TP-Link Archer C7 v4 - VPN into my NAS for free

Hello, I asked a similar question a few months ago but the thread went stale
I have a TP-Link Archer C7 v4 and a Netgear NAS
I have been using the FileBrowser app to access my files remotely on my iPhone and iPad
I have heard that the FileBrowser app is not secure :frowning:
Q: Is it possible to VPN into my network for free?
Thank you in advance

Is your C7 running OpenWrt? If so, take a look at WireGuard: it is built into OpenWrt, free, and a far better option than exposing the NAS's file-sharing ports to the Internet.

EDIT: sorry that I didn't see your other thread... but we can continue here.


Looking at your other thread, it looks like you have WG installed. Let's review the config from the router and also from your iPhone/iPad.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, WireGuard private keys, MAC addresses and any public IP addresses you may have (WireGuard public keys are safe to leave in):

cat /etc/config/network
cat /etc/config/firewall
# /etc/config/network as posted (private key, ULA prefix and MAC already redacted by the poster).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '****:****:****::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

# LAN: router is 192.168.1.254/24; the NAS and CCTV hosts referenced in the firewall live here.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.254'

config device
        option name 'eth0.2'
        option macaddr '**:**:**:**:**:**'

# WAN via DHCP. NOTE(review): the 'metric' here and on wg0 is not needed on the side that
# acts as the WireGuard server and is what the reply below suggests removing.
config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option metric '20'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

# WireGuard endpoint terminated on the router itself: listens on UDP 1234, tunnel address 10.14.0.1/24.
# The firewall therefore has to ACCEPT UDP 1234 from wan as router input, not DNAT it to another host.
# The private key must never leave this device; keep it redacted when posting.
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'A****************************************Vw='
        option listen_port '1234'
        list addresses '10.14.0.1/24'
        option metric '10'

# Peer entry for the phone/tablet client.
# route_allowed_ips '1' installs a route for every allowed_ips entry below, so on this (server)
# side the list should contain only the client's tunnel address, 10.14.0.3/32.
# '0.0.0.0' (no prefix length) and '::0/0' do not belong here: '::0/0' plus route_allowed_ips
# makes the router send all of its IPv6 traffic into the tunnel. The "route everything" entries
# belong only in the client's own config, if the client should tunnel all of its traffic.
# persistent_keepalive is only useful on the side behind NAT (normally the client); harmless here.
config wireguard_wg0
        option public_key 'x****************************************xA='
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option description 'MJM'\''s peer'
        list allowed_ips '10.14.0.3/32'
        list allowed_ips '0.0.0.0'
        list allowed_ips '::0/0'

root@Molloy-WRT:~# cls
-ash: cls: not found
root@Molloy-WRT:~# clear
root@Molloy-WRT:~#  option public_key 'x****************************************
xA='
-ash: option: not found
root@Molloy-WRT:~#         option route_allowed_ips '1'
-ash: option: not found
root@Molloy-WRT:~#         option persistent_keepalive '25'
-ash: option: not found
root@Molloy-WRT:~#         option description 'MJM'\''s peer'
-ash: option: not found
root@Molloy-WRT:~#         list allowed_ips '10.14.0.3/32'
-ash: list: not found
root@Molloy-WRT:~#         list allowed_ips '0.0.0.0'
-ash: list: not found
root@Molloy-WRT:~#         list allowed_ips '::0/0'
-ash: list: not found
root@Molloy-WRT:~#








cat /etc/config/firewall


# /etc/config/firewall as posted.
# Defaults apply to traffic on interfaces that are not assigned to any zone; the wan zone
# below overrides input/forward to REJECT, which is what protects the router from the Internet.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

# lan zone also contains wg0, so any peer holding a valid client key gets the same access as a
# wired LAN device. That is the intent (reach the NAS over the tunnel), so treat the client
# private keys like LAN passwords and use one key pair per device.
# 'tun+' looks like a leftover from an OpenVPN setup (see the Allow-OpenVPN rule further down);
# if OpenVPN is no longer used, remove both to shrink what is reachable from wan.
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun+'
        list network 'lan'
        list network 'wg0'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

