0 votes
1,402 views 0 comments
by anonymous

TL;DR: It seems these Multi-WAN Wireguard issues were identified and a fix was proposed, but it is currently not accepted by Wireguard (wireguard-can-only-successfully-be-used-via-one-wan-interface), and therefore also not fixed in OpenWRT and also not in the latest version of RutOS: openwrt issues 9538

Can Teltonika confirm if my conclusion makes sense?

====

This is also in reference to my earlier post rutx11-with-working-wifi-client-mode-but-no-internet-access.

I have done more testing and it seems the Wireguard VPN connection to my pfSense VPS server only works with one (specific) WAN (mobile) connection. 

When I switch the default SIM1 to SIM2 (and reboot just to be sure), in the GUI I see the connection is switched to SIM2 (now default) and the data connection is active. When I ping from the RUTX11 router all pings are successful. However, when I try to reach a website (on a mobile connected to the wifi of the RUTX11) no sites load (but ping also works).

This behaviour (no internet but can ping) also shows when using a LAN cable (to the WAN port on the RUTX11), although I also see a working data connection.

I thought this might be a DNS issue. Therefore I checked all interfaces on the RUTX11, but all show three reliable DNS servers (1.1.1.1 / 1.0.0.1 / 9.9.9.9) from Cloudflare and Quad9 (which I put there), and my mobile shows that 192.168.1.1 from the RUTX11 is used for DNS resolution.

To make it even stranger: when I also enable a Wireguard connection from my mobile to the same Wireguard server (pfSense VPS), with the internal pfSense IP as DNS in the mobile Wireguard settings (which "uses" 1.1.1.1), everything works over this same wifi to the RUTX, which uses the non-working Wireguard connection... but another Wireguard connection from the commercial provider Mullvad (which has a public IP DNS entry in the mobile Wireguard settings) connects, but no website traffic is possible...

I also physically switched the SIM card from tray 2 to tray 1; also then the working Wireguard connection seems to "stick" and work only with one specific SIM (and still does not work over LAN cable to WAN).

Wireguard (in general) does have a DNS setting, however this field is not present on the RUTX11. Can this be causing these problems? I lowered the MTU value in the Wireguard settings, but maybe somehow they are not "accepted" on other interfaces; should the MTU values also be lowered at interface level?

(I have no overlapping IP ranges, the MTU for Wireguard is 1300, and the keepalive setting is 25 sec.)

1 Answer

0 votes
by anonymous

Hello,

When you are referring to Multi-WAN, is failover actually enabled and configured in your setup, or are you simply switching between WAN interfaces? The latter might require a restart of the firewall and Wireguard.

If you are using Wireguard to route all of your traffic, it is advisable to define the allowed IP range as 0.0.0.0/1 & 128.0.0.0/1 instead of 0.0.0.0/0, due to possible metric and routing issues.

The suggested MTU value to reduce to is 1380, and it is suggested only for mobile or PPPoE interfaces.

The devices being able to ping but not forward other traffic may be the result of the firewall configuration. It is suggested to check, in Network -> Firewall -> General Settings, Zone Forwardings section, whether you have set both lan->wireguard and wireguard->lan to Accept/Accept/Accept.

Currently, Wireguard has the limitation of not allowing you to specify DNS servers. Updates regarding automated MTU calculation based on the WAN interface used, and the possibility to add custom DNS servers, should be included with the 7.3 firmware release.

The commercial Mullvad solution might require an MTU value set to at least 1500, as, for example, NordVPN does. If you are using a mobile interface, the default value might be lower and needs to be overridden by changing the mobile interface settings in Network -> Interfaces.

Best regards,
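The two settings the answer recommends, the split AllowedIPs (0.0.0.0/1 and 128.0.0.0/1 instead of 0.0.0.0/0) and the reduced tunnel MTU, can be reasoned about without a router. The following is an added Python example; it is not code from Teltonika, the original poster or the WireGuard project. It models Linux route selection (longest prefix first, then lowest metric) over a constructed routing table, and computes the inner MTU from WireGuard's fixed wire overhead. The interface names wwan0 and wg0, the metrics, and the 1440-byte mobile WAN MTU used to reproduce the answer's 1380 are assumptions chosen for illustration; the real WAN MTU has to be read off the device.

```python
"""Added example (not the page's or WireGuard's own code): route selection
with 0.0.0.0/0 vs. 0.0.0.0/1 + 128.0.0.0/1, and WireGuard MTU overhead.
All tables and values here are constructed; nothing touches a real
interface or routing table."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    device: str
    metric: int


def select_route(table, destination):
    """Kernel-style route selection: the most specific (longest) prefix wins;
    among equally long prefixes the lowest metric wins."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def build_table(allowed_ips, wg_metric=10, wan_metric=0):
    """Constructed table: the WAN's own default route plus one route per
    WireGuard AllowedIPs entry. Interface names and metrics are assumptions.
    By default the WAN route gets the better (lower) metric, which is the
    situation in which a single 0.0.0.0/0 AllowedIPs entry loses the tie
    and traffic silently bypasses the tunnel."""
    table = [Route(ipaddress.ip_network("0.0.0.0/0"), "wwan0", wan_metric)]
    for cidr in allowed_ips:
        table.append(Route(ipaddress.ip_network(cidr), "wg0", wg_metric))
    return table


def egress_device(allowed_ips, destination, **metrics):
    """Interface a packet to `destination` would leave on."""
    return select_route(build_table(allowed_ips, **metrics), destination).device


# WireGuard's per-packet overhead on the wire, fixed by the protocol:
# outer IP header + UDP header (8) + transport data header (type/reserved 4,
# receiver index 4, counter 8 = 16) + Poly1305 authentication tag (16).
WG_OVERHEAD_IPV4 = 20 + 8 + 16 + 16  # 60 bytes
WG_OVERHEAD_IPV6 = 40 + 8 + 16 + 16  # 80 bytes; wg-quick's default 1420 = 1500 - 80


def tunnel_mtu(wan_mtu, outer_ipv6=False):
    """Largest inner MTU whose encrypted packet still fits the WAN MTU.
    Larger inner packets are fragmented on the outer path or, when fragments
    or ICMP are filtered, black-holed: small pings pass, full-size TCP
    segments (web pages) do not."""
    return wan_mtu - (WG_OVERHEAD_IPV6 if outer_ipv6 else WG_OVERHEAD_IPV4)


def fits_in_wan(inner_packet_len, wan_mtu, outer_ipv6=False):
    """True if an inner packet of this size crosses the WAN unfragmented."""
    return inner_packet_len <= tunnel_mtu(wan_mtu, outer_ipv6)


if __name__ == "__main__":
    for allowed in (["0.0.0.0/0"], ["0.0.0.0/1", "128.0.0.0/1"]):
        print(allowed, "->", egress_device(allowed, "1.1.1.1"))
    for wan in (1500, 1440):  # 1440 is an assumed mobile WAN MTU
        print(f"WAN MTU {wan}: tunnel MTU {tunnel_mtu(wan)} (IPv4 outer)")
```

With the default metrics, a lone 0.0.0.0/0 AllowedIPs entry ties with the WAN default route on prefix length and loses on metric, so traffic leaves via wwan0 and never enters the tunnel; the two /1 routes are strictly more specific than any default route and win regardless of metric, which is why the answer recommends them. A WAN MTU of 1500 gives a tunnel MTU of 1440 for an IPv4 endpoint, and an assumed mobile WAN MTU of 1440 gives exactly the answer's 1380. The real kernel also consults policy routing rules and firewall marks (wg-quick's own bypass mechanism), which this model leaves out.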