0 votes
1,436 views 10 comments
by anonymous
Have you guys actually used and tested the Wireguard functionality? It's a buggy mess. The webinterface often locks up with some "saving configuration now please wait..." dialog that stays forever, and now for some reason I can't ping anymore just because I changed the IP range inside the tunnel.

I'm using two RUT240 with latest firmware, everything is configured exactly the same. Now one works, one doesn't.

1 Answer

0 votes
by anonymous

Hello,

Have you followed the steps provided in this page: https://wiki.teltonika-networks.com/view/WireGuard_Configuration_Example.

Have you checked other threads related to Wireguard configuration in this forum?

It would also be helpful if you could provide more details in regards to your configuration, or a troubleshoot file.

Best regards,

by anonymous
Yes, I've followed the example and had a working setup with two RUT240 connecting to a Debian Linux 11 Server. No, did not check other threads because the configuration manual was fine and enabled me to configure the routers and have a working setup.

Then I changed the IP addresses of the endpoints inside the tunnel as well as the allowed IPs. That's the only thing I've changed. Did this on both routers. On one it worked, on the other it didn't. I can see the tunnel is established with the "wg" command both on the Linux Server as well as on the RUT240. When I ping from the RUT240 to the Linux server, I don't see the ICMP packets incoming on the Linux Server VPN interface. When I ping from the Linux server to the RUT240, I can see the packets going out on the tunnel interface, but the RUT240 never answers them.
by anonymous
I've reset the router that didn't pass any traffic inside the tunnel and configured it again with exactly the same settings. Now it's working again.
by anonymous
Now I changed two things:

- Added another allowed IP range in Wireguard settings

- Changed firewall settings for LAN->Wireguard to accept/accept/accept.

Poof and the device is not accessible anymore. Webinterface tells me it couldn't contact the device after config change. Ping doesn't work anymore, Webinterface doesn't work anymore. After Powercycle the same. I can see it still answers ARP requests though.

Seriously, have you guys considered doing some more testing maybe? This is so annoying.
by anonymous
What are your firewall settings for Wireguard -> Lan ?
by anonymous
Before the device became unresponsive it was default (accept/accept/reject if I remember correctly). I have set it to accept/accept/accept.

What the settings are now I cannot tell because the device is not accessible anymore.
by anonymous
Could you draw a diagram of your network with addresses / netmasks on the lan and wg interfaces, allowed IPs ... (a handwritten one will do).

Have you set "Route Allowed IPs" in the peer's Advanced Settings ?
by anonymous

Thanks for your help.

Yes, I have set "Route Allowed IPs" in the peer's advanced settings.

Please see below for a network diagram. So far I have been able to establish the two Wireguard tunnels to the Server on the Internet (the Server on the Internet is needed because the RUT240s are online via LTE network that doesn't provide public IPs) and pinging between the two RUT240 and the Linux Server is possible. I.e. pinging the transfernet IP 172.20.20.2 on RUT240-2 is possible from RUT240-1.

Now I would like to be able to reach the Embedded Controller on Site "B" from the Server that is located on Site "A", i.e. 10.30.225.10/26 shall be able to ping 172.20.30.10/24.

Edit: Sorry somehow the image is distorted in the forum here, please use the link on ibb.co to see the full resolution image:

https://ibb.co/7pRqbKq

by anonymous

The simplest:

  • On the RUT240-1 : add 172.20.30.0/24 to the Allowed IPs list.
  • On the RUT240-2 : add 10.30.225.0/24 to the Allowed IPs list.

and on the Debian server:

  • add 172.20.30.0/24 to the Allowed IPs list of the 172.20.20.2 peer
  • add 10.30.225.0/24 to the Allowed IPs list of the 172.20.20.1 peer

A more granular routing using /32 masks is possible but would bring very little there.

by anonymous
Thanks a lot, now it's working.

Out of curiosity I've tried reproducing the Router becoming unresponsive, i.e. no more pings answered and webinterface not reachable anymore: It happens when you put an IP range in Allowed-IPs that is local on the router. I.e. put Allowed-IPs "172.20.30.0/24" on RUT240-2, hit "save and apply" and poof it's gone.

But my question still remains: Did you guys actually use/try it? Every other time the webinterface just sits there with some message like "configuring ..." or the like and doesn't come back until I hit reload. Sometimes I'm on the main-menu screen, sometimes on the login screen afterwards. Sometimes, after making a change in the Wireguard VPN settings, it doesn't give a message but logs me out and I'm on the login screen again suddenly. This is not very convincing, I'm afraid if I have to do a simple change in the future I'll end up with an unresponsive router or other weird issues.
by anonymous

put Allowed-IPs "172.20.30.0/24" on RUT240-2, hit "save and apply" and poof it's gone

The router will then route to itself and the packets are dropped as soon as the TTL is reached.

But my question still remains: Did you guys actually use/try it?

I use wireguard all the time on a bunch of routers (both OpenWrt and DD-WRT based) / Linux / Android / WINxx devices no issue for me.
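The two technical points in this thread, the "simplest" AllowedIPs fix for reaching one site's LAN from the other through the Debian hub, and the self-routing failure when a router's own LAN is put into its AllowedIPs, can both be checked before hitting "save and apply". The script below is an added example, not code from this thread or from Teltonika. It uses the addresses from the thread (RUT240-1 LAN 10.30.225.0/24, RUT240-2 LAN 172.20.30.0/24, transfer net 172.20.20.0/24 with 172.20.20.1 and 172.20.20.2); the peer labels, the assumption that the hub has no LAN of its own, and the pre-fix AllowedIPs lists (one /32 per spoke on the hub, only the transfer net on each spoke) are constructed for the example. The overlap check is generalised slightly beyond the thread: it flags any AllowedIPs entry with the same or a longer prefix than the router's LAN, not just the exact /24 that caused the lockout.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass
class Peer:
    name: str                 # label of the remote node, e.g. "debian-hub" (constructed label)
    allowed_ips: list[str]    # AllowedIPs entries configured for this peer


@dataclass
class Node:
    name: str
    lan: Optional[str]        # subnet on the node's own non-tunnel interface (None for the hub)
    peers: list[Peer]


def _covered(subnet: str, allowed: list[str]) -> bool:
    """True if some AllowedIPs entry already contains the whole subnet."""
    net = ip_network(subnet, strict=False)
    return any(net.subnet_of(ip_network(a, strict=False)) for a in allowed)


def allowed_ips_overlapping_lan(node: Node) -> list[tuple[str, str]]:
    """(peer, entry) pairs whose AllowedIPs route would compete with the node's
    connected LAN route (same or longer prefix). With "Route Allowed IPs" on,
    such an entry steers the router's own LAN, management address included,
    into the tunnel: the self-routing failure described in the thread.
    A shorter prefix that merely contains the LAN is not flagged, since the
    connected route still wins by longest-prefix match."""
    if node.lan is None:
        return []
    lan = ip_network(node.lan, strict=False)
    hits = []
    for peer in node.peers:
        for entry in peer.allowed_ips:
            net = ip_network(entry, strict=False)
            if net.overlaps(lan) and net.prefixlen >= lan.prefixlen:
                hits.append((peer.name, entry))
    return hits


def missing_allowed_ips(hub: Node, spokes: list[Node]) -> list[tuple[str, str, str]]:
    """(node, peer, subnet) entries still needed so each spoke LAN reaches every
    other spoke LAN through the hub: a spoke's hub peer must allow the other
    spokes' LANs, and the hub's peer for a spoke must allow that spoke's LAN."""
    todo = []
    for spoke in spokes:
        hub_peer = next(p for p in spoke.peers if p.name == hub.name)
        for other in spokes:
            if other is not spoke and not _covered(other.lan, hub_peer.allowed_ips):
                todo.append((spoke.name, hub_peer.name, other.lan))
        hub_side = next(p for p in hub.peers if p.name == spoke.name)
        if not _covered(spoke.lan, hub_side.allowed_ips):
            todo.append((hub.name, hub_side.name, spoke.lan))
    return todo


def apply_fixes(nodes: dict, fixes) -> None:
    """Append each (node, peer, subnet) entry to the matching AllowedIPs list."""
    for node_name, peer_name, subnet in fixes:
        peer = next(p for p in nodes[node_name].peers if p.name == peer_name)
        if subnet not in peer.allowed_ips:
            peer.allowed_ips.append(subnet)


def build_lab() -> dict:
    """Constructed pre-fix state (assumption, not taken from the thread): the hub
    holds one /32 per spoke, each spoke allows only the transfer net towards the hub."""
    return {
        "debian-hub": Node("debian-hub", None, [
            Peer("RUT240-1", ["172.20.20.1/32"]),
            Peer("RUT240-2", ["172.20.20.2/32"]),
        ]),
        "RUT240-1": Node("RUT240-1", "10.30.225.0/24", [Peer("debian-hub", ["172.20.20.0/24"])]),
        "RUT240-2": Node("RUT240-2", "172.20.30.0/24", [Peer("debian-hub", ["172.20.20.0/24"])]),
    }


if __name__ == "__main__":
    lab = build_lab()
    fixes = missing_allowed_ips(lab["debian-hub"], [lab["RUT240-1"], lab["RUT240-2"]])
    for fix in fixes:
        print("add", fix)
    apply_fixes(lab, fixes)
    # The mistake from the thread: site B's own LAN put into AllowedIPs on site B's router.
    lab["RUT240-2"].peers[0].allowed_ips.append("172.20.30.0/24")
    print("self-routing entries:", allowed_ips_overlapping_lan(lab["RUT240-2"]))
```

Run as a script it prints the four entries the answer above recommends (one on each RUT240, two on the Debian hub), then shows the overlap check catching the 172.20.30.0/24 entry that made RUT240-2 unreachable. Feeding it the real AllowedIPs lists before applying a change is a cheap way to avoid the lockout without a power cycle and reset.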