Flint2 with Flint Site 2 site problem

ok, right now I have the 2 routers setup as follows:
on server at Virtual IP (IPv4) 10.0.0.1/24 port 1018
IP 174.85.9.222

Client

  • Server Address xxxxxxx.glddns.com
  • Server Listen Port 1018
  • Traffic Statistics 185.37 KB 1.33 MB
  • Client Virtual IP (IPv4) 10.0.0.2/24
    IP 35.129.37.191

I can log into the client router from the server side, so it's connected and working.

I do NOT have IP Masquerading on on either side, only Remote Access LAN.

I have rule route on server set to Target address 10.0.0.2/24 no gateway no metric no mtu scope=link
under Firewall "open ports on router" on BOTH I have Port 1018 TCP/UDP enabled

So the Internet side is working but still no local area network or network resources working....

That is wrong. The IP address of the LAN, the WG network and the LAN of the other router must be different.

192.168.10.1 LAN for 1st router
10.0.0.2 for WG client
192.168.20.1 LAN for 2nd router
should work.

sorry missed a setting, yes
server side LAN Router IP address set to 10.22.10.22 255.255.255.0
Start ip address 10.22.10.99 end 10.22.10.249

client ip address 10.22.20.22 255.255.255.0
Start ip address 10.22.20.99 end 10.22.20.249

CLIENT LOG AFTER CONNECT
Wed Jul 3 15:48:40 2024 daemon.notice netifd: wgclient (14221): sh: 1: unknown operand
Wed Jul 3 15:48:40 2024 daemon.notice netifd: Interface 'wgclient' is now down
Wed Jul 3 15:48:40 2024 daemon.notice netifd: Interface 'wgclient' is setting up now
Wed Jul 3 15:50:24 2024 user.notice wireguard-debug: USER=root ifname=wgclient ACTION=REKEY-GIVEUP SHLVL=2 HOME=/ HOTPLUG_TYPE=wireguard LOGNAME=root DEVICENAME= TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin PWD=/
Wed Jul 3 15:50:25 2024 daemon.notice netifd: wgclient (15304): sh: 1: unknown operand
Wed Jul 3 15:50:25 2024 daemon.notice netifd: Interface 'wgclient' is now down
Wed Jul 3 15:50:25 2024 daemon.notice netifd: Interface 'wgclient' is setting up now
Wed Jul 3 15:50:25 2024 user.notice firewall: Reloading firewall due to ifdown of wgclient ()
Wed Jul 3 15:51:40 2024 daemon.notice netifd: Network device 'wgclient' link is up
Wed Jul 3 15:51:40 2024 daemon.notice netifd: Interface 'wgclient' is now up
Wed Jul 3 15:51:40 2024 user.notice firewall: Reloading firewall due to ifup of wgclient (wgclient)
Wed Jul 3 15:51:41 2024 user.notice wgclient-up: env value:T_J_V_ifname=string J_V_address_external=1 USER=root ifname=wgclient ACTION=KEYPAIR-CREATED N_J_V_address_external=address-external SHLVL=3 J_V_keep=1 HOME=/ HOTPLUG_TYPE=wireguard T_J_V_interface=string J_V_ifname=wgclient T_J_V_link_up=boolean LOGNAME=root DEVICENAME= T_J_V_action=int TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin CONFIG_LIST_STATE= J_V_interface=wgclient K_J_V= action ifname link_up address_external keep interface J_V_link_up=1 J_V_action=0 T_J_V_address_external=boolean N_J_V_link_up=link-up T_J_V_keep=boolean PWD=/ JSON_CUR=J_V CONFIG_SECTIONS=global AzireVPN Mullvad FromApp group_5064 group_8031 group_7349 group_1646 peer_2001 CONFIG_cfg030f15_ports=

SERVER log after connection
Wed Jul 3 13:15:21 2024 user.notice wgserver-route: env value:CONTENT_TYPE=application/json GATEWAY_INTERFACE=CGI/1.1 DOCUMENT_URI=/cgi-bin/glc REMOTE_ADDR=10.22.10.111 SHLVL=2 QUERY_STRING= HOME=/ FCGI_ROLE=RESPONDER DOCUMENT_ROOT=/www REMOTE_PORT=64749 HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 HTTP_ACCEPT=application/json, text/plain, / CONTENT_LENGTH=89 HTTP_HOST=10.22.10.22 REQUEST_URI=/rpc SERVER_SOFTWARE=nginx/1.17.7 REQUEST_SCHEME=http HTTP_CONNECTION=keep-alive TERM=linux HTTP_COOKIE=Admin-Token=dAXAEBfH7cwexXa3LoG5YxLGbuF6K0wX PATH=/usr/sbin:/usr/bin:/sbin:/bin HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.9 HTTP_REFERER=http://10.22.10.22/ SERVER_PROTOCOL=HTTP/1.1 HTTP_ACCEPT_ENCODING=gzip, deflate HTTP_CONTENT_TYPE=application/json REDIRECT_STATUS=200 REQUEST_METHOD=POST SERVER_ADDR=10.22.10.22 PWD=/www/cgi-bin HTTP_ORIGIN=http://10.22.10.22 SERVER_PORT=80 SCRIPT_NAME=/cgi-bin/glc SERVER_NAME= HTTP_CONTENT_LENGTH=89
Wed Jul 3 13:15:21 2024 user.notice wgserver-route: route_flag=4, dest=10.0.0.2, mask=24, gateway=, metric=, mtu=
Wed Jul 3 13:15:21 2024 daemon.notice netifd: Network device 'wgserver' link is down
Wed Jul 3 13:15:21 2024 user.notice firewall: Reloading firewall due to ifdown of wgserver ()
Wed Jul 3 13:15:22 2024 daemon.notice netifd: Interface 'wgserver' is now down
Wed Jul 3 13:15:22 2024 daemon.notice netifd: Interface 'wgserver' is setting up now
Wed Jul 3 13:15:22 2024 daemon.notice netifd: Interface 'wgserver' is now up
Wed Jul 3 13:15:22 2024 daemon.notice netifd: Network device 'wgserver' link is up
Wed Jul 3 13:15:22 2024 user.notice wgserver-route: route_flag=4, dest=10.0.0.2, mask=24, gateway=, metric=, mtu=
Wed Jul 3 13:15:22 2024 daemon.notice netifd: wgserver (12663): RTNETLINK answers: Invalid argument
Wed Jul 3 13:15:23 2024 user.notice firewall: Reloading firewall due to ifup of wgserver (wgserver)
Wed Jul 3 15:50:00 2024 daemon.notice netifd: Network device 'wgserver' link is down
Wed Jul 3 15:50:00 2024 user.notice firewall: Reloading firewall due to ifdown of wgserver ()
Wed Jul 3 15:50:00 2024 daemon.notice netifd: Interface 'wgserver' is now down
Wed Jul 3 15:51:37 2024 daemon.notice netifd: Interface 'wgserver' is setting up now
Wed Jul 3 15:51:37 2024 daemon.notice netifd: Interface 'wgserver' is now up
Wed Jul 3 15:51:37 2024 daemon.notice netifd: Network device 'wgserver' link is up
Wed Jul 3 15:51:37 2024 user.notice wgserver-route: route_flag=4, dest=10.0.0.2, mask=24, gateway=, metric=, mtu=
Wed Jul 3 15:51:37 2024 daemon.notice netifd: wgserver (27146): RTNETLINK answers: Invalid argument
Wed Jul 3 15:51:37 2024 user.notice firewall: Reloading firewall due to ifup of wgserver (wgserver)

May I know if the wg server and client (including the LAN of 2 router) work well?

If not, please refer to what admon mentioned:

OK, over the Holiday weekend I reset both routers to factory. I set the following
GL-MT6000 Flint 2 (Only Router on Lan)

  • Set Timezone
  • Set Lan to 10.22.10.22
  • Check IP to ISP 174.85.9.222
  • Set Wireguard Server to IPv4 10.0.0.1/24 port 1018
  • Not sure what to set route rule at?
  • Set Wireguard Server Options – Remote Access Lan ON, MTU 1420
    Note: IP Masquerading OFF Client to Client OFF
  • Set router Firewall Open Ports on Router TCP/UDP port 1018
  • Set Dynamic DNS to Enabled
  • Created host profile for client with DDNS on

GL-AX1800 Flint (Only Router on Lan)

  • Set Timezone
  • Set Lan to 10.22.20.22
  • Check IP to ISP 35.129.37.191
  • Set router Firewall Open Ports on Router TCP/UDP port 1018
  • Set New Provider in Wireguard Client
  • Added Client profile from step 9 above
  • Set Wireguard Client Options to Remote Access Lan ON
  • Set Wireguard Client Options to IP Masquerading ON
  • Set Wireguard Client Options to MTU 1450
  • Set Wireguard Client ip to 10.0.0.2/24 port 1018

Started Flint 2 VPN Server = green light

Started Flint VPN Client = green light

Client reports Virtual IP (IPv4) = 10.0.0.2/24

FROM SERVER PC I can access the Client router setting if I put 10.0.0.2 in a browser window.

The VPN part is done and working for internet traffic!

Now for the VLAN - What changes are needed to allow this to access local network resources?

I have windows 10 on all computers, the server has about 4 Drives and a NAS with 2 drives and we have printers on both server and client that need shared – none can be seen yet

To share we use namespaces like [\server1\cdrive](file://server1/cdrive) [\workstation\checkprinter](file://workstation/checkprinter) stuff like that... But that should not matter either; the local network is accessible or it is not. Currently it is not. Other than REMOTE ACCESS LAN what other settings are required to finish this?

I assume the last step is the ROUTING tables? but I did not see anything on how to edit those? I would think selecting REMOTE ACCESS LAN on each side did that step for me?

xize11


Razkle


This could be due to two things, see @admon's reaction, but it can also be DHCP rebind protection.

Does pinging to the wireguard virtual ip work?

edit:

I also notice this:
10.0.0.5/24 usually this is not recommended for a site to site vpn, you essentially want:

the server needs:
10.0.0.1/24 <- many people including myself make the mistake in turning this into a host bit, if it looks like that ending with 0/24 that is wrong this can also be a cause it is not working.

For the peers it's better to use a more abstract approach:

You use 10.0.0.5/32 and for allowed ip: 0.0.0.0/0 on the client.

Can you explain this a little better? The system sets up the vpn at the .2/24 if I change that to .2/32 then nothing works

For the peer, having 10.0.0.5/32 means that your client config explicitly needs 10.0.0.5; if you replace that with /24 the client peer can be more IPs.

Technically, if you plan for multiple site to site connections you want a more strict/static approach, then 10.0.0.5/32 is more feasible.

If you want peer to peer communication, this will be handled by the wireguard server and from there the firewall rules, so /24 is not needed for this only if you want to talk to the peers directly.

So both peer config can be valid, but /24 makes a peer able to talk directly to other peers.

Once 'Allow Remote Access LAN' is enabled in the router which acts as the VPN server, the PC behind the router which acts as the VPN Client is able to access the SERVER router. You can try to ping the Server LAN IP 10.22.10.22 or those LAN devices.

Please show the output of 'ip route' in SSH on the Client router.


UPDATE - the network is working on the CLIENT, as in I can access SERVER resources via their IP address instead of their namespace: 10.22.10.172 gets me to my workstation instead of "\\patrick", so namespaces don't work but IPs do. But the server still does not have access to the client's devices; when I try to reach 10.22.20.245 (the client side PC) it can't ping or connect. AND how will this work with printers that are SHARED from Windows computers? They technically don't have an IP address.

From the server I can ping 10.0.0.2 but nothing else.
SERVER traceroute to 10.0.0.2 (10.0.0.2), 30 hops max, 46 byte packets
1 10.0.0.2 24.927 ms

From the client I can ping 10.22.10.any ip on server and it works.
CLIENT traceroute to 10.22.10.222 (10.22.10.222), 30 hops max, 38 byte packets
1 10.0.0.1 64.458 ms
2 10.22.10.222 64.303 ms

My gut says this is a router table issue on server at this point?

ok I went back to Building a Site-2-Site network manually using two GL.iNet routers(SDK 4.X) - Technical Support for Routers / VPN, DNS, Leaks - GL.iNet (gl-inet.com)

I applied the route from there with my numbers and BAM! Working as intended! The namespaces don't work, but I will just assign IPs to each device and re-map all shared printers from the PCs' IPs.

This problem is resolved! thanks for all the help and pointers!
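The two things the thread circles around are (a) the three subnets (server LAN, client LAN, WireGuard transfer network) must not overlap, and a route or AllowedIPs target written with host bits set, like the 10.0.0.2/24 that produced "RTNETLINK answers: Invalid argument" in the server log, and (b) the return route the server needs for the client LAN, which is the route the last post adds by hand. The checker below is an added example, not GL.iNet's code or anything from the thread; it assumes the interface names wgserver/wgclient from the logs and that the route/AllowedIPs wording is what the router UI ends up applying.

```python
import ipaddress

# Constructed sample values taken from the thread: the two LANs and the
# WireGuard transfer network. Interface names are the ones seen in the logs.
SERVER_LAN = "10.22.10.0/24"
CLIENT_LAN = "10.22.20.0/24"
WG_NET = "10.0.0.0/24"
SERVER_WG_IP = "10.0.0.1"
CLIENT_WG_IP = "10.0.0.2"


def normalize_prefix(text):
    """Parse a CIDR string. Returns (network, warning); warning is None for a
    clean network prefix, otherwise describes the host-bit mistake from the
    thread (10.0.0.2/24 used as a route target instead of 10.0.0.0/24)."""
    try:
        return ipaddress.ip_network(text, strict=True), None
    except ValueError:
        iface = ipaddress.ip_interface(text)
        warn = (f"{text} has host bits set: use {iface.network} for the whole "
                f"subnet or {iface.ip}/32 for a single peer")
        return iface.network, warn


def plan_site_to_site(server_lan, client_lan, wg_net, server_wg_ip, client_wg_ip):
    """Check that the three subnets are distinct, then return the routes and
    AllowedIPs each side needs. Assumption (hypothetical, from the thread's
    outcome): the Remote Access LAN toggle does not add the server's return route."""
    nets, problems = {}, []
    for name, text in (("server_lan", server_lan), ("client_lan", client_lan), ("wg_net", wg_net)):
        nets[name], warn = normalize_prefix(text)
        if warn:
            problems.append(warn)
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}; all three must differ")
    for name, ip in (("server_wg_ip", server_wg_ip), ("client_wg_ip", client_wg_ip)):
        if ipaddress.ip_address(ip) not in nets["wg_net"]:
            problems.append(f"{name} {ip} is outside {nets['wg_net']}")
    return {
        "problems": problems,
        # Kernel routes: each side must know the far LAN lives behind its WG interface.
        "routes": {"server": f"ip route add {nets['client_lan']} dev wgserver",
                   "client": f"ip route add {nets['server_lan']} dev wgclient"},
        # Cryptokey routing: WireGuard drops packets whose source is not in the peer's
        # AllowedIPs, so the client LAN must be listed on the server's entry for the client.
        "allowed_ips": {"server_peer_for_client": [f"{client_wg_ip}/32", str(nets["client_lan"])],
                        "client_peer_for_server": [str(nets["wg_net"]), str(nets["server_lan"])]},
    }
```

Run it with the thread's values and "problems" comes back empty; feed it the original route target 10.0.0.2/24 through normalize_prefix and it reports the host-bit error that matches the RTNETLINK line in the server log.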
