Servercomponent on RAS doesnt work with Wireguard but with openvpn

Mjayjoe · May 4, 2022, 5:38pm

VPN-Router: Glinet Router GL-MT300N-V2

Firmware: 3.211 based on OpenWrt 19.07.8

Client: Raspberry Pi 2 Model B Rev 1.1 with dyndns ( ddclient)

Hello Folks,

Im running an Server Component Sucessfully with the openvpn Protocol through my RAS.

But if i change the protocol to wg, no connection from outside isnt possible anymore.

I tried several vpn Provider, but on any is still the same with wg its not possible to get an connection from outside and with the same ones everything works fine over openvpn.

I’m using the glinet interface to run the wireguard client.

But i also use luci for making customized port forwardings rules.

iptables -A INPUT -i tun0 -p tcp --dport 51813 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o tun0 -p tcp --dport 51813 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -p udp --dport 51813 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o tun0 -p udp --dport 51813 -m state --state NEW,ESTABLISHED -j ACCEPT


iptables -I FORWARD -i tun0 -p udp -d 192.168.2.12  --dport   51813  -j ACCEPT
iptables -I FORWARD -i tun0 -p tcp -d 192.168.2.12   --dport  51813 -j ACCEPT
iptables -t nat -I PREROUTING -i tun0 -p tcp --dport  51813 -j DNAT --to-destination 192.168.2.12:45345
iptables -t nat -I PREROUTING -i tun0 -p udp --dport 51813 -j DNAT --to-destination 192.168.2.12:45345
iptables -t nat -A PREROUTING -i tun -p udp --dport 51813  -j REDIRECT --to-ports 45345
iptables -t nat -A PREROUTING -i tun -p udp --dport 51813  -j REDIRECT --to-ports 45345

Here is my network.file:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdae:5c56:dd97::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option hostname 'GL-MT300N-V2-45f'
	option ipaddr '192.168.8.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option hostname 'GL-MT300N-V2-45f'
	option metric '10'
	option ipv6 '0'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option disabled '1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'guest'
	option ifname 'guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'e4:95:6e:46:64:5f'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'e4:95:6e:46:64:60'

and my mwan3:

config globals 'globals'
	option enabled '1'
	option mmx_mask '0x3F00'

config interface 'wan'
	option enabled '1'
	list track_ip '8.8.4.4'
	list track_ip '8.8.8.8'
	list track_ip '208.67.222.222'
	list track_ip '208.67.220.220'
	option family 'ipv4'
	option reliability '2'
	option count '1'
	option timeout '2'
	option interval '5'
	option down '3'
	option up '8'

config interface 'wwan'
	option enabled '1'
	list track_ip '8.8.4.4'
	list track_ip '8.8.8.8'
	list track_ip '208.67.222.222'
	list track_ip '208.67.220.220'
	option family 'ipv4'
	option reliability '2'
	option count '1'
	option timeout '2'
	option interval '5'
	option down '3'
	option up '8'

config interface 'tethering'
	option enabled '1'
	list track_ip '8.8.4.4'
	list track_ip '8.8.8.8'
	list track_ip '208.67.222.222'
	list track_ip '208.67.220.220'
	option family 'ipv4'
	option reliability '2'
	option count '1'
	option timeout '2'
	option interval '5'
	option down '3'
	option up '8'

config interface 'modem_1_1'
	option enabled '1'
	list track_ip '8.8.4.4'
	list track_ip '8.8.8.8'
	list track_ip '208.67.222.222'
	list track_ip '208.67.220.220'
	option family 'ipv4'
	option reliability '2'
	option count '1'
	option timeout '2'
	option interval '5'
	option down '3'
	option up '8'

config member 'wan_only'
	option interface 'wan'
	option metric '1'
	option weight '3'

config member 'wwan_only'
	option interface 'wwan'
	option metric '2'
	option weight '3'

config member 'tethering_only'
	option interface 'tethering'
	option metric '3'
	option weight '3'

config member 'modem_1_1_only'
	option interface 'modem_1_1'
	option metric '4'
	option weight '3'


config policy 'default_poli'
	list use_member 'wan_only'
	list use_member 'wwan_only'
	list use_member 'tethering_only'
	list use_member 'modem_1_1_only'
	option last_resort 'default'

config rule 'default_rule'
	option dest_ip '0.0.0.0/0'
	option use_policy 'default_poli'

All, other Rules are at least Defaults and not modified from myself.

But honestly im not really confident about how files is should post here to create an clear overview about my constellation.

Best regards

alzhao · May 5, 2022, 8:06am

Actually I am not quite sure about your setup.

The router is vpn client, connect to what vpn server?

The Pi is connected to the router? or?

The iptables rules is for openvpn. Wireguard interface is wg0. Is this taken into account?

Mjayjoe · May 5, 2022, 7:36pm

ok now im a little bit perplex

i really forgot to add the wg interface rules , mea culpa

the last try was 2mont ago, with the ovpn connection and this hasnt worked with these custom rules:

WG:
 
 iptables -I FORWARD -i wg0 -p udp -d xxx.xxx.x.1  --dport 55345 -j ACCEPT
iptables -I FORWARD -i wg0 -p tcp -d xxx.xxx.x.1  --dport 55345 -j ACCEPT
 iptables -t nat -I PREROUTING -i wg0 -p tcp --dport 55345 -j DNAT --to-destination xxx.xxx.x.1:22350
 iptables -t nat -I PREROUTING -i wg0 -p udp --dport 55345 -j DNAT --to-destination xxx.xxx.x.1:22350
 #iptables -t nat -A PREROUTING -i tun -p udp --dport 55345  -j REDIRECT --to-ports 22350
 #iptables -t nat -A PREROUTING -i tun -p udp --dport 55345  -j REDIRECT --to-ports 22350

Then 2 days before now i used an other vpn provider ( airvpn) with theses rules:

###wg-airvpn######
iptables -A INPUT -i wg0 -p tcp --dport 22040 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o wg0 -p tcp --dport 22040 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i wg0 -p udp --dport 22040 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o wg0 -p udp --dport 22040 -m state --state NEW,ESTABLISHED -j ACCEPT
##test-end###
##wg-airvpn-cr###
iptables -I FORWARD -i wg0 -p udp -d 192.168.3.12  --dport   22040  -j ACCEPT
iptables -I FORWARD -i wg0 -p tcp -d 192.168.3.12   --dport  22040 -j ACCEPT
iptables -t nat -I PREROUTING -i wg0 -p tcp --dport  22040 -j DNAT --to-destination 192.168.3.12:22050
iptables -t nat -I PREROUTING -i wg0 -p udp --dport 22040 -j DNAT --to-destination 192.168.3.12:22050
iptables -t nat -A PREROUTING -i wg -p udp --dport 22040  -j REDIRECT --to-ports 22050
iptables -t nat -A PREROUTING -i wg -p udp --dport 22040  -j REDIRECT --to-ports 22050
###################

and these rules are working flawless now

i dont know, why the service hasnt worked with ovpn, but with airvpn im really satisfied so far.

so sorry for whirl up Dust

best regards