Wireguard Server on router behind NAT

My one router SP1200 is behind an ISP-provided router, and therefore for the DDNS test I get this message: "Your DDNS is resolved as 1xx.xx.xx.xx
But this router is behind NAT or you do not have a Public IP address".

I want to set up a WireGuard server on this router. Can I achieve this? In the WireGuard configuration, will I be using the DDNS address as the server address?

If the IP 1xx.xx.xx.xx is the address of your ISP-provided router and you are able to set up port forwarding from your ISP-provided router, it should work fine.

If 1xx.xx.xx.xx is not your Internet IP, then you need to find another DDNS service or a way to reach your router permanently.

Another way is to find another place to install the Wireguard server and let the SP1200 connect as client and build a VPN that way.

Is the IP in the WAN interface of your GLiNet router:

  • 10.0.0.0 to 10.255.255.255
  • 172.16.0.0 to 172.31.255.255
  • 192.168.0.0 to 192.168.255.255

then your ISP router does perform NAT. To have a WireGuard server working then, set up port forwarding to your GLiNet router from your ISP’s router.
I am not sure if the DDNS client on the GLiNet router can look up its public IP (WAN IP on ISP router), but it should be able to do that.

Is the WAN IP on the ISP router:

  • 100.64.0.0 to 100.127.255.255

Then your ISP does Carrier-Grade NAT and you simply cannot run a WireGuard server that can be reached from the internet, because there is NAT performed before your ISP’s router. You cannot set up port forwarding in that case, so it will not work.

2 Likes
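The range check described in the post above, as an added example (not code from the thread or from GL.iNet). It goes one step further and walks a chain of WAN addresses, from your own router outward, to say how many upstream routers must forward the WireGuard UDP port. The function names are hypothetical; 10.10.4.179 is the WAN IP reported later in this thread, and the other sample addresses are constructed.

```python
import ipaddress

# Ranges named in the post above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # 100.64.0.0 to 100.127.255.255


def classify(addr):
    """Return 'private', 'cgnat' or 'public' for one WAN address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def diagnose(wan_chain):
    """wan_chain: WAN IPs starting at your own router, then each upstream
    router you can log in to. Returns (verdict, forwards), where forwards is
    the number of upstream routers that must forward the WireGuard UDP port."""
    forwards = 0
    for addr in wan_chain:
        kind = classify(addr)
        if kind == "public":
            return ("reachable", forwards)
        if kind == "cgnat":
            # NAT happens inside the ISP network; no forward can be set there.
            return ("blocked: carrier-grade NAT", forwards)
        forwards += 1  # private WAN IP: the next router upstream does NAT
    # Chain ended on a private address: another router you have not
    # inspected sits upstream and must forward the port as well.
    return ("unknown: uninspected upstream router must forward", forwards)


if __name__ == "__main__":
    samples = {  # constructed scenarios
        "single ISP router": ["192.168.8.100", "203.0.113.7"],
        "CGNAT at the ISP": ["192.168.0.2", "100.64.3.9"],
        "double NAT": ["192.168.0.2", "10.10.4.179"],
    }
    for name, chain in samples.items():
        print(name, "->", diagnose(chain))
```
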

Hi!

Even if this thread is old, I’d like to jump in here with a similar problem.

My setup is an ISP cable router. I attached my GL-AR750S to one LAN port and set it up as a router. In the ISP router, I set up a DMZ for the Slate.

I also set up DDNS on the Slate. After setting up a WireGuard server on the Slate, I set up a WG client on my iPhone. As Endpoint in the phone config, I set up the DDNS name (XXXX.glddns.com).

  • After setting up DDNS I hover over the field “DDNS” and open the page XXXX.glddns.com. There I am asked for a username and password. Basically, I don’t know what credentials I have to enter here, and what this page is about? Seems that this page is reachable whether “HTTPS” is activated, or not?!
  • I can’t get the WG server working. The Endpoint in the client config seems to be resolved correctly, but I can’t access any client from the WG client.

Thankful for every help!

GL router does not ask for username. So this is your ISP router? Can you post a screenshot?

It doesn’t look like the page of my router.

This is the landing page of my ISP router:

Furthermore, I’m surprised that the page (glddns.com) is reachable whether the DDNS service is switched on or off on the Slate?!

Can you check if you have another router above the ISP router?

Check your ISP router’s public IP and see if you can access that IP and open the web page of the ISP router. Of course you need to open port 80 on your ISP router.

The DDNS is IP resolution. Even if you turn it off, the last IP is recorded and will remain.

This is the WAN Gateway. Looks different, too?!

You are accessing using the Internal IP addresses.

I mean, log in to your ISP router, check what the WAN IP is, and test if that is your public IP.

Unfortunately, I can’t find the public IP.

10.10.4.179 is its WAN IP.

So 10.10.0.1 is the UniFi router. Can you log in to this one and find the WAN IP?

No, I don‘t have credentials for that one.

Sorry for the misunderstanding, 10.10.4.179 leads to the main page of my ISP router, too.

Then you cannot use your network as a VPN server.

OK, that’s too bad. Would it help if I ask the ISP to put my router (10.10.4.179) in a DMZ?

I don’t think so. As this “ISP router” still has one upstream router, I wonder if this is the true ISP router. You need to do DMZ or port forwarding on the UniFi router at least.

I agree. The „ISP“ is just a reseller, providing a cable net for the holiday park with several homes.

You could look into using something like Tailscale or ZeroTier. They have servers that help with NAT traversal. I personally use Tailscale, and it works great wherever I go and I never have to think about NAT issues. Tailscale is built on top of WireGuard, so it is fast and secure. It is quick and easy to install, and requires minimal configuration.

Tailscale is designed to allow devices with it installed and signed into the same account to seamlessly talk directly to each other. You can get it to work more like a regular WireGuard VPN using Tailscale’s Subnet Router and Exit Node features. Setting up a device as a Subnet Router allows access to an entire network without installing Tailscale on each device. Setting up an Exit Node allows you to route all of the traffic from your device through the exit node like a regular VPN.

3 Likes

Thanks for the hint. Do you know if this service could be installed on my Slate router?

If it has Firmware 4.2, Tailscale and ZeroTier support is built in. If not, it definitely can be installed as long as there is space available.

1 Like

Here’s a guide that should work for devices on the 3.x firmware: Installing Tailscale on the GL-AR750S Travel Router – Tech Blog

2 Likes