
Local network not accessible via VPN

Status: Open. git-lebob opened this issue 1 year ago • 13 comments

When the WireGuard connection is active, external websites work fine but internal ones are not accessible (for example the router or Pi-hole), even though the connection is established (IPv4 matches, IPv6 not available).

If I use the same config file in the "WG Tunnel" app it works flawlessly.

The router I am trying to access is a FRITZ!Box 7530 AX with FRITZ!OS 8.0.

git-lebob, Sep 30 '24 17:09

Will you please share the config (Interface & Peers) with the private key redacted, if you're comfortable?

ignoramous, Oct 01 '24 02:10

[Interface]
PrivateKey = ***
Address = 192.168.178.205/24,fd00::205/64
DNS = 192.168.178.24,192.168.178.1,2001:9e8:8069:bc00:ba27:ebff:fe5d:dcc1,fd00::e72:74ff:fea2:ff42
DNS = fritz.box

[Peer]
PublicKey = ***
PresharedKey = ***
AllowedIPs = 192.168.178.0/24,0.0.0.0/0,fd00::/64,::/0
Endpoint = ***.myfritz.net:8689
PersistentKeepalive = 25

Thank you for all the work.

git-lebob, Oct 01 '24 05:10

There's nothing in the settings that stands out as problematic. Other users have reported a similar issue when trying to connect to the Fritz!Box internal webpage (#1490), though. Is that what you're seeing too? If so, we don't yet know what is causing it, but we've attempted to fix it, though we can't say for sure whether the changes made (due for release in v055o, the next version) have indeed fixed it.

ignoramous, Oct 02 '24 06:10

It seems to be related. I will wait for v055o and report back.

git-lebob, Oct 02 '24 15:10

I experienced a similar problem; you need to disable the option "Block connections without VPN" in the settings of the device.

aviv926, Oct 19 '24 21:10

> I experienced a similar problem, you need to disable the option "Block connections without VPN" in the settings of the device

I tried both variants. It does not seem to be related.

For some reason I was able to open my Pi-hole page today in both ways, something I did not manage before. Still, the FRITZ!Box admin page is loading, but shows a blank page only. No login panel.

This was only possible after switching this VPN off/on in RDNS. Total block is switched on, btw.

git-lebob, Oct 20 '24 00:10

> Total block is switched

When full blocking is on, then a private address cannot go through a VPN tunnel, so it will not work for services on a private address. You will need to turn it

aviv926, Oct 20 '24 08:10

Sorry, that was a translation issue. I meant lockdown in the WireGuard settings, not in the phone's VPN settings. I tried all the variations I could think of with the phone's VPN and WireGuard's settings, btw.

git-lebob, Oct 24 '24 15:10

> Total block is switched
>
> When full blocking is on then a private address cannot go through a VPN tunnel so it will not work for services on a private address. You will need to turn it

From my point of view that sounds a bit illogical. Why should that be the case?

Mannshoch, Jan 27 '25 07:01

I'm not an expert on this case, but please enhance this app so that I could route everything over my private VPN. The only exception may be the W-LAN login. But if that is too much, at least please support full transfer to WireGuard.

I need that. I currently use the native WireGuard app again, but this is WireGuard only, without app blocking and blocklist control.

Mannshoch, Feb 26 '25 11:02

You can already route everything through the WireGuard VPN using Rethink. Just edit your peer (which should be the router) to have AllowedIPs = 0.0.0.0/0.

CapSel, Feb 26 '25 11:02

The "Do not route Private IPs (experimental)" option is useful in case you're experiencing problems with routing.

If you want to route everything via the WireGuard proxy, just set AllowedIPs = 0.0.0.0/0 and do not enable the option.

If you want to route all but your private nets (for example, to make VLC detect DLNA servers), just enable the option. This however breaks access to the VPN subnet, but everything else goes through the tunnel, even DNS.

Setting AllowedIPs = 192.168.0.0/24 (a subnet) is essentially useless in my experience.

It looks like we need better settings regarding which subnets are to be routed via tunnel.

CapSel, Feb 26 '25 12:02

> Setting AllowedIPs = 192.168.0.0/24 (a subnet) is essentially useless in my experience.

In Advanced mode: The app (which must use that subnet route over WireGuard) must be added to the WireGuard tunnel for it to use it (regardless of "allowed IPs").

In Simple mode: "allowed IPs" should work as expected for all but disallowed apps (apps explicitly marked "Do not proxy" from Configure -> Apps).

That said, incoming connections over WireGuard may not work at all. We tried a bunch of things over the course of the last 8 months to fix this, but it seems this is one problem (i.e., incoming WireGuard connections) that is out of reach.

ignoramous, Feb 26 '25 16:02
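To make the routing behaviour discussed by CapSel and ignoramous above concrete, here is an added example (not Rethink's code, and not posted by anyone in this thread) that models two things: longest-prefix match of a destination against a peer's AllowedIPs, and an assumed "do not route private IPs" exclusion applied before that match. The config text is the one git-lebob posted, with keys redacted; the exclusion logic is an assumption about how such an option behaves, not a description of Rethink's implementation.

```python
"""Model which destinations a WireGuard peer's AllowedIPs would route.

Assumptions (not Rethink's code): AllowedIPs is matched by longest prefix,
and a "do not route private IPs" option simply short-circuits any private
destination before that match, which is why it cuts off the VPN subnet.
"""
import ipaddress
import re

# Constructed from the config posted in the issue, keys redacted.
CONFIG = """\
[Interface]
PrivateKey = ***
Address = 192.168.178.205/24,fd00::205/64
DNS = 192.168.178.24,192.168.178.1

[Peer]
PublicKey = ***
AllowedIPs = 192.168.178.0/24,0.0.0.0/0,fd00::/64,::/0
Endpoint = ***.myfritz.net:8689
"""


def parse_allowed_ips(config: str) -> list:
    """Collect every AllowedIPs entry (all peers) as ip_network objects."""
    nets = []
    for m in re.finditer(r"^\s*AllowedIPs\s*=\s*(.+)$", config, re.M):
        for cidr in m.group(1).split(","):
            nets.append(ipaddress.ip_network(cidr.strip(), strict=False))
    return nets


def route_via_tunnel(dst: str, allowed: list, exclude_private: bool = False):
    """Return (routed, matched_prefix) for a destination address.

    matched_prefix is the most specific AllowedIPs entry as a string,
    or None when the address would bypass the tunnel entirely.
    """
    ip = ipaddress.ip_address(dst)
    if exclude_private and ip.is_private:   # assumed option semantics
        return False, None
    best = None
    for net in allowed:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best.prefixlen:
                best = net
    return (best is not None), (str(best) if best is not None else None)


if __name__ == "__main__":
    allowed = parse_allowed_ips(CONFIG)
    for dst in ("192.168.178.1", "1.1.1.1", "fd00::1"):
        for opt in (False, True):
            print(dst, "exclude_private=%s" % opt, route_via_tunnel(dst, allowed, opt))
```

Run as-is, the output shows the router at 192.168.178.1 matching the /24 entry with the option off and being excluded with it on, which matches CapSel's observation that the option breaks access to the VPN subnet.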

The FRITZ!Box is accessible in v0.5.5t both via the WG VPN and via local Wi-Fi.

git-lebob, Sep 05 '25 13:09

I still can't reach devices in the home network; only the box itself is reachable, better than before. I can now see graphs of the home automation devices bound to the box with the original app from AVM (but the home network here is behind two WireGuard-connected FRITZ!Boxes).

And SIP telephony, with the Android device bound as an IP telephone, still doesn't really work: only the connection is shown, but on a call it is not functional (with the original WireGuard Android client it works).

p-f-w, Sep 06 '25 07:09