savage75
Occasional Visitor
- Nov 12, 2022
- #1
Hi folks!
Trying to set up a WireGuard VPN on an ASUS ZenWiFi AX (XT8) so I can access my local network through it (as below).
Peer1 (10.6.0.2) connects successfully to the WireGuard server; it can also ping 10.6.0.1 (wgs1) and 192.168.0.2 (LAN), but it can't connect to other devices on the 192.168.0.0/24 network.
Peer1 VPN config
Trying to understand the routing tables on the ASUS router side:
From the ASUS router side I can ping all of the networks, 10.6.0.0/24 and 192.168.0.0/24, so that looks fine.
Over SSH on asuswrt I couldn't find any server config file under /tmp/etc/wg.
I was looking for it so I could add NAT to the [Interface] section of the server config when the tunnel goes up and down, but no luck?
PostUp = iptables -w -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -w -t nat -D POSTROUTING -o eth0 -j MASQUERADE
I forgot to mention: the local network 192.168.0.0/24 has a UniFi UDM Pro with IP 192.168.0.1 and DHCP enabled, and because it's behind an ISP router with a dynamic IP I couldn't set up any VPN solution on it (without using an external VPS solution).
Can someone help me out on this? Many thanks.
bbunge
Part of the Furniture
- Nov 12, 2022
- #2
Am a bit confused by your diagram. You show two connections from the "cloud" to your LAN (192.168.0.1 router and .2 what looks like a switch). Why? I have Wireguard server set up and can access all LAN hosts via the Wireguard VPN and Instantguard. I also use the default LAN address of 192.168.50.0/24. If that 192.168.0.2 device is a managed switch I recommend you try an unmanaged switch and let the router hand out DHCP addresses.
savage75
Occasional Visitor
- Nov 14, 2022
- #3
bbunge said:
Am a bit confused by your diagram. You show two connections from the "cloud" to your LAN (192.168.0.1 router and .2 what looks like a switch). Why? I have Wireguard server set up and can access all LAN hosts via the Wireguard VPN and Instantguard. I also use the default LAN address of 192.168.50.0/24. If that 192.168.0.2 device is a managed switch I recommend you try an unmanaged switch and let the router hand out DHCP addresses.
Thanks @bbunge, I updated the thread.
I forgot to mention the local network (the LAN: 192.168.0.1 is a UniFi UDM Pro router with DHCP enabled), and because the router is behind the ISP router with a dynamic IP I can't use it for the VPN connection.
bbunge
Part of the Furniture
- Nov 14, 2022
- #4
savage75 said:
Thanks @bbunge, I updated the thread.
I forgot to mention the local network (the LAN: 192.168.0.1 is a UniFi UDM Pro router with DHCP enabled), and because the router is behind the ISP router with a dynamic IP I can't use it for the VPN connection.
And you are running this as a home network? The UDM Pro has a VPN server! Looks like you need to get rid of the ISP router or bridge it and set the DDNS on the UDM Pro and use the Asus as a wireless access point. Otherwise you have spent the big bucks on a mess.....
savage75
Occasional Visitor
- Nov 14, 2022
- #5
bbunge said:
And you are running this as a home network? The UDM Pro has a VPN server! Looks like you need to get rid of the ISP router or bridge it and set the DDNS on the UDM Pro and use the Asus as a wireless access point. Otherwise you have spent the big bucks on a mess.....
It's some kind of home office network; the ISP router is a shared internet connection, so there is no way to change its settings or bridge it. On the ASUS router I have a 3G mobile connection, so I can manage it as I need.
On the ASUS router I use their built-in DDNS to deal with the dynamic IP, and WireGuard would be great for accessing my local network. If I don't get help with this I can return the ASUS and look for other options.
savage75
Occasional Visitor
- Nov 15, 2022
- #6
I found the problem and fixed it by:
1- adding NAT masquerade
#iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -o br0 -j MASQUERADE
2- then save the changes
#iptables-save
3- restart iptables service
#service restart-firewall
Voilà! Working just fine.
Coal
New Around Here
- Dec 3, 2022
- #7
Thanks savage, I was struggling with this for a while.
However, the settings aren't saved when the router is rebooted. To fix this, do the following:
- Open router settings >> Administration >> System
- Set "Enable JFFS custom scripts and configs" to Yes and click Apply
- SSH or WINSCP into the router and go to /jffs/scripts
- Create a new file called nat-start
- Write this code into the file and save
Code:
#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -o br0 -j MASQUERADE
- Give the file execute permissions "chmod 755 nat-start"
- Reboot the router and the masquerade setting persists
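Here is an idempotent version of the nat-start hook from the two posts above (savage75's masquerade rule and Coal's persistence steps). This is an added example, not either poster's script: the WG_SUBNET, LAN_IF and IPT variables, the `remove_masquerade` helper and the `-C` check are my additions, and it assumes the router's iptables build supports `-C` (present in upstream iptables since 1.4.11). The point it adds is that nat-start runs on every firewall restart, not just at boot, so an unconditional `-A` stacks a duplicate MASQUERADE rule each time.

```shell
#!/bin/sh
# /jffs/scripts/nat-start (example): masquerade the WireGuard server subnet
# onto the LAN bridge so LAN hosts answer VPN peers via the router.
# Assumptions (not from the thread): the router's iptables supports the
# "-C" (check) option, and the defaults below match your setup; override
# them with environment variables if they differ.

WG_SUBNET="${WG_SUBNET:-10.6.0.0/24}"   # WireGuard server subnet used in the thread
LAN_IF="${LAN_IF:-br0}"                  # LAN bridge interface on asuswrt
IPT="${IPT:-iptables}"                   # command to run; overridable for offline testing

# ensure_masquerade: add the POSTROUTING MASQUERADE rule only if it is not
# already present. nat-start runs on every firewall restart, so an
# unconditional "-A" would stack a duplicate rule each time.
# Returns 0 when the rule is present afterwards.
ensure_masquerade() {
    if "$IPT" -t nat -C POSTROUTING -s "$WG_SUBNET" -o "$LAN_IF" -j MASQUERADE 2>/dev/null; then
        logger -t nat-start "MASQUERADE for $WG_SUBNET on $LAN_IF already present" 2>/dev/null || true
        return 0
    fi
    "$IPT" -w -t nat -A POSTROUTING -s "$WG_SUBNET" -o "$LAN_IF" -j MASQUERADE || return 1
    logger -t nat-start "added MASQUERADE for $WG_SUBNET on $LAN_IF" 2>/dev/null || true
}

# remove_masquerade: counterpart for cleanup (e.g. from a WireGuard PostDown
# hook). Loops so that duplicates left by an earlier non-idempotent version
# are removed as well.
remove_masquerade() {
    while "$IPT" -t nat -C POSTROUTING -s "$WG_SUBNET" -o "$LAN_IF" -j MASQUERADE 2>/dev/null; do
        "$IPT" -w -t nat -D POSTROUTING -s "$WG_SUBNET" -o "$LAN_IF" -j MASQUERADE || return 1
    done
}

# Only act when invoked as the nat-start hook, not when sourced for testing.
case "$0" in
    */nat-start|nat-start) ensure_masquerade ;;
esac
```

Install it exactly as Coal describes (save as /jffs/scripts/nat-start, `chmod 755`, JFFS scripts enabled). You can confirm there is a single rule with `iptables -t nat -L POSTROUTING -n -v` after a couple of `service restart_firewall` runs. As to why the rule is needed at all: the ASUS router answers pings to its own addresses directly, but every other LAN host sends its reply for 10.6.0.2 to its default gateway, the UDM Pro at 192.168.0.1, which has no route to 10.6.0.0/24. Masquerading rewrites the source to the router's LAN address (192.168.0.2) so replies come back to it; the NAT-free alternative is a static route on the UDM Pro for 10.6.0.0/24 via 192.168.0.2.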
savage75
Occasional Visitor
- Dec 3, 2022
- #8
Coal said:
Thanks savage, I was struggling with this for a while.
However, the settings aren't saved when the router is rebooted. To fix this, do the following:
- Open router settings >> Administration >> System
- Set "Enable JFFS custom scripts and configs" to Yes and click Apply
- SSH or WINSCP into the router and go to /jffs/scripts
- Create a new file called nat-start
- Write this code into the file and save
Code:
#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -o br0 -j MASQUERADE
- Give the file execute permissions "chmod 755 nat-start"
- Reboot the router and the masquerade setting persists
Thanks! I really appreciate it. The only thing is that I can't find the option "Enable JFFS" on my router, but it exists on the SSH side. I guess this one should work just fine on routers running Merlin's firmware, or am I missing something?
ColinTaylor
Part of the Furniture
- Dec 3, 2022
- #9
savage75 said:
Thanks! I really appreciate it. The only thing is that I can't find the option "Enable JFFS" on my router, but it exists on the SSH side. I guess this one should work just fine on routers running Merlin's firmware, or am I missing something?
Custom scripts are a Merlin feature. As I said in your duplicate thread, I'm not aware of a way of doing this in stock firmware.
savage75
Occasional Visitor
- Dec 3, 2022
- #10
ColinTaylor said:
Custom scripts are a Merlin feature. As I said in your duplicate thread, I'm not aware of a way of doing this in stock firmware.
OK @ColinTaylor, I wonder if Merlin supports the free DDNS function like official asuswrt does?
ColinTaylor
Part of the Furniture
- Dec 3, 2022
- #11
savage75 said:
OK @ColinTaylor, I wonder if Merlin supports the free DDNS function like official asuswrt does?
It does, but Merlin doesn't make firmware for the XT8. There's a fork for the XT8 which I guess would work the same:
GitHub - gnuton/asuswrt-merlin.ng: Extends the support of Asus Merlin firmware to more routers (github.com)
Coal
New Around Here
- Dec 4, 2022
- #12
savage75 said:
Thanks! I really appreciate it. The only thing is that I can't find the option "Enable JFFS" on my router, but it exists on the SSH side. I guess this one should work just fine on routers running Merlin's firmware, or am I missing something?
Oh, yes, I'm running Merlin's firmware because my AX58U doesn't support WireGuard. I didn't realise scripts were an exclusive feature.
I came across a PostUp command you can insert into the WireGuard config file which runs as soon as a VPN is established. An example is used here: https://docs.pi-hole.net/guides/vpn/wireguard/internal/
Trouble is, I don't know where the wg.conf file is actually located, but apparently you can replace it with another file using the "wg setconf" command. I've not actually tried this myself though.
KHODU
New Around Here
- Dec 6, 2022
- #13
Greetings everyone.
I own an RT-AX3000 (58U) and did the much-awaited update to version 388.1.
The issue is I can't get WireGuard to work. It's not straightforward and doesn't have the same UI as OpenVPN.
Is there any guide or video to correctly set up WireGuard?
Anyone who knows how kindly help.
Thanks.
Part of the Furniture
- Dec 7, 2022
- #14
Welcome to the forums @KHODU.
Try using Better Search at the top of the page to search for those instructions. More information on your setup and endpoint would also be helpful.
synergyme
New Around Here
- Dec 21, 2022
- #15
If you're on a dynamic ISP you might be better off setting up DDNS and using the domain name within the WireGuard config for clients.
guho
Regular Contributor
- Dec 23, 2022
- #16
savage75 said:
I found the problem and fixed it by:
1- adding NAT masquerade
#iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -o br0 -j MASQUERADE
2- then save the changes
#iptables-save
3- restart iptables service
#service restart-firewall
Voilà! Working just fine.
Yes, I had the same problem of only being able to connect to the router IP, not other LAN IPs, from the WireGuard client. But why does this need to be a NAT/masquerade rule? One would think it should be possible to access LAN resources without NATing, just routing the WireGuard subnet to the LAN subnet. For now I've adopted your fix and am grateful you posted this.
Obladi
New Around Here
- Feb 21, 2023
- #17
savage75 said:
Thanks! I really appreciate it. The only thing is that I can't find the option "Enable JFFS" on my router, but it exists on the SSH side. I guess this one should work just fine on routers running Merlin's firmware, or am I missing something?
It is not working on Merlin. Router is an Asus AX86S.