RUT955 doesn't accept Wireguard

Hi,
I’ve been trying to set up WireGuard between two Teltonikas, a remote RUT240 and a server RUT955. No luck, lots of things tried.

  1. I set up WireGuard on both devices as in the Wiki

  2. Added a port forwarding rule to the server:

  3. Checked the current status with CLI / WG on both devices. Service up, port correct, ping OK, but no handshake:

  4. Traceroute with port 51820 OK

  5. With NC, the remote cannot reach the server, no traffic on tcpdump:

  6. From a local Raspberry, I can NC the RUT955, traffic on tcpdump:

  7. Web “canyouseeme.org” doesn’t see the open port (because TCP?), but some traffic on tcpdump:

  8. RUT955 firewall rules as default, made by WireGuard I think:


I have a Finnish Telia 4G mobile connection with a public IP (APN: Opengate). There shouldn’t be any port restrictions, besides 25 out being closed. The public IP is in the correct address space = working.

Any ideas?

Your firewall settings are OK.

We’re going to start simple. As I can’t understand why you are port forwarding when we are establishing a VPN, delete the port forward(s).

The example below assumes that you have a public IP on both devices. If so, I’d highly recommend you set up DDNS for both devices, because public IPs can change, and use the FQDNs in the Endpoint Host fields (1).

This example also allows any device on your Home network 192.168.2.0/24 to access your Remote LAN (2), assuming the firewall settings are Ok for the Remote LAN.

You need to enable ‘Route allowed IPs’ (3).

You will notice that the tunnel IP has also changed to an explicit /32 address (4).

We also enable a persistent keepalive (5) - this example assumes both routers use a SIM as their WAN connection. If you haven’t, then you only need to set this on the device with the SIM in it.

Set an MTU of 1280, as for me personally, I’ve found in my use cases that it gives the most resilient connection (6). You can incrementally increase its value later, if you wish. If you are unfamiliar with MTU increments, then I suggest you read up on the subject.

As your question doesn’t state exactly what you want to achieve, i.e. what devices at Home need to communicate with what Remote devices or vice versa, the example is minimalist.

Hi @Mike and thank you for the instructions. My remote went offline for other reasons; it takes a day for me to reach it again.

I’m trying to build site-to-site VPN between my locations for:

  • “Remote” IoT devices to transmit MQTT data to “home” MQTT broker
  • “home” PC to connect ESPHome + other devices on remote LAN

Port forwarding because there has to be a way for “remote” RUT240 to reach “home” RUT955. Without port forwarding, I don’t see how it works?

I have public IP only at “home”. “Remote” doesn’t have public IP, behind cellular NAT.

I’ve tried with MTU ~1280, but no difference.

I’ll let you know later how it goes, thanks.

I didn’t say before, but it is IMPORTANT that the LAN IP range is different at each site, so if your Home LAN is 192.168.2.0/24 then the Remote LAN cannot be the same IP range. Change it to something like 192.168.5.0/24, if that’s not used - this is to stop IP overlap between the two locations.

You said … “Port forwarding because there has to be a way for “remote” RUT240 to reach “home” RUT955” … no need for port forwarding, this is mostly controlled through the “Allowed IPs” on the Peer settings, giving access to the MQTT broker IP from the remote IoT device IPs.

OK, as another example, here are some settings that I use, on some use cases, for site-2-site. It allows access from any IP (v4) at the Home location to the Remote LAN, if your Home and Remote firewall allows it (1). You will also find that, as far as the outside world is concerned, your Remote Public IP will appear to be the same Public IP as your Home location, whilst the Wireguard tunnel is active.

The settings also take into account that the Remote device does not have a Public IP (2) and that you have a wired WAN connection at Home (3).

As the only public IP is on your Home device, then the Wireguard tunnel has to be initiated from the Remote device. You can force the Remote device to initiate a connection by sending it an SMS, and I’ll deal with that in a separate post.

The settings below are for IPv4 addresses only. It also assumes your Remote IoT devices are sitting on your Remote LAN, hence the instruction of [insert your Remote LAN IP xxx.xxx.xxx.0/24]. If not, you could also add the relevant entry to the Allowed IPs.

I should add, I’m no WireGuard expert, but it works with my RUTX, remote with no Public IP, communicating with a Home, non-Teltonika device with a Public IP.

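As an added example (not code from the thread, from Mike, or from Teltonika), the script below derives both peers’ WireGuard settings for the layout described in the two posts above: Home with a public IP, Remote behind cellular NAT, non-overlapping LANs, explicit /32 tunnel addresses, a persistent keepalive only on the SIM side, and MTU 1280. It also produces the “route everything through Home” variant mentioned for the Remote side. The DDNS hostname, the public keys and the LAN/tunnel ranges are placeholders I chose; the RouteAllowedIPs flag stands in for the RutOS ‘Route allowed IPs’ toggle and is not a wg-quick keyword.

```python
"""Derive matching WireGuard peer settings for a site-to-site tunnel where
only the Home side has a public IP. Added example; all names are placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Site:
    name: str
    lan: str                        # LAN prefix, e.g. "192.168.2.0/24"
    tunnel_ip: str                  # tunnel address, must be a /32
    public_key: str                 # this site's WireGuard public key (placeholder)
    endpoint: Optional[str] = None  # "host:port"; only the publicly reachable side has one
    listen_port: int = 51820


def check_no_overlap(site_a: Site, site_b: Site) -> None:
    """Both LANs must use different ranges, or routing across the tunnel is ambiguous."""
    a = ipaddress.ip_network(site_a.lan)
    b = ipaddress.ip_network(site_b.lan)
    if a.overlaps(b):
        raise ValueError(f"LAN overlap: {site_a.name} {a} vs {site_b.name} {b}")


def check_tunnel_ip(site: Site) -> ipaddress.IPv4Interface:
    """Tunnel addresses are written as explicit /32 host routes."""
    tun = ipaddress.ip_interface(site.tunnel_ip)
    if tun.network.prefixlen != 32:
        raise ValueError(f"{site.name}: tunnel address {site.tunnel_ip} must be a /32")
    return tun


def build_config(site: Site, peer: Site, mtu: int = 1280,
                 keepalive: int = 25, route_all: bool = False) -> dict:
    """Settings for `site` talking to `peer`.

    route_all=True sends all of `site`'s traffic through the tunnel, which is
    what makes the Remote site appear on the internet with Home's public IP.
    """
    check_no_overlap(site, peer)
    check_tunnel_ip(site)
    peer_tun = check_tunnel_ip(peer)
    allowed = ["0.0.0.0/0"] if route_all else [str(peer_tun.network), peer.lan]
    cfg = {
        "Address": site.tunnel_ip,
        "ListenPort": site.listen_port,
        "MTU": mtu,
        "PublicKey": peer.public_key,
        "AllowedIPs": allowed,
        "RouteAllowedIPs": True,   # RutOS UI toggle, not a wg-quick keyword
    }
    if peer.endpoint:
        cfg["Endpoint"] = peer.endpoint   # only the side whose peer is public can dial out
    elif site.endpoint is None:
        raise ValueError("neither side is reachable: at least one peer needs an endpoint")
    if site.endpoint is None:
        # The NAT'd side must keep the UDP mapping alive so Home can answer it.
        cfg["PersistentKeepalive"] = keepalive
    return cfg


def render(cfg: dict) -> str:
    """wg-quick style text for a dict from build_config."""
    iface = [f"Address = {cfg['Address']}", f"ListenPort = {cfg['ListenPort']}",
             f"MTU = {cfg['MTU']}", "PrivateKey = <this site's private key>"]
    peer = [f"PublicKey = {cfg['PublicKey']}",
            f"AllowedIPs = {', '.join(cfg['AllowedIPs'])}"]
    for key in ("Endpoint", "PersistentKeepalive"):
        if key in cfg:
            peer.append(f"{key} = {cfg[key]}")
    return "[Interface]\n" + "\n".join(iface) + "\n\n[Peer]\n" + "\n".join(peer) + "\n"


# Constructed sample: placeholder keys and a placeholder DDNS name.
HOME = Site("home", "192.168.2.0/24", "10.10.10.1/32", "HOME_PUBKEY_PLACEHOLDER",
            endpoint="home.example.dyndns.invalid:51820")
REMOTE = Site("remote", "192.168.5.0/24", "10.10.10.2/32", "REMOTE_PUBKEY_PLACEHOLDER")

if __name__ == "__main__":
    print("# Home RUT955 (server side)\n" + render(build_config(HOME, REMOTE)))
    print("# Remote RUT240 (initiator)\n" + render(build_config(REMOTE, HOME)))
    print("# Remote, full tunnel\n" + render(build_config(REMOTE, HOME, route_all=True)))
```

The checks encode the points made above: overlapping LANs and non-/32 tunnel addresses are rejected, the Remote config carries the Endpoint and the keepalive, and the Home config carries neither, because Home only ever answers.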

I talked earlier about being able to initiate the Wireguard tunnel from the Remote location by sending it an SMS. This can be done by a Custom SMS command using either uci OR ubus commands. Although ubus doesn’t require a commit/restart, for simplicity of explanation, the example below uses uci and assumes your Wireguard tunnel name is PAATTI2HOME and we are creating two rules:

  • PAATTION to turn the wireguard tunnel ON from the Remote site
  • PAATTIOFF to turn the wireguard tunnel OFF

The menu selections are for a RUTX device - as I am unfamiliar with your Teltonika models, I am assuming that the firmware has the same / similar menu structure on the UI and has something similar to SMS Utilities.

These instructions are for your Remote device.

For PAATTION …

Go to SERVICES > MOBILE UTILITIES > SMS UTILITIES > SMS RULES and ‘ADD RULE’ where SMS text = PAATTION and Action = Execute custom script … settings are below


For PAATTIOFF …

Go to SERVICES > MOBILE UTILITIES > SMS UTILITIES > SMS RULES and ‘ADD RULE’ where SMS text = PAATTIOFF and Action = Execute custom script … settings are below


So to turn on the tunnel you can execute the script via SMS. Send the remote router an SMS with the text …

yourrouterpassword PAATTION

and to turn it off …

yourrouterpassword PAATTIOFF
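The screenshots of the two custom scripts are not in the thread, so here is an added example of what such a script can look like; it is my own, not Mike’s or Teltonika’s. It assumes the tunnel interface is named PAATTI2HOME in /etc/config/network and that the firmware honours the standard OpenWrt ‘disabled’ option on the interface together with ifup/ifdown, which I have not verified on a RUT240.

```sh
#!/bin/sh
# Added example: enable or disable a WireGuard interface with uci, for use as
# the "Execute custom script" body of an SMS rule. Interface name is assumed.
TUNNEL="${TUNNEL:-PAATTI2HOME}"

# wg_tunnel on|off : flip the 'disabled' flag, commit, then bring the interface up/down.
wg_tunnel() {
    case "$1" in
        on)
            uci set "network.${TUNNEL}.disabled=0"
            uci commit network
            ifup "$TUNNEL"
            ;;
        off)
            uci set "network.${TUNNEL}.disabled=1"
            uci commit network
            ifdown "$TUNNEL"
            ;;
        *)
            echo "usage: $0 on|off" >&2
            return 2
            ;;
    esac
}

# Act only when an argument was given, so the file can also be sourced for testing.
[ -n "$1" ] && wg_tunnel "$1"
```

Saved as, say, /root/wg_tunnel.sh (a path I chose), the PAATTION rule would run `/root/wg_tunnel.sh on` and the PAATTIOFF rule `/root/wg_tunnel.sh off`. Because the router password travels in the SMS itself, restrict the rule to known sender numbers if your firmware offers that option, and treat the password as exposed to anyone who can read the SIM’s messages.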

OK, all my posts above are about setting up the VPN so your two sites can communicate between devices, and should allow both your scenarios.

I’ve never had to implement an ‘ALWAYS ON’ WireGuard tunnel, so am unsure how it re-establishes after a loss of LTE connectivity for a lengthy period of time. Maybe others can comment here, but I suspect that, if it does require something extra, then Watchdog/Cron may well be involved, but this is just a wild guess. This should be the subject of a separate post if required.

No doubt, you can send remote MQTT data OUTSIDE of the tunnel but this is not within the scope of my posts so far. It probably would require port forwarding setup but this is not secure, hence the VPN.

This topic was automatically closed after 15 days. New replies are no longer allowed.