RUT241 wireguard routing

Hi, I am trying to reach devices on the RUT’s LAN using wireguard VPN from my PC.

The RUT is on a mobile internet connection without public ip, so I utilize a third machine (a small VPS in a data center) with a public ip.

From my local PC (Windows 11), I want to reach devices connected to the RUT’s LAN. The RUT’s LAN port is setup to 192.168.0.50/24.

Devices on the RUT’s LAN are manually set to a static ip in the 192.168.0.0/24 range.

I have the wireguard setup up & running, I can ping the wireguard ip’s on net 10.0.98.0/24 back and forth.

I added 192.168.0.2/32 to the “Allowed IPs” in the wg.conf and the RUT and set the switch to enable routing.

But I just can’t get the routing going. No ping using an ip from the 192.168.0.0/24 range.

This is what I setup, I skipped the keys:

On “Sun” – machine with public ip, “wireguard-server”:

# Sun
[Interface]
Address = 10.0.98.1/24
ListenPort = 51826

# RUT
[Peer]
AllowedIPs = 10.0.98.2/32, 192.168.0.2/32
PersistentKeepalive = 25

# PC (Loewe)
[Peer]
AllowedIPs = 10.0.98.3/32, 192.168.0.2/32
PersistentKeepalive = 25

On “PC” – local Windows PC, wireguard-client 1 :

# PC (Loewe)
[Interface]
Address = 10.0.98.3/32
MTU = 1280

# Sun
[Peer]
Endpoint = <sun’s public ip>:51826
AllowedIPs = 10.0.98.0/24, 192.168.0.2/32
PersistentKeepalive = 25

On “RUT241” , wireguard-client 2:

interface:
ip address = 10.0.98.2/32
Advanced:
Port 51826

peer Sun:
Endpoint = <sun’s public ip>
Allowed ip = 10.0.98.0/24, 192.168.0.2/32
Advanced:
Tunnel source: Any
Preshared key, Endpoint port 51826

Hello,

Please try to change the allowed IPs list to contain 192.168.0.0/24 instead of 0.2/32, so that’ll cover the entire subnet instead.

Next, please reach the RUT241, log in to the WebUI of the device & head to Network → Firewall → Zones (Or general settings, if on an older firmware), and enable “Masquerading” for the LAN => WAN zone.

Next, please make sure that your firmware is upgraded to at least 7.17.5, as there were issues in earlier firmwares regarding WireGuard routes, which could also be the cause of your issue. The firmware download page can be found here: RUT241 Firmware Downloads - Teltonika Networks Wiki

The fixes, specifically, came out with 7.17, so anything above that firmware version will suffice.

Please re-test after these changes and let me know how it goes.

Regards,
M.

Thank you very much!

I am now able to ping the RUT from my PC using its LAN ip 192.168.0.50/24. But not the device 0.2.

I tried this from the RMS CLI:

root@RUT241:~# ip r
default via 192.168.99.1 dev wlan0-2 proto static src 192.168.99.73 metric 2 ← this is my internet gateway - I am connected to its Wifi

default dev qmimux0 proto static scope link src 10.183.101.118 metric 3
10.0.98.0/24 dev plc proto static scope link
10.183.101.118 dev qmimux0 proto static scope link src 10.183.101.118 metric 3
via 192.168.99.1 dev wlan0-2 metric 2
dev qmimux0 scope link metric 3
192.168.0.0/24 dev plc proto static scope link
192.168.99.0/24 dev wlan0-2 proto static scope link src 192.168.99.73 metric 2
root@RUT241:~#

From the RMS CLI, I can ping the RUT’s LAN ip.
But not the device 0.2.

I have also configured the OpenVPN service, it’s not connected right now, but could it interfere?

…sorry there was something missing

root@RUT241:~# ip r
default via 192.168.99.1 dev wlan0-2 proto static src 192.168.99.73 metric 2
default dev qmimux0 proto static scope link src 10.183.101.118 metric 3
10.0.98.0/24 dev plc proto static scope link
10.183.101.118 dev qmimux0 proto static scope link src 10.183.101.118 metric 3

via 192.168.99.1 dev wlan0-2 metric 2
dev qmimux0 scope link metric 3

via 192.168.99.1 dev wlan0-2 metric 2
dev qmimux0 scope link metric 3
192.168.0.0/24 dev plc proto static scope link
192.168.99.0/24 dev wlan0-2 proto static scope link src 192.168.99.73 metric 2

…new try:

root@RUT241:~# ip r
default via 192.168.99.1 dev wlan0-2 proto static src 192.168.99.73 metric 2
default dev qmimux0 proto static scope link src 10.183.101.118 metric 3
10.0.98.0/24 dev plc proto static scope link
10.183.101.118 dev qmimux0 proto static scope link src 10.183.101.118 metric 3
##sun-ip## via 192.168.99.1 dev wlan0-2 metric 2
##sun-ip## dev qmimux0 scope link metric 3
192.168.0.0/24 dev plc proto static scope link
192.168.99.0/24 dev wlan0-2 proto static scope link src 192.168.99.73 metric 2
root@RUT241:~#

Hello,

Very well could! If it is not necessary at the moment, I would most definitely suggest deleting it entirely to avoid possible conflicts.

Regarding the pings still failing, could you try to ping your device locally? In the CLI, just enter ping -I br-lan 192.168.0.2 to see if it goes through. If it fails, it could be a faulty end device, or the LAN device (192.168.0.2) might have an incorrect subnet mask or gateway.

Regards,
M.

From the CLI, ping -I br-lan 192.168.0.2 is working! But not ping 192.168.0.2.

I am unsure how to delete all the OpenVPN. You mean to switch off all the switches on the left hand side?

right hand side

I also double-checked the device settings: 192.168.0.2/24 Gateway 192.168.0.50.

I had this before (with OpenVPN), in that case I had to add the gateway setting, but then, using masquerade, it also worked without.

Tried something else:

root@RUT241:~# traceroute 192.168.0.2
traceroute to 192.168.0.2 (192.168.0.2), 30 hops max, 46 byte packets
1 10.0.98.1 (10.0.98.1) 39.943 ms 30.881 ms 28.320 ms
2 10.0.98.3 (10.0.98.3) 58.661 ms 59.679 ms 65.860 ms
3 *^C
root@RUT241:~#

It seems the RUT sends packets into the tunnel instead of into the local net?

It finally worked after manually modifying the route on the RUT’s CLI:
ip route del 192.168.0.0/24 dev plc
ip route add 192.168.0.0/24 dev br-lan

But how to do it via the UI?
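
Added example, not part of the thread and not Teltonika's code: a small audit of the "Allowed IPs" lists posted above. It flags two things the traceroute and `ip r` output in this thread point at: a prefix listed under two peers of the same interface (WireGuard keeps it only on the last peer configured), and a prefix that overlaps a subnet the host is directly connected to (which, once allowed IPs are installed as routes, sends LAN traffic into the tunnel). The function name, the dictionary layout and the "fixed" lists are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

def audit_allowed_ips(peers, local_subnets):
    """peers: {peer_name: [cidr, ...]} for ONE WireGuard interface.
    local_subnets: CIDRs directly connected on that host (e.g. its LAN).
    Returns a list of (kind, peer(s), prefix, detail) tuples."""
    findings = []
    local = [ipaddress.ip_network(s) for s in local_subnets]
    owners = defaultdict(list)
    for name, cidrs in peers.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            owners[net].append(name)
            for lan in local:
                # With "route allowed IPs" on, this prefix becomes a route
                # via the tunnel and competes with the connected LAN route.
                if net.overlaps(lan):
                    findings.append(("local-overlap", name, str(net), str(lan)))
    for net, names in owners.items():
        # An identical prefix can belong to one peer only; the last wins.
        if len(names) > 1:
            findings.append(("duplicate", ",".join(names), str(net), names[-1]))
    return findings

# Allowed IPs as posted in the thread (keys omitted there as well).
SUN_PEERS = {"RUT": ["10.0.98.2/32", "192.168.0.2/32"],
             "PC":  ["10.0.98.3/32", "192.168.0.2/32"]}
RUT_PEERS = {"Sun": ["10.0.98.0/24", "192.168.0.2/32"]}
RUT_LAN = ["192.168.0.0/24"]          # RUT LAN port is 192.168.0.50/24

# Assumed corrected layout: only the RUT peer on Sun owns the LAN subnet,
# and the RUT does not list its own LAN in the peer's allowed IPs.
SUN_FIXED = {"RUT": ["10.0.98.2/32", "192.168.0.0/24"],
             "PC":  ["10.0.98.3/32"]}
RUT_FIXED = {"Sun": ["10.0.98.0/24"]}

if __name__ == "__main__":
    for label, peers, lan in (("Sun", SUN_PEERS, []),
                              ("RUT", RUT_PEERS, RUT_LAN),
                              ("Sun fixed", SUN_FIXED, []),
                              ("RUT fixed", RUT_FIXED, RUT_LAN)):
        print(label, audit_allowed_ips(peers, lan) or "ok")
```

The duplicate finding on Sun matches the traceroute above, where hop 2 is 10.0.98.3 (the PC) rather than the RUT; the overlap finding on the RUT matches the `192.168.0.0/24 dev plc` route that had to be replaced by hand.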