0 votes
2,036 views 2 comments
by
Hi,

I have configured a WireGuard server on my RUTXR1. But no client can connect to the server.

Error message: Handshake for peer 1 (213.xxx.xxx.xxx:51820) did not complete after 5 seconds, retrying (try 2)

Firmware is RUTX_R_00.07.01.2.

RUTXR1 config:
Private Key: mIlcoLnGy...
Public Key: /PnNTArZw...
Listen Port: 51820
IP Addresses: 10.11.3.2/32, 10.11.3.3/32

client config:
[Interface]
PrivateKey = 8LgT4...
Address = 10.11.3.2/32
DNS = 1.1.1.1, 8.8.8.8
MTU = 1420
[Peer]
PublicKey = /PnNTArZw...
AllowedIPs = 10.11.1.0/24, 10.10.1.0/24
Endpoint = [mydomain.com]:51820

Firewall settings are okay, I think.

Kind regards
Tom

1 Answer

0 votes
by anonymous

Hello,

I'll assume the endpoint domain hostname, which is the RUTXR1, is being resolved in this case from the failed handshake output that you've provided. I have a question regarding the public key - I can see that on both sides it begins the same - are you using the exact same public key both on the client side as well as the server (RUTXR1) side? If that's the case then this is the primary reason why the handshake is failing - one of the sides does not have its public key configured properly. Each side must have its own private key and the other side's (peer) public key entered in the [Peer] section. Please refer to the WireGuard configuration example on our wiki page:

https://wiki.teltonika-networks.com/view/WireGuard_Configuration_Example

Generic information about the WireGuard service on our RUTXR1 series devices can be found here: https://wiki.teltonika-networks.com/view/RUTXR1_VPN#WireGuard

Also, I believe even if you fix the public keys mismatch, you won't have any connectivity due to incorrectly defined WireGuard tunnel IP addresses - at the moment the server and the client wireguard interface IP address is duplicated. Server side: 

RUTXR1 config:
Private Key: mIlcoLnGy...
Public Key: /PnNTArZw...
Listen Port: 51820
IP Addresses: 10.11.3.2/32, 10.11.3.3/32

And the client side:

[Interface]
PrivateKey = 8LgT4...
Address = 10.11.3.2/32

Please refer to the provided configuration example for the correct configuration setup. It will be necessary to change the IP address values slightly. Also, I'd recommend matching MTU size on both sides as well (currently MTU is specified only on the client side).

Best regards,

Tomas.

by
Hello,

I don't want to set up a server-to-server connection, but the RUTXR1 should be the WireGuard server where the clients should connect - thus a client-to-server connection. In this case, the public key must be identical on both the server and the client according to the WireGuard description. The examples in the Teltonika wiki show only server-to-server connections, but no example for client access with WireGuard. I have modified the IP addresses so the server and the client have a unique address.

Kind regards

Thomas

Can you give an example of a configuration of the RUTXR1 as a server and Windows 10 as a client with WireGuard?
by anonymous

The principle is about the same when creating a client configuration on Windows client for example. On Windows, you'll need to add a new interface using the WG client which will automatically contain a private and public key. The public key of Windows machine (the client) must be known on the server (RUTXR1) side and that public key must have its allowed IP address assigned.

Likewise, the Windows client must know the public key of the RUTXR1 in its interface's [Peer] section, as well as the allowed IPs in the tunnel. You may choose to use a full tunnel by entering either 0.0.0.0/0 (or 0.0.0.0/1, 128.0.0.0/1) in the AllowedIPs line on the client side which, essentially, makes the WireGuard tunnel a proxy server.

As an example, I'm attaching my own WG configuration from my Windows client which is used to connect to my router (which acts like a server). Some settings like ports and IPs are different but the idea remains exactly the same. In this example I'm only trying to access the LAN resources (whole 10.10.35.0/24 subnet) behind my remote router.

[Interface]
PrivateKey = <Private key value of the Windows machine>
ListenPort = 55544
Address = 10.20.30.3/32

[Peer]
PublicKey = <Public key value of the router/server>
AllowedIPs = 10.20.30.0/24, 10.10.35.0/24
Endpoint = <External IP of the router/server>:55544
PersistentKeepalive = 30

If you still need some assistance with configuration, please generate a troubleshoot file from the router and send it over to me via private message. I'd like to take a closer look at your current WG configuration on the RUTXR1.

What's a troubleshoot file and how to generate it?

A Troubleshoot file contains the device's event logs, configuration files and other information useful for diagnostics. It can be downloaded from your device's WebUI, Troubleshoot page:

System → Administration → Troubleshoot

Best regards,

Tomas P.
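
The pairing rules from the answers above (each side lists the other side's public key, tunnel addresses are unique, and the server's AllowedIPs for a peer cover that client's address) can be checked offline before retrying the handshake. This is an added example, not part of the original thread or Teltonika's tooling; it assumes both sides are written out in wg-quick style text, and the names `pubkey`, `parse` and `lint` are hypothetical.

```python
import base64, ipaddress
P = 2**255 - 19  # Curve25519 field prime

def pubkey(private_b64):
    """Public key for a base64 private key (RFC 7748 ladder; not constant-time)."""
    k = int.from_bytes(base64.b64decode(private_b64), "little")
    k = (k & ((1 << 254) - 8)) | (1 << 254)  # clamp: clear bits 0-2 and 255, set 254
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    # bit 0 is clamped to 0, so the ladder's final conditional swap is a no-op
    return base64.b64encode((x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")).decode()

def parse(text):
    """Return [(section, {key: value})]; repeated [Peer] sections stay separate."""
    out = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            out.append((line.strip("[]").lower(), {}))
        elif "=" in line and out:
            key, value = line.split("=", 1)  # base64 values may themselves end in "="
            out[-1][1][key.strip().lower()] = value.strip()
    return out

def lint(server_conf, client_conf):
    """List pairing problems for one server/client pair ([Interface] must come first)."""
    srv, cli = parse(server_conf), parse(client_conf)
    s_if, c_if = srv[0][1], cli[0][1]
    ips = lambda v: {ipaddress.ip_interface(a.strip()).ip for a in v.split(",")}
    problems = []
    if not any(n == "peer" and d.get("publickey") == pubkey(s_if["privatekey"]) for n, d in cli):
        problems.append("client [Peer] PublicKey is not the server's public key")
    peers = [d for n, d in srv if n == "peer" and d.get("publickey") == pubkey(c_if["privatekey"])]
    if not peers:
        problems.append("server has no [Peer] with the client's public key")
    if ips(c_if["address"]) & ips(s_if["address"]):
        problems.append("same tunnel address on server and client")
    for p in peers:
        allowed = [ipaddress.ip_network(n.strip(), strict=False) for n in p["allowedips"].split(",")]
        if not all(any(a in n for n in allowed) for a in ips(c_if["address"])):
            problems.append("server AllowedIPs do not cover the client's tunnel address")
    return problems
```

Run it on a machine that is allowed to see both private keys, since the public keys are derived from them rather than trusted from the config text.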