0 votes
924 views 8 comments
by anonymous

Okay, so I decided to open a new thread for this because I feel like I made some progress since my last post, but my RUTX08 is still not connecting to Mullvad's WireGuard. 

I thought describing the steps I take after a clean install (reset factory settings) would maybe help someone more knowledgeable to spot where I might be going wrong or what I am missing. Perhaps flebourse, who has been helping me to diagnose what the problem is.

Here are my device's details:

After the factory reset, I log in, change the password and set the router's IP address to 192.168.20.1 so it looks like this:

I go to Services / VPN / WireGuard and under "Add new instance" I enter "mullvad" as the configuration name and click the "Add" button.

In the popup that appears I get a private key. I import this private key to Mullvad's WireGuard configuration file generator:

Then download the config file which contains the following (I deliberately left the private key unobscured, once I find a solution I will just re-generate them anyway):

[Interface]
PrivateKey = qJeLvVzauTKdrLEezjTW1bPc3FTMuD9BsfA97yztC3s=
Address = 10.64.66.63/32,fc00:bbbb:bbbb:bb01::1:423e/128
DNS = 10.64.0.1

[Peer]
PublicKey = m4jnogFbACz7LByjo++8z5+1WV0BuR1T7E1OWA+n8h0=
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 193.138.218.130:51820

From this info I take the interface address and enter it in the "IP Addresses" field so now it looks like this:

Under "Peers" and "Add new instance" I enter "mvpeer" and click the "Add" button.

I fill out the peer info the following way:


And then click "Save & apply". I click "Save & apply" again in the interface popup. And click "Save & apply" again in the WireGuard configuration page.

At this point I still have internet connection in the router but the WireGuard configuration is still "off".

I click "on" and "Save & apply". Connection is lost.

I reboot the router. Still no connection. I SSH into the router and run the wg command, the output:

root@Teltonika-RUTX08:~# wg
interface: mullvad
  public key: nE81/+Y2d03rdI3mj63NrTTld613rQlsdXtjsiV2skk=
  private key: (hidden)
  listening port: 51820

peer: m4jnogFbACz7LByjo++8z5+1WV0BuR1T7E1OWA+n8h0=
  endpoint: 193.138.218.130:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 296 B sent

I haven't added the DNS from Mullvad anywhere yet. So I go to Network / DNS and enter "10.64.0.1" under "DNS forwardings" and click "Save & apply":

Reboot the router again. Still no connection. 

I go to Network / Firewall / General settings / Zones. I turn on "MSS clamping" for all the zones that are there, so it looks like this:

I click "Save & apply".


What else do you recommend to set? Should I change something specific in the Firewall settings? (I've tried playing with the settings there, but nothing helped...) Or is there something that should be changed under Network / Interfaces (LAN, WAN, or WAN6)?

1 Answer

0 votes
by anonymous
Hello,

First step: replace 0.0.0.0/0 by 0.0.0.0/1 + 128.0.0.0/1 in the Allowed IPs field, else the default route may be lost and the server becomes unreachable.

Regards,
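The reason behind this advice is longest-prefix routing: two /1 halves cover exactly the same addresses as 0.0.0.0/0 but are more specific than the WAN's own default route, so they win for ordinary traffic without replacing the default. The halves still contain the Mullvad endpoint address itself, so a separate host route for the endpoint via the WAN interface is what keeps the server reachable. The following Python script is an added illustration (not part of the answer above, and not Teltonika or Mullvad code); it uses only the standard library's ipaddress module, and the endpoint and LAN prefix values are taken from this thread. It goes one step beyond the /1 split by computing an AllowedIPs list that carves the endpoint (or any other prefix) out of 0.0.0.0/0 explicitly.

```python
import ipaddress


def _nets(items):
    """Accept CIDR strings or ip_network objects and return network objects."""
    return [ipaddress.ip_network(i, strict=False) for i in items]


def allowed_ips_excluding(excluded, base="0.0.0.0/0"):
    """Return the minimal set of CIDR blocks covering `base` minus every
    network in `excluded`.  This generalises the 0.0.0.0/1 + 128.0.0.0/1 split:
    excluding a single /32 from 0.0.0.0/0 yields 32 blocks, one per prefix length.
    """
    remaining = _nets([base])
    for ex in _nets(excluded):
        next_remaining = []
        for net in remaining:
            if not net.overlaps(ex):
                next_remaining.append(net)          # untouched by this exclusion
            elif ex.subnet_of(net):
                # address_exclude yields the blocks of `net` not covered by `ex`
                # (and yields nothing when ex == net, which drops the block).
                next_remaining.extend(net.address_exclude(ex))
            # else: `net` lies entirely inside `ex`, so it is dropped.
        remaining = next_remaining
    # collapse_addresses returns a sorted, merged, canonical list.
    return list(ipaddress.collapse_addresses(remaining))


def covers_all(nets, base="0.0.0.0/0"):
    """True if the networks together cover `base` exactly (the /1 split does)."""
    return list(ipaddress.collapse_addresses(_nets(nets))) == _nets([base])


def is_allowed(nets, addr):
    """True if `addr` falls inside any of the AllowedIPs networks."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in _nets(nets))


# Values from the thread: Mullvad endpoint and the router's LAN subnet.
ENDPOINT = "193.138.218.130/32"
LAN = "192.168.20.0/24"
HALVES = ["0.0.0.0/1", "128.0.0.0/1"]

if __name__ == "__main__":
    print("/1 halves cover everything:", covers_all(HALVES))
    print("/1 halves still contain the endpoint:", is_allowed(HALVES, "193.138.218.130"))
    carved = allowed_ips_excluding([ENDPOINT, LAN])
    print("AllowedIPs without endpoint and LAN (%d blocks):" % len(carved))
    print(", ".join(str(n) for n in carved))
```

The carved list can be pasted into the Allowed IPs field as a comma-separated string; it routes all traffic through the tunnel except the endpoint and the local LAN, which then need no extra host route to escape the tunnel.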
by anonymous

Okay, this is done:

Rebooted, no connection yet.

by anonymous

I have tried with the values given above except for the default rule replaced by 87.248.100.216/32 and the listening port replaced by 51830:

1 - wg

interface: mullvad
  public key: nE81/+Y2d03rdI3mj63NrTTld613rQlsdXtjsiV2skk=
  private key: (hidden)
  listening port: 51830

peer: m4jnogFbACz7LByjo++8z5+1WV0BuR1T7E1OWA+n8h0=
  endpoint: 193.138.218.130:51820
  allowed ips: 87.248.100.216/32
  latest handshake: 1 minute, 37 seconds ago
  transfer: 220 B received, 404 B sent
  persistent keepalive: every 25 seconds

2 - ping

root@lgrrutx:~# ping -c 1 87.248.100.216
PING 87.248.100.216 (87.248.100.216): 56 data bytes
64 bytes from 87.248.100.216: seq=0 ttl=52 time=239.105 ms

--- 87.248.100.216 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 239.105/239.105/239.105 ms

3 - wg again

interface: mullvad
  public key: nE81/+Y2d03rdI3mj63NrTTld613rQlsdXtjsiV2skk=
  private key: (hidden)
  listening port: 51830

peer: m4jnogFbACz7LByjo++8z5+1WV0BuR1T7E1OWA+n8h0=
  endpoint: 193.138.218.130:51820
  allowed ips: 87.248.100.216/32
  latest handshake: 42 seconds ago
  transfer: 660 B received, 1.25 KiB sent
  persistent keepalive: every 25 seconds


The wg tunnel appears to be fully functional; the number of bytes exchanged increases as expected.

Firewall: lan=>wireguard and wireguard=>lan set to accept/accept/accept, masquerading off, MSS clamping on.

In WireGuard Interface->Mullvad->General Setup, could you try with the private key only (clear the public key field)?


by anonymous

Well, I can reproduce what you wrote, yes, same output, but if I change the Allowed IPs to 87.248.100.216/32 then my router's traffic doesn't seem to be routed through the VPN... 

And if I change it back to 0.0.0.0/0 then connection is lost again.

I also did the Firewall setting like this:

- but it didn't make any difference. 

I've also cleared the public key from the interface as well, no change.

by anonymous

Well, I can reproduce what you wrote, yes, same output

So your tunnel works fine.

And if I change it back to 0.0.0.0/0 then connection is lost again.

Yes, the router must have a way to access the MV server itself without going through the tunnel. Instead of 0.0.0.0/0 use 0.0.0.0/1 + 128.0.0.0/1 or set a higher priority route for 193.138.218.130 : ip -4 route add 193.138.218.130 dev eth1 metric 1

by anonymous

Instead of 0.0.0.0/0 use 0.0.0.0/1 + 128.0.0.0/1

I've done this again now, no change unfortunately...

or set a higher priority route for 193.138.218.130 : ip -4 route add 193.138.218.130 dev eth1 metric 1

Any chance you could help me find how to do this? This is a tad more advanced than I can figure out on my own... :)

by anonymous
Enter the command directly on an SSH console for testing. If it works, add it in System->Custom scripts.

Could you post the output of ip -4 route show?
by anonymous

This one doesn't seem to go through:

root@Teltonika-RUTX08:~# ip -4 route add 193.138.218.130 dev eth1 metric 1
RTNETLINK answers: File exists

Could you post the output of ip -4 route show?

root@Teltonika-RUTX08:~# ip -4 route show
default dev mullvad proto static scope link
default via 192.168.8.1 dev eth1 proto static src 192.168.8.127 metric 1
192.168.8.0/24 dev eth1 proto static scope link metric 1
192.168.20.0/24 dev br-lan proto kernel scope link src 192.168.20.1
193.138.218.130 dev eth1 scope link metric 1
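The "RTNETLINK answers: File exists" reply means the host route was already present, and the table above confirms it on its last line. To make the table easier to reason about, here is an added Python script (not part of this comment, and not Teltonika code) that parses the `ip -4 route show` output exactly as posted and applies the kernel's selection rule, longest prefix first and then lowest metric, to see which interface a given destination would leave on. The route text is a constructed copy of the output above; the interface and address values come from this thread.

```python
import ipaddress

# Constructed copy of the `ip -4 route show` output posted in this thread.
ROUTE_TABLE = """\
default dev mullvad proto static scope link
default via 192.168.8.1 dev eth1 proto static src 192.168.8.127 metric 1
192.168.8.0/24 dev eth1 proto static scope link metric 1
192.168.20.0/24 dev br-lan proto kernel scope link src 192.168.20.1
193.138.218.130 dev eth1 scope link metric 1
"""


def _field_after(fields, key, default=None):
    """Return the token following `key` in an iproute2 line, or `default`."""
    return fields[fields.index(key) + 1] if key in fields else default


def parse_routes(text):
    """Parse iproute2 `ip -4 route show` lines into dicts.
    A bare host address such as 193.138.218.130 is a /32; a missing metric is 0.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = fields[0]
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append({
            "dst": net,
            "dev": _field_after(fields, "dev"),
            "via": _field_after(fields, "via"),
            "metric": int(_field_after(fields, "metric", 0)),
        })
    return routes


def lookup(routes, addr):
    """Pick the route the kernel would use: longest prefix, then lowest metric."""
    a = ipaddress.ip_address(addr)
    candidates = [r for r in routes if a in r["dst"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["dst"].prefixlen, r["metric"]))


def endpoint_escapes_tunnel(routes, endpoint, tunnel_if):
    """True if packets to the WireGuard endpoint leave on a non-tunnel interface.
    If this is False, handshake packets would be fed back into the tunnel and the
    peer could never be reached.
    """
    r = lookup(routes, endpoint)
    return r is not None and r["dev"] != tunnel_if


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for dest in ("193.138.218.130", "8.8.8.8", "192.168.20.5"):
        r = lookup(routes, dest)
        print("%-16s -> %s via %s (/%d, metric %d)" % (
            dest, r["dev"], r["via"] or "link", r["dst"].prefixlen, r["metric"]))
    print("endpoint escapes tunnel:",
          endpoint_escapes_tunnel(routes, "193.138.218.130", "mullvad"))
```

On the table as posted, the endpoint leaves on eth1 via its /32 host route, general traffic such as 8.8.8.8 takes the metric-0 default on mullvad rather than the metric-1 default on eth1, and the LAN stays on br-lan. Dropping the last line of the table makes the endpoint lookup fall through to the tunnel, which is the loop the /1 split and the host route are meant to prevent.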
by anonymous
Could you disconnect from the wg server? I'll check myself. Or send me another config file by PM.