VPN Cascading doesn't appear to be working properly on Flint 2

I am running Wireguard client and Wireguard server at the same time. With a client connected to the Wireguard server, my IP address does not show up as the Wireguard client IP. Isn’t this what should be happening?

No, this is not automatic. VPN is first and foremost about linking two networks together. Whether all the traffic is sent over it is a wholly different matter.

I am not familiar with WG myself, but I guess @bring.fringe18 can help.

Based on this page, toggling on VPN Cascading should do what I’ve described:

Your Public Internet facing IP should be the same as your WG Client fr your VPN Provider. Check VPN → Dashboard → VPN Client → Proxy Mode (… & Global Options). Confirm/test via IP Leak.

Otherwise SSH into the Flint 2 & run curl http://ipecho.net/plain; echo & wg show. Post its output before we go as far as digging into logs.

That doesn’t appear to be the case for me. Those IP addresses do not match.

I didn’t see the proxy mode you are referring to in your post.

I sent the output of the logs to you in a direct message.

This assumes firmwar 4.4.6-release1, the current stable for the Slate AX/Flint v1. Flint v2 should be near identical. Set according to your needs… ie: VPN Cascading.


WG Client

VPN/WG Server

I got your PM, obviously. So your WG Client is communicating as it should be (1.89GiB). So it should just be a matter of flipping on the VPN Cascading toggle & making sure other devices have the approp. confs loaded for authenticating to your WG Server. IP Leak should show the same Public Internet IP as your VPN Provider’s IP.

interface: wgserver
public key: [redated]=
private key: (hidden)
listening port: 51820
fwmark: 0x8000
peer: [redacted]=
allowed ips:
persistent keepalive: every 25 seconds
interface: wgclient
public key: [redacated]=
private key: (hidden)
listening port: 53967
fwmark: 0x8000
peer: [redacted]=
endpoint: 5[redacted]6:51820
allowed ips:
latest handshake: 36 seconds ago
transfer: 1.89 GiB received, 56.76 MiB sent
persistent keepalive: every 25 seconds

It appears that I am not able to connect to the WG server as a client anymore. Any idea why this would no longer be working?

I’d disable the WG Client on the Flint v2 to take that out of the equation first. Then I’d try connecting to its WG Server using its LAN IP for the [Endpoint] in the conf for LAN devices as if you’re encrypting all traffic within the LAN w/ WG.

f it works, which it should, then reconnect using Flint v2’s WG Client & enable VPN Cascading.

I have tried this and it haven’t been able to get it to work. I cannot connect to the WG server that I have configured. Pinging the WG server tunnel IP address simply times out. I have also noticed that my DDNS URL is not resolving, even though the router’s DDNS test is working and resolving to the network WAN IP.

Delete all confs & reboot/power cycle. Start fr scratch & check wg show.

Do you think I should power cycle the ISP router? I now wonder if the TTL on the DNS propagation is still serving old records.

I’ve tried power cycling the Flint 2, but that doesn’t appear to solve the problem.

It could only help. I’d then set up WG for the LAN as a test before compounding on VPN Cascading. See attached; you could probably skip the MTU aspect.

Do note most VPN Providers don’t allow incoming/port forwarding when active. Proton VPN is an exception but it requires addn’l software on the router to do so.

I am unable to connect to the WG server. No idea why. It was working perfectly before but I can’t seem to get it working again. Very annoying.

That‘s the issue you have to handle first.
Is the IP returned by https://dnschecker.org/ the correct one?

Yes, that is correct. The IP addresses match, so I don’t understand why there is an issue. Is there anything I need to do in regards to port forwarding? I never had to touch that before, and it was working just fine.

Long story short, I am now able to connect to my WG server as a client again. However, typing in the DDNS URL does not work. I can only access the Flint 2 login page via the WG Server tunnel IP address. How can I make it so that I can use the DDNS URL even when connected remotely (for instance, over 5G or LTE on my iPhone)? Note that the DDNS URL does work while on the local network.

Second issue is that when I am connected to the WG server as a client, the IP address that is being shown via LTE is still the T-Mobile IP address. I know that I am properly connected as a client because the router shows a client is online and I can ping the server from my iPhone. I I think VPN cascading is bugged.

That’d be the expected behaviour. The DDNS is only used to grab the public IPv4 end_point address for the WG Client (techncially a peer). Once it’s resolved/cached the DDNS to IPv4 it then sets up the WG tunnel using whatever static/hard coded tunnel IP you’ve assigned.

  • WG Client: cat /etc/config/wireguard
    • cat /etc/config/wireguard | grep end_point
  • WG Server: cat /etc/config/wireguard_server

The first thing I’d check is to ensure the mobile device is set to ‘Block connections without VPN’ (Android verbiage).

Hi bring,

Thank you for your responses on these. I don’t believe the iPhone has such a function.