# Standard OpenWrt default rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# These two forward IPsec (ESP and IKE on UDP/500) from wan into lan. They are only needed if
# an IPsec endpoint sits on the LAN; nothing in this thread shows one, so they are probably
# leftovers and can go once WireGuard is working.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Port forward: exposes port 85 of the camera at 192.168.1.239 directly to the Internet (no
# proto set, so the default of TCP and UDP applies). This is exactly the kind of exposure the
# VPN is meant to replace -- once the tunnel works, delete this and reach the camera over wg0.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'CCTV'
        option src 'wan'
        option src_dport '85'
        option dest_ip '192.168.1.239'
        option dest_port '85'

# Wake-on-LAN forwards: anyone on the Internet who finds the public IP can send an
# unauthenticated magic packet to port 9 / 4343 and wake 192.168.1.10 / 192.168.1.13.
# Prefer sending WoL from the router or a LAN host over the VPN and remove these.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option dest_port '9'
        option src_dport '9'
        option name 'WoL'
        list proto 'tcp'
        list proto 'udp'
        option dest_ip '192.168.1.10'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'WoL - NAS'
        option src 'wan'
        option dest_ip '192.168.1.13'
        list proto 'tcp'
        list proto 'udp'
        option src_dport '4343'
        option dest_port '9'

# Router input rule for OpenVPN (UDP 1194). Remove if OpenVPN is no longer in use.
config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'

# BUG: this DNATs UDP 1234 to 192.168.1.13 (the NAS), but the WireGuard server is the router
# itself (wg0 listens on 1234 in /etc/config/network), so every handshake is sent to the wrong
# host. Replace it with a plain 'config rule' that ACCEPTs UDP 1234 from wan (router input).
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Wireguard'
        list proto 'udp'
        option src 'wan'
        option src_dport '1234'
        option dest_ip '192.168.1.13'
        option dest_port '1234'

# 'vpn' zone has no 'list network' entry, so no interface is attached to it; together with the
# lan->vpn forwarding below it appears to be an orphan from an earlier VPN attempt.
config zone
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        option masq '1'
        option name 'vpn'

config forwarding
        option src 'lan'
        option dest 'vpn'

The iPhone settings ...
What exactly do you need?
TiA

It appears that this side acts as the 'server' -- so remove the allowed_ips entries for 0.0.0.0 and ::0/0, leaving only 10.14.0.3/32 (the client's tunnel address). On the server, allowed_ips is a list of which source addresses that peer may use and, because route_allowed_ips is '1', which destinations get routed into the tunnel; '::0/0' there makes the router push all of its IPv6 traffic towards the phone. The "route everything" entries belong only in the client's own config, and only if you want the phone to send all of its traffic through the tunnel.

And, assuming this is indeed the 'server' peer, you can remove the metrics from both the wan and the wireguard interfaces. Those shouldn't be necessary and may cause problems.

The 'Wireguard' redirect (the one that DNATs UDP 1234 to 192.168.1.13) is wrong and is going to prevent your WG from connecting: the WireGuard server is the router itself (wg0 listens on port 1234), but this rule hands every handshake packet to the NAS instead. Delete it.

Then, add a rule (instead of a redirect) to allow the inbound connection for WG.

# Accept WireGuard handshakes arriving on the WAN side. No 'dest' is set on purpose: a rule with
# only 'src' applies to traffic addressed to the router itself, which is where wg0 terminates.
# Port and protocol must match 'listen_port' in /etc/config/network (UDP 1234).
config rule
        option name 'Allow-Wireguard'
        option src 'wan'
        option dest_port '1234'
        option proto 'udp'
        option target 'ACCEPT'

Restart your router after making these changes and try to connect again... if that doesn't work, show me your configuration from your phone (when you go to 'edit' the WG details) -- a screenshot is fine, but cover the private key and your public IP/endpoint before posting it.


Hello,
Thank you for you message ...

I have completed the steps but got stuck on

Assuming this is indeed the 'server' peer, you can remove the metrics from both the wan and the wireguard interfaces. Those shouldn't be necessary and may cause problems.

config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
option metric '20'

I cannot locate where these details are ...