0 votes
572 views 4 comments
by anonymous

I have a Rutx11 mode running with firmware version: RUTX_R_00.07.03.1

I have configured my wireguard client on the RUTX11 to my wireguard (pivpn) server. Everything seems to be running fine. I am able to access lan devices connected to the RUTX11 remotely. The devices connected to the RUTX11 behind the firewall are able to access public resources via http just fine. Unfortunately when I try to access anything via https I am unsuccessful.

Other devices (pc, iphone) connected to my vpn server don't have issues accessing public resources via https. Only the devices connected to RUTX11. Seems weird that I can access devices via http but not https and I'm not sure what I'm doing wrong. I feel very close but I just haven't been able to understand why it's not working.

BTW - if I disable the wireguard client it does work.

Thanks for your help!

Supporting documentation:

by anonymous
Okay after working with Teltonika support I had to make an adjustment to the solution in my previous comment.  In my case, I have piVpn (with wireguard) server running at my house and a teltonika RUTX11 with a raspberry pi connected to it 200 miles away.  The final solution was to reset the eth0 value back to 1500 on my raspberry pi connected to the RUTX11.  Next, I set the MTU to 1348 on my piVpn wireguard server in the /etc/wireguard/wg0.conf file, and then set the RUTX11 Services -> VPN -> Wireguard -> Advanced Settings MTU value to 1348.

1 Answer

0 votes
by anonymous
Hello,

The most probable cause is an MTU too high on the wireguard interface. Check the MTU of the wwan0 (or eth1 if you use wan) interface and set the wg interface MTU to this value minus 80 at most. Depending on the network peculiarities (IPv4 transport in IPv6 ...) you may still need to assign a lower value, for example from Europe to the US for the device to work reliably you can't go over 1360 for a base MTU of 1500.

 Regards,
by anonymous
Thanks very much for the solution.  I struggled with this for so long.  

I would encourage you to add this to a FAQ for a wireguard client setup. Lastly, I had to make an adjustment to Raspberry Pi eth0 interface with the same mtu as set on the RUTX router (sudo ifconfig eth0 mtu 1348) and then editing the /etc/dhclient.conf (adding "mtu 1348" under the line "interface eth0").

settings for RUTX11:

logged into CLI:

> ifconfig

grabbed MTU for wwan interface: 1428 (1428 - 80 = 1348) and set my wireguard MTU to 1348.
by anonymous
I don't understand the MTU=1348 requirement on the pi's eth0 interface. As it is the wg server its wg interface MTU should be set to 1348 and the eth0's one left at 1500. Could you make a simple drawing of your network?

The reason why http was working fine but https failed was because TLS packets were fragmented and the establishment didn't complete successfully. Maybe something to look at here.

It should be possible to add a warning in the logs if the bearer MTU - 80 rule is not respected, it will not be completely foolproof however.

And for the FAQ good point (@teltonika).
by anonymous
After a few exchanges by PM: the wg interface at the other end had an MTU of 1500 bytes. Setting it to the same 1348 bytes fixed all the remaining issues.
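
Added example (not part of the original thread and not Teltonika's code): a shell check for the "bearer MTU minus 80" rule from the answer, in the spirit of the log warning suggested in the comments. The function names and the sample `ifconfig` output are constructed for illustration; the check applies to each end of the tunnel, since the thread ended with the far wg interface still at 1500.

```shell
#!/bin/sh
# Added example (not from the thread): check the "bearer MTU minus 80" rule.
# 80 = 40 (IPv6 header) + 8 (UDP) + 32 (WireGuard data header and auth tag).
WG_OVERHEAD=80

# Print the MTU of interface $1 from `ifconfig` output on stdin. Accepts the
# busybox/net-tools layout ("MTU:1428") and the newer one ("mtu 1428").
mtu_from_ifconfig() {
    awk -v ifc="$1" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }
        cur == ifc && match($0, /[Mm][Tt][Uu][: ][0-9]+/) {
            print substr($0, RSTART + 4, RLENGTH - 4); exit
        }'
}

# Largest wg interface MTU the rule allows for bearer MTU $1.
max_wg_mtu() { echo $(( $1 - WG_OVERHEAD )); }

# check_wg_mtu BEARER_MTU WG_MTU
# Returns 0 if the wg MTU fits, 1 if it is too high, 2 on non-numeric input.
check_wg_mtu() {
    for v in "$1" "$2"; do
        case $v in ''|*[!0-9]*) echo "error: MTU must be a number"; return 2 ;; esac
    done
    limit=$(max_wg_mtu "$1")
    if [ "$2" -gt "$limit" ]; then
        echo "WARN: wg MTU $2 > bearer MTU $1 - $WG_OVERHEAD = $limit"
        return 1
    fi
    echo "OK: wg MTU $2 <= $limit"
}

# Constructed sample input (not captured from a real device).
sample_ifconfig() {
    cat <<'EOF'
wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
wwan0     Link encap:Ethernet  HWaddr 02:00:00:00:00:01
          UP BROADCAST RUNNING MULTICAST  MTU:1428  Metric:1
EOF
}

# Demo: wg0 left at 1500 over a 1428-byte bearer triggers the warning.
# On a device, replace sample_ifconfig with the real `ifconfig` command.
check_wg_mtu "$(sample_ifconfig | mtu_from_ifconfig wwan0)" \
             "$(sample_ifconfig | mtu_from_ifconfig wg0)" || true
```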