0 votes
512 views 2 comments
by anonymous
Hello

I'm trying to migrate from GL.Inet to RUTX11.

One thing I need is to route all traffic over WireGuard + KillSwitch.

I'm already failing on the WireGuard...

I'm able to set up the WireGuard connection and routing ONLY when I set the allowed IPs to 192.0.0.0/8.

If I set 0.0.0.0/0 (or 0.0.0.0/1 + 128.0.0.0/1) then the WireGuard client on RUTX11 won't connect to my WG server.

It looks like the external IP address (myWgServer.example.domain) is not accessible when allowed IPs is set to 0.0.0.0/0.

Question: does anyone know how to fix it? On GL.Inet there is an option to exclude domain names (myWgServer.example.domain) from VPN routing.

Question 2: any ideas how to realise kill switch functionality on the RUTX?

Thanks for any hints!

Lukas
by anonymous

Just an update.

I have managed to set up the following:

1. WiFi network (magnet-vpn) where all clients are routed over my WireGuard VPN (using this network I'm always at home).

2. Guest WiFi network (magnet-guest) where all clients are routed over WAN and have no access to my home network / VPN.

To set it up, you have to log in to the shell and execute:

opkg update
opkg install vpn-policy-routing
uci set vpn-policy-routing.config.enabled="1"
while uci -q delete vpn-policy-routing.@policy[0]; do :; done
uci add vpn-policy-routing policy
uci set vpn-policy-routing.@policy[-1].name="Ignore_wireguard_VPN"
uci set vpn-policy-routing.@policy[-1].dest_addr="my.wireguard.hostname.com"
uci set vpn-policy-routing.@policy[-1].interface="ignore"
uci add vpn-policy-routing policy
uci set vpn-policy-routing.@policy[-1].name="Ignore_Guest"
uci set vpn-policy-routing.@policy[-1].src_addr="192.168.46.1/24"
uci set vpn-policy-routing.@policy[-1].interface="ignore"
uci add vpn-policy-routing policy
uci set vpn-policy-routing.@policy[-1].name="AllWireguard"
uci set vpn-policy-routing.@policy[-1].src_addr="0.0.0.0/0"
uci set vpn-policy-routing.@policy[-1].interface="magnets"
uci commit
/etc/init.d/vpn-policy-routing restart

2. Create a guest network as described here: https://wiki.teltonika-networks.com/view/How_to_set_up_a_guest_WiFi_network_on_RUTX

Please note: I'm using my own subclass: 192.168.46.1.

3. Important: in the WireGuard settings define Allowed IPs as 0.0.0.0/0 BUT do not enable the "Route Allowed IPs" option (the vpn-policy-routing plugin will create these routing entries).

So far I'm happy. Will try to set up the killswitch today.

 

1 Answer

0 votes
by anonymous

Hello,

For the killswitch, you could create a hotplug script yourself that would do the killswitching. The path to the folder would be: /etc/hotplug.d/iface/18-wireguard

On the exclusion of domain names, you could try referring to this article: https://forum.openwrt.org/t/vpn-policy-based-routing-web-ui-discussion/10389
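
One way to write the hotplug script suggested in the answer above (an added example, not part of the answer and not Teltonika's code). It assumes an iptables-based firewall, that the VPN WiFi clients sit on bridge `br-lan`, and that `magnets` from the policy in the question is also the WireGuard device name.

```shell
#!/bin/sh
# Added example: fail-closed kill switch for /etc/hotplug.d/iface/18-wireguard.
# Assumptions (not from the thread): iptables firewall, VPN WiFi clients on
# bridge br-lan, WireGuard device named like the "magnets" policy interface.
WG_IF="${WG_IF:-magnets}"     # WireGuard interface used in the policy
LAN_DEV="${LAN_DEV:-br-lan}"  # assumed bridge carrying the VPN WiFi clients
IPT="${IPT:-iptables}"        # overridable so the logic can be dry-run

# Rule spec: traffic forwarded from the VPN LAN that would leave through any
# interface other than the tunnel is rejected. The tunnel's own encrypted UDP
# packets come from the router itself (OUTPUT chain) and are not affected.
ks_rule() {
    echo "FORWARD -i $LAN_DEV ! -o $WG_IF -j REJECT"
}

# Insert the rule at the top of FORWARD unless it is already present.
ks_ensure() {
    # Word splitting of the rule spec is intended here.
    $IPT -C $(ks_rule) 2>/dev/null || $IPT -I $(ks_rule)
}

# Handle one hotplug event and print what was done.
ks_handle() {   # $1 = ACTION, $2 = INTERFACE
    [ "$2" = "$WG_IF" ] || { echo skip; return 0; }
    case "$1" in
        ifup|ifdown|ifupdate)
            # The rule is kept in every tunnel state: while the tunnel is
            # down, LAN traffic has no permitted exit instead of falling
            # back to the WAN route.
            ks_ensure && echo enforced ;;
        *) echo skip ;;
    esac
}

# netifd exports ACTION and INTERFACE when it runs hotplug scripts.
if [ -n "${INTERFACE:-}" ]; then
    ks_handle "${ACTION:-}" "$INTERFACE" | logger -t killswitch
fi
```

The guest network in the question is on its own interface, so this rule does not touch it. Running `iptables -C` with the same rule spec after a firewall restart shows whether the rule is still in place.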
by anonymous
Hi

Thanks for your feedback.

The solution/setup seems to be time consuming.

With GL.Inet I can set up: dedicated WiFi with WireGuard VPN (to be always "at home") + KillSwitch, dedicated Guest WiFi (for kids' usage) - all within 5 minutes.

I'm thinking to send the RUTX12 back and buy another GL.Inet with external antennas (GL.iNet GL-X750 Version 2) - it's much more user friendly, especially for road (camping) use cases.

Best Regards

Lukas