Site-to-Site VPN

torrmundi · 2018-12-28T21:39:52.366Z

I have the GL-AR750S Ext (Slate) running v3.009 software. I want to use it to create a VPN that is remotely accessible, as shown in the diagram.

Site-Site%20WireGuard1078×865 61.8 KB

I have the Slate logged into a Wireguard server (AzireVPN). I have my PC also logged into the Wireguard server. However, I cannot get the PC to see the Slate, or vice-versa. What am I missing?

thanks,
/John

torrmundi · 2018-12-28T23:29:29.911Z

I have read the https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/ article. This is for OpenVPN, rather than WireGuard, but the principles should still apply. In this article, they have the remote site setup with a router implementing an OpenVPN client, and the headquarters setup with a OpenVPN server behind a router. My setup is simpler, so I had the Slate as a Wireguard server. I then generated a QR code read that with my phone running the WireGuard app. That creates a new client tunnel in the app. After turning on the tunnel on the phone and starting the server on Slate, I still could not get any connection between the devices (PC connected to Slate, and Android phone). Slate shows only the PC client, not the Android phone. The phone has no internet connectivity.

kyson-lok · 2018-12-29T02:01:39.276Z

If you want to use site-to-site, you have to set up wireguard on your home side. AzireVPN server doesn’t support site-to-site.

torrmundi · 2018-12-29T17:00:54.981Z

Thanks @kyson-lok.

Can I setup Wireguard server on my remote router, and login as client from my home PC or Android? I’ve tried to do this but cannot get connections to the Slate VPN from PC or Android. Android Wireguard claims a connection, but GL admin panel doesn’t show any corresponding client. PC’s TunSafe client shows handshake is continually retrying, even if all firewalls are turned off.

Wireshark shows the traffic on source udp.port == 51820, heading for the correct IP address from the .conf file. However, there’s no return traffic except an ICMP redirect, redirect for host.

I additionally tried setting up a WiFi hotspot with my phone for the PC. This eliminated the ICMP redirects which were coming from my home router, but did not achieve any other result.

Finally, I monitored the WiFi link to the GL router, and found the UDP handshake arriving, but the response from the router’s IP was ICMP, Destination Unreachable, Port Unreachable.

I need to monitor the issue from within LuCi, from the system logs. How should I do this?

~~And do I need to open a port on the firewall of the Slate or of the PC, for the VPN traffic?~~
I found the inbound rule in LuCi for Wireguard (WAN to device at port 51820).

Thirdly, should I quit using Wireguard and concentrate upon OpenVPN instead?

torrmundi · 2018-12-30T02:34:00.974Z

Ok, I enabled logging on the Wireguard zone and performed the login from TunSafe. No log entries. I then enabled the logging on the WAN zone and performed the login from TunSafe. Voila, log entries!
Sat Dec 29 21:10:00 2018 kern.warn kernel: [94382.381792] REJECT(src wan)IN=wlan-sta OUT= MAC=ff:… :08:00 SRC=192.168.1.136 DST=192.168.1.255 LEN=49 TOS=0x00 PREC=0x00 TTL=128 ID=23209 PROTO=UDP SPT=51165 DPT=32412 LEN=29 MARK=0x3f00
wlan-sta is IP 192.168.1.115, I don’t know what 192.168.1.136 is. It is not the WiFi or any LAN client. Clearly, it is a firewall issue on Slate. I did not change the firewall, simply allowed the Wireguard Server setup to set the rules.

torrmundi · 2018-12-30T02:41:08.017Z

Does this look right? Why does Wireguard show empty?

image780×368 39.7 KB

kyson-lok · 2019-01-02T02:11:36.857Z

If you want to set up a wireguard server on your home, you have to have a global IP address from your ISP.

torrmundi:

but cannot get connections to the Slate VPN from PC or Android

Would it caused by you haven’t global IP address?

torrmundi · 2019-01-02T04:42:42.139Z

@kyson-lok, the Slate’s wlan-sta IP address is a private IP, assigned by the NATed WiFi AP/Router. That router has a global IP assigned dynamically by the ISP. When I run a browser on the PC connected to the Slate’s br-lan port and use whatismyip.com, the public IP of the router is shown, and the local IP (NATed, 192.168.8.152) of the PC is shown. The local IP of the PC is also the same as the Client IP shown in Slate’s admin panel.

