No data traffic when GL-MT6000 is active as VPN client.

Hello everyone, I hope someone can help here.

Expected behavior:

  • The router has the WAN IP address of the VPN provider stored in the VPN profile.
  • All devices connected to the GL-MT6000 use the VPN connection of the router and can surf the Internet.
  • DDNS connections to servers connected to the router can be established.
  • Devices can communicate with each other in the LAN.

Detected (faulty) behavior:

  • If the GL-MT6000 is active as a WireGuard VPN client, no device connected to the router can surf the Internet.
  • Devices on the router cannot be reached from the Internet. DDNS does not work.
  • Devices can communicate with each other in the LAN.

My configuration:

  • FritzBox 7490 as WAN interface

  • IP address of the FritzBox = 192.168.177.1

  • Subnet mask = 255.255.0.0

  • Exposed host

  • GL-MT6000 with Ethernet 1 connected to LAN 1 of the FritzBox

  • Protocol = Static

  • IP address = 192.168.177.2

  • Subnet mask = 255.255.0.0

  • Gateway = 192.168.177.1 (FritzBox)

  • DNS server = 192.168.178.194 (Pi-hole, which is also the DNS server)

VPN

  • GL-MT6000 as WireGuard VPN client
    • global proxy
  • Global options
    • Block non-VPN traffic = off
    • Allow access to WAN = on
    • GL.iNet services use the VPN = off
  • WireGuard Client Options
    • Allow remote access to the LAN = on
    • IP masquerading = on
    • MTU = 1420
  • WireGuard Config (ProtonVPN)
    • [Interface]
      • Address = 10.2.0.2/32
      • PrivateKey = …
      • DNS = 10.2.0.1
      • MTU = 1420
    • [Peer]
      • AllowedIPs = 0.0.0.0/0
      • Endpoint = 146.70.120.210:51820
      • PersistentKeepalive = 25
      • PublicKey = …

Perhaps something needs to be adjusted in the routing. But I don’t know what.

Thank you for your support

Which IP addresses do the other devices inside your network have?
Do they use the Flint2 as the main router?

I use 192.168.178.1 (main router) in the GL-MT6000 network.
All devices have addresses in the range from 192.168.178.2 to 250.

So the network between the Fritz!Box and the MT6000 is just a transport one, only 2 members?

Correct, because the GL-MT6000 does not have a DSL modem.

Please connect to VPN and execute the following commands:
nslookup google.com
ping 1.1.1.1

Write both results back here.

thomas@Tropis-MBP-WLAN ~ % nslookup google.com
Server: 192.168.178.194
Address: 192.168.178.194#53

** server can’t find google.com: SERVFAIL

thomas@Tropis-MBP-WLAN ~ % ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
^C

Hmpf.

WireGuard is always tricky because there are no real logs. Does it work when you connect to ProtonVPN by WireGuard on your MBP?

When I activate the WireGuard server on the GL-MT6000 and connect to my cell phone, I can access my local network. So I think I have understood the basic functions.

However, the routing (in the firewall) is new to me. I suspect that some traffic is blocked here when the router connects as a client to a VPN provider. Unfortunately, I don’t know how such routing rules are created. Maybe this would be a way.

No, I was talking about connecting your MacBook to ProtonVPN - so we know that this one is working well.

Yes, a direct connection from my computer directly to a ProtonVPN server works perfectly.

Have you defined this DNS inside the WireGuard tunnel?

Sometimes the WireGuard config either needs the entry:

[Peer]
# Some of your data
DNS=192.168.178.194

Or remove this entry and use it as global DNS; the VPN software is sometimes a little confusing with this part.

My guess might be that the tunnel doesn’t allow local IPs as part of their kill switch for DNS, hence the allow WAN or LAN options.

Can you play with this setting a bit and report back if it did the trick? :wink:

Also speaking about your wg config:

Is the endpoint a domain or an IP? If so, then you are missing global DNS too.

The tunnel configuration is as follows:
(I have deleted the keys for communication in the forum.)

[Interface]
Address = 10.2.0.2/32
PrivateKey = …
DNS = 10.2.0.1
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = 146.70.120.210:51820
PersistentKeepalive = 25
PublicKey = …

You mean I should change the DNS entry under “Interface”? There is no such entry under “Peer”.
The Endpoint is an IP.

Oops mistake, yes I mean interface :+1:

In the meantime I have tried it out. I swapped the default DNS for mine. Unfortunately, nothing has changed in the behavior. Surfing not possible. DNS resolution fails and the pings run into the void.

As I said before, since the VPN tunnel can be called directly from the computer and works, I suspect that the firewall is not letting the client’s traffic through.

Since the issue is not your DNS, your WireGuard configuration looks fine.

Do you by chance use IPv6 on the Flint 2?

IPv6 is not fully compatible with WireGuard AFAIK. It would make sense if it could get stuck on that, because I also don’t see a ::/0 inside AllowedIPs; that is not bad, but if IPv6 is active it is.
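The three config questions raised in the replies above (is the DNS server inside the tunnel or on the LAN, does a hostname endpoint need global DNS, is ::/0 missing from AllowedIPs while IPv6 is on) can be checked mechanically. This is an added example, not code from the thread or from GL.iNet; SAMPLE_CONF is constructed from the poster's redacted profile, and the finding codes are my own.

```python
import ipaddress
# Constructed sample based on the poster's redacted ProtonVPN profile (keys are placeholders).
SAMPLE_CONF = """\
[Interface]
Address = 10.2.0.2/32
PrivateKey = <redacted>
DNS = 10.2.0.1
MTU = 1420
[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = 146.70.120.210:51820
PublicKey = <redacted>
"""
def parse_wg(text):
    """Parse a wg-quick INI profile into {'Interface': {...}, 'Peer': [{...}, ...]}."""
    cfg, section = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in wg configs
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section == "Peer":
                cfg["Peer"].append({})
            continue
        key, _, val = line.partition("=")
        target = cfg["Interface"] if section == "Interface" else cfg["Peer"][-1]
        target[key.strip()] = val.strip()
    return cfg

def check_wg(text, ipv6_enabled=False, lan_nets=()):
    """Return finding codes for the pitfalls raised in the thread (empty list = clean)."""
    cfg, findings = parse_wg(text), []
    lan = [ipaddress.ip_network(n) for n in lan_nets]
    dns = [d.strip() for d in cfg["Interface"].get("DNS", "").split(",") if d.strip()]
    for peer in cfg["Peer"]:
        allowed = [ipaddress.ip_network(a.strip(), strict=False)
                   for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
        full_v4 = any(n.version == 4 and n.prefixlen == 0 for n in allowed)
        full_v6 = any(n.version == 6 and n.prefixlen == 0 for n in allowed)
        host = peer.get("Endpoint", "0.0.0.0:0").rsplit(":", 1)[0].strip("[]")  # no Endpoint = server-side peer
        try:
            ipaddress.ip_address(host)
        except ValueError:  # hostname endpoint: must resolve before the tunnel is up, so needs global DNS
            findings.append("hostname-endpoint")
        if full_v4 and ipv6_enabled and not full_v6:  # 0.0.0.0/0 without ::/0 leaves IPv6 outside the tunnel
            findings.append("ipv6-not-tunnelled")
        if full_v4 and any(ipaddress.ip_address(d) in n for d in dns for n in lan):
            findings.append("lan-dns-inside-full-tunnel")  # needs a LAN route/firewall exception
    return findings
```

Pass the LAN subnet(s) in `lan_nets` and the router's IPv6 state in `ipv6_enabled`; the poster's profile as shown comes back clean, which matches the reply that the DNS setting was not the fault.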

IPv6 is disabled, so I don’t think that seems to be the problem.

Thank you for your support.

The error actually seemed to lie in the configuration of WireGuard. I had selected all filters when downloading the configuration from the provider. I removed the filters and now at least access to the Internet is working. :+1:
This means that all devices behind the router can surf. When checking the external IP address, the IP of the VPN tunnel is displayed for all devices.

!!! Unfortunately, this does not solve the problem of external accessibility. I operate various servers that need to be accessible from outside. Do you have any ideas for this?
“Allow remote access to the LAN” is activated in the “WireGuard client options”.

Based on my experience, you can’t use VPN as a standard gateway and be able to connect to these devices without VPN from external at the same time. You could use ZeroTier to get around this limitation.