I travel frequently for work and would like to access my mesh from a hotel or remote location.
I have a MikroTik hAP AC 2 connected to my home WAN and a MikroTik hAP lite for the travel node.
I did the following:
- set up a static IP Reservation for the hAP AC2 as 192.168.1.xxx
- set up Port forwarding for that same IP address on ports 5525 thru 5534 with TCP/UDP access
- obtained the WAN IP address from my ISP 217.xxx.xxx.xxx
- created a NO-IP DNS name with the ISP IP address 217.xxx.xxx.xxx
In the AREDN hAP AC 2 server Node GUI:
- entered the NO-IP DNS name in the Tunnel Server box
- created a WireGuard Server entry
My question is: what goes in the Remote Node Name box and do I just leave the generated codes in the other boxes?
On the remote node hAP Lite, when I create the WireGuard client, what goes in those entries?
It would be very helpful if someone did a step by step video or post with the new web interface! I see a few with the old interface
Thanks in advance?
Scott WK7G
-
I assume:
your "Home WAN" is 217.x.x.x from your ISP.
your 'Home LAN' is 192.168.1.x .
your 'Home router' port forwards 5525 through 5534 TCP/UDP to your hAP-ac2. (*)
your home hap-ac2's WAN has a 'DHCP reservation' from your home router of '192.168.1.x' .
you have a 'wk7g.ddns.net' (or similar) that resolves to 217.x.x.x .
you have configured a tunnel server entry on your hAP-ac2 for your hAP-ac-lite.
I assume:
your hAP-ac-lite WAN connects via Wi-Fi or ethernet to a remote internet service and obtains a dynamic IP address.
your hAP-ac-lite has a tunnel client entry for 'wk7g.ddns.net' (which routes to your home hAP-ac2).
How did I do?
(*)
You need one port for each remote AREDN node.
I highly recommend wireguard tunnels instead of legacy.
You would then port forward 5525 (or a range 5525-55xx).
(edit: Strike 6525-65xx)
Semantics:
A 'static' IP address is similar to a 'dynamically assigned DHCP' IP address.
They each appear to do the same thing, however if both are used together,
it may be somewhat errant and/or redundant.
73, Chuck
You have that all correct!
Do I need to change the port forwarding range on my home to 6525-65xx?
Wireguard Server setup:
Tunnel Server(DNS Name of this Tunnel Server) = wk7g.ddns.net
Remote Node Name ="WK7G-hAPAC2"
Wireguard key = "auto generated"
Network:Port = "217.XXX.XXX.XXX:5525" ??? do you leave this autogenerated as well?
Wgt = ???
Assuming this is all ok then on the hAP-AC-Lite the Wireguard client setup:
Tunnel Server(DNS Name of this Tunnel Server) = not required
Remote Server Name = WK7G-hAPAC2
Wireguard Key = "copy from server entry"
Network:Port = 217.XXX.XXX.XXX:5525
Hopefully I have this correct now.
Thanks for helping out a newbie?
Scott(WK7G)
Tunnel Server(DNS Name of this Tunnel Server) = not required
Remote Server Name = WK7G-hAPAC2"
Hi, Scott:
No, in your tunnel client configuration, I think:
remote server name = wk7garedn.ddns.net
gelmce@nc8q-desktop:~$ nmap -Pn 217.147.189.141
Starting Nmap 7.80 ( https://nmap.org ) at 2025-05-17 22:10 EDT
Nmap scan report for 217-147-189-141.silverstar.com (217.147.189.141)
Host is up (0.068s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
5060/tcp closed sip
Nmap done: 1 IP address (1 host up) scanned in 63.87 seconds
So, it looks like you have 1 SIP port open.
Do you have a VoIP device?
-----
gelmce@nc8q-desktop:~$ ping -c 1 wk7garedn.ddns.net
PING wk7garedn.ddns.net (217.147.189.141) 56(84) bytes of data.
64 bytes from 217-147-189-141.silverstar.com (217.147.189.141): icmp_seq=1 ttl=52 time=74.6 ms
--- wk7garedn.ddns.net ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 74.557/74.557/74.557/0.000 ms
gelmce@nc8q-desktop:~$ ping -c 1 WK7G-hAPAC2
ping: WK7G-hAPAC2: Name or service not known
gelmce@nc8q-desktop:~$
Sorry, fixed.
Supernode tunnels use 6525-xxxx.
Regular node tunnels use 5525-xxxx.
Wireguard tunnels use UDP.
Legacy tunnels use TCP.
"Do I need to change the port forwarding range on my home to 6525-65xx?"
No, 5525 (or 5525-55xx). Do not adjust your set.
Wireguard Server setup:
Tunnel Server(DNS Name of this Tunnel Server) = wk7g.ddns.net
Yes, but use the real dynamic domain name.
wk7g.ddns.net did not resolve for me.
Remote Node Name ="WK7G-hAPAC2"
Fine.
Wireguard key = "auto generated"
Yes.
Network:Port = "217.XXX.XXX.XXX:5525" ??? do you leave this autogenerated as well?
Yes, autogenerated. Should look like this format: 172.31.87.180:5525
Network:Port = Wgt = ???
If left blank...defaults to integer 1.
-----
Wireguard client setup:
Tunnel Server(DNS Name of this Tunnel Server) = not required
Remote Server Name = WK7G-hAPAC2
No, this should be the real .ddns.net domain name or the IP address of your home router's ISP address.
Wireguard Key = "copy from server entry"
Network:Port = 217.XXX.XXX.XXX:5525
No, this will be formatted like: 172.31.244.96:5527 and
copied from your home tunnel server.
73, Chuck
Thanks for your patience and time!
Scott WK7G
I recommend you look the docs over if you have an issue before posting here.
73
Orv W6BI
Scott WK7G
73
Orv W6BI
I think I'm having problems with my ISP not allowing port forwarding. I go to www.canyouseeme.org and put in my external ip address and port 5525 and it shows the request failed.
Orv W6BI
The WAN IP Address: = 217.147.189.141 (this is my IP address in my ISP Router)
Router node name:=WK7G-MT-hAPAC2-QTH
The hAPac2 is connected to an ethernet switch.
The GL-AR300M15 is connected to my laptop that is connected to the WAN via Wifi and the node is on ethernet to my laptop.
I was pinging the 217.147.189.141 via my laptop in a cmd shell from my laptop.
I included 2 screenshots of the Tunnel server setup as well as the Client setup.
Thanks
When I configured my office router to forward traffic from the internet (Port 5525) to "Server" I failed to "Save" the settings in the office router. It's a Verizon "Home Internet" device and I missed the "Save" button at the top of the screen after entering my settings. DOH!
What worked for me:
1. In your router, assign a reserved LAN IP address for your AREDN Server device.
2. Create a Port Forwarding rule sending internet Port 5525 data to your AREDN Server reserved IP address.
3. *SAVE* the Port Forwarding rule.
The AREDN User Interface top to bottom:
Server Settings
Tunnel Server: The current internet (WAN) IP address of your home/office router. (Or appropriate Dynamic DNS statement. I'm not using one)
Add tunnel: "Wireguard Server".
Enter the device name of the authorized tunnel CLIENT node.
Note the Wireguard key and network IP address generated automatically
Click Done
"Commit" the changes on the main screen.
Client Settings
Tunnel Server: Blank, does not apply.
Add tunnel: "Wireguard Client".
Add the current internet (WAN) IP address of your home/office router where the "Server" node is located. (Or appropriate Dynamic DNS statement. I'm not using one)
Enter the identical Wireguard key and network IP address that were generated for the "Server" node.
Click Done
"Commit" the changes on the main screen.
I set the "Client" node Radio to "WAN Client" mode and connected it to "Hotspot" service from my cellphone.
My "Server" node Radio is "Off" and its WAN port is cabled to my office LAN.
I have read through the documentation so many times now. I have watched video after video and I seem to be missing something.
I have created the server entries exactly as they should be.
Troubleshooting Questions:
1. When you create the server entry, when does the box to the right of the [remote node name] turn from white to solid green? I assume if you click on it and it turns to red that it is disabled.
2. When you create the Client entry on the remote node when does the box turn to green?
I am trying to troubleshoot why I can't get it active. Is it my ISP port forwarding not working? Is it a setting for my server node or is it on my client node?
Orv W6BI
I opened a Windows PowerShell and used the Test-NetConnection command. Something must be blocking access. I know it was testing TCP and not UDP but either way it failed. I'm learning, but it's quickly going beyond my network experience.
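Added example (not part of any post in this thread and not AREDN's own tooling): WireGuard tunnels use UDP, and a WireGuard listener does not answer unauthenticated datagrams, so a TCP-only check such as the Test-NetConnection run above cannot confirm the forward. This UDP echo pair tests the router's UDP 5525 forward directly. It assumes the listener runs on a LAN PC that the forward is temporarily pointed at and that the probe is sent from outside the home network; the file name `udp_check.py` and the function names are made up for this example.

```python
import secrets
import socket
import sys

def udp_echo_once(bind_addr, port, ready=None, timeout=60.0):
    """Wait for one datagram on bind_addr:port and echo it to the sender.

    Returns the sender's (ip, port) as seen after NAT, or None on timeout.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        s.settimeout(timeout)
        if ready is not None:
            ready.set()          # tell a waiting thread the port is bound
        try:
            data, peer = s.recvfrom(2048)
        except OSError:          # nothing arrived before the timeout
            return None
        s.sendto(data, peer)
        return peer

def udp_probe(host, port, timeout=2.0, attempts=3):
    """Send a random nonce; return True only if the same bytes come back."""
    nonce = secrets.token_bytes(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _ in range(attempts):        # UDP is lossy, so retry a few times
            try:
                s.sendto(nonce, (host, port))
                data, _ = s.recvfrom(2048)
            except OSError:              # timeout, DNS failure, ICMP unreachable
                continue
            if data == nonce:
                return True
    return False

if __name__ == "__main__":
    # usage: udp_check.py listen 5525   |   udp_check.py probe <host> 5525
    if len(sys.argv) == 3 and sys.argv[1] == "listen":
        peer = udp_echo_once("0.0.0.0", int(sys.argv[2]))
        print(f"datagram from {peer}" if peer else "nothing arrived")
    elif len(sys.argv) == 4 and sys.argv[1] == "probe":
        ok = udp_probe(sys.argv[2], int(sys.argv[3]))
        print("UDP forward works" if ok else "no echo: UDP is being blocked")
    else:
        sys.exit("usage: listen <port> | probe <host> <port>")
```

If the listener reports a datagram but the probe sees no echo, the inbound forward works and the return path is what is being filtered.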
I finally got my tunnel to work! Thanks to K9LMR!!!
What I changed to make it work was in the CLIENT setup
The key was not using the actual name of the SERVER Node and instead putting in the actual ISP WAN IP address in the Remote Server Name box.
I appreciate all the constructive help from everyone. I hope this helps someone else in the future!
Scott
I love this hobby because folks behind and within projects like AREDN not only create amazing firmware/software but offer all levels of support to anyone who asks.
Offering little more than my amateur callsign, I've enjoyed conversations on countless radio and non-radio subjects.
73, David