FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14455 questions

17168 answers

28195 comments

0 members

We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
+1 vote
2,153 views 8 comments
by anonymous
Hello,

I have successfully setup a wireguard interface on a RUTX11 using the provided supplementary packages in firmware version 02.04.1.

Performance is excellent, looks stable for the moment.

However I believe the configuration page "cgi-bin/luci/admin/services/vpn/wireguard/the_wg_interface_name" should offer the option to enter a predefined public key besides the "Generate" one. This is to accommodate the "initiator only" use case with all the parameters assigned by another router. Manually editing /etc/config/network is unavoidable here.

And of course put the optional packages directly in the firmware image else I will loose access to the device in case of remote upgrade ...

Except for this shortcomings, very good job indeed.

Regards,

2 Answers

+1 vote
by anonymous
Hi,

Thank you for this suggestion! I'll make sure it reaches RnD and hopefully, we'll make improvements!

EB.
by anonymous

Maybe this feature will help my setup to work?
I basically got this config from my vendor, and I cant figure out how to make it work on the RUTx11 with the wireguard setting ui:

[Interface]
PrivateKey = [redacted]

Address = [redacted]/24,[redacted]/64
DNS = [redacted], [redacted], [redacted], [redacted]

[Peer]
PublicKey = [redacted]
Endpoint = [redacted]:48574
AllowedIPs = 0.0.0.0/0, ::/0

by anonymous
It doesn't look like this feature will be able to help you, the current ui appears to be sufficient to handle your configuration.

Go to Services->VPN->Wireguard, add a "New Wireguard configuration", edit it, check the "Enable" box  and fill in the "Private Key" and "IP Adresses" fields, then add a new peer, edit it, set the "Public Key", "Allowed IP", "Endpoint host" and "Endpoint port" accordingly. Don't forget to check the "Route the Allowed Ips" box. Depending on the network, a non null value for the "Persistent Keepalive"  may be required.

Then go to Network->Firewall->General Settings, set the input output forwarding rules as required, set the wireguard->lan masquerading checkbox to On.

If all is well, you should be able to ping the "Endpoint Host" at least.

Beware, with AllowedIPs=0.0.0.0/0,::/0 all your traffic will go through the wireguard interface, you may need to restrict it.

Regards,
by anonymous

Thanks

by anonymous

First ssh to the device, and enter "wg" at the command prompt. If the tunnel is up you should have something like:

interface: [redacted]

  public key: [redacted]

  private key: (hidden)

  listening port: 51820

peer: [redacted]

  preshared key: (hidden)

  endpoint: [redacted]:51820

  allowed ips: [redacted]

  latest handshake: 1 minute, 55 seconds ago

  transfer: 199.00 KiB received, 633.54 KiB sent

  persistent keepalive: every 1 minute

0 votes
by anonymous
Thanks, it works now :)

turns out I had to allow forwarding on LAN -> [wan][wireguard] and add DNS-servers manually to the interface.
by anonymous
Good to know. How did you "add DNS-servers manually" ? In /etc/resolv.conf ?
by anonymous
No, I went to network -> interfaces -> Lan and added DNS servers to a list there.

But I had to do factory reset a few times since it seems that removing wireguard stuff in the wrong order left old configuration data on disk, which wasn't visible from the UI. I suspect it had some impact anyway.

The last time I setup wireguard after a few factory resets, it for some reason didn't setup a forward rule under "firewall" automatically (?), but when I added it manually, everything worked as expected.
by
I found the wireguard setup to be quite problematic on the latest FW version. Using the wireguard package downloaded from the list on the device, I was left with an automatically generated interface belonging to the wireguard instance I had configured but with no protocol attached to the interface and no wireguard protocol listed available in GUI dropdown. It is also unfortunate that the instructions in the TT website for using this are wholly inadequate as they make no mention whatsoever of setting up the interface and no mention of any need to adjust firewall settings. In addition, the lack of any indication from the gui that the installation is malfunctional meant that I wasted a lot of time testing an installation that I did not realise could not possibly work. Quite a disappointment. Perhaps I should have been more cautious when I saw that the package was 'not approved by Teltonika' as I installed it but one expects listed packages to be less pathological than this.
by anonymous

What is the "latest FW version" you are talking about ? If it is 02.04.3 I agree with you it is totally unusable it will crash the kernel possibly as soon as you try to start the interface, I had to recompile my own package to get out of the trap.

I spotted the GUI issue also but didn't deem it worthy of a ticket so I didn't report it... Should have.

I agree about the firewall rules, as set the default is not the best choice for the common case.

And for the DNS question there is no easy answer as allowing some of the requests to go through the mobile interface presents a security risk and disallowing them can break mobile operations.

Regards,