cant connect to wireguard when router connected to a vpn service

Arpit Gupta g.arpit at gmail.com
Wed Mar 6 09:40:48 CET 2019


Hi All

A novice user here, looking for some pointers on how I could fix this
issue.

I had been successfully using WireGuard to get access to my local network.
Recently I started looking into a VPN service that I could connect to my
router. So I started playing with Mullvad VPN and set up my router to have a
VPN client so all my network traffic goes via the VPN. I followed the following
guide: https://mullvad.net/en/guides/asus-merlin-and-mullvad-vpn/

Ever since I enabled this I am not able to connect to WireGuard from
outside my home network. What is interesting is that when I check the
status of the connections on the server, the endpoint entry has the correct
IP but the latest handshake time does not get updated, and I no longer have
access to my internal network.

peer: xxxx
  endpoint: 73.xx.xx.xx:1543
  allowed ips: 192.168.100.x/32
  latest handshake: 21 minutes, 24 seconds ago
  transfer: 1.24 MiB received, 5.46 MiB sent

Logs from the WireGuard client on my Android phone have the following:

03-06 00:23:51.800 28912 17051 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Starting...
03-06 00:23:51.800 28912 28935 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Routine: sequential receiver - started
03-06 00:23:51.800 28912 28935 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Routine: nonce worker - started
03-06 00:23:51.800 28912 28935 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Routine: sequential sender - started
03-06 00:23:51.800 28912 17051 I WireGuard/GoBackend/wg0: Device started
03-06 00:23:52.551 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Sending handshake initiation
03-06 00:23:52.567 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Awaiting keypair
03-06 00:23:57.557 28912 15089 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Sending handshake initiation
03-06 00:24:02.561 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Handshake did not complete after 5 seconds, retrying (try 2)
03-06 00:24:02.561 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Sending handshake initiation


I can connect to my network using the ISP or VPN IP. The above issue is what I
am running into when I use the ISP IP address to talk to WireGuard.

I tried using the VPN IP to talk to WireGuard but I could not get port
forwarding to work. I have confirmed port forwarding via Mullvad is
working as I am using it for other services. As per the Mullvad guide I had
added the following rule to forward the port to WireGuard.

#iptables -t nat -A PREROUTING -i tun+ -p udp --dport 9934 -j DNAT --to-destination 192.168.1.63:54930


So I am not sure if there are additional forwarding rules required and/or
policy rules for the VPN client to get this setup working.

On my server my conf is

[Interface]
Address = 192.168.100.1/32
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 54930
PrivateKey = xxxxx

[Peer]
PublicKey = xxxx
AllowedIPs = 192.168.100.2/32


On my client my config is

[Interface]
Address = 192.168.100.2
PrivateKey = xxxxx
ListenPort = 21841
DNS = 192.168.1.63

[Peer]
PublicKey = xxxx
Endpoint = ddns:xxx
AllowedIPs = 192.168.1.0/24

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25

--
Arpit
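The status block quoted above shows the pattern worth checking first on the server side: the peer's endpoint is known and bytes have been received, but the latest handshake stops advancing. The script below is an added example, not code from the post or from the WireGuard project. It parses `wg show` output, converts the "latest handshake" text into seconds, and flags peers whose handshake is older than a threshold. The sample output, the 180-second cut-off (chosen because a peer with PersistentKeepalive = 25 and traffic flowing normally rekeys about every two minutes) and the "stale-reply-path" label are assumptions made for this example; the label is a heuristic that points at the return path when initiations clearly arrive but the handshake never completes.

```python
"""Parse `wg show` output and flag peers whose handshake has gone stale.

Added example, not code from the original post. It mimics the status block
the poster quoted: a peer whose endpoint is known and which has received
traffic, but whose latest handshake stopped updating.
"""
import re
import subprocess
import sys
from typing import Dict, List, Optional

# Constructed sample in `wg show` format, modelled on the poster's output.
# Keys, addresses and ports are placeholders, not real values.
SAMPLE_WG_SHOW = """\
interface: wg0
  public key: SERVER_PUBKEY_PLACEHOLDER=
  private key: (hidden)
  listening port: 54930

peer: PEER_A_PUBKEY_PLACEHOLDER=
  endpoint: 203.0.113.10:1543
  allowed ips: 192.168.100.2/32
  latest handshake: 21 minutes, 24 seconds ago
  transfer: 1.24 MiB received, 5.46 MiB sent

peer: PEER_B_PUBKEY_PLACEHOLDER=
  endpoint: 198.51.100.7:51820
  allowed ips: 192.168.100.3/32
  latest handshake: 40 seconds ago
  transfer: 12.00 KiB received, 30.00 KiB sent

peer: PEER_C_PUBKEY_PLACEHOLDER=
  allowed ips: 192.168.100.4/32
"""

# With PersistentKeepalive = 25 and traffic flowing, WireGuard rekeys about
# every two minutes, so a handshake older than this is suspicious. The exact
# cut-off is an assumption for this example; tune it for your own setup.
STALE_AFTER_SECONDS = 180

_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
_SIZE_BYTES = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}


def parse_handshake_age(text: str) -> int:
    """Turn '21 minutes, 24 seconds ago' into a number of seconds (1284)."""
    total = 0
    for value, unit in re.findall(r"(\d+)\s+(second|minute|hour|day)s?", text):
        total += int(value) * _UNIT_SECONDS[unit]
    return total


def parse_size(text: str) -> float:
    """Turn '1.24 MiB' into bytes; unknown formats count as zero."""
    match = re.match(r"([\d.]+)\s+(B|KiB|MiB|GiB)", text.strip())
    return float(match.group(1)) * _SIZE_BYTES[match.group(2)] if match else 0.0


def parse_wg_show(output: str) -> List[Dict[str, object]]:
    """Collect one dict per peer; fields absent from the output stay None/0.

    `wg show` omits the 'latest handshake' line entirely for a peer that has
    never completed a handshake, so handshake_age stays None in that case.
    """
    peers: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in output.splitlines():
        if line.startswith("peer: "):
            current = {"public_key": line[len("peer: "):].strip(),
                       "endpoint": None, "handshake_age": None, "received": 0.0}
            peers.append(current)
        elif current is not None and line.startswith("  "):
            key, _, value = line.strip().partition(": ")
            if key == "endpoint":
                current["endpoint"] = value
            elif key == "latest handshake":
                current["handshake_age"] = parse_handshake_age(value)
            elif key == "transfer":
                current["received"] = parse_size(value.split(" received")[0])
    return peers


def classify(peer: Dict[str, object], stale_after: int = STALE_AFTER_SECONDS) -> str:
    """Heuristic verdict: 'ok', 'never', 'stale' or 'stale-reply-path'.

    'stale-reply-path' is the pattern from the post: the server knows the
    peer's endpoint and has counted inbound bytes, yet the handshake no
    longer completes. That suggests initiations arrive but responses do not
    make it back, which is worth checking before suspecting keys or the client.
    """
    age = peer["handshake_age"]
    if age is None:
        return "never"
    if age <= stale_after:
        return "ok"
    if peer["endpoint"] and peer["received"] > 0:
        return "stale-reply-path"
    return "stale"


def report(output: str) -> List[str]:
    """One line per peer, suitable for a cron job or a monitoring check."""
    lines = []
    for peer in parse_wg_show(output):
        key = str(peer["public_key"])
        lines.append(f"{key[:8]}... {classify(peer)} "
                     f"(endpoint={peer['endpoint']}, handshake_age={peer['handshake_age']})")
    return lines


if __name__ == "__main__":
    # `--live` runs the real `wg show` (needs root); otherwise use the sample.
    if "--live" in sys.argv:
        text = subprocess.run(["wg", "show"], check=True,
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_WG_SHOW
    print("\n".join(report(text)))
```

Run it without arguments to see the verdicts for the constructed sample, or with `--live` on the server to check the real peers. A "stale-reply-path" verdict on its own does not prove where the replies are lost; it only tells you the inbound leg is working, which narrows the next check to the route the server's responses take back out.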