Reaching an RUTX subnet remotely wireguarded through a second RUTX, from a subnet on a third RUTX!

Our offices are out in the sticks and I am having trouble getting two subnets to talk to each other (I am OK with really basic networking but I get stumped when things like this don’t work as I expected). As the 4th subnet that is connected via pfsense is working fine, I have proved that it is possible, so I just need to know where I am going wrong with the RUTX09 configuration.

AWS (wireguard 10.100.10.1) used to bridge networks together as it’s the only point with a fixed IP.
Teltonika RUTX50 in main office 10.10.10.1 (Wireguard 10.100.10.100).
Teltonika RUTX11 in remote office 10.11.10.1 (Wireguard 10.100.10.101).
Teltonika RUTX09 near main office 10.30.10.1 port 3 set to 10.10.10.5 and connected to main office LAN.
PFSense near main office 10.20.1.1 port X set to 10.10.10.4 and connected to main office LAN.

10.10.10.X can talk to 10.11.10.X.
10.20.10.X can talk to 10.11.10.X (10.10.10.1 has a static route 10.11.10.0 to 10.10.10.0).
10.30.10.X will not talk to 10.11.10.X.

10.20.10.X can talk to 10.10.10.X.
10.30.10.X can talk to 10.10.10.X.

I have tried adding a static route for 10.11.10.X to gateway 10.10.10.1 like pfsense has (I did this), on the RUTX09.
I noticed that pfsense has an entry in NAT that it has made automatically for 10.11.10.1.
I don’t see any way of adding NAT to a subnet that isn’t associated to a LAN interface on the Teltonika units and suspect that is the problem.

I have gotten around it by also setting up wireguard on the RUTX09 but I would prefer it to work through the one link like 10.30.10.X does on pfsense.

Can anyone help me with this please?

Thanks!

Kev.

Hello,
There should be no need to use static routes (nor NAT either); everything should be done via the Allowed IPs lists:

  • on the RUTX11, set Allowed IPs to 10.100.10.0/24 + 10.10.10.0/24 + 10.20.10.0/24 + 10.30.10.0/24
  • on the AWS server:
      • for the RUTX11 peer, set Allowed IPs to 10.100.10.101/32 + 10.11.10.0/24
      • for the RUTX50 peer, set Allowed IPs to 10.100.10.100/32 + 10.10.10.0/24 + 10.20.1.0/24 + 10.30.10.0/24
  • on the RUTX50, set Allowed IPs to 10.100.10.0/24 + 10.11.10.0/24

No need to NAT anymore.
Regards,

Oops, of course you need static routes on the RUTX50 in order to reach the RUTX09 and the pfSense, but this is not a wireguard issue.
You can create them with:

ip -4 route add 10.30.10.0/24 via 10.10.10.5 metric 1
ip -4 route add 10.20.1.0/24 via 10.10.10.4 metric 1

or the equivalent menu in Network->Routing/Static IPv4 routes.

Hi Flebourse - thanks very much for your response!

I got the IP ranges wrong in my haste so I have changed them for my sanity:

I am concerned about trying this as I am pretty sure some of these settings locked me out of the routers before when I first tested wireguard on the Teltonika units… basically I found that I had to use the LAN from the opposite end of the connection in each case. So these are the settings that I currently have:

RUTX50: IP Addresses 10.10.100.100/24
RUTX50 Peer: Allowed IPs 10.10.100.100/24, 10.11.10.0/24

RUTX11: IP Addresses 10.10.100.101/24
RUTX11 Peer: Allowed IPs 10.10.100.101/24, 10.10.10.0/24, 10.30.10.0/24*

*only added since I have temporarily connected RUTX09 via its own wireguard connection.

With the existing settings above I can connect from 10.10.10.X to 10.11.10.X, I can connect from 10.20.10.X to 10.11.10.X and I can connect from 10.11.10.X to 10.10.10.X (but not 10.20.10.X which is fine and preferred at the moment).

When I got locked out, I came to the conclusion that allowing the IP of the local subnet was actually causing any connection to the router to be routed across wireguard and so I could no longer log into the web UI!

You have suggested that I set allowed IPs in a non-peer menu as well, but the only other options I get in the menu before the peer menu is “IP Addresses”.

I would really appreciate it if you can clear up my confusion over which LAN range to put where, where the other lists of “Allowed IPs” are, and maybe explain how the subnet works in the context of a wireguard link please?

(note understood about the static routes, I was confused last night when you said that they were not needed as I couldn’t understand how those two networks would ever route to RUTX50, so at least I understand that bit!)

Thanks for your time, this is really helpful.

Kev.

In Allowed IPs you declare the hosts/nets you want to reach via the wg tunnel; for example, on the RUTX11 that would be all the wg network itself (10.100.10.0/24) plus all the LANs on the RUTX50’s side (10.10.10.0/24 + 10.30.10.0/24 + 10.20.10.0/24). How the RUTX50 will route packets for 10.30.10.0/24 is not a concern on the RUTX11’s side.

The same applies on the RUTX50’s side: both the wg network and the RUTX11’s LAN have to be reachable, so Allowed IPs would be 10.100.10.0/24 + 10.11.10.0/24.

On the AWS side you have to be very careful: you have two peers, so for each peer you need to specify the LANs (10.x.10.0/24) plus the wg host (not LAN), that would be 10.100.10.101/32 (not /24) and 10.100.10.100/32.

As the wg network is most of the time a management network only, I prefer to have it in a separate address space; I use 172.[16…31].x.y for this purpose. The configuration is much easier to read and maintain.
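As an added illustration of the two replies above (not code from this thread, from Teltonika or from the WireGuard project), here is a small Python model of the hub-and-spoke routing being discussed. It encodes the Allowed IPs lists Flebourse suggests plus the two static routes on the RUTX50, applies WireGuard's two cryptokey-routing rules (outbound: the destination must fall in exactly one peer's Allowed IPs; inbound: the source must fall in the sending peer's Allowed IPs), and traces a packet from the RUTX09 LAN to the RUTX11 LAN and back, once with 10.30.10.0/24 missing from the AWS and RUTX11 lists (Kev's original situation) and once with it present. It also flags the two configuration mistakes the thread mentions: a router's own LAN inside its peer's Allowed IPs (the lock-out), and the same prefix listed for two peers on the hub. The node names, the sample packets and the pfSense LAN (10.20.10.0/24; the opening post uses both 10.20.1.x and 10.20.10.x) are my assumptions.

```python
"""Model of the hub-and-spoke WireGuard routing discussed in this thread.
Constructed example; not Teltonika, pfSense or WireGuard code. Two rules of
WireGuard's cryptokey routing are applied:
  * outbound: a packet is handed to the one peer whose AllowedIPs contains the
    destination (longest prefix wins); no match means no tunnel;
  * inbound: a decrypted packet is dropped unless its source address lies in
    the sending peer's AllowedIPs.
Each box's routing table = connected LANs + static routes + routes for
AllowedIPs (as wg-quick installs by default)."""
from ipaddress import ip_address, ip_interface, ip_network


class Node:
    def __init__(self, name, lans, wg_addr, peers, static_routes=()):
        self.name = name
        self.lans = [ip_interface(l) for l in lans]          # e.g. "10.10.10.1/24"
        self.wg_addr = ip_address(wg_addr) if wg_addr else None
        self.peers = {p: [ip_network(n) for n in nets] for p, nets in peers.items()}
        self.static_routes = [(ip_network(d), ip_address(g)) for d, g in static_routes]

    def owns(self, addr):
        return addr == self.wg_addr or any(l.ip == addr for l in self.lans)

    def on_lan(self, addr):
        return any(addr in l.network for l in self.lans)

    def route(self, dst):
        """Longest-prefix match; returns ("gateway", ip), ("wg", peer) or None."""
        cands = [(n, ("gateway", g)) for n, g in self.static_routes]
        cands += [(n, ("wg", p)) for p, nets in self.peers.items() for n in nets]
        cands = [c for c in cands if dst in c[0]]
        return max(cands, key=lambda c: c[0].prefixlen)[1] if cands else None

    def accepts(self, peer, src):
        return any(src in n for n in self.peers.get(peer, []))

    def warnings(self):
        """The two AllowedIPs mistakes the thread runs into."""
        out, seen = [], {}
        for peer, nets in self.peers.items():
            for n in nets:
                if any(l.ip in n for l in self.lans):      # own LAN inside a peer's AllowedIPs
                    out.append(f"{self.name}: peer {peer} AllowedIPs {n} covers own LAN address; "
                               "a tunnel route for it rivals the connected route (web UI lock-out risk)")
                if n in seen and seen[n] != peer:          # a prefix belongs to exactly one peer
                    out.append(f"{self.name}: {n} listed for peers {seen[n]} and {peer}; "
                               "the kernel keeps it on whichever was set last")
                seen[n] = peer
        return out


def trace(nodes, src, dst, max_hops=8):
    """Hop-by-hop path of a packet from src to dst, ending with a verdict string."""
    src, dst = ip_address(src), ip_address(dst)
    by_name = {n.name: n for n in nodes}
    cur = next(n for n in nodes if n.on_lan(src))
    path = [cur.name]
    for _ in range(max_hops):
        if cur.owns(dst) or cur.on_lan(dst):
            return path + [f"delivered to {dst}"]
        via = cur.route(dst)
        if via is None:
            return path + [f"{cur.name}: no route to {dst}"]
        kind, target = via
        if kind == "gateway":
            nxt = next(n for n in nodes if n.owns(target))
        else:
            nxt = by_name[target]
            if not nxt.accepts(cur.name, src):           # inbound check at the receiving peer
                return path + [f"{nxt.name}: dropped, {src} not in AllowedIPs of peer {cur.name}"]
        path.append(nxt.name)
        cur = nxt
    return path + ["hop limit exceeded"]


def topology(hub_knows_rutx09_lan=True):
    """Thread's addressing; pfSense LAN assumed to be 10.20.10.0/24 (constructed)."""
    rutx50_side = ["10.10.10.0/24", "10.20.10.0/24"] + (["10.30.10.0/24"] if hub_knows_rutx09_lan else [])
    return [
        Node("aws", [], "10.100.10.1", {"rutx50": ["10.100.10.100/32"] + rutx50_side,
                                        "rutx11": ["10.100.10.101/32", "10.11.10.0/24"]}),
        Node("rutx50", ["10.10.10.1/24"], "10.100.10.100", {"aws": ["10.100.10.0/24", "10.11.10.0/24"]},
             [("10.30.10.0/24", "10.10.10.5"), ("10.20.10.0/24", "10.10.10.4")]),   # Flebourse's two routes
        Node("rutx11", ["10.11.10.1/24"], "10.100.10.101", {"aws": ["10.100.10.0/24"] + rutx50_side}),
        # RUTX09 and pfSense carry no tunnel, just a static route for the remote LAN via the RUTX50
        Node("rutx09", ["10.30.10.1/24", "10.10.10.5/24"], None, {}, [("10.11.10.0/24", "10.10.10.1")]),
        Node("pfsense", ["10.20.10.1/24", "10.10.10.4/24"], None, {}, [("10.11.10.0/24", "10.10.10.1")]),
    ]


if __name__ == "__main__":
    for complete in (False, True):
        nodes = topology(complete)
        print(f"hub and RUTX11 list 10.30.10.0/24: {complete}")
        print("  ", " -> ".join(trace(nodes, "10.30.10.20", "10.11.10.20")))
        print("  ", " -> ".join(trace(nodes, "10.11.10.20", "10.30.10.20")))
    print(*Node("rutx50", ["10.10.10.1/24"], "10.100.10.100",
                {"aws": ["10.100.10.0/24", "10.10.10.0/24"]}).warnings(), sep="\n")
```

With the incomplete lists the forward packet reaches AWS and is dropped there because 10.30.10.20 is not in the RUTX50 peer's Allowed IPs, and the reply never leaves the RUTX11 because nothing matches 10.30.10.20; with the complete lists both directions are delivered, the RUTX50 using its static route for the last hop. The RUTX09 and the pfSense need nothing beyond a route for 10.11.10.0/24 via 10.10.10.1, and no NAT appears anywhere.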

Thank you very much.

That all makes sense. I will play with it a bit more when I can put some more time to it - I can’t see any reason why it shouldn’t work with this guidance!

Thanks again,

Kev.
