
VPN port forwarding outgoing blocked

FIXED
johnmcdtf
Hooked
Posts: 5
Fixes: 1
Registered: yesterday


I have WireGuard set up on a home server but it is blocked from sending outgoing packets by the router (Plusnet Hub Two).

If I start a VPN on the LAN, this works, i.e. set the VPN address to the server LAN address and start a session, connects OK.

If I use a port forward rule on the router then the VPN does not connect.

It does not work even with the router firewall disabled.

I'm a new customer to Plusnet, from BT. So with a very similar router, what worked on BT does not work on Plusnet.

The WireGuard server is connected via LAN (not wifi) directly to the router. A static IP is assigned.

Port 51820 is the configured VPN port and is set to port forward.

Checks I've done are:

router log confirms port is opened:

FWL Port Forward Server(192.168.1.101) UDP 51820 accepted a new connection from 00.00.00.00 (hidden address)

I can see the wireguard log as well:
Receiving handshake initiation from peer 1 (00.00.00.00:21980)
Sending handshake response to peer 1 (00.00.00.00:21980)
No route to 00.00.00.00:21980, error -101

Any other info to help resolve this?

I'll continue to investigate and will comment back if resolved.

13 REPLIES
MisterW
Superuser
Posts: 18,605
Thanks: 7,945
Fixes: 532
Registered: ‎30-07-2007

Re: VPN port forwarding outgoing blocked

This https://bbs.archlinux.org/viewtopic.php?id=300988 might be worth a read

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

johnmcdtf
Hooked
Posts: 5
Fixes: 1
Registered: yesterday

Re: VPN port forwarding outgoing blocked

Thought to delete the existing VPN tunnels and recreate the tunnels and clients from scratch.

So two tunnels created, one for use on the LAN side, and another for use via WAN and port forwarding.  With a new client for each so that I can test either from LAN or WAN from a mobile phone.

Sadly, same situation.

johnmcdtf
Hooked
Posts: 5
Fixes: 1
Registered: yesterday

Re: VPN port forwarding outgoing blocked

Thanks, I've had a read but have to admit that I'm not familiar with routing tables, so I'm struggling to understand that thread.

MisterW
Superuser
Posts: 18,605
Thanks: 7,945
Fixes: 532
Registered: ‎30-07-2007

Re: VPN port forwarding outgoing blocked

The solution in that thread was to change the MTU in the WireGuard config.


johnmcdtf
Hooked
Posts: 5
Fixes: 1
Registered: yesterday

Re: VPN port forwarding outgoing blocked

OK, understand now.  I made a quick change to 1200, but still no joy.  

I expect it's a routing problem as the tunnel isn't handshaking.

Townman
Superuser
Posts: 28,255
Thanks: 12,638
Fixes: 237
Registered: ‎22-08-2007

Re: VPN port forwarding outgoing blocked

@MisterW 

AIUI no outbound ports are blocked … or need to be forwarded. However, might inbound port mapping be required for the handshaking?

As a new customer I guess we can rule out the account connection based firewall configuration.


MisterW
Superuser
Posts: 18,605
Thanks: 7,945
Fixes: 532
Registered: ‎30-07-2007

Re: VPN port forwarding outgoing blocked

@Townman 

"AIUI no outbound ports are blocked … or need to be forwarded."

Correct.

"However, might inbound port mapping be required for the handshaking?"

From @johnmcdtf's posts above, he appears to have the required port forward in place. I use WireGuard myself and all that's required is to port forward UDP on the correct port to the WireGuard server IP. In my case I don't use a Hub 2 but that doesn't appear to be the problem; the log posted above shows the port forward is active.


Dan_the_Van
Superuser
Posts: 4,329
Thanks: 2,626
Fixes: 125
Registered: ‎25-06-2007

Re: VPN port forwarding outgoing blocked

@johnmcdtf 

To confirm, you are using a WireGuard server, client, or both server and client?

Although on the same CP, I have moved my VPN server (OpenVPN and WireGuard) across three routers. Provided the IP address network is retained (192.168.1.0/24), the VPN host retains the same IP address through the changes of network, and the port forward rule is added, I see no reason why your VPN has stopped.

As stated previously, a retail router, in this case a Hub Two, does not block any outbound ports; the need for a port forward rule is to ensure the inbound WireGuard connection has a destination IP address.

So turning the Hub's firewall OFF will not help, you would still need a port forward rule.

This message:

FWL Port Forward Server(192.168.1.101) UDP 51820 accepted a new connection from 00.00.00.00 (hidden address)

In this case, for an inbound WireGuard server connection, the hidden IP address would be the remote device from where the connection is coming.

So was the home server IP address manually set up through the device's network properties or DHCP?

For static (manually set): is 192.168.1.101 correct, and are the default gateway and DNS IP addresses correct?

Hub default IP is 192.168.1.254.

I would always test a VPN server OFF network not locally on the LAN.


dvorak
Moderator
Posts: 30,288
Thanks: 6,887
Fixes: 1,491
Registered: ‎11-01-2008

Re: VPN port forwarding outgoing blocked


Moderators Note


This topic has been moved from Broadband to My Router

johnmcdtf
Hooked
Posts: 5
Fixes: 1
Registered: yesterday

[solved] Re: VPN port forwarding outgoing blocked

Fix

SOLVED: quick note that it appears resolved now.

As a further test I installed WireGuard on a Raspberry Pi and this worked from LAN and WAN sides. So that indicated that it is NOT a router issue, i.e. the port forward worked as expected to the Pi.

So, going back to my server and thinking hard about the setup, I discover it is not accessing external domains reliably, i.e. not even deb.debian.org can be pinged.

I disabled IPv6 on the server and router in case this was relevant. But this does not fix the issue.

I then consider the addressing. The server is assigned a static address at both router and locally on the server. I change the server back to DHCP request. It is assigned the same IP address. Now it can ping domains and the VPN is working!

Re-enable IPv6 and the VPN continues to work OK.

MisterW
Superuser
Posts: 18,605
Thanks: 7,945
Fixes: 532
Registered: ‎30-07-2007

Re: [solved] Re: VPN port forwarding outgoing blocked

@johnmcdtf thanks for letting us know it's fixed.

"The server is assigned a static address at both router and locally on the server."

The locally applied static settings will override anything. It sounds like the default gateway wasn't correct and so it had no route to the outside world. Changing to DHCP will have corrected the gateway address since the DHCP server will have supplied it.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.
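
The missing-route explanation in the reply above, as an added example that is not part of the thread: two read-only shell functions that pull the errno out of a WireGuard log and classify `ip -4 route show` output against the expected gateway. The function names, the interface name `eth0` and the wrong gateway `192.168.1.1` are assumptions; the addresses 192.168.1.101 and 192.168.1.254 and the log line are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): read-only checks for the fault discussed above.
# On Linux, errno 101 is ENETUNREACH ("Network is unreachable"): the kernel had
# no route for the reply, which WireGuard logged as "No route to ..., error -101".

# wg_send_errno LOG_TEXT -> errno of the first failed send found in a WireGuard log
wg_send_errno() (
    printf '%s\n' "$1" | sed -n 's/.*, error -\([0-9][0-9]*\)$/\1/p' | head -n 1
)

# classify_routes ROUTE_TEXT EXPECTED_GW (ROUTE_TEXT is `ip -4 route show` output)
# Prints: no-default-route | default-without-gateway | wrong-gateway:<ip> | ok:<ip>
classify_routes() (
    gw=$(printf '%s\n' "$1" | awk '$1 == "default" {
        gw = "direct"
        for (i = 2; i < NF; i++) if ($i == "via") gw = $(i + 1)
        print gw; exit }')
    case "$gw" in
        "")     echo "no-default-route" ;;
        direct) echo "default-without-gateway" ;;
        "$2")   echo "ok:$gw" ;;
        *)      echo "wrong-gateway:$gw" ;;
    esac
)

# Constructed samples. eth0 and 192.168.1.1 are assumptions; the other
# addresses and the log text are the values quoted in the thread.
WG_LOG='Sending handshake response to peer 1 (00.00.00.00:21980)
No route to 00.00.00.00:21980, error -101'
ROUTES_NO_DEFAULT='192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.101'
ROUTES_WRONG_GW='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.101'
ROUTES_DHCP='default via 192.168.1.254 dev eth0 proto dhcp src 192.168.1.101 metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.101 metric 100'

# Check the live table only when asked: sh check.sh --live [expected-gateway]
if [ "${1:-}" = "--live" ]; then
    classify_routes "$(ip -4 route show)" "${2:-192.168.1.254}"
fi
```

A result other than `ok:` on the WireGuard host points at the host's own network settings rather than the router's port forward.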

Dan_the_Van
Superuser
Posts: 4,329
Thanks: 2,626
Fixes: 125
Registered: ‎25-06-2007

Re: [solved] Re: VPN port forwarding outgoing blocked

@MisterW 

I did consider there was something adrift with the network setting on the home server; that was my thinking behind:

"So was the home server IP address manually setup through the devices network propertied or DHCP ?"

"For static (manual set) Is 192.168.1.101, default gateway and DNS IP address are they correct?"

Hub default IP is 192.168.1.254.

Simple fix in the end..


MisterW
Superuser
Posts: 18,605
Thanks: 7,945
Fixes: 532
Registered: ‎30-07-2007

Re: [solved] Re: VPN port forwarding outgoing blocked

I guessed that, @Dan_the_Van. However, one would have expected that the BT router and the PN one would have the same default IP and so any static settings on the server would be the same?
