We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
+1 vote
1,386 views 24 comments
by anonymous
Hi, I just received a shiny new RUTX09 and it seems to be a robust piece of kit.

I have a stable internet connection over 4G.

I have tried to set up WireGuard to connect to the TorGuard VPN.

I have successfully performed a handshake and can ping and traceroute IPs and FQDNs (after adding DNS servers to the LAN settings) directly from the CLI.

I cannot use my devices on the internet: there is no ping or traceroute, and the devices state there is no internet connection. I have disabled the firewall and it made no difference.

Am I missing a port forwarding command?

1 Answer

0 votes
by anonymous

Hello,

Thank you for contacting .

May I know if the device is on the latest firmware?

Are you sure you are using the correct DNS?

Are you sure you used the correct configuration for adding DNS to the LAN settings through the CLI? Can you share it?

Maybe you configured something wrong.

You can also add it through the WebUI. Have you tried from the WebUI?

And have you checked on the device itself whether it has an internet connection?

You can check in System > Administration > Diagnostics.

Thank you. 

Regards,

Ahmed

by anonymous

Thanks for taking the time to respond to me. 

It has the latest firmware:

RUTX_R_00.02.06.1
Firmware build date 2021-02-11 15:38:18
Internal modem firmware version EG06ELAR03A05M4G
Kernel version 4.14.195

"Are you sure you used the correct configuration for adding DNS to the LAN settings through the CLI? Can you share it?"

Can you explain this a bit more, please?

All I have done is input this into the appropriate fields:

# TorGuard WireGuard Config
[Interface]
PrivateKey = REDACTED
ListenPort = 51820
DNS = 1.1.1.1
Address = 10.13.128.117/24

[Peer]
PublicKey = REDACTED
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = REDACTED1:1443
PersistentKeepalive = 25

When the VPN is OFF, all internet connections are active on all devices and route through the ISP.

When the VPN is ON, all devices CANNOT make connections and ONLY the ROUTER can route through the VPN. This is tested using traceroute on the CLI.

I feel it is a DNS issue but I cannot see where to amend this.

Do I need to fill out static routes? There are none present.

by anonymous
Hello,

Could you try with masquerading on in the Network -> Firewall -> General settings for the wireguard -> lan zone?

Regards,
by anonymous

Hi, masquerading made no difference. Same situation.

VPN off:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     1      0        0 qmimux0
100.93.186.XXX  0.0.0.0         255.255.255.255 UH    1      0        0 qmimux0
149.14.224.XX   0.0.0.0         255.255.255.255 UH    1      0        0 qmimux0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

VPN on:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         128.0.0.0       U     0      0        0 Torguard
0.0.0.0         0.0.0.0         0.0.0.0         U     1      0        0 qmimux0
10.13.128.0     0.0.0.0         255.255.255.0   U     0      0        0 Torguard
100.93.186.XXX  0.0.0.0         255.255.255.255 UH    1      0        0 qmimux0
128.0.0.0       0.0.0.0         128.0.0.0       U     0      0        0 Torguard
149.14.224.XX   0.0.0.0         255.255.255.255 UH    1      0        0 qmimux0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
by anonymous
Can you ping www.yahoo.com from a device behind the router?
by anonymous
VPN down: Yes

VPN up: No
by anonymous
And ping 87.248.100.215 (www.yahoo.com)? So we will see if it is a DNS issue or if it is something else.
by anonymous
Thanks for your continued support.

Pinging the FQDN or the IP from a device is non-responsive.

Pinging on the router works on both occasions.
by anonymous
2 questions:

 - What exactly is the error message from ping?

 - Can you run "tcpdump -i any -n -v 'icmp'" on the router and a ping on a device at the same time, and post a few lines from tcpdump? I would like to see the ICMP error codes (or their absence).
by anonymous
VPN UP:

root@Teltonika-RUTX09:~# tcpdump -i any -n -v 'icmp'
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
22:59:17.394492 IP (tos 0xc8, ttl 64, id 55884, offset 0, flags [none], proto ICMP (1), length 546)
    10.13.128.117 > 104.223.91.194: ICMP 10.13.128.117 udp port 61081 unreachable, length 526
        IP (tos 0x28, ttl 56, id 33109, offset 0, flags [none], proto UDP (17), length 518)
    104.223.91.194.53 > 10.13.128.117.61081: 63851 9/4/5 telemetry.malwarebytes.com. CNAME elb-telemetry-prod-external-1332413525.us-west-2.elb.amazonaws.com., elb-telemetry-prod-external-1332413525.us-west-2.elb.amazonaws.com. A 44.240.17.169, elb-telemetry-prod-external-1332413525.us-west-2.elb.amazonaws.com. A 34.208.191.220, elb-telemetry-prod-external-1332413525.us-west-2.elb.amazonaws.com. A 54.212.134.221, elb-telemetry-prod-external-1332413525.us-west-2.elb.amazonaws.com. A 52.40.122.164, elb-telemetry-prod-external-1332413525.us-west-2.elb.amazonaws.com. A 54.69.134.133, elb-telemetry-prod-external-1332413525.us-west-2.elb.amazonaws.com. A 100.20.6.208, elb-telemetry-prod-external-1332413525.us-west-2.elb.amazonaws.com. A 54.70.150.193, elb-telemetry-prod-external-1332413525.us-west-2.elb.amazonaws.com. A 52.37.53.140 (490)
22:59:17.438681 IP (tos 0x0, ttl 128, id 18947, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.62 > 87.248.100.215: ICMP echo request, id 1, seq 170, length 40
22:59:17.438681 IP (tos 0x0, ttl 128, id 18947, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.62 > 87.248.100.215: ICMP echo request, id 1, seq 170, length 40
22:59:22.012268 IP (tos 0x0, ttl 128, id 18948, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.62 > 87.248.100.215: ICMP echo request, id 1, seq 171, length 40
22:59:22.012268 IP (tos 0x0, ttl 128, id 18948, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.62 > 87.248.100.215: ICMP echo request, id 1, seq 171, length 40
22:59:25.588566 IP (tos 0xc2,ECT(0), ttl 64, id 19031, offset 0, flags [none], proto ICMP (1), length 188)
    100.89.128.162 > 212.183.131.137: ICMP 100.89.128.162 udp port 4500 unreachable, length 168
        IP (tos 0x2,ECT(0), ttl 238, id 9303, offset 0, flags [none], proto UDP (17), length 160)
    212.183.131.137.4500 > 100.89.128.162.4500: UDP-encap: ESP(spi=0xc1f79698,seq=0x54), length 132
22:59:27.005445 IP (tos 0x0, ttl 128, id 18949, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.62 > 87.248.100.215: ICMP echo request, id 1, seq 172, length 40
22:59:27.005445 IP (tos 0x0, ttl 128, id 18949, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.62 > 87.248.100.215: ICMP echo request, id 1, seq 172, length 40
22:59:31.096141 IP0
22:59:32.010093 IP (tos 0x0, ttl 128, id 18950, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.62 > 87.248.100.215: ICMP echo request, id 1, seq 173, length 40
22:59:32.010093 IP (tos 0x0, ttl 128, id 18950, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.62 > 87.248.100.215: ICMP echo request, id 1, seq 173, length 40
22:59:39.827593 IP (tos 0xc2,ECT(0), ttl 64, id 19172, offset 0, flags [none], proto ICMP (1), length 188)
    100.89.128.162 > 212.183.131.137: ICMP 100.89.128.162 udp port 4500 unreachable, length 168
        IP (tos 0x2,ECT(0), ttl 238, id 61045, offset 0, flags [none], proto UDP (17), length 160)
    212.183.131.137.4500 > 100.89.128.162.4500: UDP-encap: ESP(spi=0xc1f79698,seq=0x55), length 132
22:59:40.785703 IP0
^X^C
13 packets captured
13 packets received by filter
0 packets dropped by kernel

Client ping quotes: Request timed out
by anonymous
Looks like the tunnel is inoperative. What is the output of "wg" on the router?
by anonymous
root@Teltonika-RUTX09:~# wg
interface: Torguard
  public key: Teo4zCja=
  private key: (hidden)
  listening port: 51820

peer: BEK/fz5K47pwf3Bt8q
  endpoint: 149.14.224.66:1443
  allowed ips: 0.0.0.0/0
  latest handshake: 9 seconds ago
  transfer: 1.57 KiB received, 1.46 KiB sent
  persistent keepalive: every 25 seconds
root@Teltonika-RUTX09:~#
by anonymous

    10.13.128.117 > 104.223.91.194: ICMP 10.13.128.117 udp port 61081 unreachable, length 526

So the LAN cannot send data to the wg tunnel. Can you check the firewall: are lan->wireguard->forward and wireguard->lan->forward both set to ACCEPT?

by anonymous

Still not working. 

by anonymous
Oops, 61081 is a port used by the DNS, no relation with wg. I should have read more carefully.

Still one more possibility to debug this issue: the ifconfig counters.

 - ifconfig Torguard

 - start a ping

 - ifconfig Torguard several times

and compare the TX and RX packet counters. Do they increase regularly (i.e. not only every 25 s)?
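The counter comparison asked for above, written out as a POSIX shell script. This is an added example, not code from the thread or from Teltonika: it pulls the "RX packets" and "TX packets" fields out of two `ifconfig` snapshots and classifies the tunnel, so the "TX climbs, RX does not" pattern is spotted mechanically rather than by eye. The `watch_tunnel` helper and the snapshot strings are constructed for this example (the snapshot values reuse the RX 3 / TX 71 -> 98 counters the asker reported).

```shell
#!/bin/sh
# Added example (not from the thread): compare two "ifconfig <iface>" snapshots
# and say whether the tunnel is carrying traffic in both directions.

# Pull one counter ("RX packets" or "TX packets") out of an ifconfig snapshot
# given as a string. Prints 0 when the field is missing.
counter() {  # usage: counter "<snapshot>" RX|TX
    v=$(printf '%s\n' "$1" | sed -n "s/.*$2 packets:\([0-9]*\).*/\1/p")
    echo "${v:-0}"
}

# Classify the change between two snapshots taken a few seconds apart:
#   both    - RX and TX both increased: traffic flows in both directions
#   tx-only - only TX increased: packets leave but nothing comes back
#             (wrong keys, wrong endpoint, or the far side's AllowedIPs
#             does not cover the source address being sent)
#   idle    - neither counter moved
classify() {  # usage: classify "<before>" "<after>"
    rx0=$(counter "$1" RX); rx1=$(counter "$2" RX)
    tx0=$(counter "$1" TX); tx1=$(counter "$2" TX)
    if [ "$rx1" -gt "$rx0" ] && [ "$tx1" -gt "$tx0" ]; then
        echo both
    elif [ "$tx1" -gt "$tx0" ]; then
        echo tx-only
    else
        echo idle
    fi
}

# Live use on the router (hypothetical helper, not run here): sample the
# interface twice while a ping is running from a LAN device.
watch_tunnel() {  # usage: watch_tunnel Torguard [seconds]
    a=$(ifconfig "$1"); sleep "${2:-5}"; b=$(ifconfig "$1")
    classify "$a" "$b"
}

# Constructed snapshots, trimmed to the lines that matter: RX stays at 3
# while TX climbs from 71 to 98, exactly the pattern seen in this thread.
BEFORE='Torguard  Link encap:UNSPEC
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:71 errors:0 dropped:0 overruns:0 carrier:0'
AFTER='Torguard  Link encap:UNSPEC
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:98 errors:0 dropped:0 overruns:0 carrier:0'

classify "$BEFORE" "$AFTER"   # prints: tx-only
```

On the router itself, `watch_tunnel Torguard 5` run while a LAN device pings gives the same verdict from live counters; "tx-only" means the kernel is encrypting and sending, so the fault is keys, endpoint, or the far side's AllowedIPs, not the local routing table.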
by anonymous
root@Teltonika-RUTX09:~# ifconfig Torguard
Torguard  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.13.128.117  P-t-P:10.13.128.117  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:71 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:156 (156.0 B)  TX bytes:5988 (5.8 KiB)

root@Teltonika-RUTX09:~# ifconfig Torguard
Torguard  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.13.128.117  P-t-P:10.13.128.117  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:98 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:156 (156.0 B)  TX bytes:8148 (7.9 KiB)

root@Teltonika-RUTX09:~# ifconfig Torguard
Torguard  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.13.128.117  P-t-P:10.13.128.117  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:99 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:156 (156.0 B)  TX bytes:8372 (8.1 KiB)

root@Teltonika-RUTX09:~# ifconfig Torguard
Torguard  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.13.128.117  P-t-P:10.13.128.117  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:106 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:156 (156.0 B)  TX bytes:8932 (8.7 KiB)

root@Teltonika-RUTX09:~# ifconfig Torguard
Torguard  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.13.128.117  P-t-P:10.13.128.117  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:110 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:156 (156.0 B)  TX bytes:9252 (9.0 KiB)

root@Teltonika-RUTX09:~# ifconfig Torguard
Torguard  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.13.128.117  P-t-P:10.13.128.117  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:115 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:188 (188.0 B)  TX bytes:9652 (9.4 KiB)

root@Teltonika-RUTX09:~# ifconfig Torguard
Torguard  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.13.128.117  P-t-P:10.13.128.117  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:117 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:188 (188.0 B)  TX bytes:9812 (9.5 KiB)

root@Teltonika-RUTX09:~# ifconfig Torguard
Torguard  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.13.128.117  P-t-P:10.13.128.117  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:117 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:188 (188.0 B)  TX bytes:9812 (9.5 KiB)

Is there an error in the routing tables?
by anonymous
OK, the picture is clear now: the TX packet counter increases due to the ping but the RX counter doesn't. It is *very* strange that the value remains so low with a 25 s keepalive interval. When did you start / restart the tunnel? Are you sure about your private/public keys?
by anonymous
In all honesty I am not sure about anything.

I started the tunnel within seconds of the readings. I have to switch off the VPN to retrieve your emails and to upload the requests from you.

I thought that if I was able to ping the TorGuard endpoint from the router, then it was a successful connection? And that if I can ping and traceroute from the router to the WWW, then the connection was successful too?
by anonymous
Could you do another test: the ifconfig Torguard as before, and a ping from the router on another console? Check the RX and TX counters; if RX increases normally, the bet is that the keys are correct. Then the issue must be at the other end: the server doesn't know how to reply to the 192.168.0.x source address from the other device on the LAN. Said another way, its AllowedIPs is not correct. Or the masquerading doesn't do what it is expected to do.
by anonymous
I have now tried OpenVPN with similar issues.

I think it may be a routing problem on the router but don't know how to start with that.

My thinking behind this is:

A) When pinging google.com or running traceroute google.com from the router CLI via PuTTY, it shows a route through the VPN, AND through the ISP if the VPN is disabled.

B) When doing it on a PC behind the router there is no answer UNLESS the VPN is disabled, and then it goes via the ISP.

What routing or rules am I missing?
by anonymous

The limitation must come from the AllowedIPs at the other end of the tunnel; it is probably restricted to 10.13.128.117.

Can you do another test:

 - start the tunnel

 - execute: iptables -t nat -I POSTROUTING -o Torguard -j SNAT --to 10.13.128.117

 - retry the ping from another device. Check the counters with ifconfig Torguard.

by anonymous
Nope, now I have no VPN when pinging from the router.
by anonymous
SOLVED:

Covered networks had not selected the VPN WireGuard connection "Torguard" in Firewall --> General --> Wireguard -> LAN settings.
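What "covered networks" means at the configuration level, as an added example (not Teltonika's, OpenWrt's or the thread's code). RutOS is OpenWrt-based, and in OpenWrt's `/etc/config/firewall` the covered networks of a zone are its `list network` entries; a zone's `option masq '1'` and the `config forwarding` rules that reference it only ever apply to interfaces listed there. That is why turning masquerading on made no difference earlier in the thread: the wireguard zone had no network in it, so the masquerade and forward rules matched nothing. The script below parses that file format with awk and reports both checks. The sample configs are constructed; the zone name `wireguard`, the interface `Torguard` and the `lan` zone are taken from the thread.

```shell
#!/bin/sh
# Added example (not Teltonika's or OpenWrt's code): check an OpenWrt-style
# /etc/config/firewall for the two things this thread needed - the tunnel
# interface listed under the zone's "covered networks" and a forwarding from
# the LAN zone into that zone. The sample configs below are constructed.

# zone_covers <zone> <network>  (config on stdin): exit 0 if the zone's
# "list network" entries include <network>.
zone_covers() {
    awk -v zone="$1" -v net="$2" -v q="'" '
        function unq(s) { gsub(q, "", s); return s }
        $1 == "config" { n++; type[n] = $2; next }
        $1 == "option" && $2 == "name"    { name[n] = unq($3) }
        $1 == "list"   && $2 == "network" { nets[n] = nets[n] " " unq($3) " " }
        END {
            for (i = 1; i <= n; i++)
                if (type[i] == "zone" && name[i] == zone && index(nets[i], " " net " "))
                    exit 0
            exit 1
        }'
}

# forwarding_exists <src-zone> <dest-zone>  (config on stdin): exit 0 if a
# "config forwarding" section allows src -> dest.
forwarding_exists() {
    awk -v s="$1" -v d="$2" -v q="'" '
        function unq(x) { gsub(q, "", x); return x }
        $1 == "config" { n++; type[n] = $2; next }
        $1 == "option" && $2 == "src"  { src[n] = unq($3) }
        $1 == "option" && $2 == "dest" { dst[n] = unq($3) }
        END {
            for (i = 1; i <= n; i++)
                if (type[i] == "forwarding" && src[i] == s && dst[i] == d) exit 0
            exit 1
        }'
}

# check_tunnel_zone <zone> <network> <lan-zone>  (config on stdin): prints one
# finding per check and returns 0 only when both pass.
check_tunnel_zone() {
    cfg=$(cat); rc=0
    if printf '%s\n' "$cfg" | zone_covers "$1" "$2"; then
        echo "zone '$1' covers '$2'"
    else
        echo "zone '$1' does not cover '$2': its masq/forward rules never match the tunnel"; rc=1
    fi
    if printf '%s\n' "$cfg" | forwarding_exists "$3" "$1"; then
        echo "forwarding $3 -> $1 present"
    else
        echo "forwarding $3 -> $1 missing"; rc=1
    fi
    return $rc
}

# Constructed: the state the thread describes - masquerading on and the
# lan -> wireguard forwarding present, but no network under the wireguard zone.
BROKEN_FW="config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'wireguard'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wireguard'
"
# The fix is a single line in the wireguard zone: list the tunnel interface.
FIXED_FW=$(printf '%s\n' "$BROKEN_FW" | awk -v add="    list network 'Torguard'" '{ print } $2 == "mtu_fix" { print add }')

printf '%s\n' "$BROKEN_FW" | check_tunnel_zone wireguard Torguard lan || echo "-> broken config"
printf '%s\n' "$FIXED_FW"  | check_tunnel_zone wireguard Torguard lan
```

On the router the same check runs as `check_tunnel_zone wireguard Torguard lan < /etc/config/firewall`. Listing the interface under the zone (the WebUI's "covered networks") is what makes `option masq '1'` rewrite the 192.168.0.x source addresses to 10.13.128.117 before they enter the tunnel, which is the address the far side's AllowedIPs accepts; the manual `iptables ... SNAT` tried earlier in the thread was doing the same job by hand.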
by anonymous
Glad you found it.
by anonymous

Nope, more issues. Another post with a similar issue is https://community.teltonika-networks.com/33512/wireguard-and-dns-servers