0 votes
899 views 7 comments
by anonymous

RUTX11, FW version RUTX_R_00.07.02.1

I'm trying to connect a RUTX11 using a mobile SIM (no public IP) to my home router (EdgeRouter X) with WireGuard. My purpose is to connect these two LAN networks. My home router has a public IP address and I am able to establish a working WireGuard connection from my Android phone.

I cannot get WireGuard working with the RUTX11, however.


root@Teltonika-RUTX11:~# wg
interface: samaani
  public key: Hsc-------------------------------ilKV0=
  private key: (hidden)
  listening port: 51820

peer: iqN-----------------------------5N6cqlY=
  endpoint: public.ip.address:51820
  allowed ips: 10.10.69.0/32

I can ping google.com or 8.8.8.8, but I cannot ping my home router's public IP from the RUTX11. I can ping it from my Android phone (or from anywhere else).

Here's my home router setup:

interface: wg0
  public key: iqN------------------------------------5N6cqlY=
  private key: (hidden)
  listening port: 51820

peer: M6-----------------------------------4jNyQ=   <---- android phone, no issues
  endpoint: 85.xx.xx.xx2:15887
  allowed ips: 10.10.69.2/32
  latest handshake: 32 seconds ago
  transfer: 14.29 KiB received, 38.31 KiB sent

peer: Buw-------------------------------5dXg8=   <---- Linux PC behind home router (edgerouter x), no issues
  endpoint: 192.168.1.102:51820
  allowed ips: 10.10.69.3/32, 10.42.0.0/24
  latest handshake: 1 minute, 18 seconds ago
  transfer: 110.64 KiB received, 170.81 KiB sent

peer: Hsc---------------ilKV0=    <--- RUTX11, mobile SIM, no handshake, no connection
  allowed ips: 10.10.69.4/32

2 Answers

0 votes
by anonymous

Hello,

In the peer settings there is the setting allowed ips: 10.10.69.0/32.

I suggest trying a different IP address, one not ending in 0, as that denotes a whole network, or trying a different mask value, for example 24.

Another thing to double-check is whether you have entered the correct keys.

Best regards,

Žygimantas

by anonymous

I have now tried several different allowed IPs as you suggested, e.g. 10.10.70.60/24 and 10.10.50.6/24.

The CLI, however, always shows an allowed IP that ends in "0". If I edit the peer's allowed IP to be 10.10.50.6/24, the CLI shows it like this:


root@Teltonika-RUTX11:~# wg
interface: samaani
  public key: Hsc-------ilKV0=
  private key: (hidden)
  listening port: 51820

peer: iq-----------------5N6cqlY=
  endpoint: public.ip:51820
  allowed ips: 10.10.50.0/24
root@Teltonika-RUTX11:~#

EDIT: I have now tried changing the allowed IPs to 192.170.170.1/24, yet the CLI information above remains the same after the "wg" command.

by anonymous
When you have a /24 mask on the IP 10.10.70.60/24, the mask matches the first 24 bits of the address, the 10.10.70 part. So it makes no difference what is in the last 8 bits, and the RUTX11 is setting them to 0. If you look at what happens when the mask value is greater than 24, you will find that the .60 remains there.

You should check that your keys are correct. I too am struggling and have days in this, but I have a connection at least.

I am thinking of perhaps another solution. It would be really nice if the folks at Teltonika put up a working example of a WireGuard configuration that 1) connects to an outside VPS, and 2) routes all traffic there (I believe this happens in WireGuard if the allowed IPs are 0.0.0.0/0). I can ping, get DNS, and see that my remote IP is the VPS, but I cannot connect from the SSH session on the RUTX11 via wget to a server, nor from my iPhone connected over Wi-Fi. My use case is to use the RUTX11 as a failover for my pfSense, connected only on a LAN port (so that the failover solution itself does not become another failure point), using WireGuard to get a fixed IP so I can use that IP in other places as an allowed IP in a firewall. Sample instructions like this would be perfect: https://wildlab.org/index.php/2022/02/24/vps-vm-vpn

I have 2 WireGuard VPNs set up on OpenWrt devices, and one from an Ubuntu box, that do this exact setup with ease.
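The comment above describes how the mask decides which bits of an AllowedIPs entry survive. The following is an added example (not from the thread, not Teltonika code) that models WireGuard's cryptokey routing with Python's standard ipaddress module: an entry is stored as a network prefix, so 10.10.70.60/24 is shown as 10.10.70.0/24 while a /32 keeps its host part; an outgoing packet is handed to the one peer whose AllowedIPs contains the destination with the longest prefix; and a decrypted inbound packet is accepted only if its source lies in the sending peer's AllowedIPs. The prefixes are the ones posted in this thread; the peer names and the home router's tunnel address 10.10.69.1 are assumptions.

```python
"""Cryptokey routing as WireGuard applies it to AllowedIPs.

Added example, not from the thread. Peer names and SERVER_TUNNEL_ADDR are
assumed; the prefixes are the ones posted above."""
import ipaddress


def normalize_allowed_ip(cidr):
    """Return the prefix the way `wg show` prints it: host bits cleared."""
    return str(ipaddress.ip_network(cidr, strict=False))


def select_peer(peers, dst):
    """Outbound lookup: longest-prefix match over every peer's AllowedIPs.
    None means no peer claims the destination and the kernel refuses to
    send the packet into the tunnel."""
    dst = ipaddress.ip_address(dst)
    best_peer, best_len = None, -1
    for name, allowed in peers.items():
        for cidr in allowed:
            net = ipaddress.ip_network(cidr, strict=False)
            if dst in net and net.prefixlen > best_len:
                best_peer, best_len = name, net.prefixlen
    return best_peer


def accepts_inbound(allowed, src):
    """Inbound check: a packet decrypted from a peer is dropped unless its
    source address is inside that peer's AllowedIPs."""
    src = ipaddress.ip_address(src)
    return any(src in ipaddress.ip_network(c, strict=False) for c in allowed)


# RUTX11 side, peer entry for the home router as first posted: a /32 on the
# network address covers only 10.10.69.0 itself, nothing else.
RUTX11_AS_POSTED = {"home-router": ["10.10.69.0/32"]}
# The same peer with the /24 the poster later used.
RUTX11_FIXED = {"home-router": ["10.10.69.0/24"]}

# Home router side: the three peers from the question.
HOME_ROUTER_PEERS = {
    "android-phone": ["10.10.69.2/32"],
    "linux-pc": ["10.10.69.3/32", "10.42.0.0/24"],
    "rutx11": ["10.10.69.4/32"],
}

# A catch-all peer (the "route everything through a VPS" case from the
# comments) still loses to a more specific prefix on another peer.
CATCH_ALL = {"vps": ["0.0.0.0/0"], "lan-peer": ["10.10.69.3/32"]}

SERVER_TUNNEL_ADDR = "10.10.69.1"   # assumed address of wg0 on the home router


if __name__ == "__main__":
    print(normalize_allowed_ip("10.10.70.60/24"))             # 10.10.70.0/24
    print(normalize_allowed_ip("10.10.50.6/32"))              # 10.10.50.6/32
    print(select_peer(RUTX11_AS_POSTED, SERVER_TUNNEL_ADDR))  # None
    print(select_peer(RUTX11_FIXED, SERVER_TUNNEL_ADDR))      # home-router
    print(select_peer(HOME_ROUTER_PEERS, "10.42.0.7"))        # linux-pc
    print(select_peer(CATCH_ALL, "8.8.8.8"))                  # vps
    print(select_peer(CATCH_ALL, "10.10.69.3"))               # lan-peer
    print(accepts_inbound(RUTX11_AS_POSTED["home-router"], SERVER_TUNNEL_ADDR))  # False
```

With the posted 10.10.69.0/32 the RUTX11 has no peer for any real tunnel address, so nothing it sends can trigger a handshake, and even a packet that arrived from the server would be dropped on the inbound check. The /24 fixes both directions; on the server side the per-peer /32 entries are what stop one client from spoofing another's tunnel address.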
by anonymous
I have tried now:

1. disabling firewall --> no handshake

2. full factory reset and setting up new wireguard instance --> no handshake

I can ping the target from the CLI, but it doesn't initiate the handshake. And as said before, I don't have any issues making a WireGuard connection from other devices to the same target. Only the RUTX11 has this problem.

Any help ?
by anonymous
I have the unencrypted private key from the interface on the RUTX11 interface, whatever private key is there. Then on the peer I have the unencrypted public key from the peer, a preshared key, Route Allowed IPs set to ON and a keep alive of 25. There is nowhere for DNS, and no value to put on the interface for the public key - these values have no matches from the wireguard-install.sh script that creates the peer. It would be nice to have a real example, and an explanation of the DNS settings on the RUTX11, as I appear to have a DNS issue on my tunnel.
by anonymous

Hello,

Please check the WireGuard configuration example below:

https://wiki.teltonika-networks.com/view/WireGuard_Configuration_Example.

Best regards

0 votes
by anonymous
I finally got it working by selecting "Route allowed IPs" and adding a keep alive of 25s. I think especially the keep alive was the answer, since I had tried the "Route allowed IPs" option before.

And before this "keep alive" trick, all my other clients worked only with the 0.0.0.0/0 wildcard in the Allowed IPs section. However, after activating a "keep alive" of 25s in these clients as well, they also connect beautifully with other IPs (like 10.10.69.0/24).

Anyway, everything works now!

If someone knows why optional "keep alive" helped this much, please share your knowledge!

Thanks anyone who tried to help!
by anonymous

The need for Keep Alive is explained on the WireGuard page here, in the section "NAT and Firewall Traversal Persistence". Since your RUTX11 is behind NAT (no public IP), it might be a reason.
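The answer and the reply above come down to one diagnostic: look at the handshake state of each peer and, on the side that sits behind NAT, whether a keepalive is set. Below is an added example (not from the thread) that parses the machine-readable output of `wg show <iface> dump` and triages each peer: a latest-handshake of 0 means no handshake was ever completed (the RUTX11's state in the question), a handshake older than 180 s means the session has expired, a peer with no known endpoint can only be reached once it connects to us first, and, on a device behind NAT, a missing PersistentKeepalive is flagged because nothing else keeps the carrier's NAT mapping open between bursts of traffic. Both dumps are constructed to mirror the two `wg` listings posted earlier; the keys and endpoints are placeholders.

```python
"""Triage WireGuard peers from `wg show <iface> dump` output.

Added example, not from the thread. The two dumps are constructed: keys and
endpoints are placeholders, the shape follows the listings posted above."""

NOW = 1_700_000_000           # fixed clock so the sample is repeatable
STALE_AFTER = 180             # WireGuard's REJECT_AFTER_TIME in seconds

# `wg show <iface> dump` is tab separated. First line:
#   private-key  public-key  listen-port  fwmark
# then one line per peer:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# with "(none)" / "off" / 0 for an unset preshared key, endpoint, keepalive
# or handshake.
HOME_ROUTER_DUMP = "\n".join([
    "\t".join(["HOME_PRIV", "HOME_PUB", "51820", "off"]),
    "\t".join(["PHONE_PUB", "(none)", "203.0.113.2:15887", "10.10.69.2/32",
               str(NOW - 32), "14633", "39229", "off"]),
    "\t".join(["PC_PUB", "(none)", "192.168.1.102:51820", "10.10.69.3/32,10.42.0.0/24",
               str(NOW - 78), "113295", "174909", "off"]),
    "\t".join(["RUTX11_PUB", "(none)", "(none)", "10.10.69.4/32", "0", "0", "0", "off"]),
])

# The RUTX11's own view: endpoint known, nothing ever came back.
RUTX11_DUMP = "\n".join([
    "\t".join(["RUTX11_PRIV", "RUTX11_PUB", "51820", "off"]),
    "\t".join(["HOME_PUB", "(none)", "203.0.113.1:51820", "10.10.69.0/32",
               "0", "0", "0", "off"]),
])

PEER_FIELDS = ("public_key", "preshared_key", "endpoint", "allowed_ips",
               "latest_handshake", "rx", "tx", "keepalive")


def parse_dump(text):
    """Return (interface dict, list of peer dicts) from dump output."""
    lines = [l for l in text.splitlines() if l.strip()]
    iface = dict(zip(("private_key", "public_key", "listen_port", "fwmark"),
                     lines[0].split("\t")))
    peers = []
    for line in lines[1:]:
        p = dict(zip(PEER_FIELDS, line.split("\t")))
        p["allowed_ips"] = p["allowed_ips"].split(",")
        p["latest_handshake"] = int(p["latest_handshake"])
        peers.append(p)
    return iface, peers


def triage(peers, behind_nat, now=NOW):
    """Map each peer's public key to a list of findings (empty = healthy).
    behind_nat says whether THIS device has no public address, in which
    case it is the side that must send keepalives."""
    findings = {}
    for p in peers:
        notes = []
        age = now - p["latest_handshake"]
        if p["latest_handshake"] == 0:
            notes.append("no handshake ever completed")
        elif age > STALE_AFTER:
            notes.append(f"last handshake {age} s ago, session expired")
        if p["endpoint"] == "(none)":
            notes.append("no endpoint known, this side cannot initiate; the peer must reach us first")
        if behind_nat and p["keepalive"] == "off":
            notes.append("no PersistentKeepalive while behind NAT; set 25 s so the mapping stays open")
        findings[p["public_key"]] = notes
    return findings


if __name__ == "__main__":
    for label, dump, nat in (("home router", HOME_ROUTER_DUMP, False),
                             ("RUTX11", RUTX11_DUMP, True)):
        _, peers = parse_dump(dump)
        for key, notes in triage(peers, nat).items():
            print(f"{label}: {key}: {notes or ['ok']}")
```

Run it against a live box with `wg show samaani dump` piped into parse_dump. The "no endpoint" finding on the server side is the mirror image of the keepalive finding on the client side: the server can never open the session to a NAT'd peer, so the NAT'd peer must both initiate and keep the mapping alive.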

by anonymous
Glad you got it working. The RUTX11 configuration example provided by another is for two Teltonika devices. What would be best would be to have one Teltonika and an external WireGuard server as well. That is probably the most common setup, and it would clear up the ambiguity of which values from the WireGuard server to put where on the RUTX11, since they don't match, like they do on other OpenWrt devices. It seems to me that the values in a conf file created by the wireguard-install.sh script ought to map straight to values on the RUTX11 with no confusion. The script provides a QR code to make this easy, yet it's not on the RUTX11. Sample configuration file with bogus values (note: there is no public key for the interface that the RUTX11 wants, and there is no place on the RUTX11 for the DNS; I am not really sure why there is a switch for route allowed IPs, as the point of 'allowed ips' in the conf is to route them -- it's redundant -- but it does seem to be a sticking point; perhaps the 'advanced' part on the peer should simply be merged into the 'basic' part, there are only a few values):
[Interface]
Address = 10.7.0.8/24
DNS = 208.67.222.222, 208.67.220.220
PrivateKey = nizEmXW2UgxjK8UzQVdlVJma4vADlQQcxZNqZJKUbGE=

[Peer]
PublicKey = EP4vzuY58KLG/+LSKim/UbrPbBUXMtmlUHeINVHnqFh=
PresharedKey = FkxqC7CUZUVhGC+rDUhNs5UWZ3xlohYWD8LB0jOvrtw=
AllowedIPs = 10.7.0.8/32
Endpoint = 174.122.196.116:51820
PersistentKeepalive = 25
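
The comment above asks where each line of such a .conf goes on an OpenWrt-based router and why there is no box for the interface's public key. The following is an added example (not Teltonika's code and not from the thread) that parses a wg-quick client .conf, derives the interface public key from the private key (which is why no UI asks for it: WireGuard computes it, X25519 base-point multiplication per RFC 7748, done here in plain Python so nothing needs installing), and prints the equivalent UCI fragment. Assumptions: the option names are OpenWrt netifd's `proto wireguard` names; RUTOS is OpenWrt-based, but its web UI labels and exact UCI keys may differ. The sample .conf is constructed: it reuses the posted addresses and bogus preshared key, takes its private and peer public keys from the RFC 7748 section 6.1 test vectors so the derived key can be checked against the RFC, and sets AllowedIPs to 0.0.0.0/0 for the "route everything through the VPS" case raised earlier.

```python
"""wg-quick .conf -> OpenWrt-style UCI WireGuard options, plus public key
derivation. Added example, not Teltonika's code; UCI option names are
OpenWrt netifd's and are an assumption for RUTOS. Sample conf constructed."""
import base64

P = 2**255 - 19


def x25519_public_key(private_key):
    """X25519 base-point multiplication (RFC 7748 Montgomery ladder): the
    public key WireGuard derives from a 32-byte private key."""
    k = bytearray(private_key)
    k[0] &= 248; k[31] &= 127; k[31] |= 64            # clamp the scalar
    scalar = int.from_bytes(k, "little")
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0       # base point u = 9
    for t in range(254, -1, -1):
        bit = (scalar >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def interface_public_key(private_key_b64):
    """Base64 public key for a base64 private key, like `wg pubkey`."""
    return base64.b64encode(x25519_public_key(base64.b64decode(private_key_b64))).decode()


def parse_conf(text):
    """Minimal wg-quick .conf parser: ([Interface] dict, list of [Peer] dicts).
    A repeated key (e.g. several AllowedIPs lines) is joined with commas."""
    interface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            if line.lower() == "[interface]":
                cur = interface
            else:
                cur = {}
                peers.append(cur)
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        cur[key] = f"{cur[key]},{value}" if key in cur else value
    return interface, peers


def to_uci(interface, peers, name="wg0"):
    """Emit a UCI /etc/config/network fragment for the interface and peers."""
    out = [f"# derived interface public key, give this to the server: "
           f"{interface_public_key(interface['PrivateKey'])}",
           f"config interface '{name}'",
           "\toption proto 'wireguard'",
           f"\toption private_key '{interface['PrivateKey']}'"]
    out += [f"\tlist addresses '{a.strip()}'" for a in interface["Address"].split(",")]
    out += [f"\tlist dns '{d.strip()}'" for d in interface.get("DNS", "").split(",") if d.strip()]
    for i, peer in enumerate(peers, 1):
        host, _, port = peer["Endpoint"].rpartition(":")
        out += ["", f"config wireguard_{name}", f"\toption description 'peer{i}'",
                f"\toption public_key '{peer['PublicKey']}'"]
        if "PresharedKey" in peer:
            out.append(f"\toption preshared_key '{peer['PresharedKey']}'")
        out += [f"\tlist allowed_ips '{a.strip()}'" for a in peer["AllowedIPs"].split(",")]
        # "Route Allowed IPs" in the UI: also install kernel routes for allowed_ips
        out += ["\toption route_allowed_ips '1'", f"\toption endpoint_host '{host}'",
                f"\toption endpoint_port '{port}'"]
        if "PersistentKeepalive" in peer:
            out.append(f"\toption persistent_keepalive '{peer['PersistentKeepalive']}'")
    return "\n".join(out)


# RFC 7748 section 6.1 test vectors stand in for the client and server keys.
RFC7748_ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
RFC7748_ALICE_PUB_HEX = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
RFC7748_BOB_PUB_HEX = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"

SAMPLE_CONF = f"""
[Interface]
Address = 10.7.0.8/24
DNS = 208.67.222.222, 208.67.220.220
PrivateKey = {base64.b64encode(RFC7748_ALICE_PRIV).decode()}

[Peer]
PublicKey = {base64.b64encode(bytes.fromhex(RFC7748_BOB_PUB_HEX)).decode()}
PresharedKey = FkxqC7CUZUVhGC+rDUhNs5UWZ3xlohYWD8LB0jOvrtw=
AllowedIPs = 0.0.0.0/0
Endpoint = 174.122.196.116:51820
PersistentKeepalive = 25
"""

if __name__ == "__main__":
    iface, peers = parse_conf(SAMPLE_CONF)
    print(to_uci(iface, peers))
```

The derived key printed in the first comment line is the value the server operator needs for its own [Peer] entry; on a real box `wg pubkey < privatekey` gives the same answer. The PrivateKey from the .conf goes on the interface, everything under [Peer] goes on the peer, and the DNS list is an interface property rather than a WireGuard one, which is why the WireGuard peer form has no field for it.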