How to access my LAN devices through VPN server?

Hello community, I really need help.

  • I have my Spitz AX connected to Starlink via Ethernet (LAN 1 port, because the dish is connected to the hub on the WAN port)
  • The router is set up with a WireGuard VPN client (Mullvad) and a VPN server going through a dynamic DNS service.
  • I have a few IoT devices that connect to the router via WiFi

When I am connected to my wireless everything is good; I can access all my LAN devices. For example, my heater is on http://192.168.8.169

Now I use my phone connected via LTE and spin up a WireGuard client to my Spitz AX.
The VPN on my phone says “connected”.

First issue: in the router control panel the WireGuard server says 0 clients connected! Weird??? But my phone says it is connected… what to trust??

Here is the log:

Thu Nov 30 10:16:34 2023 daemon.notice netifd: Interface 'wgserver' is setting up now
Thu Nov 30 10:16:35 2023 daemon.notice netifd: Interface 'wgserver' is now up
Thu Nov 30 10:16:35 2023 daemon.notice netifd: Network device 'wgserver' link is up
Thu Nov 30 10:16:35 2023 user.notice mwan3[9020]: Execute ifup event on interface wgserver (wgserver)
Thu Nov 30 10:16:35 2023 user.notice mwan3[9020]: Starting tracker on interface wgserver (wgserver)
Thu Nov 30 10:16:38 2023 user.notice firewall: Reloading firewall due to ifup of wgserver (wgserver)
Thu Nov 30 10:30:24 2023 daemon.notice netifd: Network device 'wgserver' link is down
Thu Nov 30 10:30:25 2023 user.notice mwan3[26774]: Execute ifdown event on interface wgserver (unknown)
Thu Nov 30 10:30:25 2023 daemon.notice netifd: Interface 'wgserver' is now down
Thu Nov 30 10:30:25 2023 user.notice firewall: Reloading firewall due to ifdown of wgserver ()
Thu Nov 30 10:31:02 2023 daemon.notice netifd: Interface 'wgserver' is setting up now
Thu Nov 30 10:31:03 2023 daemon.notice netifd: Interface 'wgserver' is now up
Thu Nov 30 10:31:03 2023 daemon.notice netifd: Network device 'wgserver' link is up
Thu Nov 30 10:31:03 2023 user.notice mwan3[29641]: Execute ifup event on interface wgserver (wgserver)
Thu Nov 30 10:31:03 2023 user.notice mwan3[29641]: Starting tracker on interface wgserver (wgserver)
Thu Nov 30 10:31:06 2023 user.notice firewall: Reloading firewall due to ifup of wgserver (wgserver)

Now, obviously, if I type http://192.168.8.169 on my phone, nothing happens.

Here are a few screenshots of my configuration.



The log from your cell phone would be more interesting.

@admon After digging I finally found the log on my phone, and there is apparently a handshake issue.

I added the configuration via QR code.


Hi,
Please try to add the configuration via file, and replace the address of “Endpoint” with the LAN address (default is 192.168.8.1). And run the commands below to allow traffic from wgserver to lan; you can refer to No internet access via Brume2 - #16 by hansome.

# allow forwarding from the WireGuard server zone into the LAN zone
uci set firewall.wgserver2lan=forwarding
uci set firewall.wgserver2lan.src='wgserver'
uci set firewall.wgserver2lan.dest='lan'
uci set firewall.wgserver2lan.enabled='1'

# set LAN masquerading (@zone[0] is the first zone, lan in the default config)
uci set firewall.@zone[0].masq='1'
uci set firewall.@zone[0].masq6='1'
# save the changes and apply them
uci commit firewall
/etc/init.d/firewall reload
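As an added illustration (it is not part of hansome's reply and not GL.iNet firmware code), here is a Python check that reads the text `uci show firewall` prints and reports whether the wgserver-to-lan forwarding and the LAN masquerading set by the commands above are actually in place. The two configs embedded in it are constructed samples, not captures from a real router; the section names and option keys are the ones the commands above use, and the function names are this example's own.

```python
"""Audit an OpenWrt/GL.iNet firewall config for WireGuard-server-to-LAN access.

Input is the text printed by `uci show firewall`; the two samples below are
constructed for this example, not captured from a real router.
"""

# Constructed: config BEFORE the forwarding commands are applied.
BEFORE = """\
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.wgserver=zone
firewall.wgserver.name='wgserver'
firewall.wgserver.input='ACCEPT'
firewall.wgserver.output='ACCEPT'
firewall.wgserver.forward='ACCEPT'
"""

# Constructed: the same config AFTER the uci commands from the post above.
AFTER = BEFORE + """\
firewall.@zone[0].masq='1'
firewall.@zone[0].masq6='1'
firewall.wgserver2lan=forwarding
firewall.wgserver2lan.src='wgserver'
firewall.wgserver2lan.dest='lan'
firewall.wgserver2lan.enabled='1'
"""


def parse_uci_show(text):
    """Turn `uci show` lines into {section: {"_type": ..., option: value}}."""
    sections = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip().strip("'")      # uci quotes values with ''
        parts = key.split(".", 2)             # config.section[.option]
        if len(parts) == 2:
            sections.setdefault(parts[1], {})["_type"] = value
        elif len(parts) == 3:
            sections.setdefault(parts[1], {})[parts[2]] = value
    return sections


def zone_by_name(sections, name):
    """Find the zone section whose 'name' option matches, or None."""
    for sec in sections.values():
        if sec.get("_type") == "zone" and sec.get("name") == name:
            return sec
    return None


def audit_wg_to_lan(text, wg_zone="wgserver", lan_zone="lan"):
    """Return a list of problems; an empty list means VPN clients can reach the LAN."""
    sections = parse_uci_show(text)
    problems = []
    if zone_by_name(sections, wg_zone) is None:
        problems.append(f"zone '{wg_zone}' is not defined")
    lan = zone_by_name(sections, lan_zone)
    if lan is None:
        problems.append(f"zone '{lan_zone}' is not defined")
    forwardings = [
        sid for sid, sec in sections.items()
        if sec.get("_type") == "forwarding"
        and sec.get("src") == wg_zone and sec.get("dest") == lan_zone
        and sec.get("enabled", "1") != "0"    # forwardings default to enabled
    ]
    if not forwardings:
        problems.append(f"no enabled forwarding from '{wg_zone}' to '{lan_zone}'")
    # With masq on the LAN zone, LAN hosts see the router's LAN address as the
    # source of VPN traffic, so they need no route back to the WireGuard subnet.
    if lan is not None and lan.get("masq") != "1":
        problems.append(f"masq is off on zone '{lan_zone}'; LAN hosts need a route back to the VPN subnet")
    return problems


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_wg_to_lan(cfg) or "OK")
```

On a real router, pipe the output of `uci show firewall` into `audit_wg_to_lan` instead of the embedded samples; the check only reads the configuration, it changes nothing.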

Hi @fangzekun

I tried what you said, replacing the IP with the local one, and it did not work connecting from LTE (as expected, I guess).
But it works if I connect using the router WiFi, of course, but that defeats the purpose of the VPN, right?
I guess it confirms the VPN works in theory but is just not working over WAN.

So I guess it might work after inputting the commands above? But where do I input them? Is there console access somewhere, or must I SSH?

@fangzekun

I tried inputting the commands via SSH; it went OK, but I still cannot connect to the VPN via LTE.

Is the server you want to connect to using cellular WAN? Like LTE, 5G or something?

@admon I want to connect from my phone (LTE) to my Spitz AX router (Starlink or LTE) that is running the WireGuard VPN server.

LTE and WireGuard Server is mostly a no-go.
LTE / Cellular uses CG-NAT (Carrier-Grade NAT) which makes it impossible to open ports.

Your server should be always connected by a non-cellular line with no CG-NAT - at least if you use IPv4 only.

@admon Whaaatt??? I'm no expert, but that makes no sense to me… What is the point of a VPN if you cannot access it via WAN? How do you access your LAN devices from anywhere? Do I use OpenVPN then? Also, I can run Mullvad VPN on the phone using WireGuard…

On a side note, I even tried using another WiFi (so no LTE) from my phone and it does not work…

As I described above, it is not about the device that connects to the WireGuard server.

It is about the WireGuard server itself.
The server must not be behind CG-NAT. This is usually the case with cellular data.


Edit:
You could try to use ZeroTier as a VPN replacement. I am not quite sure if it works, but it’s worth a try.

1 Like

@admon It is not behind LTE at the moment, it is behind Starlink; I also tried using repeater mode; still nothing.

Bad news: Starlink uses CG-NAT as well.

So you have to use some VPN for getting around it (How to Port Forward on Starlink & bypass CGNAT gateways | this is not a recommendation, just information) or try ZeroTier (in fact I am not sure if it will help, since I can’t test with a CG-NAT device here, but just checking it out won’t hurt).

2 Likes
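The CG-NAT point made in the replies above, and the repeater-mode point made further down, both come down to what address the router's uplink actually holds. As an added example (not code from the thread or from GL.iNet), the Python below classifies a router's WAN address using the RFC 6598 shared address space (100.64.0.0/10) that carriers use for CG-NAT, compares it with the address the Internet sees for the same uplink, and says whether an inbound WireGuard port can be reachable at all. The addresses in it are constructed (93.184.216.34 stands in for a real public address); the function names and the verdict strings are this example's own.

```python
"""Classify a router's WAN address to tell whether an inbound WireGuard port can
ever be reached from the Internet. Sample addresses are constructed for this example."""
import ipaddress

# RFC 6598 shared address space, used by carriers for CG-NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(addr):
    """'cgnat', 'private', 'public', or 'other' for the address on the WAN interface."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT_NET:
        return "cgnat"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "other"
    return "public"


def assess_endpoint(router_wan_ip, observed_public_ip, port=51820):
    """Combine the router's own WAN address with the address the Internet sees.

    router_wan_ip:      address on the router's WAN (or repeater) interface
    observed_public_ip: what a 'what is my IP' site reports over the same uplink
    Returns (verdict, explanation).
    """
    kind = classify_wan_address(router_wan_ip)
    if kind == "cgnat":
        return ("unreachable",
                f"{router_wan_ip} is in 100.64.0.0/10 (CG-NAT): the carrier owns "
                f"{observed_public_ip} and offers no way to forward UDP/{port} to you")
    if kind == "private":
        return ("needs_upstream_forward",
                f"{router_wan_ip} is private: the upstream router that holds "
                f"{observed_public_ip} must forward UDP/{port} to {router_wan_ip}")
    if kind == "public" and router_wan_ip == observed_public_ip:
        return ("reachable",
                f"the router holds {observed_public_ip} itself; only its own firewall "
                f"decides whether UDP/{port} is open")
    return ("nat_upstream",
            f"{router_wan_ip} is not the address the Internet sees ({observed_public_ip}); "
            f"an ISP NAT sits in between")


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread: Starlink (CG-NAT), repeater mode
    # behind a home router, and a wired line that holds a real public address.
    for wan, seen in (("100.72.3.9", "93.184.216.34"),
                      ("192.168.1.50", "93.184.216.34"),
                      ("93.184.216.34", "93.184.216.34")):
        print(wan, "->", assess_endpoint(wan, seen))
```

The "needs_upstream_forward" verdict is the repeater-mode case: the port checker reporting 51820 as closed is then a statement about the upstream router, not about the GL device.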

@admon This is really disheartening; thank you for your insight; I will look into this CGNAT issue a bit more in depth.

But that does not explain why it still does not work in repeater mode through a regular ISP (it should, right?)

And what is the point of GL.iNet offering a feature on a premium TRAVEL router that cannot work the way it is intended? I mean, what is the point of having your own VPN that only works in the LAN?

I also tried ZeroTier, but I don’t like this kind of obscure service, and it does not work either.

You have to have the ability to ensure the WG Server’s default port, 51820, is able to be accessed from the public Internet. CGNAT isn’t public, as you know.

If 51820 can’t be reached by anyone on the 'net to the ISP’s modem, then no traffic will be able to connect to the GL device’s running WG Server instance.

WG Client mode is used when travelling; it does not require an incoming port to be opened before using it (eg: connecting to Surfshark, Mullvad, IVPN, Proton VPN, etc.)

1 Like

OK, but you are not answering your quotes.

Why does it not work in repeater mode either (no CGNAT there), and why offer a VPN SERVER on a travel router when you know it will not work…?

How does anyone access their IoT devices using a Spitz AX if you cannot port forward while traveling? I mean, in 2023 it seems like a trivial thing to do? What am I missing here?

It would be great to have a clear answer from GL.iNet staff also.

WG Server works in Repeater mode. It requires the Upstream Router to forward all incoming traffic to port 51820 to the GL device just as an ISP’s modem requires.

You can’t go through a door if it’s locked shut.

1 Like

In repeater mode right now; it does not work for me.

I am in repeater mode;
I check on a website that I am going through the ISP; all OK.
I cannot connect to the VPN server.

So I go to a port checker and indeed port 51820 for the WireGuard server is CLOSED. Is there a problem there? Is the router supposed to open it, or should I do that manually?

I opened 51820 and no joy :frowning:



You don’t need to manually open ports on the GL device acting as the WG Server; the GL GUI handles that all for you.

I think you should try replicating a far more simplified Client/Server setup before introducing WAN/ISP IPs or LTE. Here, substitute my Certa for a mobile phone running the WireGuard application in the following HOW-TO & this should be as straightforward as it gets:

Then we can make the necessary modifications regarding outside/Internet-side connectivity.

1 Like