Wireguard external IP routing to AXT1800 internal IP

stev0 · 2022-11-20T08:56:29.664Z

Hi all I’m trying to set up an AXT1800 to access my home’s internal services remotely using Wireguard. I have an Unraid server running Wireguard and a remote tunneled access peer.

On my phone, connected to LTE and tunneled thru Wireguard using the Android client, I can access my internal services using my domain just fine. For example’s sake, let’s pretend my external IP is 1.2.3.4 (1-2-3-4.myisp.com) and my domain is domain.com – here is what a ping looks like from my phone:

$ ping service.domain.com
PING cname.domain.com (1.2.3.4) with 56(84) bytes of data
64 bytes from 1-2-3-4.myisp.com (1.2.3.4): icmp_seq=1 ttl=63 time=67.7 ms

However on the AXT1800 with the same Wireguard peer config, I’m able to access my internal services directly through IP and port, but not using the domain. Looking at the ping response from a client of the AXT1800, I get the AXT1800 IP (192.168.8.1) returned:

$ ping service.domain.com
PING cname.domain.com (1.2.3.4) with 56(84) bytes of data
From console.gl-inet.com (192.168.8.1) icmp_seq=1 Destination Port Unreachable

Since the same Wireguard peer config works fine on my phone, I’m assuming this is a routing issue rather than a Wireguard config issue, but I’m not sure where to look from here. This seems basic, but unfortunately I’m past my networking knowledge and don’t know how to search for a solution. Hopefully I’ve kept this short enough to digest without leaving out pertinent details – any ideas?

K3rn3l_Ku5h · 2022-11-20T12:54:55.347Z

What is the Firmware?
What are the AXT1800 DNS settings and is adguardhome running?

Sense you can reach it I am assuming you have a static IP or DDNS set up correctly?

The AXT1800 is the client trying to access the server, Correct?

I do not work for and I am not directly associated with GL.iNet

stev0 · 2022-11-20T17:38:26.502Z

I’m on firmware 4.1.0 (Nov 16). The DNS settings are as follows:

DNS Rebinding Attack Protection: off
Override DNS Settings for All Clients: off
DNS Server Settings > Mode: Automatic

AdGuard is currently disabled. I have DDNS set up for my domain.com which is working fine everywhere including from the AXT1800 when it is not connected to Wireguard. And that’s correct, AXT1800 is the WG client trying to access the server, which is on my Unraid box at home

edit: Another data point, if I SSH into the AXT1800 and ping service.domain.com, all of the packets are lost instead of returning its own IP as shown above. I can, however, ping the internal IP of the service and get a response.

K3rn3l_Ku5h · 2022-11-21T19:12:23.797Z

I think you need to add the internal IP of the server to the allowed IP of the client config file or the AXT1800 IP range needs to be added to the allowed IP of the Server config.

I am not I 100% on that.

stev0 · 2022-11-21T21:19:49.875Z

Thanks for the suggestion, I tried adding the AXT1800 range to the WG server AllowedIPs and restarted the WG service but unfortunately the issue remains and the symptoms are the same (IP access works, domain access doesn’t work). For reference, here are my configs after the update:

WG server (click to show)

[Interface]
PrivateKey=redacted
Address=10.253.0.1
ListenPort=51820
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'
PostDown=iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE

[Peer]
PublicKey=redacted
PresharedKey=redacted
AllowedIPs=10.253.0.2,192.168.8.0/24

WG client (click to show)

[Interface]
Address = 10.253.0.2/32
ListenPort = 6321
PrivateKey = redacted
DNS = 192.168.1.1

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = wg.domain.com:51820
PersistentKeepalive = 25
PublicKey = redacted
PresharedKey = redacted

K3rn3l_Ku5h · 2022-11-22T02:02:35.774Z

The AXT1800 client is not using the Servers DNS?
Maybe something to do with subnet, although I doubt it.

Is this the same issue?

