0 votes
1,052 views 8 comments
by anonymous
I want to be able to connect to my LAN network (connected to RUT950) via WireGuard VPN, but whatever I try I fail at setting up my RUT950 as a WireGuard server.

1 Answer

0 votes
by anonymous

Hello,

We have a detailed WireGuard configuration example on our wiki page here: https://wiki.teltonika-networks.com/view/WireGuard_Configuration_Example

Please note that your router (server) needs to have either a static external public IP or a dynamic external public IP with a dynamic DNS service configured, otherwise it won't be accessible by conventional means. If your WAN (internet) IP address on the router is within one of the following ranges, then I'm afraid it won't be possible to connect to your router directly from somewhere else:

10.0.0.0 - 10.255.255.255

172.16.0.0 - 172.31.255.255

100.64.0.0 - 100.127.255.255

192.168.0.0 - 192.168.255.255

Best regards,

Tomas.
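The range check from the answer above, as an added shell example that is not part of the original post or of Teltonika's documentation: it classifies a WAN IPv4 address against the four listed ranges. The function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a WAN IPv4 address against the ranges in the answer.

# Print the address as an integer; fail on anything but a strict dotted quad.
ip_to_int() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the octets on "."
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*) return 1 ;; esac   # leading zeros would parse as octal
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies in the inclusive range $2 - $3.
in_range() {
    a=$(ip_to_int "$1") && lo=$(ip_to_int "$2") && hi=$(ip_to_int "$3") || return 2
    [ "$a" -ge "$lo" ] && [ "$a" -le "$hi" ]
}

# Print "cgnat", "private", "public" or "invalid" for a WAN address.
classify_wan() {
    ip_to_int "$1" >/dev/null || { echo "invalid"; return 2; }
    if in_range "$1" 100.64.0.0 100.127.255.255; then
        echo "cgnat"
    elif in_range "$1" 10.0.0.0 10.255.255.255 ||
         in_range "$1" 172.16.0.0 172.31.255.255 ||
         in_range "$1" 192.168.0.0 192.168.255.255; then
        echo "private"
    else
        echo "public"
    fi
}

# Constructed sample addresses, not taken from the thread.
for wan in 203.0.113.10 100.72.1.9 192.168.1.1 172.32.0.1 10.0.0.256; do
    printf '%-14s %s\n' "$wan" "$(classify_wan "$wan")"
done
```

Feed it the WAN address shown on the router itself; a result other than "public" means the router is in one of the ranges the answer lists.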

by anonymous
Hi Tomas,

I did it exactly according to the configuration example but cannot get a handshake. I do have a public IP 109.xxx.xxx.xxx so that shouldn't be a problem.
by anonymous

That's rather unusual, I'd highly advise double-checking the ports and possibly setting WireGuard tunnel MTU to a lower value on both ends (1380 for example).

If that doesn't help, could you please generate a troubleshoot file and send it over to me via private message? I'll leave instructions on how to generate the troubleshoot file, as well as a brief description of what it is, below.

What's a troubleshoot file and how to generate it?

A Troubleshoot file contains the device's event logs, configuration files and other information useful for diagnostics. It can be downloaded from your device's WebUI, Troubleshoot page:

System → Administration → Troubleshoot

Best regards,

Tomas.

by anonymous

Hi,

Is there any chance to connect to one of these IPs:

100.64.0.0 - 100.127.255.255

We have them on the wireless side.

What we need to do is to connect via LTE into the Network via VPN to directly connect from there to other devices.

Regards

Alex

by anonymous
100.64.0.0/10 is a private range of IP addresses used for carrier-grade NAT; they can't be reached from the outside world.

So no, you can't connect to them.
by anonymous

Okay,

Thanks for the info. But why does it work within a normal private network but not in this range?

I am in this network and I can reach the web gui.

How can I connect into the System via SIM by VPN?

Alex

by anonymous
Sorry for the misunderstanding, 100.64.0.0/10 cannot be seen from the rest of the world but a device in this range can reach outside public addresses.

Could you explain what you are trying to achieve exactly?
by anonymous
We want to remotely access all devices directly via IP. To achieve this, we want to connect to the local network using a VPN. Since the system can only be accessed via mobile networks, we need a solution using LTE. For this purpose, we have IoT SIM cards with an IP address in the mentioned range. We can access this range by connecting to the provider's network via OpenVPN. Once connected, we can also reach the web GUI of the Teltonika switch. Now, we want to establish a second VPN using WireGuard, which will allow us to access the internal network behind the router from there.

How can we solve this task?
by anonymous
This is a somewhat unusual configuration, the mobile provider giving access to some parts of its private address range. If you can reach the LTE router on a 100.64.0.0/10 address you shouldn't need to build another VPN layer above the OpenVPN tunnel; just enable NAT on the wan=>lan in the firewall, and add the appropriate routes. This may be a little tricky, however.

What is the LAN network address of the router? Of the OpenVPN tunnel? Of your local LAN? A simple drawing will help here (a handwritten one will do).

If you want to take the WireGuard route, then you need to set the router as the termination point, bind the wg interface to a port (51820?), assign keys and create a peer. This peer should be able to connect to the router; then it will be easy to set the Allowed IPs and reach the devices on the LAN. The MTU of the wg interface will need to be set to a small enough value (the MTU of the OpenVPN tunnel minus 80 at most).