Well, there certainly was a hurdle to overcome: after enabling the VPN WG Server, the GL GUI's defaults for generating WG Client confs automatically set the endpoint to the public IP. I wanted the WG Client device to connect to the WG Server directly within the LAN, not over the WAN/Internet, so of course I changed that to the WG Server's IP, 192.168.10.1, from the perspective of the Client device.
My Client device, the Certa, is known to perform with VPN providers using an MTU of 1320. YMMV.
Server

- Flint (GL AX1800, f/w 4.2.1-release4)
- LAN IP 192.168.10.1
- Server options enabled: GL GUI → VPN → VPN Dashboard → VPN Server → WireGuard → [ gear icon ] → WireGuard Server Options → Allow Remote Access LAN on, MTU 1320
```
root@GL-AX1800:~# ip a
[...]
19: wgserver: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
    link/none
    inet 10.0.0.1/24 brd 10.0.0.255 scope global wgserver
       valid_lft forever preferred_lft forever
    inet6 fd00:db8:0:abc::1/64 scope global
       valid_lft forever preferred_lft forever
root@GL-AX1800:~# ip a | grep wgserver
19: wgserver: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
    inet 10.0.0.1/24 brd 10.0.0.255 scope global wgserver
root@GL-AX1800:~# wg show
interface: wgserver
  public key: [redacted]=
  private key: (hidden)
  listening port: 51820
  fwmark: 0x80000

peer: [redacted]=
  endpoint: 192.168.10.235:42986
  allowed ips: 10.0.0.2/32
  latest handshake: 43 seconds ago
  transfer: 531.82 KiB received, 7.21 MiB sent
  persistent keepalive: every 25 seconds
```

```
root@GL-AX1800:~# cat /etc/config/wireguard_server
config servers 'main_server'
	option address_v4 '10.0.0.1/24'
	option address_v6 '[redacted]1/64'
	option port '51820'
	option fwmark '0x80000'
	option ipv6_enable '0'
	option private_key '[redacted]='
	option public_key '[redacted]='
	option masq '0'
	option mtu '1320'
	option access 'ACCEPT'

config peers 'peer_145'
	option name 'Certa-00'
	option peer_id '145'
	option presharedkey_enable '0'
	option dns '64.6.64.6'
	option persistent_keepalive '25'
	option public_key '[redacted]='
	option private_key '[redacted]='
	option client_ip '10.0.0.2/24'
	option deprecated '0'
	option allowed_ips '0.0.0.0/0, ::/0'
	option mtu '1320'
```
NOTE: DNS 64.6.64.6 was automatically assigned by the GL GUI setup. It is a Verisign Public DNS that supposedly 'respects your privacy.' You may want to change that.
Client

- Certa (GL AR750, f/w 3.216)
- Downstream from Flint (i.e. Flint LAN → Certa WAN)
- WAN IP 192.168.10.235
- LAN IP 192.168.8.1
- Internet Kill Switch enabled
- VPN Policy enabled; based on MAC Address, only allowed to use VPN
```
root@GL-AR750:~# ip a
33: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1320 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.2/24 scope global wg0
       valid_lft forever preferred_lft forever
root@GL-AR750:~# ping -c3 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: seq=0 ttl=64 time=1.960 ms
64 bytes from 10.0.0.1: seq=1 ttl=64 time=1.850 ms
64 bytes from 10.0.0.1: seq=2 ttl=64 time=3.316 ms

--- 10.0.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.850/2.375/3.316 ms
root@GL-AR750:~# wg show
interface: wg0
  public key: [redacted]=
  private key: (hidden)
  listening port: 42986

peer: [redacted]=
  endpoint: 192.168.10.1:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 minute, 41 seconds ago
  transfer: 3.44 MiB received, 1.32 MiB sent
  persistent keepalive: every 25 seconds
```

```
root@GL-AR750:~# cat /etc/config/wireguard
config proxy
	option access 'DROP'
	option main_server 'Flint-01'
	option enable '1'
	option host '192.168.10.1'

config peers 'wg_peer_762'
	option name 'Flint-01'
	option address '10.0.0.2/24'
	option private_key '[redacted]='
	option dns '64.6.64.6'
	option public_key '[redacted]='
	option allowed_ips '0.0.0.0/0,::/0'
	option persistent_keepalive '25'
	option mtu '1320'
	option end_point '192.168.10.1:51820'
	option listen_port '42986'
```
NOTE: Again, DNS 64.6.64.6 was automatically assigned by the GL GUI setup. It is a Verisign Public DNS that supposedly 'respects your privacy.' You may want to change that.
HTTP Traffic
(Works just fine w/ HTTPS, too)
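The post boils down to three things that have to line up between the two UCI files: the client's endpoint must point at the server's LAN address rather than the WAN IP, the MTU must be the same on both sides, and the GL GUI's default DNS should be reviewed. The script below is an added example, not part of the original post or of GL.iNet's firmware: it parses OpenWrt-style `config`/`option` files with a small hand-written parser and audits those points. The two embedded configs are constructed from the dumps above with keys removed; the GL default resolver constant and the `audit` function name are this example's own.

```python
import ipaddress

# Constructed sample configs modelled on the /etc/config/wireguard_server and
# /etc/config/wireguard dumps in the post (key material omitted).
SERVER_CONF = """
config servers 'main_server'
	option address_v4 '10.0.0.1/24'
	option port '51820'
	option mtu '1320'

config peers 'peer_145'
	option name 'Certa-00'
	option dns '64.6.64.6'
	option client_ip '10.0.0.2/24'
	option allowed_ips '0.0.0.0/0, ::/0'
	option mtu '1320'
"""

CLIENT_CONF = """
config proxy
	option access 'DROP'
	option main_server 'Flint-01'
	option host '192.168.10.1'

config peers 'wg_peer_762'
	option name 'Flint-01'
	option address '10.0.0.2/24'
	option dns '64.6.64.6'
	option allowed_ips '0.0.0.0/0,::/0'
	option mtu '1320'
	option end_point '192.168.10.1:51820'
"""

# Resolver the GL GUI fills in by default, as noted in the post.
GL_DEFAULT_DNS = "64.6.64.6"


def parse_uci(text):
    """Minimal UCI parser: {section_type: [{'name': ..., 'options': {...}}]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip("'\"") for p in line.split(maxsplit=2)]
        if parts[0] == "config":
            current = {"name": parts[2] if len(parts) > 2 else None, "options": {}}
            sections.setdefault(parts[1], []).append(current)
        elif parts[0] == "option" and current is not None:
            current["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
    return sections


def audit(server_text, client_text):
    """Cross-check a GL server config against a GL client config; returns findings."""
    srv = parse_uci(server_text)["servers"][0]["options"]
    srv_peer = parse_uci(server_text)["peers"][0]["options"]
    cli_proxy = parse_uci(client_text)["proxy"][0]["options"]
    cli_peer = parse_uci(client_text)["peers"][0]["options"]
    findings = []

    # 1. Endpoint: a LAN-only setup expects a private address, not the WAN IP
    #    the GUI generates by default, and the port must match the listener.
    host, port = cli_peer["end_point"].rsplit(":", 1)
    if not ipaddress.ip_address(host).is_private:
        findings.append(f"endpoint {host} is a public address; LAN endpoint expected")
    if port != srv["port"]:
        findings.append(f"endpoint port {port} != server listen port {srv['port']}")
    if cli_proxy.get("host") != host:
        findings.append("proxy host and peer end_point disagree")

    # 2. MTU must be identical on server, server-side peer entry and client.
    mtus = {srv.get("mtu"), srv_peer.get("mtu"), cli_peer.get("mtu")}
    if len(mtus) != 1:
        findings.append(f"MTU mismatch: {sorted(m for m in mtus if m)}")

    # 3. Tunnel addressing: client address inside the server's subnet and
    #    equal to the client_ip the server assigned to that peer.
    srv_net = ipaddress.ip_interface(srv["address_v4"]).network
    cli_ip = ipaddress.ip_interface(cli_peer["address"]).ip
    if cli_ip not in srv_net:
        findings.append(f"client address {cli_ip} not in server subnet {srv_net}")
    if ipaddress.ip_interface(srv_peer["client_ip"]).ip != cli_ip:
        findings.append("server client_ip for the peer != client address")

    # 4. DNS: flag the GUI default resolver the post suggests changing.
    for side, opts in (("server peer", srv_peer), ("client", cli_peer)):
        if opts.get("dns") == GL_DEFAULT_DNS:
            findings.append(f"{side} uses GL default DNS {GL_DEFAULT_DNS}; review it")

    # 5. Full tunnel: 0.0.0.0/0 on the client routes everything over wg0.
    allowed = [a.strip() for a in cli_peer.get("allowed_ips", "").split(",")]
    return {"findings": findings, "full_tunnel": "0.0.0.0/0" in allowed}


if __name__ == "__main__":
    for line in audit(SERVER_CONF, CLIENT_CONF)["findings"]:
        print("-", line)
```

Run against the configs above, the only findings are the two DNS notes; swap the client's `end_point` back to a public IP (what the GUI produces by default) and the endpoint checks fire, which is exactly the hurdle described at the top of the post.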