GL-SFT1200 as a secondary Wireguard VPN client - No Internet

Hello,

I am trying to set a GL-SFT1200 as a dedicated secondary VPN router behind a primary Netgear CAX30 (cable modem/router combo). I am setting a Wireguard client on the secondary router to access a Windscribe VPN service.

I have been trying for over two weeks, have gone through many tutorials and done a lot of research, and I also checked similar posts in this forum, which helped me a lot with the configuration that I’m sharing below, but I still can’t get it to work.

I’m kind of a beginner in networks, so some of the options that are listed below might be wrong or not needed, so please let me know.

The WAN port of the primary modem/router is connected to the internet source from the ISP, and I have an ethernet connection from a LAN port in the primary router to the WAN port of the secondary router.

Here are the main settings in the primary modem/router:
It has the default Netgear firmware version V1.4.12.2
LAN IP Address: 192.168.1.1
IP Subnet Mask: 255.255.255.0
Use Router as DHCP Server: checked
Secondary router has static IP address reservation “192.168.1.20”
Default DMZ Server: checked, and set to the secondary router WAN IP “192.168.1.20”
Port Forwarding:

External Port               Internal Port         Internal IP Address
UDP: 51820                   UDP: 51820            192.168.1.20       (For Wireguard)
TCP: 1723                    TCP: 1723             192.168.1.20       (For VPN-PPTP Passthrough)

Here are the settings in the secondary router:
Firmware Version: OpenWrt 18.06 r0-d5ed025 / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152)
Kernel Version: 4.14.90

Interfaces:

WG0

  • Status:
    Device: WG0
    Uptime: 5h 16m 17s
    RX: 81.56 KB (1147 Pkts.)
    TX: 48.73 KB (772 Pkts.)
    IPv4: xxx.xxx.xxx.xxx/32 (from VPN config)

  • Protocol: WireGuard VPN

  • Private Key: From VPN config

  • Listen Port: 51820

  • IP Addresses: xxx.xxx.xxx.xxx/32 (from VPN config)

  • Bring up on boot: Checked

  • Use builtin IPv6-management: Checked

  • Force link: Checked

  • Metric: 0 (Default)

  • MTU: 1420 (Default)

  • Firewall Mark: empty (Default)

Peers

  • Public Key: From VPN config

  • Preshared Key: From VPN config

  • Allowed IPs:
    0.0.0.0/0
    ::/0

  • Route Allowed IPs: Checked

  • Endpoint Host: From VPN config

  • Endpoint Port: 443

  • Persistent Keep Alive: 25

WAN

  • Status:
    Device: eth0.2
    Uptime: 5h 26m 20s
    RX: 20.05 MB (155384 Pkts.)
    TX: 2.00 MB (20227 Pkts.)
    IPv4: 192.168.1.20/24

  • Protocol: DHCP client

  • Hostname to send when requesting DHCP: GL-SFT1200-b0d

  • Bring up on boot: Checked

  • Use builtin IPv6-management: Checked

  • Force link: Un-checked

  • Use broadcast flag: Un-checked

  • Use default gateway: Checked

  • Use DNS servers advertised by peer: Un-checked

  • Use custom DNS servers: From VPN config

  • Use gateway metric: 10 (Default)

  • Client ID to send when requesting DHCP: empty (Default)

  • Vendor Class to send when requesting DHCP: empty (Default)

  • Override MAC address: (Default)

  • Override MTU: 1500 (Default)

  • Bridge interfaces: Un-checked

  • Interface: eth0.2

LAN

  • Status:
    Device: br-lan
    Uptime: 3h 52m 56s
    RX: 9.30 MB (85102 Pkts.)
    TX: 7.73 MB (83903 Pkts.)
    IPv4: 192.168.8.1/24

  • Protocol: Static address

  • IPv4 address: 192.168.8.1

  • IPv4 netmask: 255.255.255.0

  • IPv4 gateway: 192.168.1.20

  • IPv4 broadcast: empty (Default)

  • Use custom DNS servers: empty (Default)

  • IPv6 assignment length: 60 (Default)

  • IPv6 assignment hint: empty (Default)

  • IPv6 suffix: ::1 (Default)

  • Bring up on boot: Checked

  • Use builtin IPv6-management: Checked

  • Force link: Checked

  • Override MAC address: (Default)

  • Override MTU: 1500 (Default)

  • Use gateway metric: 0

  • Bridge interfaces: Checked

  • Enable STP: Un-checked

  • Enable IGMP snooping: Un-checked

  • Interface: eth0.1, wlan0, wlan1

DHCP Server

  • Ignore interface: Un-checked

  • Start: 100 (Default)

  • Limit: 150 (Default)

  • Lease time: 12h (Default)

  • Dynamic DHCP: Checked

  • Force: Checked

  • IPv4-Netmask: empty (Default)

  • DHCP-Options: empty (Default)

Firewall - Zone Settings

  • Enable SYN-flood protection: Checked

  • Drop invalid packets: Un-checked

Zones

Name        Zone => Forwardings      Input      Output      Forward      Masquerading      MSS Clamping
lan          lan => WGZone           accept     accept      accept       Un-checked        Un-checked
wan          wan => REJECT           reject     accept      reject       Checked           Checked
WGZone       WGZone => REJECT        reject     accept      reject       Checked           Checked

I am connecting a laptop to a LAN port of the secondary router. Before adding the VPN interface, I was able to access the internet through the laptop. However, when I created the VPN interface and set the zones as above, I don’t have internet access anymore. Also the wifi on my phone can see the network, but it says “No internet access”.

I tried the Windscribe config file on different machines connected directly to the primary modem/router, and it’s working fine, so that rules out any issues with the config file and the VPN server.

I tried logging in to the primary modem/router portal from the laptop that is connected to the secondary router, but it didn’t work (and I don’t mind, just sharing in case that helps in the debugging).

I used the diagnostic tool on the secondary router, and it’s connected to the internet through the VPN, and I was able to even download some packages to the router through the router’s Software tab. I confirmed that the router is connected to the internet by using ping, traceroute, nslookup, and the following command which showed my IP address as the one in the VPN config.

. /lib/functions/network.sh; network_find_wan NET_IF; network_get_ipaddr NET_ADDR "${NET_IF}"; echo "${NET_ADDR}"

Here’s the output from the traceroute command on the secondary router:

traceroute to openwrt.org (139.59.209.225), 30 hops max, 38 byte packets
 1  192.168.1.1  1.959 ms
 2  *
 3  96.34.113.96  9.920 ms
 4  96.34.112.39  11.167 ms
 5  96.34.2.34  14.421 ms
 6  96.34.3.71  12.701 ms
 7  62.115.180.82  12.947 ms
 8  *
 9  *
10  62.115.137.54  30.266 ms
11  *
12  62.115.141.245  55.898 ms
13  *
14  62.115.112.63  122.339 ms
15  62.115.44.250  123.304 ms
16  138.197.244.67  135.773 ms
17  *
18  *
19  *
20  *
21  139.59.209.225  134.297 ms

I tried ping and nslookup on the laptop connected to the secondary router, and both of them failed, and the traceroute command gave me the following output:

traceroute to openwrt.org (139.59.209.225), 64 hops max, 52 byte packets
1 console.gl-inet.com (192.168.8.1) 1.885 ms 1.248 ms 0.939 ms
2 console.gl-inet.com (192.168.8.1) 0.917 ms 0.941 ms 0.937 ms

I downloaded Wireshark to trace the packets, tried to navigate to a website through my browser, and here’s what I got in Wireshark:

I made sure to reboot both routers after every change I made, and I also go to System and sync the clock to the browser to avoid the race condition.

I have a feeling that it’s a NAT issue that can be solved with a firewall rule, but I don’t know how to do it or what to try next.

Please let me know if any more information is needed.

Hi,

Why did you make so many manual settings instead of using the GL.iNet GUI for it? I would just set up the VPN on the 2nd router and set the switch for “Block everything without VPN”.

Thank you @admon for your reply!

That’s what I tried first, and when I enabled the “Kill switch” its indicator would turn green, but when I enabled the VPN its indicator would turn yellow and the Internet stopped working; that’s why I switched to the fully manual configuration after reading other posts.

I can reset the firmware and switch back to the easier method if I know how to fix it, although I think the fully manual configuration would make it easier to debug, unless it’s an issue related to the primary modem/router.

Without understanding your complex settings completely, I wonder about the Gateway in LAN.

The interface got an IP 192.168.8.1. With this IP comes a Subnet 255.255.255.0 (or /24).
This means your local network goes from 192.168.8.0 (network) to 192.168.8.255 (broadcast)… it can not reach 192.168.1.20, even if this IP is available on the same device.

You need a router in 192.168.8.1, that will send all unknown requests to 192.168.1.20 as next hop.

I’d think this is your configuration error.
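Two of the symptoms in this thread can be checked mechanically: a LAN default gateway that lies outside the LAN subnet (the point made above), and a client traceroute whose first two hops are both the router’s own LAN address (the laptop output quoted earlier). The script below is an added example, not code from the thread or from GL.iNet; the traceroute texts are copied from the outputs posted above, and the function names are my own.

```python
import ipaddress
import re
from typing import List, Optional

# Values from the thread: secondary router LAN interface and its configured gateway.
LAN_CIDR = "192.168.8.1/24"
LAN_GATEWAY = "192.168.1.20"

# Copies of the two traceroute outputs quoted in the thread (router side truncated).
LAPTOP_TRACE = """\
traceroute to openwrt.org (139.59.209.225), 64 hops max, 52 byte packets
1 console.gl-inet.com (192.168.8.1) 1.885 ms 1.248 ms 0.939 ms
2 console.gl-inet.com (192.168.8.1) 0.917 ms 0.941 ms 0.937 ms
"""
ROUTER_TRACE = """\
traceroute to openwrt.org (139.59.209.225), 30 hops max, 38 byte packets
 1  192.168.1.1  1.959 ms
 2  *
 3  96.34.113.96  9.920 ms
"""

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def gateway_problem(lan_cidr: str, gateway: str) -> Optional[str]:
    """Describe why the gateway is unusable as a next hop, or None if it is fine.

    A next hop must be an address inside the interface's own subnet and not the
    interface address itself; an address on another interface of the same box
    (192.168.1.20 on the WAN side here) is unreachable from the LAN subnet.
    """
    iface = ipaddress.ip_interface(lan_cidr)
    gw = ipaddress.ip_address(gateway)
    if gw == iface.ip:
        return f"gateway {gw} is the LAN interface itself (no effect)"
    if gw not in iface.network:
        return f"gateway {gw} lies outside LAN subnet {iface.network}"
    return None


def hop_addresses(trace: str) -> List[str]:
    """Extract one address per hop line ('*' for hops that did not answer)."""
    hops = []
    for line in trace.splitlines():
        m = re.match(r"^\s*(\d+)\s+(.*)$", line)  # hop lines start with the hop number
        if m:
            ip = IPV4.search(m.group(2))
            hops.append(ip.group(1) if ip else "*")
    return hops


def diagnose_trace(trace: str, router_lan_ip: str) -> str:
    """'loop-at-router' if hops 1 and 2 are both the router's LAN address, else 'forwarded'."""
    hops = hop_addresses(trace)
    if len(hops) >= 2 and hops[0] == hops[1] == router_lan_ip:
        return "loop-at-router"  # packets never leave the router: no usable default route
    return "forwarded"
```

A loop-at-router result on the client, while the router itself reaches the Internet, points at routing or NAT between the LAN zone and the VPN zone rather than at the VPN tunnel.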

Thank you @LupusE for the explanation!

I did remove the IPv4 default gateway from the lan settings, restarted both routers, synced clock to browser to avoid race condition, and the results are pretty much the same; secondary router connected to Internet through the VPN (ping, traceroute, and nslookup working fine and showing IP assigned by VPN), while laptop and phone can’t access Internet.

Then I tried adding “192.168.8.1” as the default gateway, repeated the same steps above, and still the same result.

I would like to note though that the failed ping through the laptop says “Destination port unreachable”. Not sure if this can help point out the issue.

Just to be sure: you don’t test in the same Network?

If your VPN Server is correctly routed from WAN to LAN and reachable, a VPN client from LAN can’t reach the VPN Server from this address.
In a simple network it would work to change the VPN server address in the VPN client configuration, but then the port forwarding is out of scope.

So my network isn’t that simple, but what works here should be no problem at your setup.
At worst, we don’t know what Asus means by DMZ … So I would leave this option disabled at first. Just set up port forwarding.

Your Asus got an IP from your provider on Port WAN-Z and the IP 192.168.1.1/24 at LAN-A. Every device at Asus LAN-A or WLAN-A gets an IP from 192.168.1.0/24. They can talk to each other and over the default gateway 192.168.1.1 to the Internet.
The GL.iNet VPN Server is connected via WAN-B to Asus LAN-A and got the IP 192.168.1.20 assigned (via DHCP lease or manual). This is the WAN from GL.iNet. The LAN-B is 192.168.8.1. Every device connected to the GL.iNet LAN-B can talk to each other, via IP to all devices at Asus LAN-A and to Internet WAN-Z.
The LAN-A devices can’t talk to the LAN-B devices! This is a double NAT. We maybe come to this later.

Now the GL.iNet router can assign a DDNS name from GL.iNet, but every other Dynamic DNS (Qnap, Instar, NoDNS, MyFritz, …) will work as well.

Connect any device to your GL.iNet router and check if you can reach any site on the Internet. Google.com for example or GL-iNet.com … Oh, look a new Flint2. I need to order - Anyways, back to topic.

Now you just need to activate the VPN Server on your GL-iNet router. Use the wizard, it is enough for the moment.
In the configuration a port number is mentioned; the default for Wireguard is 51820. This port 51820 needs to be forwarded at your Asus router from Internet WAN-Z to your GL-Inet WAN-B 192.168.1.20.

Now that the Wireguard service is listening on the above mentioned port, you can check from LAN-A with NMAP: nmap -p 51820 192.168.1.20.
If it works, you need to go to the Internet and check if the forwarding is working with nmap -p 51820 <your dyndns host.domain.tld>.

On your Wireguard Server you can create a Wireguard client configuration. Be sure to use the slider ‘Use DDNS’ on top. Do this from any device in GL-iNet LAN-B.
Use any VPN client, for example the App ‘Wireguard’ for Android or iOS and scan the QR code.
Now deactivate WLAN on your mobile and go to the App Wireguard. There should be one slider, activate it… Now the VPN should work.

Now the way is: Mobile - VPN via Wireguard App - VPN Endpoint GL.iNet Router → GL.iNet WAN-B in LAN-A to Asus WAN-Z
Out of the VPN: Mobile - (Internet WAN-Z) - Asus router - (LAN-A) - GL.iNet router - (Wireguard Routing Magic) - GL.iNet router - (LAN-A) - Asus router - (Internet WAN-Z)

See, LAN-B isn’t involved.
From now on, with the basics working, you can experiment with manual configs and different routings.

Sorry that I don’t get into detail. Have had no breakfast or coffee.


Thanks a lot @LupusE for the detailed explanation, and for your dedication to answer before having breakfast and coffee. I really appreciate it :slight_smile:

I am actually testing in the same network, in LAN-B to be more specific.

So what I’m trying to do is to have only certain devices within my home network to connect to the Internet through VPN service, so I’m trying to set a WireGuard client (not server) on the GL-SFT1200.
My understanding is that the WireGuard server will be a server provided by the VPN service for me, and that I don’t need to set a VPN server at my end unless I want to access my network remotely (which I’m not interested in now). Is my understanding correct?

I found the picture below in another website, which is basically what I’m trying to do.

Your description is exactly what I’m trying to do, except for

The GL.iNet VPN Server is connected via WAN-B to Asus LAN-A

Where I’m trying to set a GL.iNet VPN client not server, but I’m assuming this shouldn’t cause an issue (or should it?)

Also clients on LAN-B are able to talk to clients on LAN-A and to WAN-Z when the VPN is disabled on GL.iNet, and when the VPN is enabled, they can’t see clients on LAN-A nor WAN-Z, which I’m assuming is the core issue that I’m trying to solve.

I’m expecting that devices on LAN-A wouldn’t be able to see clients on LAN-B due to double NAT, and I’m okay with it that way.

Again I’m assuming that I only need DDNS if I want to access my home network remotely, which I’m not interested in, so I don’t need to set a DDNS (or do I?)

Oh, look a new Flint2. I need to order

That was exactly my reaction :joy:

I did disable DMZ on the Netgear modem/router, reset the firmware on the GL.iNet router, set a WireGuard VPN client manually by copying the config that I received from the VPN service, enabled “Internet Kill Switch”, rebooted both routers, and synced the system clock to the browser to avoid race condition. I used the GL.iNet GUI wizard this time.

Before enabling the VPN, I made sure that clients in LAN-B are able to talk to clients in LAN-A and WAN-Z, and I’m getting the same public IP assigned by ISP.

After enabling the VPN (and rebooting and syncing clock), the same problem arises, the VPN indicator in the GUI turns yellow instead of green, clients in LAN-B can’t see clients on LAN-A nor WAN-Z anymore.

This time though the router isn’t connected to the Internet (ping, traceroute, and nslookup fail, saying: bad address). I didn’t do any port forwarding in the GL.iNet firewall as I’m assuming the VPN wizard will take care of that (or should I set any?)

I enabled “Allow Access Local Network” in the VPN client, still clients in LAN-B can’t see clients on LAN-A (again it doesn’t bother me, just sharing as I think it might be crucial to identifying the issue)

I tried “nmap -p 51820 192.168.1.20”, but got a message saying host is down, even though I’m able to ping it. I tried “nmap -Pn 51820 192.168.1.20”, and the report says “All 1000 scanned ports on 192.168.1.20 are in ignored states. Not shown: 1000 filtered tcp ports (no-response)”

I’m also suspecting some ports in the primary Netgear modem/router need to be forwarded as well, maybe 443 or 80 or both. Could that be the problem?

Also I’m using the latest stable firmware; 3.216. Should I use the beta version 4.3.7 instead?

Yes. Before I start to picture the new setup, please upgrade to 4.x. It is a huge improvement on every GL.iNet device, at least in my setup.

I never worked with an external VPN service. Because I am too paranoid. It is hard to trust the ISP … But where to draw the line?

Ping is ICMP, NMAP is TCP … My fault, forgot to set UDP: nmap -sU -p51820 <VPN provider address>. No need to NMAP your internal device without service/VPN Server.
Nmap needs to work from any client in the network 192.168.1.0/24 to your VPN provider. If the client can reach the endpoint, the GL-iNet should as well.
So no need for DDNS, as you already figured out.


Thank you @LupusE so much for your help :slight_smile:

That was it, I upgraded the firmware as you suggested, did the same exact steps, and it worked right away.

Not sure what was the issue with the older firmware, but it doesn’t matter anymore as long as it’s working now, and the new GUI is way better!

Great, glad to hear it worked out.

Yes, there could be issues with external providers in the ‘old’ 3.x firmware. I doubt GL.iNet is interested in fixing them, if 4.x works.

Even the beta and RC releases work well for me in standard cases. There can be bugs in special setups. But here, the GL.iNet team is always nice to help debugging and provide a fix. Especially when you are working with them and providing as much information as possible, like you did here.

Good for you. I am writing an article on how to set up GL.iNet routers in an RV, so I already had the basics in my head … So I was more motivated to write down the basics understandably than to solve your issue. Win-Win for both of us :wink:


Indeed, you’ve been very helpful :slight_smile:

Glad to hear that. Good luck with your article!