ports 80,433 & 8433 are forwarded to internal machine "loadbalancer"
loadbalancer har 2 jobs
obtain SSL for *.real.com
proxy services based on domain name to other internal machines
This is a fairly common usecase I think? and works perfectly - heck I can even access the router with out https warnings this way ( "wrt.real.com" )
The only real difference Is to combat aggressive AI scanning I ruthlessly drop connections from any IP not belonging to a few select ISP's I've chosen to trust. Work great - until you need to travel
So I've setup a wireguard server with:
Remote Access LAN: ON
IP Masquerading: ON
MTU: blank
Client to Client: OFF
When I connect to the VPN server On my phone (wifi off) I can access the internet though the home connection, and access internal machines.
BUT as soon as I go to access any (web) service that is using a port forward I instead get the "Gl.iNet Admin panel" for the router and it's served with a SSL certificate that is only valid for
which of course triggers a 'cert authority invalid' error - as it should as the router has hijacked the connection to serve it's admin panel instead.
Question: How do I avoid this situation so I can actually access my services though the port forwards?
I've tried every combination of "remote access lan" & "ip masquerading" on/off to no avail.
What I'm looking to achieve is for everything to work like I'm physically present on the inside of the lan ( 192.168.1.1/24 )
some of the services can be accessed directly via internal ip, but others refuses connections that doesn't correspond to the proper domain name ( ie. nextcloud.real.com and so on )
This is a usual behavior since you can't access port forwarding from inside the network the forwarding points to. The best way to achieve this is by accessing the internal IPs while connected to your VPN network and think about split DNS (so the DNS server will provide the internal IP rather than the external IP while connected via VPN)
Yes you can, thats how it works currently while not on the VPN - i use 'nextcloud.real .com' regardless if im at home or not so I dont have to change app settings all the time. (And at both instances the domain points the external IP)
It just the routing seems to get messed up when it comming from the vpn, it somehow swaps wan for lan when the external ip is requested.
by contrast setting up the WG instance directly on the router 2. fails which is somewhat anoying as it's ability to run the VPN tunnels was the reason I bought this specific router
I would still very much like to know how to solve the original issue ( that using the wireguard server on the router - port mappings to external_ip:port are ignored )
Possibly "NAT Loopback" is only configured for the LAN segment. Therefore within the LAN going to the external IP + forwarded port will be automatically rewritten to the internal IP+port.
With that missing for that VPN segment, it will not rewrite it. Therefore it will in this case just go to the router's 443 port. And the router has its web-interface running there, which is what you see.
Of course it can be fixed either by configuring the firewall to do that NAT loopback also for the VPN segment (possibly you need to manually add those rules!) or using split DNS, so the router resolves the real.com to the internal IP if it is resolved from within the LAN and VPN segments.
