FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14455 questions

17168 answers

28195 comments

0 members

We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
1,363 views 8 comments
by anonymous
Hi there,

I am trying to set up a Wireguard connection to my own server. But I can't get the clients to use the vpn connection. I have tried every solution I can find here, but to no avail. If I use Wireguard on a Windows client behind the RUT950, it works right away. Also the connection on the router is build up (i checked via CLI>wg).

 Can anyone tell me how to get this to work?

Router: RUT950

FW: RUT9_R_00.07.04

4 Answers

0 votes
by anonymous
Hi,

Since the WireGuard tunnel is established, what are the allowed IPs? Also, have you enabled the devices to route allowed IPs? What are the routes on your RT955 ('route -n' command)?

Can you please share the configurations of both WireGuard peers?

Kind Regards,

Andzej
0 votes
by anonymous

Hi,

Sorry i forgot to give the info. Also it is a RUT950.

Here are some screenshots (I want to route all traffic through the tunnel):

 

by anonymous
Hi,

It seems that the packets are being sent over the tunnel (2.18 MiB), but the there is only 92 b received. Could you please share the configuration of the other peer?

Kind Regards,

Andzej
0 votes
by anonymous

The packets that are send are only from the router itself, not the clients.

The other peer is my wireguard 'warpspeed' vm, I don't have a specific config for that. As I wrote, I can use the same config on a Windows wireguard client, and it instantly works. Even if the client sits behind my RUT950. So i assume the problem is the routing or firewall of the router.

Here is a screenshot of the managment gui:

by anonymous

Hi,

Could you please attach a troubleshoot file? Troubleshoot file can be downloaded from System -> Administration -> Troubleshoot.

Attach it by editing your question.

Kind Regards,

Andzej

by anonymous

Hi,

It seems your wireguard firewall zone is set to reject. Could you please navigate to Network -> Firewall and change LAN => Wireguard and Wireguard => LAN zones inputs/outputs/forwards to accept? Depending on your setup, you may want to enable or disable masquerading as well.

Kind Regards,

Andzej

by anonymous
Hi,

What is the LAN network of your Wireguard server? Does it have a different LAN than the other peer? If you have added 192.168.1.0/24 to allowed IPs and after that, it does not let you connect to your device, it may be because it routes the LAN packets via the tunnel.

Also, if you have 0.0.0.0/0 as allowed IPs on the server, could you set the allowed IPs to be only the LAN network of the peer, i.e. 192.168.1.0/24? Without 0.0.0.0/0 on the server.

Kind Regards,

Andzej
by anonymous

Hi and thank you for your consistent help.

Here are the IP settings of my server:

I

If I understand this correctly, I could assign the clients of my RUT950 an IP in the range 10.99.0.0/16 and it should work?

This is not the way I thought a router works. Isn't it supposed to "route" traffic from the local LAN to the VPN? Maybe the solution is not in the firewall or allowed ips, but in the routing table?

Unfortunately I have no access to the device today, but I will test it next week.

by anonymous
Hi,

In WireGuard, the address pool is used by the clients to obtain an IP address on the VPN subnet, so basically, it is used by the tunnel. To enable routing between LAN networks, you need to specify the LAN networks in the AllowedIPs field. This means that any IP address that matches the AllowedIPs will be routed through the VPN tunnel.

For example, suppose you have a server with LAN IP of 192.168.1.0/24 and a client with LAN IP of 192.168.10.0/24.

The server has added AllowedIP of 192.168.10.0/24 (LAN of the client). The client has added AllowedIP of 192.168.1.0/24 (LAN of the server).

When the server needs to send packets to 192.168.10.1, it will first check its routing table to determine if the destination IP address belongs to a directly connected network. If not, it will then check if the destination IP address matches any of the AllowedIPs on its WireGuard side. and if so, it will route the packet through the VPN tunnel to the client. The 192.168.10.1 matches and is sent to the client over VPN.

When the client receives the packet, he decapsulates and decrypts it. Then he will check the source IP address (IP address of the server matches the address pool/ Allowed IPs) and if it matches on its side, it will accept the packet. Otherwise, it will drop the packet.

if you want to route all traffic from client to the server via VPN, you need to add allowed IPs of 0.0.0.0/0 or 0.0.0.0/1 + 128.0.0.0/1 on the client side.

Kind Regards,

Andzej
0 votes
by anonymous
Thanks for your reply, I configured the firewall as you descriped. But still no connection for the clients. Maybe I should switch to an OpenVPN solution, as wireguard seems to be broken on RUT950. I even tried the "old-style" firmware, with the same problem.
by anonymous
You need to add the lan network of the RUT (192.168.1.0/24) to the Allowed IPs list on the wireguard at the other end else the server won't know how to route the reply packets.
by anonymous
I did this, with the result that I couldn't access the router anymore. Also, no connection to the vpn.