I’m having trouble configuring the Wireguard service to work with Cloudflare WARP VPN.
Well, I went to Services->VPN->Wireguard, where I added a new instance and edited it.
1 - In the General setup tab, I set Private key to the value coming from the WARP wg config file, then set addresses to the values from the wg conf file and set listen port to 51820. Eventually I enabled the instance itself.
In the Advanced settings tab I set DNS servers to the values coming from the config file and then I set MTU to 1280 as advised.
2 - After all I added a new peer instance.
In the General settings tab I set PublicKey and Allowed IPs as specified in the WARP wg config file and enabled “Route Allowed IPs”.
In the Advanced settings tab I set Endpoint host and Endpoint port to the values from the file and eventually I set “persistent keepalive” to “20”.
3 - I saved and applied all the config and then I rebooted the router just to be safe.
Done that… no Internet connection at all, I mean, I cannot surf behind the router NAT with any client (wired or wireless) and also the router’s internal speedtest failed to perform nslookup.
Obviously just disabling the wireguard instance solves this issue.
So, what went wrong? This is my Cloudflare WARP wg config file
With AllowedIPs set to 0.0.0.0/1 + 128.0.0.0/1 all packets are forwarded through the wg interface and have no way to go out; what you need is to add a higher priority route to engage.cloudflareclient.com
This one should do:
ip -4 route add engage.cloudflareclient.com dev mob1s1a1 metric 0
Replace mob1s1a1 by the real output interface.
Of course you need to set the metric of the wg interface itself to a higher value, 3 will work.
Once you are satisfied, go to Network->Routing->Static Routes and add it there.
Regards,
root@teltonika129:~# ip -4 route add engage.cloudflareclient.com dev mob1s2a1 metric 0
Error: inet prefix is expected rather than "engage.cloudflareclient.com".
root@teltonika129:~#
So:
ip -4 route add 162.159.192.1/32 dev mob1s1a1 metric 0
And do the same with ip -6 route add 2606:4700:d0::a29f:c001/128 dev mob1s1a1 metric 0 for the IPv6 address if you have IPv6 configured on the mobile interface.
Thank you flebourse but I give it up: it’s too much of a hassle for me to just have a banal wireguard client running: these Teltonika routers are just ill-designed for such a basic task.
Try a last thing before giving up:
ip -4 route add 162.159.192.1 dev qmimux0 metric 0
and set the metric of the wireguard interface to 2 or 3 in Advanced settings.
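For anyone landing here later, the route-ordering point flebourse makes above, worked through as a small POSIX shell script (added here; not from the thread, Teltonika or Cloudflare). It reads Endpoint and AllowedIPs from a constructed WARP-style config, refuses a DNS name the same way "ip route" does, and prints the metric-0 host route for the WAN interface (mob1s1a1 as in the thread; the wg interface metric of 2 or 3 is still set in the UI).

```shell
#!/bin/sh
# Added example (not from the thread): produce the host route a WireGuard
# peer with AllowedIPs 0.0.0.0/1 + 128.0.0.0/1 needs so the tunnel can
# still reach its own endpoint. Config values are constructed/illustrative.
SAMPLE_CONF='[Peer]
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = engage.cloudflareclient.com:2408'

# Read one "Key = value" from the config text (first match wins).
conf_value() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Host part of an Endpoint: "host:port" or "[v6]:port".
endpoint_host() {
    ep="$1"
    case "$ep" in
        \[*\]:*) ep="${ep#\[}"; printf '%s\n' "${ep%%]:*}" ;;
        *)       printf '%s\n' "${ep%:*}" ;;
    esac
}

# 0 for an IPv4/IPv6 literal, 1 for a DNS name ("ip route" rejects names).
is_ip_literal() {
    case "$1" in
        *:*)       return 0 ;;
        *[!0-9.]*) return 1 ;;
        *)         return 0 ;;
    esac
}

# 0 when AllowedIPs sends all IPv4 into the tunnel (/0 or the /1 pair),
# which is exactly when the endpoint route below is mandatory.
tunnel_takes_all_v4() {
    case "$(conf_value AllowedIPs "$1")" in
        *0.0.0.0/0*|*0.0.0.0/1*128.0.0.0/1*|*128.0.0.0/1*0.0.0.0/1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Host route pinning the endpoint to the WAN at metric 0; the wg
# interface keeps a higher metric (2 or 3) so this route wins.
bypass_route() {
    host="$1"; wan="$2"
    is_ip_literal "$host" || { echo "resolve $host to an address first" >&2; return 1; }
    case "$host" in
        *:*) printf 'ip -6 route add %s/128 dev %s metric 0\n' "$host" "$wan" ;;
        *)   printf 'ip -4 route add %s/32 dev %s metric 0\n'  "$host" "$wan" ;;
    esac
}
```

Run tunnel_takes_all_v4 on your own file first; if it returns 0, feed the resolved endpoint address to bypass_route and put the printed route under Network->Routing->Static Routes.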