Wireguard VPN through a router

Short Version:

Is it possible to properly mask your IP / DNS with Wireguard through a router?

Long Version:

I have a dedicated residential VPN.

If I use the provider's app on my computer and connect to the VPN with WireGuard, my IP and DNS are properly masked.

However, if I use a WireGuard configuration on my router (created by the provider's wizard), the IP / DNS are not correct and my location leaks.

The provider tells me that I must use OpenVPN if I want my IP / DNS to be properly masked through a router. Otherwise I can only use their app.

Is this true for WireGuard, or is it just something that my provider is doing that makes it so?

OpenVPN isn't terrible. The speed is more than adequate for my connectivity needs in the USA. My concern is that if I travel somewhere where speed is not the greatest yet, I don't want to throttle myself any more than I currently am.

I would say that it’s most likely your router that is the problem; which manufacturer and model is it?

If you connect with the official WireGuard client (not the provider's) for Windows, does it work properly?

It might help if you post the WireGuard config here too, without the sensitive parts of course.

I would say that it’s most likely your router that is the problem; which manufacturer and model is it?

I am currently using a Firewalla Gold Plus but was previously using a GL.iNet GL-X3000.

If you connect with the official WireGuard client (not the provider's) for Windows, does it work properly?

Connecting from Windows was never the problem. It works if I have the software installed. But I need to have it on my router. That's where it doesn't work.

# Provider WireGuard Config
[Interface]
PrivateKey = Removed=
ListenPort = 53036
MTU = 1390
DNS = 1.1.1.1
Address = Removed
[Peer]
PublicKey = Removed=
AllowedIPs = 0.0.0.0/0
Endpoint = removed:1443 (THE IP that would be here is different than what my IP is on the OpenVPN, but if I change it then it won't connect)
PersistentKeepalive = 25

There is a lot more information in the OpenVPN config.

EDIT: Added additional details

Try removing ListenPort and DNS from the [Interface] section. Maybe the Cloudflare DNS does something weird. ListenPort is very rarely needed for clients.

Some of these questions might be a bit dumb but this is kind of a hard problem to pinpoint…

  • Have you tried changing the MTU? Try 1420, 1490 and 1260.

  • The IP you put in the [Interface] section as Address, is that the IP that the WireGuard interface receives when you connect? Is it a single IP (/32) specified or a subnet range (/31 and below)?

My guess is that you are getting a LAN IP from your provider and getting NATed to WAN, which could cause some problems depending on a lot of factors. It shouldn't be a problem in theory, but yeah…

Does your regular ISP use CGNAT or some other sort of NAT that could complicate things?

  • Have you tried using both IP and hostname as Endpoint?

  • Does your provider offer other ports than 1443 to connect to?

  • What do you mean more specifically by “wrong” DNS and IP?

  • Are they your actual IP and DNS as if you weren’t using any VPN at all, or are they something entirely different?

  • Can you still use the internet when that happens?

  • Try running a traceroute to 1.1.1.1, it might reveal something useful here.

OpenVPN configs are far more useful and detailed, as you say, and I much prefer that to WireGuard configs, but the tradeoff in speed vs. verbosity is a hard one sometimes.

If the WireGuard client for Windows works, have you checked its logs for anything strange?

I am not familiar with the Firewalla products but I see that they are based on Debian which is a good thing at least; it might be necessary to fuck around with firewall rules depending on that NAT question or if something else is weird.

  • Have you tried connecting to another WireGuard provider/server than the one you are troubleshooting now using the Firewalla?

For reference, I have a static, non-NATed IP from my provider and my config looks like this:

[Interface]
Address = <the actual WAN IP I get from the provider>/32
PrivateKey = <privkey>
DNS = 46.227.67.134, 192.165.9.158 (two DNS servers on the provider's network, publicly available, so no need to remove)
MTU = 1420

[Peer]
PublicKey = <pubkey>
PresharedKey = <psk>
AllowedIPs = 0.0.0.0/0
Endpoint = <WireGuard server on the same /24 as my external IP, but not *the same* IP>:9930
PersistentKeepalive = 21

I can remove the DNS entry and it would just use my regular ISP's DNS servers, but I prefer having these as they are on the same route as my VPN traffic goes, and therefore I won't leak DNS queries even if it is known which servers I use.
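As an added example that is not part of the thread and not code from the VPN provider, Firewalla or GL.iNet, the script below turns the troubleshooting checklist above into a lint pass over a wg-quick style config: it checks that AllowedIPs is a full tunnel, that every DNS= server actually falls inside AllowedIPs (so queries go through the tunnel rather than the WAN), that ListenPort is not set on a client, whether the tunnel Address is a /32 or a subnet and whether it sits in private/CGNAT space (the "LAN IP, then NATed to WAN" guess), that the MTU is in the usual range, and whether the Endpoint is a hostname rather than an IP. The two sample configs are constructed here with placeholder keys and documentation-range addresses; they only mirror the shape of the two configs posted above.

```python
# Added example: lint a WireGuard client config for router-side pitfalls.
# Not the poster's, the provider's or Firewalla's code; samples are constructed.
import ipaddress
import re
from typing import Dict, List

# Constructed sample shaped like the provider-wizard config in the thread.
PROVIDER_STYLE_CONFIG = """
# Provider WireGuard Config (placeholders, not real keys)
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
ListenPort = 53036
MTU = 1390
DNS = 1.1.1.1
Address = 10.64.0.2/32
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.invalid:1443 (hostname endpoint, constructed)
PersistentKeepalive = 25
"""

# Constructed sample shaped like the static, non-NATed config in the last reply.
STATIC_IP_STYLE_CONFIG = """
[Interface]
Address = 203.0.113.17/32
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
DNS = 203.0.113.53, 203.0.113.54
MTU = 1420
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY=
PresharedKey = PLACEHOLDER_PSK=
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.200:9930
PersistentKeepalive = 21
"""

# RFC 1918 plus CGNAT space: a tunnel address here means the provider NATs you.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def parse_wg_config(text: str) -> Dict[str, Dict[str, str]]:
    """INI-style parser; drops '#' comments and trailing '(...)' annotations."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)  # base64 keys end in '=', so split once
        value = re.sub(r"\s*\(.*\)\s*$", "", value).strip()
        sections[current][key.strip()] = value
    return sections


def lint_router_config(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means no known pitfall."""
    findings: List[str] = []
    iface, peer = cfg.get("Interface", {}), cfg.get("Peer", {})
    allowed = [ipaddress.ip_network(n.strip(), strict=False)
               for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
    if not any(n.prefixlen == 0 for n in allowed):
        findings.append("AllowedIPs is not a full tunnel (0.0.0.0/0 or ::/0): "
                        "unlisted destinations bypass the VPN")
    dns = [d.strip() for d in iface.get("DNS", "").split(",") if d.strip()]
    if not dns:
        findings.append("No DNS= line: the router keeps using the ISP resolver (DNS leak)")
    for d in dns:
        try:
            addr = ipaddress.ip_address(d)
        except ValueError:
            findings.append(f"DNS entry {d!r} is not an IP address")
            continue
        if not any(addr in n for n in allowed):  # route check: is the resolver tunnelled?
            findings.append(f"DNS server {d} is outside AllowedIPs: queries leave via the WAN")
    if "ListenPort" in iface:
        findings.append("ListenPort set on a client: rarely needed, remove unless required")
    for a in (x.strip() for x in iface.get("Address", "").split(",") if x.strip()):
        itf = ipaddress.ip_interface(a)
        if itf.network.prefixlen < itf.max_prefixlen:
            findings.append(f"Address {a} is a subnet, not a single host (/32 or /128)")
        if any(itf.ip in n for n in NAT_RANGES):
            findings.append(f"Address {itf.ip} is private/CGNAT space: provider NATs the tunnel")
    mtu = int(iface.get("MTU", "1420"))  # wg-quick default is 1420 on a 1500-byte link
    if not 1280 <= mtu <= 1420:
        findings.append(f"MTU {mtu} is outside the usual 1280..1420 range")
    endpoint = peer.get("Endpoint", "")
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    if not endpoint:
        findings.append("No Endpoint: the router cannot initiate the tunnel")
    else:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"Endpoint {host!r} is a hostname: it must resolve before the "
                            "tunnel is up, and a rotating record changes the exit IP")
    if "PersistentKeepalive" not in peer:
        findings.append("No PersistentKeepalive: NAT mappings may expire while idle")
    return findings


def lint_text(text: str) -> List[str]:
    return lint_router_config(parse_wg_config(text))


if __name__ == "__main__":
    for name, text in (("provider-style", PROVIDER_STYLE_CONFIG),
                       ("static-ip-style", STATIC_IP_STYLE_CONFIG)):
        print(f"== {name} ==")
        for f in lint_text(text) or ["no findings"]:
            print(" -", f)
```

Run it as-is and the provider-style sample reports three findings (ListenPort on a client, a private tunnel address that implies NAT on the provider side, and a hostname endpoint), while the static-IP-style sample reports none. A clean result is a necessary but not sufficient check: wg-quick and the official desktop clients apply the DNS= line themselves, but router firmware may ignore it or keep handing LAN clients the ISP resolver via DHCP, so after fixing the config still confirm from a LAN client with a leak test and the traceroute to 1.1.1.1 suggested above.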