No TCP for connected VPN clients (just ICMP)

Technical Support for Routers VPN, DNS, Leaks
21

I go for a walk :smiley:
nano is installed

22

Well there certainly was a hurdle to overcome: after enabling the VPN WG Server GL GUIā€™s defaults for generating WG Client confs automatically set the endpoint to the public IP. I wanted the WG Client device to connect to the WG Server directly within the LAN, not over the WAN/Internet, so of course I changed that to the WG Serverā€™s IP 192.168.10.1 from the perspective of the Client device.

My Client device, the Certa, is known to preform with VPN providers using a MTU of 1320. YMMV.

Server

  • Flint (GL AX1800, f/w 4.2.1-release4)
  • LAN IP 192.168.10.1
  • Server options enabled: GL GUI ā†’ VPN ā†’ VPN Dashboard ā†’ VPN Server ā†’ WireGuard ā†’ [ gear icon ] ā†’ WireGuard Server Options ā†’ Allow Remote Access LAN on, MTU 1320
root@GL-AX1800:~# ip a
[...]
19: wgserver: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
    link/none
    inet 10.0.0.1/24 brd 10.0.0.255 scope global wgserver
       valid_lft forever preferred_lft forever
    inet6 fd00:db8:0:abc::1/64 scope global
       valid_lft forever preferred_lft forever
root@GL-AX1800:~# ip a | grep wgserver
19: wgserver: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
    inet 10.0.0.1/24 brd 10.0.0.255 scope global wgserver

root@GL-AX1800:~# wg show
interface: wgserver
  public key: [redacted]=
  private key: (hidden)
  listening port: 51820
  fwmark: 0x80000

peer: [redacted]=
  endpoint: 192.168.10.235:42986
  allowed ips: 10.0.0.2/32
  latest handshake: 43 seconds ago
  transfer: 531.82 KiB received, 7.21 MiB sent
  persistent keepalive: every 25 seconds

root@GL-AX1800:~# cat /etc/config/wireguard_server

config servers 'main_server'
        option address_v4 '10.0.0.1/24'
        option address_v6 '[redacted]1/64'
        option port '51820'
        option fwmark '0x80000'
        option ipv6_enable '0'
        option private_key '[redacted]='
        option public_key '[redacted]='
        option masq '0'
        option mtu '1320'
        option access 'ACCEPT'

config peers 'peer_145'
        option name 'Certa-00'
        option peer_id '145'
        option presharedkey_enable '0'
        option dns '64.6.64.6'
        option persistent_keepalive '25'
        option public_key '[redacted]='
        option private_key '[redacted]='
        option client_ip '10.0.0.2/24'
        option deprecated '0'
        option allowed_ips '0.0.0.0/0, ::/0'
        option mtu '1320'

NOTE: DNS 64.6.64.6 was automatically assigned by the GL GUI setup. It is a Verisign Public DNS that supposedly ā€˜respects your privacy.ā€™ You may want to change that.

Client

  • Certa (GL AR750, f/w 3.216)
  • Downstream from Flint (ie: Flint LAN ā†’ Certa WAN)
  • WAN IP 192.168.10.235
  • LAN IP 192.168.8.1
  • Internet Kill Switch enabled
  • VPN Policy enabled; based on MAC Address only allowed to use VPN
root@GL-AR750:~# ip a
33: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1320 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.2/24 scope global wg0
       valid_lft forever preferred_lft forever

root@GL-AR750:~# ping -c3 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: seq=0 ttl=64 time=1.960 ms
64 bytes from 10.0.0.1: seq=1 ttl=64 time=1.850 ms
64 bytes from 10.0.0.1: seq=2 ttl=64 time=3.316 ms

--- 10.0.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.850/2.375/3.316 ms


root@GL-AR750:~# wg show
interface: wg0
  public key: [redacted]=
  private key: (hidden)
  listening port: 42986

peer: [redacted]=
  endpoint: 192.168.10.1:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 minute, 41 seconds ago
  transfer: 3.44 MiB received, 1.32 MiB sent
  persistent keepalive: every 25 seconds

root@GL-AR750:~# cat /etc/config/wireguard

config proxy
        option access 'DROP'
        option main_server 'Flint-01'
        option enable '1'
        option host '192.168.10.1'

config peers 'wg_peer_762'
        option name 'Flint-01'
        option address '10.0.0.2/24'
        option private_key '[redacted]='
        option dns '64.6.64.6'
        option public_key '[redacted]='
        option allowed_ips '0.0.0.0/0,::/0'
        option persistent_keepalive '25'
        option mtu '1320'
        option end_point '192.168.10.1:51820'
        option listen_port '42986'

