0 votes
794 views 25 comments
by anonymous
I have a RUTX08 router that I'm trying to set up as a client to connect to a WireGuard VPN server (Mullvad).

The device arrived with a very old firmware that I successfully upgraded to the latest one: RUTX_R_00.07.02.7

(Worth noting that I could only update it by uploading the firmware file as it wouldn't download it directly from the server and after the update I had to factory reset the router because it wouldn't let me log in: forever spinning wheel, even after multiple reboots. Anyway, now it's online again.)

I opened Services / VPN / WireGuard, entered a name in the "New configuration name" field and clicked "Add".

A popup appears with the details, the section "WireGuard interface" is filled, but there are no fields where I could enter any Endpoint or DNS or interface address.

What am I missing?

1 Answer

0 votes
by anonymous
Hello,

You need to add at least one peer to your Wireguard configuration; look at "ADD NEW INSTANCE" at the end of the popup.

Regards,
by anonymous

Thanks, but there still aren't any fields where I could enter some of the VPN server's details that I want to connect to...

These are the details the VPN provider gives me:

  • [Interface] PrivateKey, Address, DNS
  • [Peer] PublicKey, AllowedIPs, Endpoint

And these are the details that I can enter on RUTX08's system (under VPN / WireGuard):

  • Interface: Private Key, Public Key, Listen Port
  • Peer: Public Key, Allowed IPs

It's confusing, because 

  1. what should I enter under "Public Key" on the RUTX08, and 
  2. where can I enter the "Address" and "DNS" of the interface and the "Endpoint" of the Peer?
by anonymous

From what the provider gave you:

  • Interface/private key is the value to be set in Services->VPN->Wireguard; use the pen to go to General setup->Private Key.
  • Peer/Public key and Peer/Allowed IPs values are to be set in the peer's submenu.
  • The DNS value has to be set in Network->Interface->Lan->General Setup (use the pen to edit).

> what should I enter under "Public Key" on the RUTX08, and 

To follow your terminology: [Peer] PublicKey

> where can I enter the "Address" of the interface and the "Endpoint" of the Peer?

The fields are in the peer's Advanced Settings submenu, Endpoint host and Endpoint port respectively.

by anonymous

> The fields are in the peer's Advanced Settings submenu, Endpoint host and Endpoint port respectively.

I guess this is where I'm confused. There is no "advanced settings" menu under Peer. See below a screenshot. Latest firmware.

Is this a bug or am I just still too blind to find what I'm looking for..?

by anonymous
You have the UI set in BASIC mode, set it to Advanced at the top of the page or in System->Setup Wizard->General->Webui Settings.

Then all fields will appear.
by anonymous

> You have the UI set in BASIC mode, set it to Advanced at the top of the page or in System->Setup Wizard->General->Webui Settings.
> Then all fields will appear.

Thank you! This indeed did the trick.

I still can't get it to work though, but I guess that's up to me to figure out. 

If anyone has any tips on where I could find a good guide on how to install Mullvad WireGuard on RUTOS I would be forever grateful. I've been trying to follow this guide but it's for OpenWRT and RUTOS is different in just enough places to make it really hard to figure out a simple solution. :(

by anonymous
Configuring Wireguard for Mullvad shouldn't be very different than for other providers.

What is the output of the wg command (from CLI or ssh) ?
by anonymous

> What is the output of the wg command (from CLI or ssh) ?

Pretty standard I believe:

root@Teltonika-RUTX08:~# wg
interface: mullvad
  public key: 06LoJsUQgid1qVsK7hQ3OEQp7QsGiuPkuyb+mhVIaxg=
  private key: (hidden)
  listening port: 51820
peer: m4jnogFbACz7LByjo++8z5+1WV0BuR1T7E1OWA+n8h0=
  endpoint: 193.138.218.130:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 7.23 KiB sent

Those 7.23 KiB are my pings that all timed out.

It feels like I'd have to change something else in the settings as well. But whatever I do, there's no connection. As soon as I turn off WireGuard, the connection is restored.

by anonymous
For testing, restrict the Allowed IPs range (87.248.100.216 will do) and try to ping just this one. What is the result? The new wg output?
by anonymous
root@Teltonika-RUTX08:~# wg
interface: mullvad
  public key: 06LoJsUQgid1qVsK7hQ3OEQp7QsGiuPkuyb+mhVIaxg=
  private key: (hidden)
  listening port: 51820
peer: m4jnogFbACz7LByjo++8z5+1WV0BuR1T7E1OWA+n8h0=
  endpoint: 193.138.218.130:51820
  allowed ips: 87.248.100.216/32

(I didn't add /32)

by anonymous

And ping 87.248.100.216 ? ping 87.248.100.215 ?

by anonymous
root@Teltonika-RUTX08:~# ping -c 3 87.248.100.216
PING 87.248.100.216 (87.248.100.216): 56 data bytes
^C
--- 87.248.100.216 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
root@Teltonika-RUTX08:~# ping -c 3 87.248.100.215
PING 87.248.100.215 (87.248.100.215): 56 data bytes
64 bytes from 87.248.100.215: seq=0 ttl=34 time=287.245 ms
64 bytes from 87.248.100.215: seq=1 ttl=34 time=285.486 ms
64 bytes from 87.248.100.215: seq=2 ttl=34 time=285.834 ms
--- 87.248.100.215 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 285.486/286.188/287.245 ms
by anonymous
So the tunnel is inoperative. wg output?
by anonymous
root@Teltonika-RUTX08:~# ping -c 3 87.248.100.216
PING 87.248.100.216 (87.248.100.216): 56 data bytes
^C
--- 87.248.100.216 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
root@Teltonika-RUTX08:~# ping -c 3 87.248.100.215
PING 87.248.100.215 (87.248.100.215): 56 data bytes
64 bytes from 87.248.100.215: seq=0 ttl=36 time=300.231 ms
64 bytes from 87.248.100.215: seq=1 ttl=36 time=299.335 ms
64 bytes from 87.248.100.215: seq=2 ttl=36 time=300.232 ms
--- 87.248.100.215 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 299.335/299.932/300.232 ms
root@Teltonika-RUTX08:~# wg
interface: mullvad
  public key: 06LoJsUQgid1qVsK7hQ3OEQp7QsGiuPkuyb+mhVIaxg=
  private key: (hidden)
  listening port: 51820
peer: m4jnogFbACz7LByjo++8z5+1WV0BuR1T7E1OWA+n8h0=
  endpoint: 193.138.218.130:51820
  allowed ips: 87.248.100.216/32
  latest handshake: 19 seconds ago
  transfer: 124 B received, 532 B sent

This is the full thing...

Any pointers on what else I should change in the settings to make the tunnel work..?

by anonymous
>   latest handshake: 19 seconds ago
>   transfer: 124 B received, 532 B sent

So the tunnel itself is fine. What is the content of Allowed IPs at the other end ?

In Network->Firewall->General Settings have you set Lan=>Wireguard and Wireguard=>Lan to Accept/Accept/Accept ? Is Masquerading set ?
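
The reading of the wg output used in the replies above (a "latest handshake" line means the tunnel itself is up; bytes sent with no handshake means it is not), as an added example that is not part of the original thread. The function name `wg_peer_state`, the two sample functions, the placeholder keys and the 192.0.2.10 endpoint are assumptions made for illustration; the samples are constructed and modelled on the outputs posted in this thread.

```shell
#!/bin/sh
# Added example: classify every peer in `wg` output read on stdin.
# Output: one line per peer, "<peer public key> <state>", where state is
#   handshake-ok  a "latest handshake" line exists, so the tunnel is established
#   no-handshake  packets were sent but no handshake has completed
#   idle          no handshake and nothing sent yet
wg_peer_state() {
    awk '
        function emit() {
            if (peer != "")
                print peer, (hs ? "handshake-ok" : (tx ? "no-handshake" : "idle"))
        }
        $1 == "peer:"                        { emit(); peer = $2; hs = 0; tx = 0 }
        $1 == "latest" && $2 == "handshake:" { hs = 1 }
        # transfer: <n> <unit> received, <n> <unit> sent
        $1 == "transfer:"                    { tx = ($5 + 0 > 0) }
        END                                  { emit() }
    '
}

# Constructed sample: traffic sent, nothing received, no handshake line.
sample_no_handshake() {
    cat <<'EOF'
interface: mullvad
  public key: LOCAL_PUBLIC_KEY_PLACEHOLDER
  private key: (hidden)
  listening port: 51820
peer: PEER_PUBLIC_KEY_PLACEHOLDER
  endpoint: 192.0.2.10:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 7.23 KiB sent
EOF
}

# Constructed sample: handshake completed and bytes flowing both ways.
sample_handshake() {
    cat <<'EOF'
interface: mullvad
  listening port: 51820
peer: PEER_PUBLIC_KEY_PLACEHOLDER
  endpoint: 192.0.2.10:51820
  allowed ips: 87.248.100.216/32
  latest handshake: 19 seconds ago
  transfer: 124 B received, 532 B sent
EOF
}

sample_no_handshake | wg_peer_state   # PEER_PUBLIC_KEY_PLACEHOLDER no-handshake
sample_handshake    | wg_peer_state   # PEER_PUBLIC_KEY_PLACEHOLDER handshake-ok
```

On the router the same function can be fed live data with `wg | wg_peer_state`. A no-handshake result points at the endpoint, the keys or UDP reachability, while handshake-ok moves the search to Allowed IPs, routing and firewall zones.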

 

by anonymous

That part looks like this:

There are lots of other settings behind the Pencil icon of course. What are the most important settings there?

by anonymous
It won't hurt to set MSS Clamping everywhere, and Masquerading only on Wan=>REJECT.

What about Allowed IPs at the Mullvad side ? What is the output of ifconfig br-lan ?
by anonymous
root@Teltonika-RUTX08:~# ifconfig br-lan
br-lan    Link encap:Ethernet  HWaddr 00:1D:42:24:CD:05
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fd70:bbfe:6bb6::1/60 Scope:Global
          inet6 addr: fe80::21e:42ff:fe23:cd04/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:113190 errors:0 dropped:0 overruns:0 frame:0
          TX packets:109637 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12517939 (11.9 MiB)  TX bytes:130037326 (124.0 MiB)

/For the record, I am super grateful for your patience :) /

by anonymous
What are the parameters at the Mullvad side ? Masquerading, Allowed IPs, IP address?

What are the outputs of ifconfig mullvad and ifconfig wwan0 ?
by anonymous

> What are the parameters at the Mullvad side ? Masquerading, Allowed IPs, IP address?

I'm a little confused, where can I see this info in RUTOS? In any case, this is the config info I get from Mullvad:

[Interface]
PrivateKey = ***
Address = 10.64.173.27/32
DNS = 100.64.0.3
[Peer]
PublicKey = m4jnogFbACz7LByjo++8z5+1WV0BuR1T7E1OWA+n8h0=
AllowedIPs = 0.0.0.0/0
Endpoint = 193.138.218.130:51820

> What are the outputs of ifconfig mullvad and ifconfig wwan0 ?

No wwan0. Here's the full output of ifconfig:

root@Teltonika-RUTX08:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 00:1D:42:24:CD:05
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fd70:bbfe:6bb6::1/60 Scope:Global
          inet6 addr: fe80::21e:42ff:fe23:cd04/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:128642 errors:0 dropped:0 overruns:0 frame:0
          TX packets:123911 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14865066 (14.1 MiB)  TX bytes:139721136 (133.2 MiB)
eth0      Link encap:Ethernet  HWaddr 00:1D:42:24:CD:05
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:129867 errors:0 dropped:0 overruns:0 frame:0
          TX packets:123895 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16746794 (15.9 MiB)  TX bytes:139710883 (133.2 MiB)
eth1      Link encap:Ethernet  HWaddr 00:1D:42:24:CD:06
          inet addr:192.168.8.127  Bcast:192.168.8.255  Mask:255.255.255.0
          inet6 addr: fd2b:2b73:daf3:44e0:21e:42ff:fe23:cd05/64 Scope:Global
          inet6 addr: fe80::21e:42ff:fe23:cd05/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:124371 errors:0 dropped:0 overruns:0 frame:0
          TX packets:86357 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:135712684 (129.4 MiB)  TX bytes:11655620 (11.1 MiB)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:612 errors:0 dropped:0 overruns:0 frame:0
          TX packets:612 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:76154 (74.3 KiB)  TX bytes:76154 (74.3 KiB)
mullvad   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.64.173.27  P-t-P:10.64.173.27  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:9 errors:5 dropped:0 overruns:0 frame:5
          TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:528 (528.0 B)  TX bytes:2608 (2.5 KiB)
by anonymous

Ah yes, it is a RUTX08; outside access goes through eth1, not wwan0.

> RX packets:9 errors:5 dropped:0 overruns:0 frame:5

Something is still wrong within the tunnel. Do the following:
ifconfig mullvad
ping -c 3 87.248.100.216
ifconfig mullvad

and post the full result (both ifconfigs). It seems that the rutx cannot decrypt the incoming packets.

by anonymous
root@Teltonika-RUTX08:~# ifconfig mullvad
mullvad   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.64.173.27  P-t-P:10.64.173.27  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:15 errors:5 dropped:0 overruns:0 frame:5
          TX packets:72 errors:5 dropped:5 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:900 (900.0 B)  TX bytes:9648 (9.4 KiB)
root@Teltonika-RUTX08:~# ping -c 3 87.248.100.216
PING 87.248.100.216 (87.248.100.216): 56 data bytes
--- 87.248.100.216 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
root@Teltonika-RUTX08:~# ifconfig mullvad
mullvad   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.64.173.27  P-t-P:10.64.173.27  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:16 errors:5 dropped:0 overruns:0 frame:5
          TX packets:75 errors:5 dropped:5 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:932 (932.0 B)  TX bytes:10032 (9.7 KiB)
by anonymous
Please reboot the router to be sure to clear the counters and redo the previous test; the errors may be due to older operations.
by anonymous

Sure. This is right after reboot:

root@Teltonika-RUTX08:~# ifconfig mullvad
mullvad   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.64.173.27  P-t-P:10.64.173.27  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
root@Teltonika-RUTX08:~# ping -c 3 87.248.100.216
PING 87.248.100.216 (87.248.100.216): 56 data bytes
--- 87.248.100.216 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
root@Teltonika-RUTX08:~# ifconfig mullvad
mullvad   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.64.173.27  P-t-P:10.64.173.27  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:444 (444.0 B)
by anonymous
Good, the errors above were from previous tests; there are no obvious decryption issues in the descending direction. However, that doesn't tell why the replies are lost. Can you access statistics on the Mullvad side? Could you enable Masquerading again and redo the test?
by anonymous

I decided to start afresh and did a factory reset. I've posted my steps here. Still not working. Any help appreciated.