So would OpenVPN allow a local IP address for a server?

kyson-lok · 2019-01-02T07:21:13.630Z

torrmundi:

Slate’s wlan-sta IP address is a private IP, assigned by the NATed WiFi AP/Router

In this case, it can’t act as server. However, if your NATed AP/Router has a global IP address, you can try to configure port forwarding on it.

jolouis · 2019-01-02T14:10:19.477Z

Just to expand on kyson-lok’s answer:
One of the two sides of the system needs to have either a static public IP address, or be running some kind of DDNS client that maps to the public IP address of that location. The NAT firewall/AP/Router which has the public IP on it also needs to have the appropriate port forwarding setup so that VPN traffic destined for that public IP (i.e. the traffic from the client trying to connect) will be sent through to the GL device with the VPN server on it.

Old-skool metaphor to help you understand all this:
Think of the VPN server as a specific employee working in a large company. In order for your client device to get through to that person, you need two things: 1) The public phone number of the company, and 2) the receptionist to be able to forward you from the front desk to the proper floor/office.

is the public IP, 2 is the the port forwarding/nat rules.

Many ISPs do not assign “static” public IPs; so in order to make sure you are always connecting to the one that belongs to the site with your VPN server, you may need something like DDNS.

torrmundi · 2019-01-03T12:13:36.887Z

@jolouis I think you’re correct. My remote site that has the Slate will be connecting into a marina’s WiFi AP. There’s no way I’ll always have the same IP assigned every time.

I found this mention of DDNS in the somewhere on gl.inet:
“Dynamic Domain Name Service(DDNS) is a service used to map a domain name to the dynamic IP address of a network device. Only supported by testing firmware v3.010 and above right now.”

So I think I’ll have to move to a test firmware.

kyson-lok · 2019-01-04T03:18:11.790Z

The DDNS functionality only work for global IP address, or behind a router with global IP address so you have to configure port forwarding.

torrmundi · 2019-01-06T15:57:07.419Z

Thanks for all the help. I’m now running ddns using software 3.010. In addition, I have added port forwarding for Wireguard port 51820 to the router that Slate is connected to and as a result now I can setup Wireguard tunnels from the local PC or from Android to the Slate. In addition, the Slate admin page is remotely accessible.

However, I thought that each client PC connected to the Slate’s VPN would be able to ‘see’ each other in the Network view of Windows Explorer, and share files. This is not the case. What is missing?

kyson-lok · 2019-01-07T01:16:28.939Z

You can press Windows + R key to show “RUN” box, then enter \\your pc ip address.

torrmundi · 2019-01-07T13:30:52.476Z

@kyson-lok, that worked for the local pc to log into the PC connected to Slate’s LAN port. But the other way failed (Slate local PC to remote PC). “Network error. Windows cannot access \10.0.0.3”. Ping works from 10.0.0.3 to 10.0.0.4, but not from 10.0.0.3 (Slate local) to 10.0.0.4 (remote PC).

kyson-lok · 2019-01-08T01:45:16.354Z

It causes by missing static route. Could you please draw a topology diagram? So I can tell you how to add static route.

torrmundi · 2019-01-08T04:40:06.098Z

@kyson-lok here’s my test network. The Slate router will eventually be connected to a WiFi access point somewhere in the internet, rather than on my home router.

image807×344 20.1 KB

kyson-lok · 2019-01-08T07:36:08.758Z

Why did you set up a WireGuard client on local laptop(10.0.0.4)?

In this diagram, it should work by default. You can ssh to the router, stop the mwan3, then try again.

mwan3 stop
echo " " > /proc/net/nf_conntrack

torrmundi · 2019-01-08T18:26:07.469Z

After mwan3, with remote PC connected to VPN, but local PC not connected to VPN, neither ping direction works and neither login to VPN IPs work. After connecting both VPN clients, (and disable/enable the remote PC ethernet adapter), ping and login to local PC works. Ping and login to remote PC fails. This is identical behavior as before mwan3 command. I did this procedure twice to be sure. I have not rebooted the Slate.