How to set up a dial-in VPN using the WireGuard server

Hello all,

I am not new to networking and routing but I am struggling with this.

I would like to set up a “dial-in” VPN server using the built-in WireGuard in my TRB500, then connect to it from any Windows client computer over the internet.

It would be nice to use a username, password and some sort of keys for extra security.

I can't find any help in the manuals for achieving this, only site-to-site examples.
I have tried searching the internet for help as well.

Anyone managed to do this?

I need help with server setup and the client setup.

Firmware right now is 7.09

Standard setup/procedure. The simplest is to use Tailscale, which is based on WireGuard. Tailscale runs its own “WireGuard server” as a relay. In case you do not trust a third party, you need to set up a VPS (with a public IP) yourself as a relay. In a few words, your TRB establishes a WireGuard tunnel to the VPS, which works as a router (relay) for your Windows machine, which also connects to it using WireGuard.

I'm not familiar with Tailscale, but it sounds like a VPS is a service/server elsewhere that you use? You have to buy some sort of service to use it?

I'm asking to use only the Teltonika itself here, without buying another service. The site-to-site IPsec works perfectly.

If it is not possible to use the built-in services, I will put it in bridge mode, then connect it to a pfSense router; then I can set it up using several different VPNs.

… The site-to-site IPsec works perfectly. … Never used IPsec. So: how does it work behind simple NAT, or behind CGNAT in cell networks?
Tailscale usage is free for small numbers of clients, non-commercial. Connection via their own public server.

Does this mean that your Teltonika device already has a Public IP?

Yes I have a public IP. Here in Sweden you can request it from your ISP if you want it.

The problem I have is how to set up the WireGuard server and client. I thought I was clear in my first post, but English is not my native language.

IPsec only works with a public IP, to the best of my knowledge. But with OpenVPN site-to-site or WireGuard, you only need to have it on one end.

Yes, it is possible with just WireGuard … I'll dig out a couple of pages of our documentation and post back … probably within the hour.

Here it is. I'm no WireGuard expert, but this works for me.

If an additional layer of security is required, then a pre-shared key can be added, which is a 44-character key string that always ends in ‘=’, e.g. /UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak=

This adds a layer of symmetric-key cryptography to the traffic between specific peers – note that both sides need to have the same PresharedKey in their respective [Peer] sections.

You can add this to the Teltonika HOME SERVER in the Peer > Advanced Settings under ‘Preshared key =’.

For a Windows client running the WireGuard app, edit the tunnel and add a line at the end of the [Peer] section that reads (using the example key above): PresharedKey = /UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak=

Use a different pre-shared key for each client.

Good luck,

Mike


Worked perfectly! Thanks Mike! :grinning: :grinning:

I used the remote LAN as the allowed IP, then I could access stuff on the remote network.
I suppose it's like “split tunneling” then.

Good to see, it all worked out fine.

I guess the behaviour is like split tunneling, whether Wireguard ‘purists’ would agree, I’m not sure.

Enjoy,

Mike
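Mike's recipe (a key pair on each side, a distinct pre-shared key per client in both [Peer] sections) and the AllowedIPs point from the last exchange, pulled together as an added example; this is not Mike's documentation, Teltonika's code or the WireGuard project's tooling. It generates the key material in pure Python (RFC 7748 X25519, so it runs where the `wg` tool is not installed), emits one config for the TRB side and one per Windows client, and cross-checks that both sides agree. The tunnel subnet 10.10.10.0/24, port 51820, the endpoint vpn.example.invalid:51820, the remote LAN 192.168.1.0/24 and the client names are assumed values; substitute your own. The config key is spelled PresharedKey in the WireGuard config format.

```python
# Added example, not Mike's documentation or Teltonika's code. Pure-Python X25519 (RFC 7748)
# so it runs without `wg`; addresses, port, endpoint and remote LAN below are assumptions.
import base64
import os

P = 2**255 - 19                     # Curve25519 field prime
A24 = 121665                        # (486662 - 2) / 4
BASEPOINT = bytes([9]) + bytes(31)  # u = 9, little-endian

def _clamp(raw: bytes) -> bytearray:  # RFC 7748 clamping, also what `wg genkey` applies
    k = bytearray(raw)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return k

def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 X25519 Montgomery ladder: scalar * point, 32 bytes each, little-endian."""
    k = int.from_bytes(_clamp(scalar), "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + A24 * (aa - bb)) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_genkey() -> str:
    """Private key as `wg genkey` prints it: 32 clamped random bytes, base64."""
    return base64.b64encode(_clamp(os.urandom(32))).decode()

def wg_genpsk() -> str:
    """Pre-shared key as `wg genpsk` prints it: 32 random bytes, base64 (44 chars, ends in '=')."""
    return base64.b64encode(os.urandom(32)).decode()

def wg_pubkey(private_b64: str) -> str:
    """Public key as `wg pubkey` derives it: X25519(private, basepoint)."""
    return base64.b64encode(x25519(base64.b64decode(private_b64), BASEPOINT)).decode()

def is_wg_key(s: str) -> bool:
    """Any WireGuard key or PSK is 32 bytes, hence exactly 44 base64 chars ending in '='."""
    try:
        return len(s) == 44 and s.endswith("=") and len(base64.b64decode(s, validate=True)) == 32
    except ValueError:
        return False

def server_config(priv: str, address: str, port: int, peers: list) -> str:
    """Home-server side: the values entered on the TRB's WireGuard pages, one [Peer] per client."""
    out = ["[Interface]", f"PrivateKey = {priv}", f"Address = {address}", f"ListenPort = {port}"]
    for name, pub, psk, ip in peers:  # server accepts only that client's own tunnel address
        out += ["", f"# {name}", "[Peer]", f"PublicKey = {pub}", f"PresharedKey = {psk}", f"AllowedIPs = {ip}/32"]
    return "\n".join(out) + "\n"

def client_config(priv: str, address: str, server_pub: str, psk: str, endpoint: str, allowed: list) -> str:
    """Windows WireGuard app tunnel. AllowedIPs = tunnel net + remote LAN gives the split tunnel
    discussed in the thread; AllowedIPs = 0.0.0.0/0 would send all client traffic via the TRB."""
    return "\n".join([
        "[Interface]", f"PrivateKey = {priv}", f"Address = {address}/32", "",
        "[Peer]", f"PublicKey = {server_pub}", f"PresharedKey = {psk}", f"Endpoint = {endpoint}",
        f"AllowedIPs = {', '.join(allowed)}", "PersistentKeepalive = 25",  # keeps NAT/CGNAT mappings alive
    ]) + "\n"

def parse_config(config: str) -> tuple:
    """Minimal INI reader: ([Interface] dict, list of [Peer] dicts); used to cross-check both sides."""
    iface, peers, cur = {}, [], None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            peers.append(cur := {})
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
    return iface, peers

def build_site(endpoint="vpn.example.invalid:51820", remote_lan="192.168.1.0/24",
               names=("laptop", "desktop")) -> tuple:
    """One server plus one client per name, each client with its own PSK and a split tunnel."""
    server_priv = wg_genkey()
    server_pub = wg_pubkey(server_priv)
    peers, clients = [], {}
    for i, name in enumerate(names, start=2):
        priv, psk, ip = wg_genkey(), wg_genpsk(), f"10.10.10.{i}"
        peers.append((name, wg_pubkey(priv), psk, ip))
        clients[name] = client_config(priv, ip, server_pub, psk, endpoint, ["10.10.10.0/24", remote_lan])
    return server_config(server_priv, "10.10.10.1/24", 51820, peers), clients

if __name__ == "__main__":
    server, clients = build_site()
    print(server, *(f"# ---- {n}.conf ----\n{c}" for n, c in clients.items()), sep="\n")
```

On the TRB the [Interface] and [Peer] values are entered field by field in the WireGuard pages (the PSK under Peer > Advanced Settings, as Mike describes), while each client block can be pasted into a new empty tunnel in the Windows app or saved as name.conf and imported. The server's AllowedIPs for a client is that client's /32 only, so a stolen client key cannot inject traffic with other source addresses; the client's AllowedIPs lists the tunnel subnet and the remote LAN, which is the split-tunnel behaviour observed above, and 0.0.0.0/0 there would instead route everything through the TRB. For real deployments generate the keys with `wg genkey | tee client.key | wg pubkey` and `wg genpsk`; the Python curve code is here only to show what the 44-character strings are.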
