Edgerouter connected to NordVPN through wireguard - mail issue.

[avsiman]

Package version

1.0.20220627-1

Firmware version

v2.0.9-hotfix.5

Device

EdgeRouter 4 / 6P / 12 - e300

Issue description

I'm using Edgerouter 4 to connect to NordVPN using wireguard. The connection works and I'm able to route traffic, use the internet and run speed test to ensure that everything is working. However on both my computer and iphone the mail apps timeout and won't connect to the gmail and icloud server. On the iphone I'm using the standard mail app and on the windows machine I'm using the built in mail app. I have also tested on SurfShark and have the same result.

When I complete the same setup using using OpenVPN to the NordVPN servers I have no issue and the mail programs work as expected.

With a slightly different setup I can use the wireguard app on my iphone to connect to the edgerouter. I then have this interface routed to the NordVPN server using wireguard and the mail apps work fine.

Has anyone experienced any issues with this?

Configuration and log output

set interfaces wireguard wg6 address *.*.*.*/32 
set interfaces wireguard wg6 description 'NordVPN WireGuard Can - Tunnel'

set interfaces wireguard wg6 listen-port 52523
set interfaces wireguard wg6 route-allowed-ips false

set interfaces wireguard wg6 private-key C***********=

set interfaces wireguard wg6 peer x**********= description nordvpn_Can_server

set interfaces wireguard wg6 peer x********= endpoint 176.*.*.*:51820
set interfaces wireguard wg6 peer x********= persistent-keepalive 25
set interfaces wireguard wg6 peer x********= allowed-ips 0.0.0.0/0
commit

set service nat rule 5004 description 'IDVpnCan'
set service nat rule 5004 log disable
set service nat rule 5004 outbound-interface wg6
set service nat rule 5004 source address 10.0.81.0/24
set service nat rule 5004 type masquerade
commit
set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface wg6
set firewall modify SOURCE_ROUTE_CAN rule 10 description 'traffic from 10.0.81.0/24 to wg6'
set firewall modify SOURCE_ROUTE_CAN rule 10 source address 10.0.81.0/24
set firewall modify SOURCE_ROUTE_CAN rule 10 modify table 2
set interfaces ethernet eth1 vif 81 firewall in modify SOURCE_ROUTE_CAN
commit

[dc361]

Would it help to do a traceroute to your mail server over the vpn connection to see where the packets are failing?

[avsiman]

I ran a trace route from my internet with no VPN, one with openvpn, and one with wireguard. The results are shown below. By no means am I a networking expert. I enjoy playing with different products and features. I like to see what's possible.

Thanks for your assistance.

[dc361]

Ok.. so you can see the SMTP server .. can you use the web interface to gmail while on wireguard? Also I didn't see an mtu setting in your config. Could you try adding: set interfaces wireguard wg6 mtu 1420

[avsiman]

No issue using a web browser to connect to gmail. Works fine, MTU in the wireguard interface is already 1420

All IoT devices are currently routed through wg6 and have no issues connecting to their cloud servers.

[dc361]

Ok.. so what is different about the app while on wireguard. Could it be not recognizing the wg6 interface as being LAN/Wifi connected? Could it be the source route rules?

Anyone else with more experience with source routing want to jump in?

[avsiman]

I'm unsure what is different. This is the routing that I'm using to go from wg2(iphone/computer connecting to router remotely) to wg6.

set service nat rule 5005 description 'Wireguard Canada'
set service nat rule 5005 log disable
set service nat rule 5005 outbound-interface wg6
set service nat rule 5005 source address 10.0.92.0/24
set service nat rule 5005 type masquerade
commit
save

set firewall modify SOURCE_ROUTE_CAN rule 11 description 'traffic from 10.0.92.0/24 to wg6'
set firewall modify SOURCE_ROUTE_CAN rule 11 source address 10.0.92.0/24
set firewall modify SOURCE_ROUTE_CAN rule 11 modify table 2
set interfaces wireguard wg2 firewall in modify SOURCE_ROUTE_CAN
commit
save

[dc361]

I notice in the example above you set the modify firewall on the wireguard interface (wg2) but in the first example you apply the firewall to the vif interface.

[avsiman]

wg2 is the interface that my iphone/laptop uses to VPN to the Router. wg2 interface is then routed to the wg6 interface.