Need help setting up WireGuard

Hi guys, I don’t understand how to configure WireGuard…
I was using OpenVPN to connect several Teltonika devices; now I would like to test WireGuard.
On the OpenVPN server I create certificates, assign static IPs to the Teltonika devices, connect to clients and connect among clients.
On the Teltonika side I just load the OpenVPN configuration files and set NAT on the firewall.

Now I am creating certificates using Wireguard-UI:

Server

  • address 10.252.1.0/24
  • private key “Server_PrivateKey”
  • public key “Server_PublicKey”

I get following configuration files for my clients:

Client1
[Interface]
Address = 10.252.1.11/32
PrivateKey = Client1_PrivateKey
DNS = 8.8.8.8,1.1.1.1,10.252.1.0
MTU = 1450

[Peer]
PublicKey = Server_PublicKey
PresharedKey = Client1_PresharedKey
AllowedIPs = 0.0.0.0/0
Endpoint = 8.8.1.1:51820
PersistentKeepalive = 15

Client2
[Interface]
Address = 10.252.1.11/32
PrivateKey = Client2_PrivateKey
DNS = 8.8.8.8,1.1.1.1,10.252.1.0
MTU = 1450

[Peer]
PublicKey = Server_PublicKey
PresharedKey = Client2_PresharedKey
AllowedIPs = 0.0.0.0/0
Endpoint = 8.8.1.1:51820
PersistentKeepalive = 15

On Teltonika side
New wireguard instance (let’s say Client1),
Private key = Client1_PrivateKey
PublicKey = empty
Listen port = 51820
IP Addresses = 0.0.0.0/0

New peer:
Public key = Server_PublicKey
Allowed IPs: 10.252.1.11
Preshared Key = Client1_PresharedKey
Endpoint Host = 8.8.1.1

New wireguard instance (let’s say Client2),
Private key = Client2_PrivateKey
PublicKey = empty
Listen port = 51820
IP Addresses = 0.0.0.0/0

New peer:
Public key = Server_PublicKey
Allowed IPs: 10.252.1.12
Preshared Key = Client2_PresharedKey
Endpoint Host = 8.8.1.1

Is this correct?
The server’s interface tells me the clients are connected, but I get no IP address on the Teltonika; I am confused…

The wg command tells me:
root@GRDI:~# wg
interface: wg
public key: MN7/5RGxJMO-xyz= (different from any public key)
private key: (hidden)
listening port: 51820

peer: Server_PublicKey
preshared key: (hidden)
endpoint: 213.199.63.232:51820
allowed ips: 10.252.1.111/32
latest handshake: 40 seconds ago
transfer: 628 B received, 860 B sent
persistent keepalive: every 15 seconds

Is there something I am missing?
Thanks.

Ok, after several “try and try again” attempts I solved it:

Here is the template file for client “grdi”, made using Wireguard-UI, where I set my client IP to 10.252.1.69:

[Interface]
Address = 10.252.1.69/32
PrivateKey = gMMzScFwFxYIAbaWv/hyHRGB94C1kCVOjqRtt6xAi4Y=
DNS = 8.8.8.8,1.1.1.1,10.252.1.0
MTU = 1450

[Peer]
PublicKey = 3zb4f5k8IH/GgISE2X6MberUxnHdZOUFi8tdq2hO5G8=
PresharedKey = w5V8hZXXsC9C/bB+ktvjF8Qfkm5rWUtL6lDQJCHGCWw=
AllowedIPs = 10.252.1.0/24
Endpoint = 2.7.9.14:51820
PersistentKeepalive = 15

On Teltonika client:

  • new Wireguard interface called “grdi”

  • on grdi → general setup:

    Enable = on
    Private Key = gMMzScFwFxYIAbaWv/hyHRGB94C1kCVOjqRtt6xAi4Y=
    Public Key = leave blank, it works
    Listen Port = 51820 (the same for endpoint)
    IP Addresses = 10.252.1.69/32

  • create new peer called “wg”

  • on Wireguard peer “wg” → general setup:
    Public Key = 3zb4f5k8IH/GgISE2X6MberUxnHdZOUFi8tdq2hO5G8=
    Allowed IPs = 10.252.1.0/24

  • on Wireguard peer “wg” → advanced settings:
    Preshared Key = w5V8hZXXsC9C/bB+ktvjF8Qfkm5rWUtL6lDQJCHGCWw=
    Route Allowed IPs = on (if you need to connect to devices behind your Teltonika)
    Endpoint Port = 51820
    Persistent Keep Alive = 15

It will automatically create a new firewall rule to accept all incoming traffic on port 51820; keep in mind to place this rule at the top, so that it does not end up below any “DROP ALL” rule.

On the Teltonika I can see the new “grdi” interface:

root@GRDI:~# ifconfig
br-lan Link encap:Ethernet HWaddr 00:1E:42:42:05:65

grdi Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.252.1.69 P-t-P:10.252.1.69 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:35 errors:0 dropped:0 overruns:0 frame:0
TX packets:45 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1804 (1.7 KiB) TX bytes:2404 (2.3 KiB)

Then I can ping the other client (such as 10.252.1.120), and from 10.252.1.120 (WireGuard client installed on my Android smartphone) I can access the Teltonika web page (10.252.1.69) and the devices behind the Teltonika (10.252.1.69:50000), obviously after setting a specific NAT rule:

config redirect
	option dest_port '50000'
	option name 'TCP_50000_WG'
	option src_dport '5000'
	option target 'DNAT'
	option dest_ip '192.168.1.2'
	option proto 'tcp udp'
	option dest 'lan'
	option reflection '0'
	option src 'wireguard'
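
The mistakes that cost the thread several “try and try again” rounds (placeholder keys left in a config, a peer whose Allowed IPs lists only the client’s own address, AllowedIPs = 0.0.0.0/0 on a router, two clients both handed 10.252.1.11) can be caught before the config is loaded on the device. The checker below is an added example, not code from the thread’s author or from Teltonika: it parses Wireguard-UI style client files and flags those cases; the 10.252.1.0/24 tunnel subnet is taken from the thread, and every key and address it is fed is constructed.

```python
import ipaddress
import re

# Tunnel subnet from the thread; the configs fed to these checks are constructed.
SERVER_SUBNET = ipaddress.ip_network("10.252.1.0/24")

def parse_wg_conf(text):
    """Parse a wg-quick style file into {"Interface": {...}, "Peer": [{...}, ...]}."""
    conf, current = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding blanks
        if line.startswith("[") and line.endswith("]"):
            current = conf["Interface"] if line == "[Interface]" else {}
            if line == "[Peer]":
                conf["Peer"].append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value  # tolerates sloppy spacing such as "PresharedKey =x"
    return conf

def valid_key(value):
    """A WireGuard key is 32 bytes of base64: 43 data chars (last one padded) plus '='."""
    return re.fullmatch(r"[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=", value) is not None

def check_client(conf):
    """Findings for one client config; an empty list means it looks sane."""
    findings, iface = [], conf["Interface"]
    addr = ipaddress.ip_interface(iface.get("Address", "0.0.0.0/32"))
    if addr.ip not in SERVER_SUBNET:
        findings.append(f"Address {addr} is outside {SERVER_SUBNET}")
    if not valid_key(iface.get("PrivateKey", "")):
        findings.append("PrivateKey is not a 32-byte base64 key (placeholder left in?)")
    for peer in conf["Peer"]:
        if not valid_key(peer.get("PublicKey", "")):
            findings.append("peer PublicKey is not a 32-byte base64 key")
        allowed = [ipaddress.ip_network(a.strip(), strict=False) for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
        if any(net.prefixlen == 0 for net in allowed):
            findings.append("AllowedIPs 0.0.0.0/0 sends all router traffic into the tunnel")
        elif not any(SERVER_SUBNET.subnet_of(net) for net in allowed):
            findings.append(f"AllowedIPs {[str(n) for n in allowed]} does not cover {SERVER_SUBNET}: other VPN clients stay unreachable")
    return findings

def check_fleet(confs):
    """Cross-client check: two clients must never share a tunnel Address."""
    seen, findings = {}, []
    for name, conf in confs.items():
        addr = conf["Interface"].get("Address")
        if addr in seen:
            findings.append(f"{name} reuses Address {addr} already given to {seen[addr]}")
        seen.setdefault(addr, name)
    return findings
```

Run check_client on each generated file and check_fleet on the whole set before pasting keys into the Teltonika GUI; the same checks apply to the peer you create there, where Allowed IPs must cover the tunnel subnet rather than the router’s own address.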

Hello,

I strongly recommend referring to our wiki pages while setting up WireGuard:

I hope this helps you!

Best Regards,
