working?

Before having the Flint2, I had a Synology RT2600AC on which I used the SSL VPN server with success on the same port.
Now the Synology is in its box, no longer connected.

Thanks for the help.

PS: I am on macOS, with the official WireGuard client.

Guess your work network is good at blocking. Maybe they even drop all UDP traffic.

Your guess may be right.
Is it possible to create a configuration file with a TCP connection, and on the router to route the TCP to the UDP port of the WG server?

No, WireGuard needs UDP.

You can try OpenVPN in TCP mode.

Oh, I completely forgot about OpenVPN.
But in my experience with my ex-Synology, on my lag it wasn't stable: loss of connection and problems with my custom DNS server (AdGuard Home on another computer).
But I could try again.

Can you confirm that I can use the same port as WireGuard but on TCP?

Edit: I just saw a topic about Tailscale. Do you think I should look into it?

You can run OVPN on every port you like, but it makes sense to use one that is known for TCP traffic. It highly depends on the firewall of your company.

You could try Tailscale and ZeroTier as well.

I'll try OpenVPN :slight_smile:

What is the best configuration to apply?

I intend to maximise security, and get the best speed I can have with the security maxed ^^

Certificate only is fine.


OK, and for the other settings I screenshotted?

OpenVPN on TCP port 80 is working fine.
I hope it will work fine inside my work network.

@admon Do you know if there is a way to configure the VPN through the LuCI interface? Because I used the GL.iNet GUI for WireGuard and OpenVPN.

All other settings are fine. I doubt it will work on port 80 because firewalls know that they can read the content. If they can't, they block.

Port 443 could be a way, if there is no TLS proxy inside your company. If there is, you can try others like

  • 22
  • 3306
  • 3389
  • 3478
  • 5060
  • 5061

But if they know what they are doing, you won't find a working way.

Let's hope it'll be working on 80 :slight_smile:
I tried to find out which ports are open, and I had to use this command :slight_smile:

nc -vz portquiz.net 80-5555

and try another range.
But it seems that only 80 and 5223 are open. But I don't really remember the results ^^

To get back to the OpenVPN config: I had to add the DNS server IP manually inside the .ovpn file.
Is there a way to do that through the web UI?

And on my MacBook, I must use Tunnelblick to get a working connection... OpenVPN Connect doesn't let me achieve a working connection.
Is that normal?

And about this?

And by the way, thank you for your help :slight_smile:

Hello @admon,
I'm now connected through my OpenVPN server, with TCP port 80, from my work's network.
All seems to work fine. But in the log I got 2 warnings:

2024-09-06 12:19:17.462809 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
...
2024-09-06 12:19:17.853710 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
Warnings in context
2024-09-06 12:19:17.461052 2 variation(s) on previous 5 message(s) suppressed by --mute
2024-09-06 12:19:17.461099 MANAGEMENT: CMD 'pid'
2024-09-06 12:19:17.461188 NOTE: --mute triggered...
2024-09-06 12:19:17.461568 *Tunnelblick: Established communication with OpenVPN
2024-09-06 12:19:17.462094 *Tunnelblick: >INFO:OpenVPN Management Interface Version 5 -- type 'help' for more info
2024-09-06 12:19:17.462784 5 variation(s) on previous 5 message(s) suppressed by --mute
2024-09-06 12:19:17.462809 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-09-06 12:19:17.462819 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-09-06 12:19:17.466790 MANAGEMENT: >STATE:1725617957,RESOLVE,,,,,,
2024-09-06 12:19:17.658682 TCP/UDP: Preserving recently used remote address: [AF_INET]my_public_ip_at_home:80
2024-09-06 12:19:17.658822 Socket Buffers: R=[131072->131072] S=[131072->131072]
2024-09-06 12:19:17.658871 Attempting to establish TCP connection with [AF_INET]my_public_ip_at_home:80
2024-09-06 12:19:17.658899 MANAGEMENT: >STATE:1725617957,TCP_CONNECT,,,,,,
2024-09-06 12:19:17.665154 TCP connection established with [AF_INET]my_public_ip_at_home:80
2024-09-06 12:19:17.665256 TCPv4_CLIENT link local: (not bound)
2024-09-06 12:19:17.665288 TCPv4_CLIENT link remote: [AF_INET]my_public_ip_at_home:80
2024-09-06 12:19:17.665367 MANAGEMENT: >STATE:1725617957,WAIT,,,,,,
2024-09-06 12:19:17.683651 NOTE: --mute triggered...
2024-09-06 12:19:17.683797 1 variation(s) on previous 5 message(s) suppressed by --mute
2024-09-06 12:19:17.683858 TLS: Initial packet from [AF_INET]my_public_ip_at_home:80, sid=dde58be0 e68e6194
2024-09-06 12:19:17.712070 NOTE: --mute triggered...
2024-09-06 12:19:17.790750 3 variation(s) on previous 5 message(s) suppressed by --mute
2024-09-06 12:19:17.790885 [OpenVpn server] Peer Connection Initiated with [AF_INET]my_public_ip_at_home:80
2024-09-06 12:19:17.790935 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-09-06 12:19:17.791091 NOTE: --mute triggered...
2024-09-06 12:19:17.853500 1 variation(s) on previous 5 message(s) suppressed by --mute
2024-09-06 12:19:17.853631 PUSH: Received control message: 'PUSH_REPLY,persist-key,persist-tun,redirect-gateway def1,route-gateway 192.168.11.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.11.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2024-09-06 12:19:17.853710 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2024-09-06 12:19:17.853804 OPTIONS IMPORT: --persist options modified
2024-09-06 12:19:17.853830 NOTE: --mute triggered...
2024-09-06 12:19:17.855150 3 variation(s) on previous 5 message(s) suppressed by --mute
2024-09-06 12:19:17.855194 Opened utun device utun4
2024-09-06 12:19:17.855229 MANAGEMENT: >STATE:1725617957,ASSIGN_IP,,192.168.11.2,,,,
2024-09-06 12:19:17.855263 /sbin/ifconfig utun4 delete
                           ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2024-09-06 12:19:17.873070 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure

Does it mean I've done something wrong?

And last question: in the event that I wish to use LuCI from an OpenWrt firmware, is there a way to configure the VPN servers (OpenVPN and WireGuard) as I did with the GL.iNet interface?

Thanks in advance.
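The two warnings in the log above, plus the DNS line that had to be added by hand, as an added example that is not part of this thread or of GL.iNet's firmware: a small Python linter for a client .ovpn profile that adds `remote-cert-tls server` when no server-certificate verification directive is present (the first WARNING), collapses repeated `redirect-gateway` lines (the second WARNING), and appends a `dhcp-option DNS` line. The sample profile and the DNS address are constructed placeholders; if the duplicate actually comes from the server's PUSH_REPLY rather than from the file, the local `redirect-gateway` line is the one to remove.

```python
# Directives that satisfy OpenVPN's "server certificate verification" check.
SERVER_VERIFY = ("remote-cert-tls", "remote-cert-eku", "remote-cert-ku",
                 "verify-x509-name", "tls-verify", "peer-fingerprint")

def directives(profile):
    """Yield (name, args) per directive; inline <ca>...</ca> blocks are skipped."""
    in_block = False
    for line in (ln.strip() for ln in profile.splitlines()):
        if in_block:
            in_block = not line.startswith("</")   # leave the block at </tag>
        elif line.startswith("<"):
            in_block = True
        elif line and line[0] not in "#;":
            name, _, args = line.partition(" ")
            yield name, args.strip()

def lint(profile):
    found = list(directives(profile))
    names = [n for n, _ in found]
    issues = set()
    if not any(n in SERVER_VERIFY for n in names):
        issues.add("no-server-verify")     # the first WARNING in the log
    if names.count("redirect-gateway") + names.count("redirect-private") > 1:
        issues.add("dup-redirect")         # the second WARNING in the log
    if not any(n == "dhcp-option" and a.upper().startswith("DNS") for n, a in found):
        issues.add("no-dns")
    return issues

def harden(profile, dns=""):
    """Copy of profile with server verification enforced, repeated redirect-gateway
    lines dropped and, when dns is given and missing, a dhcp-option DNS line added."""
    issues, out, seen_redirect = lint(profile), [], False
    for raw in profile.splitlines():
        if raw.strip().startswith("redirect-gateway"):
            if seen_redirect:
                continue
            seen_redirect = True
        out.append(raw)
    if "no-server-verify" in issues:
        out.append("remote-cert-tls server")   # accept only a cert issued for server use
    if dns and "no-dns" in issues:
        out.append(f"dhcp-option DNS {dns}")   # e.g. the AdGuard Home host on the LAN
    return "\n".join(out) + "\n"

# Constructed sample in the shape of a client profile; not a real GL.iNet export.
SAMPLE = """client
proto tcp
remote my_public_ip_at_home 80
redirect-gateway def1
redirect-gateway def1
"""
```

Run `lint(SAMPLE)` to see the three findings, then `harden(SAMPLE, dns="192.168.8.100")` to get a profile that lints clean.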

I don't know about LuCI methods, but all VPNs can be configured using the shell and the config files, of course.

Yes, I know I can configure through the shell... but I prefer a GUI ^^

I see those packages in the LuCI System / app:

luci-app-openvpn
luci-i18n-openvpn-*
vpn-policy-routing

luci-app-wireguard
luci-i18n-wireguard-*
luci-proto-wireguard

luci-app-vpn-policy-routing
luci-i18n-vpn-policy-routing-*

Do you think those apps are safe to install in order to get used to the LuCI way of configuring?

You can't use LuCI to modify OpenVPN or WireGuard.

The reason is simple: the VPN servers are customized to work with the GL firmware (and GUI). So there is, for example, no "proto-wireguard" installed, even if WireGuard itself works. LuCI will not find the corresponding configs.

You can use LuCI to create new servers, but I am not sure if they will work. I would say they will conflict with the existing ones. To use LuCI for VPN management, you should go plain OpenWrt (so without the GL GUI).

OK, @admon, I understand. So I don't want to mess with the GL firmware configuration of the VPN servers.

I just hope there will be an update soon to have some apps up to date.
