Is there a way to get a notification from a RUTX11 in case its site-2-site WireGuard connection to a WireGuard server (e.g. an AVM FritzBox 7490) is down?
I only realised it because of some unexpected behaviour in my network, but it took me a while until I found out about it. By chance, I saw in the FritzBox WireGuard tab that the connection was no longer active; why, I don’t know. After manually starting it again, everything seems ok again.
Now it would be helpful if the RUTX11 (or any other Teltonika router) could provide a note. If you have a hint, e.g. some script snippets I could try, or any other RUTX11 tools that might work, that would be great.
Thank you so much for sharing your thoughts!
PS:
Now that I further think about it, maybe some error in the system log could help. As I forward all RUTX11’s system log messages to my syslog server (a Synology NAS), the Synology mobile app would throw an error message with an alert of a failed WireGuard connection. Is it possible that the RUTX11 creates such an error (or warning) in its system log? What would I have to do to make it happen?
Did you restart it on the Fritzbox side or the RUTX side?
Do you have a static public address on the FB side, or a dynamic one?
If it changes, the RUTX will see nothing and will remain stuck; this post gives a hint for a workaround.
I restarted it on the Fritzbox side, which has a dynamic but rather stable public IP (but yes, it can change, though rarely).
Unfortunately, I cannot check or judge whether the disrupted WireGuard connection has a temporal or even causal relationship with a public IP change of my Fritzbox, but it could be.
Thanks for referring to your other post and for your solution. I might give it a try.
It seems that Teltonika’s developers will address this problem. I read about some kind of watchdog, which seems a good solution for this problem.
BTW, do you enforce RUT DNS if the WireGuard master server also has DNS?
PS:
I thought that my RUTX11 connects not to my Fritzbox public IP but to its static myfritz address. Therefore, I now have some doubts if this caused my problem at all.
Could you clarify your question? If the RUT uses the DNS server provided by the wg server exclusively and the tunnel fails for some reason, the DNS will also fail …
Use the wg command at both ends, look at the counters and the “latest handshake” fields.
It is a good idea to enable the “Persistent keep alive” option at both ends.
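Following the wg advice above, here is an added watchdog script (not from this thread, not a Teltonika tool) that reads the latest-handshake timestamps and writes a syslog warning with `logger` when they go stale, so a forwarded syslog (as asked for in the first post) can raise the alert. It assumes the WireGuard interface is called wg0 and that cron is available; both are assumptions to check on your unit.

```shell
#!/bin/sh
# Added example, not from the thread: a watchdog for the RUTX11 that reads the
# "latest handshake" timestamps with `wg` and writes a syslog warning (via
# `logger`) when a peer has not handshaked recently, so a forwarded syslog
# picks it up. Assumptions: the WireGuard interface is called "wg0"
# (hypothetical; list yours with `wg show interfaces`), and `wg`, `logger`
# and `awk` are available, as they are on OpenWrt-based RUTOS.

WG_IFACE="${WG_IFACE:-wg0}"
MAX_AGE="${MAX_AGE:-180}"   # seconds; with keepalive 25 s a live tunnel re-handshakes well within this

# handshake_age INPUT NOW -> prints the age in seconds of the oldest handshake
# among all peers, or -1 if some peer never completed a handshake.
# INPUT is the text of `wg show IFACE latest-handshakes` ("pubkey<TAB>epoch" lines).
handshake_age() {
  printf '%s\n' "$1" | awk -v now="$2" '
    NF < 2  { next }
    $2 == 0 { never = 1 }
    $2 > 0  { age = now - $2; if (age > worst) worst = age }
    END     { if (never) print -1; else print worst + 0 }'
}

# tunnel_state INPUT NOW MAX -> prints "up" or "down" and returns 0/1 accordingly
tunnel_state() {
  age="$(handshake_age "$1" "$2")"
  if [ "$age" -lt 0 ] || [ "$age" -gt "$3" ]; then
    echo down; return 1
  fi
  echo up; return 0
}

# check_tunnel -> queries the live interface and logs; exit status 0 = healthy
check_tunnel() {
  hs="$(wg show "$WG_IFACE" latest-handshakes 2>/dev/null)" || {
    logger -t wgwatch -p daemon.err "WireGuard $WG_IFACE: interface missing"
    return 2
  }
  if ! tunnel_state "$hs" "$(date +%s)" "$MAX_AGE" >/dev/null; then
    logger -t wgwatch -p daemon.warning \
      "WireGuard $WG_IFACE: no handshake within ${MAX_AGE}s, tunnel looks down"
    return 1
  fi
  return 0
}

# Run the live check only when invoked as `wgwatch.sh run`, e.g. from cron
# every 5 minutes (*/5 * * * * /root/wgwatch.sh run in /etc/crontabs/root).
case "${1:-}" in run) check_tunnel ;; esac
```

The warning lands in the RUTX11 system log with tag wgwatch, so a remote syslog receiver can match on that tag; the threshold is deliberately a few multiples of the keepalive so one lost packet does not trigger it.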
I use DNS on both routers and saw an option on the RUT to enforce use of its own DNS, even when another DNS (i.e. the Fritzbox WG master) is running. I’m not sure if I should enable or disable it.
Background info:
My Fritzbox is at home and is my gateway. To make things a bit complicated, I have a Pi-hole with unbound running as DNS on a virtual machine (Synology NAS). The Fritzbox is set up to use Pi-hole upstream and downstream, i.e. all my clients learn from my Fritzbox (that still is the DHCP server) that they get their DNS resolution from the Pi-hole (not from the Fritzbox).
My RUTX11 is in my mobile home and connected to my Fritzbox via WG (physically via WiFi at home when near enough, else via GSM/LTE or public WiFi).
So I have two different IP ranges (Fritzbox: 192.168.178.0/24, RUTX11: 192.168.11.0/24).
When at home, all clients are on the Fritzbox network (except a Raspberry Pi 4 that is connected on the car via LAN to the RUTX11).
However, when on the road, at least our mobile phones and tablets connect to the RUTX11 as its SIM has the better data plan.
Sometimes, I get a bit confused about the different IPs the devices get (abroad vs. home), but that’s ok.
But I’m really lost about many settings the RUTX11 offers, e.g. about DNS, hence my question.
I have entered the most important clients (mobiles and tablets) also on my RUTX11, so they get their IPs dynamically (but always the same) from the RUTX11’s DHCP IP range.
E.g., my phone gets 192.168.178.22, when on the Fritzbox network; and 192.168.11.22, when on the RUTX11 network.
Yes, I have a somewhat similar configuration. The RUTX talks to three wg servers running dd-wrt (2) and Openwrt (1). The wg servers each have an Adguardhome DNS in order to get rid of advertisements (I suppose your Pi-hole is there for the same purpose).
Each wg tunnel has the DNS set to the endpoint’s IP address at the other end; the trick is to get rid of the default DNS servers provided by the mobile operator once at least one tunnel is established.
What is the content of the “Allowed IPs” field on your RUTX?
And to which server? If you are on mobile or external wifi you can force the DNS to your FB (your Pi-hole in fact).
Yes, I use Pi-hole to get rid of ads, spam, and other undesired sites. If I see it right, this works also on the road with my RUTX11, as long as its WG connection to my FB at home is up and running.
Maybe I posted below too many details, so I kindly ask to accept my apologies, also for my many questions. If you have one or two hints for me about beneficial or necessary changes, please let me know. Thank you so much for your patience and advice, which I highly appreciate!
My WireGuard (WG) config:
Fritzbox (FB = WG master, IP 192.168.178.1):
IP addresses: 192.168.11.0/24
Advanced - Metric: 3
Advanced - MTU: 1300 [I intentionally set this after reading some recommendation here in the Teltonika Networks forum posts that lowering it to this value might be beneficial.]
Advanced - DNS servers: 192.168.178.1 [I thought I could have the FB’s IP here, because in the FB settings - both upstream and downstream - I have entered the Pi-Hole’s IP, which is 192.168.178.21. It seems to work like this, but I don’t know if this is optimal, or if I should better enter here the IP of my Pi-hole instead of the IP of my FB. Does it make a difference?]
RUTX11 (RUT = WG peer, IP 192.168.11.1):
Allowed IPs: 192.168.178.0/24
Description: RUTX11
Route allowed IPs: enabled [It says it’s optional and to create routes for Allowed IPs for this peer. I’m not sure what this means, but since it’s enabled and the connection seems ok, I assume I should keep it like this, right?]
Advanced - …
Advanced - Persistent keep alive: 25
Advanced - Routing table: (empty)
My RUTX11 Network Interfaces config:
LAN:
Protocol: Static
IPv4 address: 192.168.11.1
IPv4 netmask: 255.255.255.0
IPv4 gateway: 192.168.178.1
IPv4 broadcast: (empty) [But there is a greyed-out value of 192.168.11.255. Do I need this?]
DNS servers: 192.168.178.21 [Here, in contrast to my aforementioned WG DNS setting, I explicitly set the DNS server IP to the one of my Pi-Hole. So here again, I wonder if it makes a difference to setting the FB’s IP (which has set the Pi-Hole’s IP as DNS). I’m glad for advice about this, too.]
Advanced - Use gateway metric: 1
Advanced - IPv6 assignment length: 60 [I never set it and assume it was preset like this. I don’t use IPv6, though; should I set it to `Disabled`? Interestingly, the current value of `60` seems to be custom, as the other standard value would be `64`. I would be happy to be able to leave IPv6 alone, i.e. not use it.]
Advanced - the other Advanced settings show greyed-out values
Physical settings - Bridge interfaces: enabled
Physical settings - Enable STP: disabled
Physical settings - Interface: eth0
Firewall settings - Create / Assign firewall-zone: lan: lan
LAN / DHCP Server tab:
Enable DHCP: enabled
Start IP: 192.168.11.2
End IP: 192.168.11.200
Lease time: 24 hours
Advanced - Dynamic DHCP: enabled
Advanced - Force: enabled [I’m not sure if this is correct for my setup. Is it?]
Advanced - IPv4-Netmask: (empty) [There is a greyed-out value of 255.255.255.0. I assume that I can leave it empty, or should I populate it with this subnet mask?]
Advanced - DHCP-Options: (empty) / (empty) [There are greyed-out values of 6 / 192.168.2.1, but I assume I can leave them empty - or not? The 192.168.2.1 would not fit to my IP ranges, though, and I’m unsure for what exactly this is needed.]
Advanced - Force DHCP options: disabled [Again, I’m not sure if I should enable this in my setup.]
IPv6 Settings: all disabled or left empty
DNS Configuration:
Log queries: disabled
DNS forwardings: (empty) [There’s a greyed-out value of /example.org/10.1.2.3. Can I leave it empty?]
Rebind protection: disabled
Local service only: disabled
Listen interfaces: (empty)
Exclude interfaces: (empty)
Advanced - Filter private: disabled
Advanced - Localise queries: disabled
Advanced - Additional servers file: No file selected
Your configuration looks correct. A few remarks / answers anyway:
While at it, set it to 1280 in case your provider (either of the FB or RUTX) adds IPv6 in the path.
Using the IP of the FB will be easier to maintain, if you replace the pi-hole or change its address you will have only one location to update that is the FB itself. It is less optimal as it adds a step in the address resolution but the performance difference should be negligible.
Of course, this must be enabled.
Set the metric to 3 also there, and set the MTU to 1280
This is correct, but the value won’t need to change if you use 192.168.178.1 and the pi-hole is modified.
Option 6 is the dns-server, set it to 192.168.11.1 just in case.
Enabling the force option is not normally required; leave it as it is.
I use my cable modem in bridge mode. My Fritzbox sits behind it and serves as gateway. I have native IPv4 (no Dual Stack or DS-Lite). So I hope that the MTU setting to 1280 in the two locations will not (too much) diminish the IPv4 performance.