EdgeRouter connected to NordVPN through WireGuard - mail issue. #143

Open
avsiman opened this issue Jan 8, 2023 · 8 comments
Labels
bug/possible A possible bug that has not yet been confirmed

Comments


avsiman commented Jan 8, 2023

Package version

1.0.20220627-1

Firmware version

v2.0.9-hotfix.5

Device

EdgeRouter 4 / 6P / 12 - e300

Issue description

I'm using an EdgeRouter 4 to connect to NordVPN using WireGuard. The connection works and I'm able to route traffic, use the internet and run a speed test to ensure that everything is working. However, on both my computer and iPhone the mail apps time out and won't connect to the Gmail and iCloud servers. On the iPhone I'm using the standard Mail app and on the Windows machine I'm using the built-in Mail app. I have also tested on Surfshark and have the same result.

When I complete the same setup using OpenVPN to the NordVPN servers I have no issue and the mail programs work as expected.

With a slightly different setup I can use the WireGuard app on my iPhone to connect to the EdgeRouter. I then have this interface routed to the NordVPN server using WireGuard and the mail apps work fine.

Has anyone experienced any issues with this?

Configuration and log output

set interfaces wireguard wg6 address *.*.*.*/32
set interfaces wireguard wg6 description 'NordVPN WireGuard Can - Tunnel'
set interfaces wireguard wg6 listen-port 52523
set interfaces wireguard wg6 route-allowed-ips false
set interfaces wireguard wg6 private-key C***********=
set interfaces wireguard wg6 peer x**********= description nordvpn_Can_server
set interfaces wireguard wg6 peer x********= endpoint 176.*.*.*:51820
set interfaces wireguard wg6 peer x********= persistent-keepalive 25
set interfaces wireguard wg6 peer x********= allowed-ips 0.0.0.0/0
commit

set service nat rule 5004 description 'IDVpnCan'
set service nat rule 5004 log disable
set service nat rule 5004 outbound-interface wg6
set service nat rule 5004 source address 10.0.81.0/24
set service nat rule 5004 type masquerade
commit

set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface wg6
set firewall modify SOURCE_ROUTE_CAN rule 10 description 'traffic from 10.0.81.0/24 to wg6'
set firewall modify SOURCE_ROUTE_CAN rule 10 source address 10.0.81.0/24
set firewall modify SOURCE_ROUTE_CAN rule 10 modify table 2
set interfaces ethernet eth1 vif 81 firewall in modify SOURCE_ROUTE_CAN
commit
avsiman added the bug/possible label Jan 8, 2023


dc361 commented Jan 13, 2023

Would it help to do a traceroute to your mail server over the vpn connection to see where the packets are failing?


avsiman commented Jan 13, 2023

I ran a traceroute from my internet connection with no VPN, one with OpenVPN, and one with WireGuard. The results are shown below. By no means am I a networking expert; I enjoy playing with different products and features. I like to see what's possible.

[image: traceroute output]

[image: traceroute output]

[image: traceroute output]

Thanks for your assistance.


dc361 commented Jan 13, 2023

Ok.. so you can see the SMTP server. Can you use the web interface to Gmail while on WireGuard? Also, I didn't see an MTU setting in your config. Could you try adding: set interfaces wireguard wg6 mtu 1420


avsiman commented Jan 14, 2023

No issue using a web browser to connect to Gmail. Works fine. The MTU on the WireGuard interface is already 1420.

[image: wg6 interface settings]

All IoT devices are currently routed through wg6 and have no issues connecting to their cloud servers.
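Added example (not from the thread and not the project's code): a probe to run from a client on the 10.0.81.0/24 subnet that is steered through wg6. It separates a TCP connect that is never answered from a connect that succeeds but whose TLS handshake stalls, which is the pattern that points at the MTU question raised above; the target names are the public Gmail and iCloud endpoints, mail.google.com:443 is used as a known-working control, and the timeout values are assumptions.

```python
import socket
import ssl

# Constructed target list: the mail endpoints the apps talk to, plus the
# HTTPS endpoint the reporter says works as a control.
ENDPOINTS = [
    ("mail.google.com", 443),   # control: web mail works over wg6
    ("imap.gmail.com", 993),
    ("smtp.gmail.com", 465),
    ("imap.mail.me.com", 993),
]

def probe(host, port, timeout=5.0):
    """Return 'connect-timeout', 'connect-error', 'tls-timeout', 'tls-error' or 'ok'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "connect-timeout"          # SYN never answered through the tunnel
    except OSError:
        return "connect-error"            # refused, unreachable or DNS failure
    try:
        ctx = ssl.create_default_context()
        # The certificate chain arrives in full-size segments; a path that
        # drops large packets stalls here rather than at connect().
        with ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except socket.timeout:
        return "tls-timeout"
    except (ssl.SSLError, OSError):
        return "tls-error"
    finally:
        sock.close()

def diagnose(results):
    """Map {(host, port): outcome} to the most likely cause of a mail-only failure."""
    mail = [v for (h, p), v in results.items() if p != 443]
    web_ok = all(v == "ok" for (h, p), v in results.items() if p == 443)
    if all(v == "ok" for v in mail):
        return "mail endpoints reachable: look at the client app, not the tunnel"
    if web_ok and "tls-timeout" in mail:
        return "TCP connects but TLS stalls: suspect an MTU/MSS black hole on wg6"
    if "connect-timeout" in mail:
        return "SYN never answered: check the table 2 route and NAT rule for wg6"
    return "mixed failures: capture on wg6 to see which direction drops"

if __name__ == "__main__":
    results = {ep: probe(*ep) for ep in ENDPOINTS}
    for (host, port), outcome in results.items():
        print(f"{host}:{port} -> {outcome}")
    print(diagnose(results))
```

Run it once from a host on the VLAN 81 subnet and once from a host that is not policy-routed; the difference in outcomes is what a capture on wg6 should then be used to confirm.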


dc361 commented Jan 14, 2023

Ok.. so what is different about the app while on WireGuard? Could it be not recognizing the wg6 interface as being LAN/Wi-Fi connected? Could it be the source route rules?

Anyone else with more experience with source routing want to jump in?


avsiman commented Jan 14, 2023

I'm unsure what is different. This is the routing that I'm using to go from wg2 (iPhone/computer connecting to the router remotely) to wg6.

set service nat rule 5005 description 'Wireguard Canada'
set service nat rule 5005 log disable
set service nat rule 5005 outbound-interface wg6
set service nat rule 5005 source address 10.0.92.0/24
set service nat rule 5005 type masquerade
commit
save

set firewall modify SOURCE_ROUTE_CAN rule 11 description 'traffic from 10.0.92.0/24 to wg6'
set firewall modify SOURCE_ROUTE_CAN rule 11 source address 10.0.92.0/24
set firewall modify SOURCE_ROUTE_CAN rule 11 modify table 2
set interfaces wireguard wg2 firewall in modify SOURCE_ROUTE_CAN
commit
save


dc361 commented Jan 19, 2023

I notice in the example above you set the modify firewall on the WireGuard interface (wg2), but in the first example you apply the firewall to the vif interface.


avsiman commented Jan 21, 2023

wg2 is the interface that my iPhone/laptop uses to VPN to the router. The wg2 interface is then routed to the wg6 interface.
