
VPN router configuration, Dublin northside

  • 29-09-2022 10:18pm
    #1
    Registered Users, Registered Users 2 Posts: 1,622 ✭✭✭


    Hello,

    I've struggled fruitlessly to set up a VPN router as described here (scenario #3) - I've purchased 2x Mango routers, and have managed to connect one of them to my eircom router, etc, but being able to access the network externally is beyond my limited networking capabilities.

    So, would be very happy to pay some networking enthusiast a reasonable fee to get me up and running - Mods, I hope it's alright to post such a request here, I won't be setting this up for any illegal purpose.

    Happy to discuss technical and payment details via pm - thanks!


    El T.



Comments

  • Registered Users, Registered Users 2 Posts: 2,755 ✭✭✭niallb


    Hiya.

    Love these devices!

    Did you update the Mango to the latest firmware when you got it?

    The newer versions have better options for remote access.

    When you say you've managed to connect one to your Eircom router, do you mean using a LAN cable from the WAN port on the mango to a LAN port on the Eircom router? If the connection is anything else, let us know what it is (and the thinking behind it).

    If you're just trying to get through to a wireguard server on the mango, you'll need to set a static IP for it on your Eir router and pass through port 51820 most likely.

    Happy to help you get this working!



  • Registered Users, Registered Users 2 Posts: 1,622 ✭✭✭El Tarangu



    Thanks a mill for taking the time to respond to me, Niall, and sorry in advance for the long post.


    Here's where I have gotten so far (and thanks for the advice on updating the firmware, have done that now, too):


     - Mango Router A is connected from its WAN port into an ethernet port on the Eir Router (there is a WAN port available on the Eir router, if I should be using that). The Eir router is a Sagemcom CS 50001

     - I connect to the Mango network (GL-xxxxxx-xxx) via WiFi on my laptop

     - I log into the admin panel on Mango, and connect to the eircom wifi - so now I can access the internet while connected to the GL-xxxxxx network - so far, so good

     - I got my public (though not static) IP by going to https://whatismyipaddress.com/, and copying the IPv4 address

     - go into VPN on the left tab, and turn on Wireguard server

     - this allows me to create a client; I can then scan the qr code generated, or copy the plain text version of the file (Mango1.png). When I turn off the wifi on my mobile and scan the qr code using the Wireguard app, it shows I am connected to the VPN - great.

     - I then went into 'Remote access' in the left panel, and enabled Dynamic DNS (as I don't have a static IP, I need this, as I understand).

     - I enabled SSH, Http access, and some other settings (I also enabled 'GoodCloud.xyz', which was not an option using the previous firmware version) - Mango2.png


    This is where I am not sure where to proceed from:

    I have a second Mango router, Mango Router B, which I may want to use to eventually log into my home network from a distance. While I am able to open the VPN tunnel by scanning the app on my phone, I'm not really sure how to go about using the .conf file to make Mango B, which could be in Brazil or whatever, connect to Mango A, which is back in Dublin.

    I am also a bit confused about dynamic DNS - I have enabled DDNS on Mango A, but have not on the Eir router. And when I do the dynamic DNS test on the Remote Access panel I am told that my router is behind a NAT, or I do not have a public IP Address (Mango3.png) - this makes me suspect that I am missing some DDNS or port forwarding step on the Eir router(?)

    When I do an nslookup command (using the DDNS generated by the Mango router)

    nslookup xxxxxx.glddns.com 8.8.8.8


    I get the following response:


    Non-authoritative answer:

    Name:   xxxxxx.glddns.com

    Address: 86.xxxxxxx


    I understand that I am supposed to replace the endpoint in the .conf file generated by Wireguard from:


    Endpoint = [my @IP]:51820


    to:


    Endpoint = [mydeviceID].glddns.com:51820



    But again, once I have saved this as a conf file, I am not sure how I am supposed to deploy or otherwise use it with Mango Router B at a distance. Also, while I can connect to the VPN at present via the QR code, am not so confident that I will be able to figure out what to do if Eir change my IP address at any stage.

    I'm sure I am missing some very simple step here, any advice that you or any of the other posters could offer would be gratefully received - thanks a million.





  • Registered Users, Registered Users 2 Posts: 2,755 ✭✭✭niallb


    Hi.

    Great feedback.

    If you're able to connect to the VPN using mobile from the first QR code, it's possible that the port forwarding has been automatically set up.

    Is that likely? If it turns out not to be the case we'll come back to it.

    The DDNS will configure with the public IP address from the request, so it's the same for the mango as it's going out through the Eir router.

    It's actually worth setting up https access in the mango settings like it is in your image. Your Eir router will probably prevent you reaching it from the outside world, but you'll be able to configure it from the "WAN" address on your local network which is convenient.

    Your understanding that you need to change the IP address for the dynamicdns name is correct.

    Go to the wireguard server settings, click on management and then click the document icon in the configuration column.

    Now choose the Plain Text tab.

    Select and copy the whole stanza and paste it into a new file. You need to change the IP address listed on the line beginning with Endpoint.

    Take the new saved conf file and put it somewhere you can reach it over the network. If you have a web server you can connect to from your phone it'll be handy. You can then use the add tunnel from a file option.

    Make a second client config for the other mango. Don't try to reuse the same one; it's just harder to keep track. The codes are like magic, but it's much easier to edit as text. Copy it as above and then open the Wireguard client page on the other mango. Paste the config in the box under "Add manually".

    Let's see where that gets you. We'll probably have to come back to the Eir settings, but let's get this finished first.



  • Registered Users, Registered Users 2 Posts: 1,622 ✭✭✭El Tarangu


    Thanks again for the response, I have advanced a little bit before reading your message and have gotten this far:

    I initially discovered that connecting to the VPN from my phone (on 4g data) rendered the internet on the phone unusable. Changing the setting on Peer from:

    [Peer]

    PublicKey = (hidden)

    AllowedIPs = 0.0.0.0/0,::/0


    to:

    [Peer]

    PublicKey = (hidden)

    AllowedIPs = 10.0.0.2/32

     - The internet starts working on the phone again when the VPN tunnel is open. However, when I checked my IP address with the tunnel open, the IP address is showing up as France (where my SIM card is from, and what normally shows up when checking the @IP with only mobile data turned on), rather than the @IP of the Mango A router in Dublin.

    Thanks for the steps for the Wireguard conf server file, seems really obvious now! So, I did as suggested, and created a new profile from the Wireguard server panel (while logged into the admin panel on Mango A), and then switched to Mango B, and created a Wireguard client profile here using the same details.

    It's saved and not showing any errors or anything when I launch WG client on Mango B, but when I try to create a VPN tunnel with Mango B (powered by the USB of my laptop, but not connected by ethernet), and with mango B connected to the internet via the hotspotted connection from my mobile phone, the VPN icon on the admin panel still appears to be disconnected (Mango4.png), and the @IP shows up for France, rather than for Ireland.

    Here are the details of the new WG client file used on MangoB.


    [Interface]

    Address = 10.0.0.4/32

    ListenPort = 17030

    PrivateKey = [private key]

    DNS = [DNS]


    [Peer]

    AllowedIPs = 10.10.10.1/32

    Endpoint = [device no].glddns.com:51820

    PersistentKeepalive = 25

    PublicKey = [public key]


    Thanks again for all of the advice so far


    El T.
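Added example, not part of any post in this thread: on a WireGuard client, `AllowedIPs` decides which destination addresses are sent into the tunnel, which is why a client limited to a single `/32` still shows its mobile carrier's public IP. The sketch below parses a client config and answers that question for a given destination; the sample configs are constructed (placeholder keys and endpoint host), the function names are hypothetical, and a single `[Peer]` section is assumed.

```python
import configparser
import ipaddress

# Constructed sample modelled on the client config quoted in the thread;
# keys and the endpoint host are placeholders, not real values.
SPLIT_CONF = """
[Interface]
Address = 10.0.0.4/32
PrivateKey = PLACEHOLDER_PRIVATE_KEY
DNS = 8.8.8.8

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 10.10.10.1/32
Endpoint = example-device.glddns.com:51820
PersistentKeepalive = 25
"""
FULL_CONF = SPLIT_CONF.replace("10.10.10.1/32", "0.0.0.0/0,::/0")

def _peer(conf_text):
    # interpolation=None so a '%' in a value is never treated specially
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep WireGuard's key capitalisation
    parser.read_string(conf_text)
    return parser["Peer"]

def allowed_networks(conf_text):
    """Return the peer's AllowedIPs as ip_network objects."""
    raw = _peer(conf_text)["AllowedIPs"]
    return [ipaddress.ip_network(p.strip(), strict=False) for p in raw.split(",")]

def goes_through_tunnel(conf_text, destination):
    """True if traffic to `destination` would be routed to the peer."""
    dest = ipaddress.ip_address(destination)
    return any(dest in net for net in allowed_networks(conf_text))

def endpoint_is_hostname(conf_text):
    """True if Endpoint is a DNS name (survives an IP change), not a literal."""
    host = _peer(conf_text)["Endpoint"].rsplit(":", 1)[0].strip("[]")
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    for name, conf in (("split", SPLIT_CONF), ("full", FULL_CONF)):
        print(name, "8.8.8.8 via tunnel:", goes_through_tunnel(conf, "8.8.8.8"))
```

With the single-address `AllowedIPs`, only traffic to that one tunnel address is encrypted; everything else, including an IP-check website, leaves over the local connection.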




  • Registered Users, Registered Users 2 Posts: 1,622 ✭✭✭El Tarangu


    Update - I got it working!! Well... most of the time.


    Will update with the steps I followed later on, will try to iron out the last of the kinks in the meantime; at the moment am getting an 'unable to resolve dns host name' error when I disconnect and then try to reconnect again (with the exact same details that had worked moments before).



  • Registered Users, Registered Users 2 Posts: 2,755 ✭✭✭niallb


    Excellent news

    Check to make sure that the DNS server you set in the config can resolve internet hosts. Check also that you can reach it through the tunnel. Is it a 10.0 or a 10.10 address?


    When you drop the tunnel it can take more than a few seconds for resolution to fall back to the previous name server. If you don't need to resolve hosts on your local or remote LANs you can set the [DNS] value to a well known public one like 8.8.8.8 or 1.1.1.1.



  • Registered Users, Registered Users 2 Posts: 1,622 ✭✭✭El Tarangu


    This is how I eventually got this setup working, posting here in case it helps anyone else in future. As suspected, it was the settings on the Eir router that needed to be changed.


    I logged into the admin panel of the eir router, and added the @IP of MangoA into the DMZ (mango-dmz.png - surprised to find that there is only one slot available in DMZ).


    I also added a port forwarding rule using the following details:


    Custom service name: [name]

    Service: Other

    Protocol: UDP

    External host: *

    External port: 51820

    Internal port: 51820



    I also changed the allowed IPs on the client back to:


    AllowedIPs = 0.0.0.0/0,::/0


    -it seems that it was not this after all that was creating problems. All of the DNS settings, and everything else were left exactly as had been generated from the Mango router. I think maybe it was the case I was just too impatient initially waiting for the DNS thing to resolve, as you suggested, as after it not working for a few minutes, and me not changing anything, it started working again.


    Lots of the solutions I saw proposed online mention these settings:

    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE


    -but I did not need them in the end.


    The only thing that I have not managed to do so far is to connect to the network by either SSH or HTTP. But there seems to be a way of managing the routers remotely using the GoodCloud management service that comes with the router, I think I will need to wait until I have Mango B plugged in to its permanent home before setting this up in earnest.


    Again, thanks a million for all of your advice! Was really tearing my hair out up until the moment you replied to me.


    El T




  • Registered Users, Registered Users 2 Posts: 1 dorothy97


    Hi Niall, I'm in the process of setting up the same as above and I'm wondering if I can ask you some questions about it - the answers above have been really helpful but there's still a problem in my set up that I'm struggling to figure out. Been at it every evening for the past two weeks and still no success. I'm happy to pay for the service if you're willing to give me a hand! :)



  • Registered Users, Registered Users 2 Posts: 2,755 ✭✭✭niallb


    Sure.

    If you start by providing the same kind of information about your setup and what you want to achieve I'll check in as I get a chance.

    What kind of broadband (and modem/router) is at each end?

    Have you already bought a pair of VPN endpoints like the mangos or something else?

    Are you intending to use wireguard or do you have a more specific requirement?

    Let us know what you've already done and we'll see if we can get it finished for you.


