by
I am using a RUT955 as a WireGuard peer with an AWS server running a WireGuard server on a static IP.

Note: Getting internet from WAN and 4G

Over WAN it is generally working fine and connecting to the server, and I can ping from AWS to the RUT955 and vice versa.

The issue starts when failover happens and the RUT955 switches from WAN to 4G.

But I can't ping the AWS server anymore.

I have checked after some time; it is only possible to ping when I specify the WireGuard interface in the ping command:

ping -I wg0 <VPN server Ip address>

The normal ping command doesn't work: ping <VPN server IP address>

Can you give a guide on how I can fix it?

2 Answers

by
Just an update:

The WireGuard client can ping the VPN server if no failover is configured.

Once failover is enabled for mob1s1a1 and wan, I can't ping the VPN server using the ping command.

I must specify the interface (-I wg0) to ping.
by

Hello,

Thank you for your question.

Could you provide two troubleshoot files from your RUT955? One when everything is working correctly and you can ping the AWS server, and one when failover is active and you can't ping the server.

You can find it on your device's WebUI > System > Administration > Troubleshoot.

Also, try to change your VPN MTU on both the router and the AWS VPN server to 1380.

On the RUT955 you can change it by navigating to WebUI > Services > VPN > WireGuard, editing your tunnel and navigating to Advanced Settings:

Don't forget to also change MTU on your server.

Kind regards,

Edvinas

by

I have attached the troubleshoot file.

Two folders are included inside. One shows the troubleshoot when ping is working and the other when ping is not working.

FolderInsideWithPingandNoPing

The only thing changed from my side is that I enabled failover for WAN and mob1s1a1.

Both of those WANs are live and online.

Note: Ping with the wg0 interface specified is working fine and pinging the server (10.1.1.1)

ping -I wg0 10.1.1.1

by
Hello,

I've checked your configuration, but I could not find the issue yet. Here are a few more things that I need you to check:

1. Connect to your AWS SSH and type the command: cat /etc/wireguard/wg0.conf then send me the output of it (hide your private key).

2. I was not able to ping your public IP (only the SSH port was open). Check your AWS firewall settings; you've probably disabled ping requests from unknown IP addresses. Please open ping to all IP addresses.

3. Also try again to lower the MTU on both the AWS server and the RUT955 device to 1360.

Kind regards,

Edvinas
by

ICMP was blocked on AWS. I enabled it.

Changed the MTU to 1360 on both server and client.

Also, after some debugging, I got it working somehow (not ideal).

I blocked WireGuard from adding any routes by switching off:

Route Allowed IPs (inside WireGuard peer settings)

Then ran the following:

ip route add 10.1.1.0/24 via 10.1.1.4 dev wg0

Note: 10.1.1.4 is the IP address of the Teltonika router client and 10.1.1.1 is the VPN address of the AWS server

Now I can

ping 10.1.1.1

Though I'm still not sure which link the VPN is using, (WAN) or (WWAN).

The cat /etc/wireguard/wg0.conf file from the AWS server is given below

by
Hello,

Could you clarify what you mean by "not ideal"?

If you have further issues please provide a new troubleshoot file from the RUT device.

And also from your router's SSH run the command: traceroute google.com

Kind regards,

Edvinas
by
Not ideal means I can't ping the local LAN through the remote VPN server.

Notice in wg0.conf: 192.168.X.X are local LAN devices.

I am trying to figure out the ip route add command to resolve this issue.

Furthermore, there is a serious issue: I don't have control over which network the VPN is running on.

For example, imagine a situation where WAN is down and 4G is up. The VPN is working fine over 4G.

Then WAN comes back up. Failover switches the router to WAN. But I noticed the VPN is still using 4G.
by

> Not ideal means I can't ping the local LAN through the remote VPN server.

  1. Check if you have configured the routes correctly from the VPN server to the Teltonika device.
  2. Check if the WireGuard zone can forward traffic between zones (from WG to LAN / from LAN to WG).

> Notice in wg0.conf: 192.168.X.X are local LAN devices.
> I am trying to figure out the ip route add command to resolve this issue.

  1. What does the traceroute show?
  2. If a static route is needed: ip route add <subnet_you_want_to_reach> via <gateway_IP> dev <interface name>
  3. This route will disappear on a network reboot/power cycle of the VPS. Remember to add it as a persistent route.

> Furthermore, there is a serious issue: I don't have control over which network the VPN is running on.
> For example, imagine a situation where WAN is down and 4G is up. The VPN is working fine over 4G.
> Then WAN comes back up. Failover switches the router to WAN. But I noticed the VPN is still using 4G.

  1. Is the failover configured with the Flush connections option? You can find this setting in Network > Failover, by pressing the Edit button and enabling the Disconnect and Connect options:

Kind regards,

Edvinas
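Added example (not code from the thread, Teltonika or WireGuard) illustrating two points raised above: the "Route Allowed IPs" setting simply turns each peer's AllowedIPs into kernel routes, and the server-side check for reaching the router's LAN is whether 192.168.X.X appears in the RUT955 peer's AllowedIPs, because WireGuard's cryptokey routing drops any packet whose destination matches no peer. The wg0.conf below is a constructed stand-in (placeholder keys, 192.168.1.0/24 standing for the 192.168.X.X LAN), parsed by a small hand-written reader, and the output shows the route commands and the reachability verdict before and after the LAN is added.

```python
import ipaddress

# Constructed sample of the server-side wg0.conf the thread refers to: server 10.1.1.1,
# RUT955 peer 10.1.1.4, LAN 192.168.1.0/24 (constructed stand-in for the 192.168.X.X
# devices) behind the router. Keys are placeholders, not real key material.
BEFORE_CONF = """
[Interface]
Address = 10.1.1.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>

[Peer]
PublicKey = <RUT955_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.1.1.4/32
"""
# Same config after the router's LAN has been added to the peer's AllowedIPs.
AFTER_CONF = BEFORE_CONF.replace("AllowedIPs = 10.1.1.4/32",
                                 "AllowedIPs = 10.1.1.4/32, 192.168.1.0/24")

def parse_wg_conf(text):
    """Return (interface, peers) dicts; hand-parsed because [Peer] sections may repeat."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return interface, peers

def allowed_networks(peer):
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("AllowedIPs", "").split(",") if n.strip()]

def routes_for_allowed_ips(peers, dev="wg0"):
    """The 'ip route' commands that 'Route Allowed IPs' would install for these peers."""
    return [f"ip route add {net} dev {dev}" for p in peers for net in allowed_networks(p)]

def peer_for_destination(peers, dst):
    """Cryptokey routing: the peer allowed to carry dst (longest prefix), or None if dropped."""
    addr, best = ipaddress.ip_address(dst), None
    for peer in peers:
        for net in allowed_networks(peer):
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best[0] if best else None

if __name__ == "__main__":
    for label, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        _, peers = parse_wg_conf(conf)
        verdict = "LAN reachable" if peer_for_destination(peers, "192.168.1.10") else "LAN dropped"
        print(label, verdict, routes_for_allowed_ips(peers))
```

Even with the peer entry fixed, the router-side firewall still has to forward between the WireGuard and LAN zones, which this script does not check.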