NOTE: Again DNS 64.6.64.6 was automatically assigned by the GL GUI setup. It is a Verisign Public DNS that supposedly ā€˜respects your privacy.ā€™ You may want to change that.

HTTP Traffic

2023-07-05 17_22_53-GL.iNet Admin Panel - Chromium
2023-07-05 17_22_53-GL.iNet Admin Panel - Chromium949Ɨ1053 52.5 KB

(Works just fine w/ HTTPS, too)

1 Like
23

woooow :smiley: thanks!
I will try to understand it a bit later and try to translate it into my network.

#Edit: as I understand, you connect your Client (GL-AR750) via the WAN port to the Servers LAN port (GL-AX1800)

Server LAN IP: 192.168.10.1
Client WAN IP: 192.168.10.235
WG-Server IP: 10.0.0.1
WG-Client IP: 10.0.0.2

So you have nothing in between as it seems.

I have rather complicated setting here:

  • WG-Server runs on 10.0.0.2/32
    -WG-Client runs on 10.0.0.3

  • Brume2 (LAN 10.1.1.2) connected via LAN to the DMZ of the IPfire (10.1.1.1)

  • FWrouting from 10.1.1.2 to the whole external network (192.168.178.0/32) with source NAT of the IPfire (192.168.178.2)

  • IPfire (192.168.178.2) connected to the ISP router (192.168.178.1)

  • PORTforwarding (WG) from ISP router to the IPfire (192.168.178.2)
    -PORTforwarding (WG) from the whole external network (192.168.178.0./32) to the Brume2 in the DMZ (10.1.1.2) with destination NAT of the IPfire (192.168.178.2)

-DNS is set to 1.1.1.1 just to test and be sure

Result:

  • I see the Client in the VPN dashboard with 1 Client (1 Online), but I get no connection to the internet. I tried different MTU (1320, 1380, 1420).
    - logs of IPfire show DROP_CTINVALID from 10.1.1.2 (Brume2 in the DMZ) to 10.0.0.3 (Smartphone Client connected via WG) with sourcePORT 53 and ICMP protocol.

As it seems some DNS problem?

1 Like
24

Weā€™re dealing in IP is this case so it certainly shouldnā€™t be DNS related.

Correct. Itā€™s as if Iā€™m setting up my entire LAN to be WG encrypted, communicating to the Flint as the LANā€™s WG Server for outgoing Internet access. The Internet still sees my public IP as assigned by my ISP. By default the GL GUI uses the WG Serverā€™s public IP for that endpointā€¦ which makes sense as most people want to connect to a WG Server regardless where they are (eg: coffee shop Wi-Fi).

Correct again; this is as simple as I can conceive of a setup operating.

Mine runs as 10.0.0.1/24 per its confā€™s option address

In your case Iā€™d suggest trying another computer to be set as DMZā€™d in IPFire; see if you can establish connectivity that way then replicating my setup as if it is completely physically disconnected from your IPFire server before integrating it into the DMZ.

Youā€™re looking to remove as many possible variables before introducing the DMZ question. I suspect Iā€™m nearing the end of any advice I can give 'ya, though. I donā€™t have the capability to run a IPFire install/machine at my locationā€¦ I donā€™t have a lab these days. :frowning:

25

ok, I got it so far. Thanks a lot! I will try to implement something different into DMZ and see if it works with that. Just wondering about, because my configuration seem to be ok and as I understood yours, itā€™s similar (just without the extras). But sure, these extras could be (and possibly areā€¦ the pain in the aā€¦).

1 Like
26

My pleasure.

Yeah, I think itā€™d be very helpful to get something/anything else working in a simplified fashion into the DMZ first just so you know.

ā€œBetter to have it & not need it than need it & not have it.ā€