How to set up a RUTX11 as a Wireguard client for Cloudflare WARP VPN

Hi all.

I’m having trouble configuring the Wireguard service to work with Cloudflare WARP VPN.

Well, I went to Services->VPN->Wireguard, where I added a new instance and edited it.

1 - In the General setup tab, I set Private key to the value coming from the WARP wg config file, then set addresses to the values from the wg conf file and set listen port to 51820. Eventually I enabled the instance itself.
In the Advanced settings tab I set DNS servers to the values coming from the config file and then I set MTU to 1280 as advised.

2 - After all that, I added a new peer instance.
In the General settings tab I set PublicKey and Allowed IPs as specified in the WARP wg config file and enabled “Route Allowed IPs”.
In the Advanced settings tab I set Endpoint host and Endpoint port to the values from the file and eventually I set “persistent keepalive” to “20”.

3 - I saved and applied all the config and then I rebooted the router just to be safe.

Having done that… no Internet connection at all; I mean, I cannot surf behind the router NAT with any client (wired or wireless), and the router’s internal speedtest also failed to perform nslookup.
Obviously, just disabling the wireguard instance solves this issue.

So, what went wrong? This is my Cloudflare WARP wg config file

PrivateKey = ...snipped_out=
Address =
Address = 2606:4700:110:8a5b:4e72:b94c:46ee:a0c3/128
DNS =,
MTU = 1280
PublicKey = ...snipped_out=
AllowedIPs =
AllowedIPs =
Endpoint =


With AllowedIPs set to + all packets are forwarded through the wg interface and have no way to go out, what you need is to add a higher priority route to
This one should do:

ip -4 route add dev mob1s1a1 metric 0

Replace mob1s1a1 with the real output interface.
Of course you need to set the metric of the wg interface itself to a higher value, 3 will work.
Once you are satisfied, go to Network->Routing->Static Routes and add it there.

root@teltonika129:~# ip -4 route add dev mob1s2a1 metric 0
Error: inet prefix is expected rather than "".

Humm yes, use the IP address instead.


Non-authoritative answer:
Address: 2606:4700:d0::a29f:c001

ip -4 route add dev mob1s1a1 metric 0
And do the same, ip -6 route add 2606:4700:d0::a29f:c001/128 dev mob1s1a1 metric 0, for the IPv6 address if you have IPv6 configured on the mobile interface.

root@teltonika129:~# ip -4 route add dev mob1s2a1 metric 0
Cannot find device "mob1s2a1"

The device is probably mob1s1a1 if you have only one sim.

Which firmware version do you use?
Try to add the route via Network->Routing->Static Routes.


I’m not sure how to add a dev route there (it requires an ipv4 gateway).

You don’t need an explicit gateway in this case, the target interface is enough.
After creating it, ip -4 route show will report: dev qmimux0 proto static scope link

I don’t think so: if I don’t fill the gateway field with a valid address, I cannot save any route (“some field are invalid” is the UI answer).

Then add the following section at the end of /etc/config/network:

config route
        option table '254'
        option interface 'mob1s2a1_4'
        option target ''
        option netmask ''
        option metric '0'

and restart it:

/etc/init.d/network restart

Thank you, flebourse, but I give up: it’s too much of a hassle for me to just have a banal wireguard client running: these Teltonika routers are just ill-designed for such a basic task.

Try a last thing before giving up:
ip -4 route add dev qmimux0 metric 0
and set the metric of the wireguard interface to 2 or 3 in Advanced settings.
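
A small helper for the endpoint host route discussed in this thread, as an added example that is not part of any post above. It only prints the `ip route add` command after checking for the two failures seen in the thread (an empty prefix and a non-existent device); the function name `endpoint_route`, the `NETDIR` override and the sample address 192.0.2.10 are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): print the host route that keeps the
# WireGuard endpoint reachable via the WAN device when AllowedIPs covers everything.
# NETDIR is an assumption so the device check can be tested; default is real sysfs.
NETDIR="${NETDIR:-/sys/class/net}"

# endpoint_route ADDR DEV
#   prints the route command on stdout, or returns non-zero with a reason on stderr
endpoint_route() {
    addr="$1"; dev="$2"
    # Empty address is what produced: inet prefix is expected rather than "".
    if [ -z "$addr" ]; then
        echo "error: endpoint address is empty" >&2; return 2
    fi
    # Wrong interface name is what produced: Cannot find device "mob1s2a1"
    case "$dev" in
        ''|*/*) echo "error: bad device name: $dev" >&2; return 3 ;;
    esac
    if [ ! -e "$NETDIR/$dev" ]; then
        echo "error: no such device: $dev" >&2; return 3
    fi
    case "$addr" in
        */*)               # caller passed a prefix; we add /32 or /128 ourselves
            echo "error: pass a bare address, not a prefix" >&2; return 4 ;;
        *[!0-9a-fA-F:.]*)  # anything outside hex digits, ':' and '.' is a hostname
            echo "error: resolve the hostname first: $addr" >&2; return 5 ;;
        *:*)               # IPv6 literal
            echo "ip -6 route add $addr/128 dev $dev metric 0" ;;
        *[!0-9.]*)         # hex letters without ':' is still a hostname
            echo "error: resolve the hostname first: $addr" >&2; return 5 ;;
        *.*.*.*)           # IPv4 literal
            echo "ip -4 route add $addr/32 dev $dev metric 0" ;;
        *)
            echo "error: not an IP address: $addr" >&2; return 5 ;;
    esac
}

# Usage: sh endpoint-route.sh <endpoint-ip> <wan-device>
# e.g. with the constructed address 192.0.2.10 and the device name from the thread:
#   sh endpoint-route.sh 192.0.2.10 mob1s1a1
if [ "$#" -ge 2 ]; then
    endpoint_route "$1" "$2"
fi
```

Review the printed command before running it, and remember that the WireGuard interface metric still has to be raised as described in the replies above.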
