Wireguard server with double nat and vpn client

I think @stangri means the vpn client I use which is indeed OpenVPN and supports TCP. Only the server is wireguard. But as I wrote changing the client to tcp does not help

Can you try to ip route flush cache ?

I ran the command but nothing changed regarding my problem. Would there be anything I should look out for?

Since this is driving me nuts I now even switched from the openvpn client to a wireguard client with the hope of solving the problem.

It remains however the same; I get incoming traffic on port 5892 but cannot send an answer via the wan route

I am out of ideas for the time being. However do a search in the forum, as I swear that I have come across this issue before.


Thank you in any case for helping. I actually spent several days searching through forums (also this one) without any success before posting here, so I am not too hopeful anymore :frowning:

Until some solution is found, maybe you want to do it for the whole router?
ip rule add iif lo to default lookup 201 prio 16030

Sorry I am not really an expert. What would the rule exactly do? And would I remove it with ip rule list and then ip rule del #?

Coming in really late here, but do you have another VPN running in addition to WireGuard? OpenVPN? What network is assigned in OpenVPN?

And, if you wouldn't mind, can you post the latest config files (or point me to them - the reply number in the thread, for example) so that anything I suggest is actually relevant.

Do you mean in addition to what I wrote in my initial post? The configs posted there are basically still up to date except for the change proposed in #2.

So it's OpenWrt behind an ISP router with an OpenVPN client and a WireGuard server. Today I've tried exchanging the OpenVPN client for a WireGuard client, which does work, but the problem remains the same.

But what network do you have defined for openvpn? Can you post that config file?

EDIT: I misread your post... you've got OpenVPN client, not server, so the network isn't defined by this router. That said, are you able to connect OpenVPN? When you do, what IP address is issued to your OpenVPN client interface?

Are you trying to run OpenVPN client concurrently with WireGuard?

See the first few bullet points in my initial post. I am routing the traffic of all clients through the vpn as the default route (which is a commercial vpn provider). This has been working fine for years.

Now I am trying to add a wireguard server so that I can connect from abroad to my home network. This works fine when the vpn client is disabled. As soon as the vpn client connection is up (so yes, the vpn client and the wg server should run at the same time), connecting to the wg server stops working even though I've set up vpn-policy routing accordingly. For example accessing a locally running web server works fine thanks to vpn-policy-routing.

As for the vpn ip see this post: Wireguard server with double nat and vpn client
Check the vpn-policy-routing reload file. It is some internal ip from the vpn provider.

Ok... sorry, I only skimmed the earlier stuff.

If you disable the OpenVPN client, does the WG connection begin to work?

What was the setup for the WireGuard 'client'? WireGuard doesn't have a server/client model, it's all peer to peer, so if you have one WireGuard interface working then the differences between the configs should point towards the issue.

Yes it does

As I have said to @psherman, the WireGuard server works fine as long as no VPN client is active: either an OpenVPN client (which is described in the configs in my first post) or a WireGuard client which I set up for testing today. The WireGuard client is set up in the same way as the OpenVPN client, with its own interface and own firewall zone. I don't think the WireGuard client is really relevant; I just set it up to see whether the problem was somehow specific to the OpenVPN client. It is apparently not.

So this is purely an issue with the VPN policy based routing as you have proven that the WG interface works (connecting from the internet to the 'server'), right?

Yes, that is the conclusion so far. However, we were not able to pinpoint exactly what is the issue with my policy routing setup. It should work :frowning:

And it does work for my web server. Just not for the wireguard server

Force locally generated traffic (everything from the router itself) to use the routing table for wan.

ip rule del iif lo to default lookup 201 prio 16030

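The two commands above are the whole fix; what the question in between asked for is how to verify the rule is there and how to remove it cleanly. The script below is an added example and is not from the thread or from the vpn-policy-routing package: it wraps the add and delete commands in functions, and parses `ip rule show` output (a constructed sample is embedded so it runs without root) to find the priority of the rule, which is what you would feed to `ip rule del`. It assumes table 201 is the WAN table that vpn-policy-routing created on this router, as the thread implies; on another box, check `ip route show table <n>` first.

```shell
#!/bin/sh
# Added example: manage the "router's own traffic goes via WAN" policy rule.
# Assumptions: table 201 is the vpn-policy-routing WAN table and priority 16030
# is free (both taken from the thread; verify with `ip rule show` on your router).
WAN_TABLE=201
RULE_PRIO=16030

# Rule: packets generated by the router itself (iif lo) to any destination
# (to default = 0.0.0.0/0) are looked up in the WAN table instead of main,
# so replies from the WireGuard server leave via the ISP router, not the VPN.
rule_add_cmd() {
    printf 'ip rule add iif lo to default lookup %s prio %s\n' "$WAN_TABLE" "$RULE_PRIO"
}

# Exact inverse of rule_add_cmd; `ip rule del` needs the same selector and
# priority, otherwise it deletes the first rule that matches the partial spec.
rule_del_cmd() {
    printf 'ip rule del iif lo to default lookup %s prio %s\n' "$WAN_TABLE" "$RULE_PRIO"
}

# Read `ip rule show` output on stdin and print the priority of the rule that
# sends iif lo traffic to the WAN table (empty output means it is not installed).
find_rule_prio() {
    awk -v t="$WAN_TABLE" '
        $0 ~ /iif lo/ && $0 ~ ("lookup " t "$") { sub(":", "", $1); print $1 }
    '
}

# Constructed sample of `ip rule show` after the rule was added (not captured
# from a real router; the local/main/default rules are the kernel defaults).
SAMPLE_RULES='0:	from all lookup local
16030:	from all iif lo lookup 201
32766:	from all lookup main
32767:	from all lookup default'

# Run the real commands only when we are root and iproute2 is present,
# otherwise just show what would be executed.
apply_rule() {
    cmd=$(rule_add_cmd)
    if [ "$(id -u)" = 0 ] && command -v ip >/dev/null 2>&1; then
        sh -c "$cmd" && ip rule show | find_rule_prio
    else
        echo "would run: $cmd"
    fi
}

# Demonstration on the constructed sample
echo "add:    $(rule_add_cmd)"
echo "delete: $(rule_del_cmd)"
echo "installed at prio: $(printf '%s\n' "$SAMPLE_RULES" | find_rule_prio)"
```

Note that rules added with `ip rule add` by hand do not survive a reboot, and `ip rule del <prio>` alone will also work once you have the priority from `ip rule show`, which is what the "ip rule list then ip rule del" idea above amounts to. Whether vpn-policy-routing rewrites or drops this rule on its own reload is not something the thread settles, so recheck `ip rule show` after the next reload.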

Was anyone able to fix this? I'm trying to do the same thing and having the same issue. :confused: