Hi, just got a Mango unit and was hoping to set this up as a WireGuard VPN Server so that I can connect when away, and use my own home Internet.
Is there any HowTo for this? In particular IP settings to use for something like this as well as if it’s possible to disallow the VPN Clients access to the local LAN.
Local LAN is on 192.168.5.x
I can plug in the WAN port to one of the LAN ports on the Router; it will get a DHCP IP, which I prefer (I can then reserve it in the router)
I can forward the WireGuard port then to this IP
From there on, IP addressing wise, do I need to make any changes or just use the defaults when setting up the WireGuard VPN server?
**the most important is to understand how I can enable/disable local LAN access on the VPN Server.
So I can connect to the Wireguard VPN server with my cell phone (cell connection, wifi off). I can then reach any of the LAN IPs on 192.168.5.0/24 network even though I turned this feature off as suggested, even though I have a 10.0.0.x IP. This setting does nothing at all.
Additionally,
I can not connect to the unit via web browser via the IP assigned on the WAN port. Why? Where can I change this so that it’s possible?
Connecting a client into the LAN port is giving me an IP on the same network 192.168.5.x, like DHCP passthrough rather than 192.168.8.x
**This #2 looks like was fixed when I upgraded from fw 3.12 to fw 3.15
Please advise on the “Allow Access Local Network” issue and #1 above.
Does the “allow access local network” only refer to the 192.168.8.x subnet then? So the VPN client will be assigned a 10.0.0.x IP, and NOT be allowed to access any 192.168.8.x IPs except the Mango device, but it WILL be allowed to access the 192.168.5.x subnet?
The diagram is helpful, and the answers you seek depend more on that other router, I think.
Most everyone who wants to do what you are looking for would take the cable from the ISP and plug it into the WAN port of the Mango, and plug the LAN port of the Mango into a LAN port of the other router, and disable all the routing functions of the other router to make it a dumb switch/AP point. The Mango would do all the routing, DHCP, etc. Then its wireguard server would allow access to the internet but not to its 192.168.8.xx LAN; that behavior would depend on that setting. Your internet speed from the LAN would be limited to the 100mbps ethernet port of the Mango, and of course your internet access through the wireguard server would be limited by the Mango’s processing power and the upload speed of your ISP connection, in any case. It’s a lot to ask that little puppy to do.
The way you have it set up, the Mango’s wireguard server will allow access to its WAN side but not its LAN side. It sees 192.168.5.xx as the WAN side, which is why you have access to all the devices on the other router’s LAN side. That is the intended behavior when, for example, you have OpenVPN or WIreguard servers set up on another internal device. To block anything other than 192.168.5.1 (I assume that is the default gateway) you are going to have to mess with that router’s IP tables to drop any connections from the Mango WAN IP to anything other than the default gateway. Even then I’m not sure the other router’s loopback won’t kick in. Alternatively, you might be able to fool with the Mango’s IP tables to drop anything from the wireguard server to anything other than the other router’s default gateway. That would require digging into LUCI.
Thanks for responding, after doing up the diagram I realized why it wasn’t working as I (mistakenly) expected, diagrams always help out with this.
To your point, this little router it too small to make it my primary, hence it’s why it’s behind my main one. It’s working as expected so that’s good to confirm.
I’ll see if I can make some adjustments, to get it to do what I want as long as it’s not too complicated, like to keep all this stuff as simple as possible!
How can I access the VPN client(s) on 10.0.0.x network, from my upstream router 192.168.5.x then?
Do I need to add a static route to my upstream router? Currently from the VPN clients 10.0.0.x there is no problem to access 192.168.5.x LAN, but viceversa is not the case (expected behaviour I believe)
Mango is on 192.168.5.72 static
Mango’s (internal) network is 192.168.8.x but I don’t use it for any clients, it’s strictly for Wireguard VPN Server (till my upstream router gets this option - I’m told it’s coming in next firmware)
I would like to access 10.0.0.x client(s) from 192.168.5.x devices
You cannot do this easily. As 5.x subnet does not has route to 10.0.0.x tunnel at all.
What you can do is:
Method 1: Connect your devices to Mango’s 192.168.8.x subnet. Then set up some routing on Mango.
Method 2: We have dropin gateway mode in firmware 4.2. This is not avaialble for Mango. But in case it will be available, you can use Mango as drop-in gateway, so all of your devices on 192.168.5.x will be routed to the Mango and Mango will deal with the route there.
Method 1 is what we are using for Site-2-Site VPN setup.
Method 2 is generally for vpn client and adguard home etc. But it should also work for your scenario.
Destination IP 10.0.0.0
Subnet Mask 255.255.255.0
Next Hop 192.168.6.72 (this is the WAN IP of the mango)
I can ping 10.0.0.1 IP just fine, but when I try to ping 10.0.0.5 (client) it gives me
Pinging 10.0.0.5 with 32 bytes of data:
Reply from 192.168.5.72: Destination port unreachable.
Reply from 192.168.5.72: Destination port unreachable.
Reply from 192.168.5.72: Destination port unreachable.
Reply from 192.168.5.72: Destination port unreachable.
Sorry, I’m not very good with routing etc, and did read your post which you said “you cannot do this easily”. What I’m trying won’t work I guess?
The mango is an interim solution till my main router gets Wireguard, so I don’t really want to move clients to hang off the mango, I just got it as a little VPN server unit, after I no longer need it for that it will be my travel router.