VPN Server Configuration

I have a GL-MV1000 WireGuard VPN server configured to work on a public IP; as soon as I move to a CGNAT IP and try to access it with remoteit, it does not work through the proxy. I have remoteit version 4.13.6 installed on this router. In addition, SSH and HTTP services are working fine through remoteit. Looking for help on finding the solution. Thanks, Piotr

Since SSH and http connections are working, this suggests that the configuration of the remoteit Service you are using with Wireguard is not correct or somehow your use of the connection information in the Wireguard client is not correct.

Can you provide more detail please?

Hello Gary,
Can you tell me what I should be looking at on the remoteit server side? If I move this router to a public IP and set up port forwarding, it all works fine, but as soon as I move behind NAT, it does not work through remoteit. I have verified the proxy connection address and port multiple times and it seems there is an issue on the remoteit server side. The router accepts on port 51820 either UDP or TCP.

These are my settings:

  • connection name set to router name

  • local port set to 30002

  • Launch type set to URL

  • Auto Launch is ON

  • URL is http://[host]:30002

  • Idle timeout 15 minutes

  • Routing is peer to peer with proxy failover

  • Local Network Sharing is Off

  • Proxy connection is Off

  • Connection Logging is Off

  • Remote Host Address is 127.0.0.1

Forgot to attach a log file.

8000017F7E006C19_2021_12_30T03_10_50Z.log (2.5 KB)

Is that the complete connection log?

Please show the Service Details page.

Also please show me how you have entered the connection details into your VPN client.

Please see attached, screen shots of the connection page.

Piotr

Yes, it appears it is a complete log.

What is the routing option you are using? (It’s under “Options” on the Service details view).


Try “peer to peer only” and “proxy only”. What is the result?

Can you SSH to this device using remoteit?

Get to a console on the device and run the following commands:

connectd -n
connectd -nat

What is the result?

There’s a possibility that peer to peer connections won’t work here, in which case UDP will not work. If that is the case, then you can try configuring Wireguard to use TCP instead and then you’d need to configure a Service for TCP instead of UDP/Wireguard (use the “TCP” option and enter the desired port).


Please see attached screenshots of both requests. The router is configured to accept either a TCP or a UDP port.

It looks like you typed in connected, not connectd.

Listen port in Wireguard configuration looks like 46939?

Whereas the remoteit port is set to Wireguard’s default 51820.

These should probably match.

@piotrg were you able to get this working? Is this even possible?

I have a WG server on a remote rpi. Trying to connect from a local ubuntu as a client running through remoteit desktop doesn’t work. I should note that currently both the server and client are on the same local network using the same ISP. Testing without remoteit with both devices on the same local network is successful. So I know WG is working. SSH through remoteit also works fine.

I’ve attached screen caps and remoteit logs. As soon as I start the WG service on the client, I start seeing

80:00:01:7F:7E:00:82:51 !!status 308 seconds since startup lc=26 tc=0
80:00:01:7F:7E:00:82:51 !!throughput txBps=5 rxBps=4 80:00:01:7F:7E:00:82:51 pl=0 80:00:01:7F:7E:00:82:51 it=080:00:01:7F:7E:00:82:51 
80:00:01:7F:7E:00:82:51 this should not be a possible state for UDP proxies
80:00:01:7F:7E:00:82:51 00318> !!status closeudptunnel=41, count=0 td=-1 

And the client eventually disconnects from the remoteit service entirely, i.e. I get an offline notification from remoteit until I stop the WG service on the client. Presumably because the client is trying to route local traffic through the WG VPN but failing?

I’m not sure that’s accurate. The screen cap piotrg posted only shows the client configuration. The listening port on the client is randomly generated on each service start. If in remoteit I add wireguard service with remote port 59820 mapped to local port 33000, I’d expect the endpoint in the WG config to be 127.0.0.1:33000 which should tunnel to :59820. I’m not sure how the listening port fits in. Maybe the issue is that WG actually needs two ports configured in remoteit?


Callout got cut off, but it points out that a successful connection was logged when connecting without remoteit.

8000017F7E008251_2022_02_11T00_47_21Z.log (25.0 KB)

Help is much appreciated. Thanks.

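A consistency check for the setup described in this post, written as an added example (not remote.it or WireGuard project code): the remote.it Service on the server side forwards the server's WireGuard ListenPort as the "remote port", the desktop app exposes that as 127.0.0.1:<local port>, and the client's Endpoint must point at that loopback address. The client's own ListenPort plays no part in the mapping. The port numbers are the ones quoted in the thread (59820 remote, 33000 local); the server ListenPort value and the key strings are placeholders I assumed.

```python
"""Check a WireGuard client config against a remote.it UDP service mapping.

Added example, not code from remote.it or WireGuard. Finding codes:
  remote-port    Service remote port != server WireGuard ListenPort
  endpoint-host  client Endpoint is not the loopback the remote.it app listens on
  endpoint-port  client Endpoint port != remote.it local port
  full-tunnel    AllowedIPs routes everything (including the remote.it agent's
                 own relay traffic) into the tunnel, so the tunnel depends on itself
"""
import re

# Constructed sample: the client config this post expects to need.
CLIENT_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.10.0.2/32
ListenPort = 46939

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = 127.0.0.1:33000
PersistentKeepalive = 25
"""

# Constructed sample of the remote.it Service / connection settings (thread values).
REMOTEIT_MAPPING = {"remote_port": 59820, "local_port": 33000}
SERVER_LISTEN_PORT = 59820  # assumed ListenPort in the server's wg0.conf


def parse_wg(text):
    """Parse WireGuard INI text into {"Interface": {...}, "Peer": [{...}, ...]}.

    Hand-rolled rather than configparser: a WireGuard file may contain several
    [Peer] sections with the same header, which configparser rejects.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            if header.group(1).lower() == "interface":
                current = interface
            else:
                current = {}
                peers.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError("key/value line outside a section: %r" % raw)
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return {"Interface": interface, "Peer": peers}


def check_mapping(conf, mapping, server_listen_port):
    """Return a list of (code, message) findings; an empty list means consistent."""
    findings = []
    if server_listen_port != mapping["remote_port"]:
        findings.append(("remote-port",
                         "remote.it Service port %d does not match the server's WireGuard "
                         "ListenPort %d" % (mapping["remote_port"], server_listen_port)))
    for n, peer in enumerate(conf["Peer"], 1):
        host, _, port = peer.get("Endpoint", "").rpartition(":")
        if host not in ("127.0.0.1", "[::1]", "localhost"):
            findings.append(("endpoint-host",
                             "peer %d Endpoint host %r is not the loopback address the "
                             "remote.it app listens on" % (n, host)))
        if port != str(mapping["local_port"]):
            findings.append(("endpoint-port",
                             "peer %d Endpoint port %r should be the remote.it local port %d"
                             % (n, port, mapping["local_port"])))
        allowed = {a.strip() for a in peer.get("AllowedIPs", "").split(",") if a.strip()}
        if allowed & {"0.0.0.0/0", "::/0"}:
            findings.append(("full-tunnel",
                             "peer %d AllowedIPs sends all traffic into the tunnel, including "
                             "the remote.it agent's own packets to its relay" % n))
    return findings


def main():
    for code, msg in check_mapping(parse_wg(CLIENT_CONF), REMOTEIT_MAPPING, SERVER_LISTEN_PORT):
        print("%-14s %s" % (code, msg))


if __name__ == "__main__":
    main()
```

With the sample config the only finding is `full-tunnel`: the ports line up, but `AllowedIPs = 0.0.0.0/0` means the remote.it agent's relay traffic has no route except the tunnel it is supposed to carry, which is the self-dependency suspected later in this thread. Narrowing AllowedIPs to the remote LAN prefix removes that finding.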

I was unable to make a connection with WireGuard. I was able to connect successfully with OpenVPN by changing the UDP port to a TCP port. I think it's because remote.it does not support the UDP ports used by WireGuard, which I do not see an option to change from UDP to TCP either.

Piotr

Good to know. Thank you for the quick response. You are correct in that WireGuard does not support TCP. I think using WireGuard creates a sort of infinite loop where remoteit ends up trying to route its tunnel through the WireGuard tunnel, which of course is not possible because the WireGuard tunnel needs the remoteit tunnel to work. So it breaks.

Is there a better course of action to implement something like this? even without remoteit.

My use case is a remote rpi running Raspbian Lite installed on a third-party managed network that allows internet access only. In addition to SSH, which works great with remoteit, I'd like to access devices on the remote network from my local desktop. I understand I can use things like X11 forwarding to use a browser on the rpi as a middleman to access other devices' web admin pages, and the command line for telnet-type things, but I'd like to be able to connect directly from my desktop.

Now I’m looking at things like ZeroTier and Slack’s Nebula, or maybe tinc? Perhaps I’ll just switch to OpenVPN.

@kawitt @piotrg sorry for the delay in response. I had to set it up here to see how to make it work. OpenVPN so far…

Let me know if this helps.


We are also encountering issues with remote.it and Wireguard on the GL-iNet routers. These are being investigated.

@piotrg Can you please explain how you did it? I tried it with both tcp and udp, without success. I wrote the details here:

Hello, which part do you need explained? For me it works fine on TCP=1190 without any issues.

Piotr

I am interested in the OpenVPN part. My VPN server is behind a router, and if I port forward on the router, I can connect to the VPN server, and browse the internet properly. When I connect via remote.it, without the router’s port forward, I can still connect to the VPN server, however, I cannot browse the internet on the client, and the client’s traffic goes crazy.

Do you have any idea where the problem lies? I suspect the problem is in the VPN config, as it is not prepared for such a scenario. In the log I have

Apr  9 16:31:50 ovpn_server_name ovpn-server[434]: myPCname/127.0.0.1:35374 PUSH: Received control message: 'PUSH_REQUEST'
Apr  9 16:31:50 ovpn_server_name ovpn-server[434]: myPCname/127.0.0.1:35374 SENT CONTROL [myPCname]: 'PUSH_REPLY,dhcp-option DNS 9.9.9.9,dhcp-option DNS 149.112.112.112,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)

The push reply from the server may contain config settings that are not valid for such a network layout. Could you please share your VPN config file? And also maybe the push reply, if you have any?
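The two log lines quoted above can be checked mechanically. The following is an added example (not OpenVPN or remote.it code) that parses the server's PUSH_REPLY out of those exact lines and flags the combination the post suspects: the server sees the client as 127.0.0.1 (the session arrives via the local remote.it agent, not a forwarded port), and it pushes `redirect-gateway def1`. OpenVPN adds its gateway-bypass host route for the address the client dialled, which in this setup is the client's own loopback listener, so the remote.it app's real upstream traffic has no exemption and is pulled into the 0.0.0.0/1 and 128.0.0.0/1 routes. The assessment logic and finding names are mine; the log lines are the post's.

```python
"""Parse OpenVPN server-log PUSH_REPLY lines and flag pushes that break a
loopback-proxied client. Added example; only the two sample lines come from the post.
"""
import re

# Sample input quoted verbatim from the post above.
LOG_LINES = """\
Apr  9 16:31:50 ovpn_server_name ovpn-server[434]: myPCname/127.0.0.1:35374 PUSH: Received control message: 'PUSH_REQUEST'
Apr  9 16:31:50 ovpn_server_name ovpn-server[434]: myPCname/127.0.0.1:35374 SENT CONTROL [myPCname]: 'PUSH_REPLY,dhcp-option DNS 9.9.9.9,dhcp-option DNS 149.112.112.112,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
"""

# <common name>/<peer ip>:<peer port> SENT CONTROL [<cn>]: 'PUSH_REPLY,<opt>,<opt>...'
PUSH_REPLY_RE = re.compile(
    r"(?P<cn>\S+)/(?P<peer_ip>\S+?):(?P<peer_port>\d+) "
    r"SENT CONTROL \[[^\]]*\]: 'PUSH_REPLY,(?P<opts>[^']*)'"
)

LOOPBACK = ("127.0.0.1", "::1")


def parse_push_replies(text):
    """Return one dict per PUSH_REPLY line: cn, peer_ip, peer_port, options (list)."""
    replies = []
    for line in text.splitlines():
        m = PUSH_REPLY_RE.search(line)
        if not m:
            continue
        replies.append({
            "cn": m.group("cn"),
            "peer_ip": m.group("peer_ip"),
            "peer_port": int(m.group("peer_port")),
            "options": [o.strip() for o in m.group("opts").split(",") if o.strip()],
        })
    return replies


def assess(reply):
    """Return finding codes for a PUSH_REPLY.

    loopback-peer     the server saw the client on loopback, so the session came
                      through a local proxy/agent rather than a forwarded port
    redirect-gateway  a full-tunnel default route was pushed to such a client; the
                      bypass host route OpenVPN installs targets the dialled address
                      (the client's loopback listener), so the proxy's own upstream
                      packets are routed into the tunnel they are meant to carry
    """
    findings = []
    via_loopback = reply["peer_ip"] in LOOPBACK
    if via_loopback:
        findings.append("loopback-peer")
    if via_loopback and any(o.startswith("redirect-gateway") for o in reply["options"]):
        findings.append("redirect-gateway")
    return findings


def main():
    for reply in parse_push_replies(LOG_LINES):
        print("%s from %s:%d pushed %d options" % (reply["cn"], reply["peer_ip"],
                                                   reply["peer_port"], len(reply["options"])))
        for code in assess(reply):
            print("  finding:", code)


if __name__ == "__main__":
    main()
```

When the server log shows a loopback peer together with a pushed `redirect-gateway`, the usual remedies on the client side are to stop pulling that option (OpenVPN's `pull-filter ignore "redirect-gateway"`) or to add a `route ... net_gateway` exemption for the address the proxy actually talks to; which of those fits depends on the remote.it relay addresses, which this thread does not list, so they are noted here only as the directives to look at, not as a verified fix.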