Hi All

A novice user here, looking for some pointers on how I could fix this issue.

I had been successfully using WireGuard to get access to my local network. Recently I started looking into a VPN service that I could connect to my router. So I started playing with Mullvad VPN and set up my router to have a VPN client so all my network traffic goes via the VPN. I followed the following guide: https://mullvad.net/en/guides/asus-merlin-and-mullvad-vpn/

Ever since I enabled this I am not able to connect to WireGuard from outside my home network. What is interesting is that when I check the status of the connections on the server, the endpoint entry has the correct IP but the latest handshake time does not get updated and I no longer have access to my internal network.

peer: xxxx
  endpoint: 73.xx.xx.xx:1543
  allowed ips: 192.168.100.x/32
  latest handshake: 21 minutes, 24 seconds ago
  transfer: 1.24 MiB received, 5.46 MiB sent

Logs from the WireGuard client on my Android phone have the following:

03-06 00:23:51.800 28912 17051 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Starting...
03-06 00:23:51.800 28912 28935 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Routine: sequential receiver - started
03-06 00:23:51.800 28912 28935 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Routine: nonce worker - started
03-06 00:23:51.800 28912 28935 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Routine: sequential sender - started
03-06 00:23:51.800 28912 17051 I WireGuard/GoBackend/wg0: Device started
03-06 00:23:52.551 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Sending handshake initiation
03-06 00:23:52.567 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Awaiting keypair
03-06 00:23:57.557 28912 15089 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Sending handshake initiation
03-06 00:24:02.561 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Handshake did not complete after 5 seconds, retrying (try 2)
03-06 00:24:02.561 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Sending handshake initiation


I can connect to my network using the ISP or VPN IP. The above issue is what I am running into when I use the ISP IP address to talk to WireGuard.

I tried using the VPN IP to talk to WireGuard but I could not get port forwarding to work. I have confirmed port forwarding via Mullvad is working as I am using it for other services. As per the Mullvad guide I had added the following rule to forward the port to WireGuard.

#iptables -t nat -A PREROUTING -i tun+ -p udp --dport 9934 -j DNAT --to-destination 192.168.1.63:54930


So I am not sure if there are additional forwarding rules required and/or policy rules for the VPN client to get this setup working.

On my server my conf is:

[Interface]
Address = 192.168.100.1/32
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 54930
PrivateKey = xxxxx

[Peer]
PublicKey = xxxx
AllowedIPs = 192.168.100.2/32


On my client my config is:

[Interface]
Address = 192.168.100.2
PrivateKey = xxxxx
ListenPort = 21841
DNS = 192.168.1.63

[Peer]
PublicKey = xxxx
Endpoint = ddns:xxx
AllowedIPs = 192.168.1.0/24

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25

--
Arpit
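The two pieces of evidence in the post above (a `wg show` peer block whose "latest handshake" keeps ageing, and a client log that sends handshake initiations but never logs a response) can be checked mechanically. The following is an added example, not code from the original post or from the WireGuard project; the sample inputs are constructed to mirror the shapes shown above (placeholder key, a documentation IP, and the same counter values), and it assumes the wireguard-go backend's log wording ("Sending handshake initiation", "Received handshake response", "Handshake did not complete").

```python
import re
from datetime import timedelta

# Constructed sample inputs shaped like the post's output. The public key,
# endpoint IP and counters are placeholders, not the poster's real values.
WG_SHOW_SAMPLE = """\
peer: vDK2...wCDs
  endpoint: 203.0.113.10:1543
  allowed ips: 192.168.100.2/32
  latest handshake: 21 minutes, 24 seconds ago
  transfer: 1.24 MiB received, 5.46 MiB sent
"""

CLIENT_LOG_SAMPLE = """\
03-06 00:23:52.551 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Sending handshake initiation
03-06 00:23:52.567 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Awaiting keypair
03-06 00:23:57.557 28912 15089 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Sending handshake initiation
03-06 00:24:02.561 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Handshake did not complete after 5 seconds, retrying (try 2)
03-06 00:24:02.561 28912 10784 D WireGuard/GoBackend/wg0: peer(vDK2…wCDs) - Sending handshake initiation
"""

# A live WireGuard session rekeys roughly every two minutes, so a handshake
# age well past that, while the client is actively retrying, means the
# handshake is no longer completing at all.
STALE_AFTER = timedelta(minutes=3)

_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_handshake_age(show_text):
    """Turn 'latest handshake: 21 minutes, 24 seconds ago' into a timedelta.
    Returns None when the peer block carries no handshake line (never connected)."""
    m = re.search(r"latest handshake:\s*(.+?)\s*ago", show_text)
    if not m:
        return None
    secs = sum(int(n) * _UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+)\s+(second|minute|hour|day)s?", m.group(1)))
    return timedelta(seconds=secs)


def parse_endpoint(show_text):
    """Extract the 'endpoint: host:port' value, or None if absent."""
    m = re.search(r"endpoint:\s*(\S+)", show_text)
    return m.group(1) if m else None


def summarize_client_log(log_text):
    """Count client-side handshake initiations sent, responses received and retries."""
    counts = {"initiations": 0, "responses": 0, "retries": 0}
    for line in log_text.splitlines():
        if "Sending handshake initiation" in line:
            counts["initiations"] += 1
        elif "Received handshake response" in line:
            counts["responses"] += 1
        elif "Handshake did not complete" in line:
            counts["retries"] += 1
    return counts


def diagnose(show_text, log_text):
    """Combine the server-side peer block and the client log into one verdict."""
    age = parse_handshake_age(show_text)
    endpoint = parse_endpoint(show_text)
    client = summarize_client_log(log_text)
    if client["initiations"] and client["responses"] == 0:
        if endpoint and age is not None and age > STALE_AFTER:
            # The endpoint entry dates from the last successful handshake, so it does
            # not prove the new initiations arrive. Either they no longer reach the
            # server's ListenPort, or the server's replies now leave over a different
            # route (such as the VPN tunnel) than the one the initiation came in on.
            return ("stalled: server endpoint %s is from a handshake %s ago; client sent "
                    "%d initiations since and logged no response. Check that initiations "
                    "reach ListenPort and that replies go back out the same interface."
                    % (endpoint, age, client["initiations"]))
        return "no handshake response on client; check that the server's ListenPort is reachable"
    if age is not None and age <= STALE_AFTER:
        return "healthy: last handshake %s ago" % age
    return "inconclusive: not enough evidence in either view"


if __name__ == "__main__":
    print(diagnose(WG_SHOW_SAMPLE, CLIENT_LOG_SAMPLE))
```

Run it against a fresh `wg show` capture and `adb logcat` excerpt to get the same verdict the post reaches by eye; the useful distinction it makes is that a populated endpoint with a stale handshake only tells you the old session worked, not that current initiations are arriving.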