Endpoint if be9700 vpn server is behind firewall

a week ago
Tags: #Firewall
Model: Archer BE9700  
Hardware Version: V1
Firmware Version: 1.0.7 Build 20251027 rel.50074(5553)

I have the BE9700 router set up as a WireGuard server through NordVPN. I also currently have a TP-Link R600 I use as a firewall for my LAN. The problem (probably obvious) is how to set up both firewall and router so that the WireGuard client sees the LAN IP addresses. In the WireGuard client conf file, I set the endpoint to my WAN address on the firewall; it then has assigned IPs for various devices, one being the BE9700 WAN port. The 51820 port on the firewall is forwarded to the router. But the VPN tunnel can't see the LAN addresses.

 

I know this involves NAT and Masquerade somewhere, but I really don't know how or where to set this. Removing the firewall isn't really an option at this moment.

 

Any help is greatly appreciated.

 

TIA

ken

Re:Endpoint if be9700 vpn server is behind firewall
a week ago - last edited a week ago

  @daytooner 

 

In general, what you have to do is:

 

WireGuard requires only one port to be opened, specifically configured for the UDP protocol. The default port is 51820, although any UDP port can be used. You must forward this port on your firewall to allow external, incoming VPN traffic.
Key Port Requirements:

    Protocol: UDP (WireGuard does not use TCP).
    Default Port: 51820.
    Alternative Ports: Any unused port (e.g., 443, 51821) if the default is restricted. 

Configuration Checklist:

    Port Forwarding: Set up port forwarding on your firewall from the public IP (WAN) to the internal IP of your WireGuard server - your router WAN IP address.
    Firewall Rules: Allow inbound traffic on the chosen UDP port to the router WAN IP address.

 

If I were you, I would use the R600VPN as a main firewall/router and BE9700 in AP mode.

R600VPN besides being a firewall, supports a couple of VPN server types as well.

Thus, you'll avoid the double NAT in your local network and make the network configuration simpler.

If this was helpful click on the arrow pointing upward to make it blue. If this solves your issue, click the star to make it blue and mark the post as a "Recommended Solution".
Re:Endpoint if be9700 vpn server is behind firewall
a week ago
The main problem I have is with the "end point network". How do I get to the site name, and then to the LAN? In the client config generated by the router's VPN server, the endpoints are my LAN (192.168.1.0/24), but how do I tell the client to find that LAN on my site (mysite.xxx)? I only saw my LAN in the client config file about that. I did try to bypass the firewall, but it was still the same problem. I must be totally unclear on the concept of WireGuard concerning this. Next I will try the OpenVPN server.

Another issue I have concerns the (supposed) dual WAN points. On the web admin, under Advanced->Network->Internet, I can only set the Internet port to either the 10G or 2.5 G port. And also, the web pages I have are different from the ones I have seen on the guides on the internet. My router is the TP-Link BE9700, although the pages show Archer. Did I get the wrong router?

Please help me! I spent 25 years in network development, with devices like this, but am at a total loss here 😞. So any help is greatly appreciated.

TIA, ken
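The distinction asked about above, as an added example that is not part of any post in this thread: in a WireGuard client config, `Endpoint` is the public host and UDP port the client sends encrypted packets to (here the firewall's WAN side, forwarded to the router), while `AllowedIPs` lists the networks the client routes into the tunnel. The Python sketch below checks a constructed config for both; the key placeholders, the 10.5.5.0/24 tunnel subnet and the function names are assumptions.

```python
import ipaddress

# Constructed client config: key placeholders and the 10.5.5.0/24 tunnel subnet
# are assumptions; mysite.xxx and 192.168.1.0/24 come from the thread.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.5.5.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = mysite.xxx:51820
AllowedIPs = 10.5.5.0/24, 192.168.1.0/24
"""

def parse_peer(conf_text):
    """Return the key/value pairs of the first [Peer] section, keys lowercased."""
    peer, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            if section == "peer":
                break
            section = line.strip("[]").lower()
        elif section == "peer" and "=" in line:
            key, value = line.split("=", 1)
            peer[key.strip().lower()] = value.strip()
    return peer

def check_client_conf(conf_text, lan="192.168.1.0/24", forwarded_port=51820):
    """List the problems that would keep a remote client from reaching the LAN."""
    peer, problems = parse_peer(conf_text), []
    host, _, port = peer.get("endpoint", "").rpartition(":")
    if not host:
        problems.append("Endpoint is missing or has no port")
    elif port != str(forwarded_port):
        problems.append(f"Endpoint port {port} is not the forwarded UDP port")
    try:
        if ipaddress.ip_address(host.strip("[]")).is_private:
            problems.append(f"Endpoint {host} is private, unreachable from outside")
    except ValueError:
        pass  # a DNS name (or nothing); a name must resolve to the firewall's WAN IP
    routed = [ipaddress.ip_network(p.strip(), strict=False)
              for p in peer.get("allowedips", "").split(",") if p.strip()]
    lan_net = ipaddress.ip_network(lan)
    if not any(r.version == lan_net.version and lan_net.subnet_of(r) for r in routed):
        problems.append(f"AllowedIPs does not cover {lan}")
    return problems
```

An empty list from `check_client_conf` means the client side is consistent; the port forward on the firewall and the routing behind it still have to be verified on the devices themselves.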
Re:Endpoint if be9700 vpn server is behind firewall
Tuesday

  @daytooner 

 

The BE9700 WebGUI may differ from the one you saw in the guide because different router models have different features and improvements.

As per the two WAN ports - you should use one or the other - you can't use both at the same time for load balancing or WAN failover.

Here's a guide for configuring a Wireguard VPN Server - the example is with an Archer AX55.

Here's a guide for configuring a Wireguard VPN client on an Android/iPhone mobile.

Probably this video could help on the whole configuration process.

If this was helpful click on the arrow pointing upward to make it blue. If this solves your issue, click the star to make it blue and mark the post as a "Recommended Solution".