How to set up a RUTX11 as a Wireguard client for Cloudflare WARP VPN

mark129 · September 19, 2023, 5:07pm

Hi all.

I’m in trouble to configure the Wireguard service to work with Cloudflare WARP VPN.

Well, I went to Services->VPN->Wireguard, where I added a new instance and edited it.

1 - In the General setup tab, I set Private key to the value coming from the WARP wg config file, then set addresses to the values from the wg conf file and set listen port to 51820. Eventually I enabled the instance itsekf.
In the Advanced settings tab I set DNS servers to the values coming from the config file and then I set MTU to 1280 as advised.

2 - After all I added a new peer instance.
In the General settings tab I set PublicKey and Allowed IPs as specified in the WARP wg config file and enable “Route Allowed IPs”.
In the Advanced settings tab I set Endpoint host and Endpoint port to the values from the file and eventually I set “persistent keepalive” to “20”.

3 - I saved and applied all the config and then I rebooted the router just to be safe.

Done that… no Internet connection at all, I mean, I cannot surf behind the router NAT with any client (wired or wireless) and also the router’ internal speedtest failed to perform nslookup.
Obviously just disabling the wireguard instance solve this issue.

So, what went wrong? This is my Cloudflare WARP wg config file

[Interface]
PrivateKey = ...snipped_out=
Address = 172.16.0.2/32
Address = 2606:4700:110:8a5b:4e72:b94c:46ee:a0c3/128
DNS = 1.1.1.1,1.0.0.1
MTU = 1280
[Peer]
PublicKey = ...snipped_out=
AllowedIPs = 0.0.0.0/1
AllowedIPs = 128.0.0.0/1
Endpoint = engage.cloudflareclient.com:2408

flebourse · September 19, 2023, 8:05pm

Hello,

With AllowedIPs set to 0.0.0.0/1 + 128.0.0.0/1 all packets are forwarded through the wg interface and have no way to go out, what you need is to add a higher priority route to engage.cloudflareclient.com
This one should do:

ip -4 route add engage.cloudflareclient.com de mob1s1a1 metric 0

Replace mob1s1a1 by the real outpout interface.
Of course you need to set the metric of the wg interface itself to a higher value, 3 will work.
Once you are satisfied, go to Network->Routing->Static Routes and add it there.
Regards,

mark129 · September 20, 2023, 9:11pm

root@teltonika129:~# ip -4 route add engage.cloudflareclient.com dev mob1s2a1 metric 0
Error: inet prefix is expected rather than "engage.cloudflareclient.com".
root@teltonika129:~#

flebourse · September 20, 2023, 9:16pm

Humm yes, use the IP address instead.

nslookup engage.cloudflareclient.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	engage.cloudflareclient.com
Address: 162.159.192.1
Name:	engage.cloudflareclient.com
Address: 2606:4700:d0::a29f:c001

So:
ip -4 route add 162.159.192.1/32 dev mob1s1a1 metric 0
An do the the same ip -6 route add 2606:4700:d0::a29f:c001/128 dev mob1s1a1 metric 0 for the IPv6 address if you have Ipv6 configured on the mobile interface.

mark129 · September 20, 2023, 10:26pm

root@teltonika129:~# ip -4 route add 162.159.192.1/32 dev mob1s2a1 metric 0
Cannot find device "mob1s2a1"
root@teltonika129:~#

flebourse · September 20, 2023, 10:29pm

The device is probably mob1s1a1 if you have only one sim.

mark129 · September 20, 2023, 10:31pm

flebourse · September 20, 2023, 10:35pm

Which firmware version do you use ?
Try to add the route via Network->Routing->Static Routes.

mark129 · September 20, 2023, 11:03pm

RUTX_R_00.07.04.5

I’m not sure how to add a dev route there (it requires an ipv4 gateway).

flebourse · September 20, 2023, 11:09pm

You don’t need an explicit gateway in this case, the target interface is enough.
After creating it, ip -4 route show will report:

162.159.192.1 dev qmimux0 proto static scope link

mark129 · September 21, 2023, 12:03am

I don’t think so: if i don’t fill the gateway field with a valid address, I cannot save any route (“some field are invalid” is the UI answer).

flebourse · September 21, 2023, 9:07am

Then add the following section at the end of /etc/config/network:

config route
        option table '254'
        option interface 'mob1s2a1_4'          
        option target '162.159.192.1'
        option netmask '255.255.255.255'
        option metric '0'

and restart it:

/etc/init.d/network restart

mark129 · September 21, 2023, 5:20pm

Thank you flebourse but I give it up: it’s too much of a hassle for me to just have a banal wireguard client running: these Teltonika routers are just ill-designed for such a basic task.

flebourse · September 21, 2023, 5:24pm

Try a last thing before giving up:
ip -4 route add 162.159.192.1 dev qmimux0 metric 0
and set the metric of the wireguard interface to 2 or 3 in Advanced settings.