Issues connecting to Synology NAS when Wireguard VPN Client running on Beryl AX

Hey folks,

I'm not sure where to start with troubleshooting this, so please bear with me.

I have a GLiNet Flint2 at home on my home network. I have a Beryl-AX Travel modem for use when I'm away.

Between the two, I have followed the plethora of guides to set up a Wireguard VPN between the two so that I can access my home network, services in my home country, be able to work etc...

Nearly everything works perfectly fine with services I have running at home on my home server (docker containers which are open to the internet using NGINX Proxy Manager and Cloudflare DNS). The odd thing that just refuses to work no matter what setting I change on the two routers is accessing my NAS on its public address (using my own domain and Cloudflare DNS).

If I turn off the Wireguard, everything is working perfectly fine, if I turn it on - it refuses to accept the certificates for any connections to my NAS.

Any thoughts on where I can start to troubleshoot this issue?

As long as your VPN is active you can't connect to your public IP via WAN because your package will arrive on the router via VPN (so LAN).

You can try to access your NAS using its local IP or you can exclude the NAS FQDN from your VPN routing.

Thanks @admon ,

You're correct, I can access the NAS's local IP through the VPN.

However, I was confused when my dockers' apps were all working, but my NAS wasn't.

How would I go about excluding the NAS's FQDN? Is that something I need to do through the Beryl AX's advanced portal?

You just need to change the VPN Proxy mode to "Based on the target domain or IP" and exclude your NAS FQDN there. This should work, but you should test it to be sure.

See VPN Dashboard - GL.iNet Router Docs

No joy for me :frowning_face:

I still get:

This is the config I set:

Ah, HSTS.
You need to delete the HSTS flag for the domain, see How to Clear HSTS Settings on Chrome, Firefox and IE Browsers

:rofl:

Nope, that's now causing my NAS's address to go to my Flint2's login screen :astonished:

I think there must be something else at play here, something on how I've set up the reverse proxy in my network or something maybe?

I don't know your exact network topology, so it's difficult to troubleshoot.
If you get the Flint2's login screen, the VPN is still routing the traffic wrong.

No worries,

Thanks for your suggestion with the VPN Proxy mode bit anyway, I'll keep digging.

I think I fixed it,

My Wireguard client settings on my Beryl AX were set to use the remote DNS server addresses (my two Adguard Servers), I put a DNS rewrite on them so that my NAS's FQDN points to the local IP and bingo, it works.

I'm a little stupid I guess ....

Ah, that's the issue.

VPN Proxy exceptions work only if the router is doing all DNS stuff.
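
The behaviour worked out in this thread, as a small model added here for illustration (not posted by any participant): it predicts which device answers a connection to the NAS name, depending on what the resolver returns. The hostname, addresses, LAN range and full-tunnel `AllowedIPs` are constructed sample values, and the routing rule is the simplified explanation given in the replies above.

```python
import ipaddress

# Constructed sample values (documentation and RFC 1918 ranges), not from the thread.
PUBLIC_DNS = {"nas.example.com": "203.0.113.10"}  # public record -> home WAN address
HOME_WAN_IP = "203.0.113.10"
HOME_LAN = "192.168.8.0/24"
ALLOWED_IPS = ["0.0.0.0/0"]                       # full-tunnel WireGuard client


def resolve(fqdn, rewrites):
    """Resolver view: a local DNS rewrite wins over the public record."""
    name = fqdn.lower()
    return rewrites.get(name, PUBLIC_DNS[name])


def in_any(ip, networks):
    """True if ip falls inside any of the given CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def predict(fqdn, rewrites, vpn_up=True):
    """Return (resolved_ip, device_that_answers) for a connection to fqdn."""
    ip = resolve(fqdn, rewrites)
    tunneled = vpn_up and in_any(ip, ALLOWED_IPS)
    if in_any(ip, [HOME_LAN]):
        # A LAN address is only reachable from outside through the tunnel.
        return ip, "nas-via-tunnel" if tunneled else "unreachable"
    if ip == HOME_WAN_IP:
        if tunneled:
            # Thread's explanation: the packet reaches the home router from
            # the VPN (LAN) side, so the WAN port forwards are not applied
            # and the router's own web UI (and certificate) answers.
            return ip, "home-router-admin-ui"
        return ip, "wan-port-forward"
    return ip, "other-host"


if __name__ == "__main__":
    name = "nas.example.com"
    print("VPN off:           ", predict(name, {}, vpn_up=False))
    print("VPN on, no rewrite:", predict(name, {}))
    print("VPN on, rewrite:   ", predict(name, {name: "192.168.8.50"}))
```
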