+1 vote
427 views 3 comments
by anonymous

I'm trying to deploy three Helium miners on the same RUT360 router connected to a switch on port eth1. The reason for three miners is a lab where I use three high gain panel antennas on the same pole pointing in three different directions.

Using the latest firmware of the RUT 360.

I have followed this guide for one miner and it works if I use 1 miner: Providing connectivity for Helium miners using the RUT240 - Teltonika Networks Wiki (teltonika-networks.com)

Is it possible, with some modification to the guide of course, to deploy 3 nanodes with the addresses 10.0.1.1, 10.0.2.1 and 10.0.3.1 and three wg interfaces on RUT-side 10.0.1.2, 10.0.2.2 and 10.0.3.2? And route three miners 192.168.0.x/32, 192.168.0.y/32 and 192.168.0.z/32 through these interfaces to get all three out of relayed?

What modifications do we need to make this work?

by anonymous
Hello,

Just to clarify - will these be 3 different devices with 3 different VPS and 3 different VPN tunnels or will it be 3 separate VPN tunnels pointing to 1 VPS which will be used for 3 different devices?
by anonymous

These will be 3 different devices with 3 different VPS and 3 different VPN tunnels.

by anonymous
Hi, Did you ever get this working?

I am trying to do the same thing. I have created 2 instances of Wireguard with separate servers and both are connected. What I'm struggling with is to route anything through the second instance. The first has created firewall rules and everything is being routed through the first.

1 Answer

0 votes
by anonymous

In theory it's possible.

In the case of VPN tunnels, it would be enough to create 3 different WireGuard instances pointing to 3 different end-points (VPS) with different allowed IPs. The only differences in configuration would be to configure a different listening port on the RUT360 for each WireGuard instance (for example port 51820 for Tunnel1, port 51821 for Tunnel2, port 51822 for Tunnel3), as well as to point that specific instance to the desired VPS. The most important part is to make sure the IP addressing does not duplicate. Also, make sure the listening ports do not get mixed up on the RUT360 side and on the individual VPS side, because in the "wg0.conf" file (on the VPS), at the very bottom, there is a line "Endpoint = 0.0.0.0:51820" - change the port according to the listening port on the RUT360 for the specific tunnel instance. Also, naturally, a slight modification of the rules is necessary (for IP addressing) and completely different private/public key pairs must be used for each tunnel.

Regarding the external port forward part on the router - this is where a potential issue might arise. Unfortunately, I cannot give you a definitive answer because this is more of a Helium-specific thing but as far as theory goes, the current requirements in Helium network documentation (for the "Relayed" status) require the external port to be 44158 which, technically, will be true. When creating a new port forward rule, I highly recommend setting the "Source IP" for each rule to respect and forward packets to a specified miner only if it's incoming from the correct VPN tunnel. For example:

VPN tunnel 1


Interface "wg0" of VPS #1 IP: 10.0.10.1/24 | RUT360 WireGuard interface listening on port 51820, tunnel IP: 10.0.10.2/32 | Firewall rule:

Source zone: wireguard

Source MAC address: any

Source IP address (incoming IP in packet header): 10.0.10.1

Source port: Any

External IP address (matching IP of the listening interface): Any, but can be set to 10.0.10.2 to further specify the forward rule

External port: 44158

Internal zone: lan

Internal IP address: [LAN IP of device #1]

Internal port: 44158

Same goes for every other port forward rule, the only differences would be in the Source/External IP addresses.

VPN tunnel 2


Interface "wg0" of VPS #2 IP: 10.0.20.1/24 | RUT360 WireGuard interface listening on port 51821, tunnel IP: 10.0.20.2/32 | Firewall rule:

Source zone: wireguard

Source MAC address: any

Source IP address (incoming IP in packet header): 10.0.20.1

Source port: Any

External IP address (matching IP of the listening interface): Any, but can be set to 10.0.20.2 to further specify the forward rule

External port: 44158

Internal zone: lan

Internal IP address: [LAN IP of device #2]

Internal port: 44158

VPN tunnel 3


Interface "wg0" of VPS #3 IP: 10.0.30.1/24 | RUT360 WireGuard interface listening on port 51822, tunnel IP: 10.0.30.2/32 | Firewall rule:

Source zone: wireguard

Source MAC address: any

Source IP address (incoming IP in packet header): 10.0.30.1

Source port: Any

External IP address (matching IP of the listening interface): Any, but can be set to 10.0.30.2 to further specify the forward rule

External port: 44158

Internal zone: lan

Internal IP address: [LAN IP of device #3]

Internal port: 44158

Let me know if you need additional guidance regarding this request.

Best regards,

Tomas.
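
A consistency check for the three-tunnel plan described in the answer above, as an added example that is not part of the original post or of Teltonika's tooling. The dictionary layout, the key labels and the miner LAN addresses are constructed placeholders; the tunnel addresses, listening ports and external port 44158 are the ones given in the answer.

```python
import ipaddress
from itertools import combinations

# Constructed plan mirroring the answer's three tunnels. "pubkey" labels and
# "miner_ip" values are placeholders (assumptions), not values from the thread.
PLAN = [
    {"name": "tunnel1", "vps_wg": "10.0.10.1/24", "rut_wg": "10.0.10.2/32",
     "listen_port": 51820, "vps_endpoint_port": 51820, "pubkey": "KEY-1",
     "fwd_src_ip": "10.0.10.1", "fwd_ext_port": 44158, "miner_ip": "192.168.0.11"},
    {"name": "tunnel2", "vps_wg": "10.0.20.1/24", "rut_wg": "10.0.20.2/32",
     "listen_port": 51821, "vps_endpoint_port": 51821, "pubkey": "KEY-2",
     "fwd_src_ip": "10.0.20.1", "fwd_ext_port": 44158, "miner_ip": "192.168.0.12"},
    {"name": "tunnel3", "vps_wg": "10.0.30.1/24", "rut_wg": "10.0.30.2/32",
     "listen_port": 51822, "vps_endpoint_port": 51822, "pubkey": "KEY-3",
     "fwd_src_ip": "10.0.30.1", "fwd_ext_port": 44158, "miner_ip": "192.168.0.13"},
]

def check_plan(plan):
    """Return a list of problems found in the plan; an empty list means consistent."""
    problems = []
    # Listening ports, key pairs and forward targets must be unique per tunnel.
    for field in ("listen_port", "pubkey", "miner_ip"):
        seen = {}
        for t in plan:
            if t[field] in seen:
                problems.append(f"{t['name']}: {field} duplicates {seen[t[field]]}")
            seen.setdefault(t[field], t["name"])
    # "IP addressing does not duplicate": tunnel subnets must not overlap.
    for a, b in combinations(plan, 2):
        na = ipaddress.ip_interface(a["vps_wg"]).network
        nb = ipaddress.ip_interface(b["vps_wg"]).network
        if na.overlaps(nb):
            problems.append(f"{a['name']}/{b['name']}: tunnel subnets overlap")
    for t in plan:
        vps = ipaddress.ip_interface(t["vps_wg"])
        rut = ipaddress.ip_interface(t["rut_wg"])
        if rut.ip not in vps.network or rut.ip == vps.ip:
            problems.append(f"{t['name']}: RUT tunnel IP is not a distinct host in the VPS subnet")
        # The Endpoint port in wg0.conf on the VPS must match the RUT360 listening port.
        if t["vps_endpoint_port"] != t["listen_port"]:
            problems.append(f"{t['name']}: VPS Endpoint port != RUT listen port")
        # The port forward must only accept packets from this tunnel's own VPS.
        if ipaddress.ip_address(t["fwd_src_ip"]) != vps.ip:
            problems.append(f"{t['name']}: forward rule Source IP is not this tunnel's VPS")
        if t["fwd_ext_port"] != 44158:
            problems.append(f"{t['name']}: external port is not 44158")
    return problems
```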