Allow Remote Access LAN - how does this work? Technical Support for Routers

I am trying to understand how this “Allow Remote Access LAN” work. Let’s say my LAN is 192.168.0.x. I start a WireGuard server on the router and I connect to it from a client so the client gets an IP of 10.0.0.2. Does this function mean that if I have a NAS on my LAN 192.168.0.100 I will be able to access it somehow from the VPN client? I guess I will need some extra firewall settings for that? And what about the client side, how my windows client will know the route to 192.168.0.100 from the …

stev0 · 2022-11-22T02:50:36.371Z

The DNS setting listed above (192.168.1.1) is my home gateway, a UniFi Security Gateway. Your question did give me the idea to try 10.253.0.1 (WG server) and 192.168.8.1 (AXT1800) as DNS settings but unfortunately DNS failed to resolve any addresses at all in both cases.

Using 192.168.1.1 (USG) or a public DNS like 1.1.1.1 results in the same ping behavior as noted in the original post, where the correct 1.2.3.4 external IP is pinged, but the response always says it’s from 192.168.8.1. I checked dig and in both of these cases the response is the correct external IP, so it really seems something is amiss with the translation between external and internal IP (hairpin NAT?):

service.domain.com.	300	IN	CNAME	cname.domain.com.
cname.domain.com.	300	IN	A		1.2.3.4

The linked issue seems to be different, because in my case I can access everything on my LAN by direct IP and port when connected to WG on an external network, indicating to me that the firewall is letting traffic through properly.

Another thing I’ve tried is eliminating NAT on WG by removing PostUp and PostDown from the WG server config, adding a static route on my USG from 10.253.0.0/24 (WG subnet) to 192.168.1.10 (the Unraid server running WG), and adding a rule on my USG firewall to allow 10.253.0.0/24 (WG subnet) access to 192.168.1.0/24 (LAN subnet). but unfortunately the same behavior persisted.

alzhao · 2022-11-22T08:31:22.947Z

stev0:

have an Unraid server running Wireguard and a remote tunneled access peer

Can you check what is the DNS setting in your wireguard config?

AXT1800 should use this DNS to resolve your local domain which should be correct. Otherwise it may be buggy.

stev0 · 2022-11-22T18:59:06.145Z

I’m using my home gateway as the Wireguard DNS – I posted my WG server and client configs here:

Wireguard external IP routing to AXT1800 internal IP Technical Support for Routers

Thanks for the suggestion, I tried adding the AXT1800 range to the WG server AllowedIPs and restarted the WG service but unfortunately the issue remains and the symptoms are the same (IP access works, domain access doesn’t work). For reference, here are my configs after the update:
WG server (click to show)
[Interface] PrivateKey=redacted Address=10.253.0.1 ListenPort=51820 PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started' PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o…

I verified with dig service.domain.com @192.168.1.1 that my correct external IP is being resolved, and indeed in the ping response in the original post, you can see the correct external IP logged before the responses. For some reason the external IP is getting routed/translated incorrectly to the AXT1800

K3rn3l_Ku5h · 2022-11-22T20:03:41.180Z

Is your Phone (LTE connection) using IPv6?
AXT1800 Doesn’t use IPv6 by default?

Guessing at this point. It seams a IP routing table is not configured correctly. It could be that it did not make a clean switch to NFtables.

OpenWrt Forum – 5 Sep 22

OpenWrt 22.03.0 first stable release

Hi, The OpenWrt community is proud to announce the first stable release of the OpenWrt 22.03 stable version series. It incorporates over 3800 commits since branching the previous OpenWrt 21.02 release and has been under development for about one...

Reading time: 31 mins 🕑 Likes: 168 ❤

stev0 · 2022-11-22T20:48:56.554Z

Interesting thought, it could be related although I’m not sure how exactly to check.

So far I’ve been using a LTE USB modem with a data-only SIM from the same provider as my phone to test the AXT1800 + WG connection. I checked and the AXT1800 doesn’t get an external IPv6 address through LTE. My phone on LTE with no tunnel does get an external IPv6, but when tethering the AXT1800 to it, I get IPv4 only. Home internet is IPv4 only as well.

FWIW, I bought this AXT1800 about two weeks ago. I’m pretty sure I recall the loaded firmware as 3.x.x, which if that’s correct would’ve had an older OpenWrt version making that theory plausible. I think I did update firmware before trying LTE or WG, if that matters at all.

edit: As a test, I changed the PDP type on the LTE modem from IPv4 to IPv4v6 and enabled IPv6 on the AXT1800. I got an external IPv6 address, but the original issue persisted.