Rut955 wireguard peer to Ubuntu wireguard server

Hi, I’m having some issues trying to set up a WireGuard tunnel between a RUT955 and a WireGuard instance on a server.

I used the following script for a quick and dirty lab setup:

and I could connect my laptop via WireGuard to the server. I created a new peer on the server, and got the following settings from the script:

[Interface]
Address = 10.0.0.3/8,fd00:00:00::3/8
DNS = 10.0.0.1,fd00:00:00::1
ListenPort = 7959
MTU = 1280
PrivateKey = PrivateKey
[Peer]
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = wg.example.com:51820
PersistentKeepalive = 25
PresharedKey = PresharedKey
PublicKey = PublicKey

(actual keys replaced with placeholders)

I tested and put these values in the WireGuard settings menu on the RUT955. I got a handshake, but I could not ping the server from the RUT955, nor the RUT955 from the server. I think it has to do with the keys, and I might need to add keys to the server?

Any ideas?

Hello,
You have the default route assigned to the wg interface:

This is possible but tricky: you must create a route to the wg server itself with a higher priority (i.e. a lower metric).
Set the metric of the wg interface (in Advanced Settings to 3) and create a static route (in Network->Routing->Static routes) with metric 2.

Regards,

Ok, I will explain our planned setup, so that you might suggest some changes.

We have about 30 Teltonika RUT955s in various locations that currently connect via OpenVPN to a centralized server at our main office.

Connected to the RUT955s is mainly process equipment such as PLCs, HMIs, and other hardware that have their own web servers.

So at the moment I connect to the centralized server and can access all the different equipment via the IP addresses of the web servers.

Our plan is to move the centralized server and run it as a VPS on the Microsoft Azure platform. As a result of this, we are thinking of using WireGuard as the VPN solution instead.

So I’m open to any suggestions, and since we are only trying this out as a PoC, I can make any changes in both the servers and the RUT955s.

Network topology:

Looks good, WireGuard offers excellent performance.
Two remarks however:

  • be careful with the use of 10.x addresses, you may fall into conflict with some ISPs. They should use 100.64.0.0/10 but several don’t,
  • if the address of the wg server is not guaranteed to be immutable, you should check the state of the wg tunnel periodically. Take a look at this post for more information.

Your (work) life will be much easier when you have a central server (small VPS) with a FIXED IP. I am running a 100+ node network of RUT955s this (your) way and can sleep very well 🙂

Will be setting up a fixed IP solution for testing this week. But I’m having a hard time seeing if this is the reason why I can’t get the Teltonika modem to work the same way as my other WireGuard peers. I have two mobile phones and two laptops, for which I exported config files or generated QR codes, and they work from the start. But with the Teltonika I get one handshake when I run “wg” on the Teltonika CLI, but no response from the Ubuntu server…

This is my current setup:
Ubuntu server:

Server

[Interface]
PrivateKey = SNmXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
Address = 10.8.0.1/24
ListenPort = 51820
PreUp =
PostUp = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;
PreDown =
PostDown =

Client: rut955 (82f8d25d-7a7b-4c52-97ee-4292319d72c3)

[Peer]
PublicKey = cCVXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
PresharedKey = AiJXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
AllowedIPs = 10.8.0.2/32

And the exported conf file for the RUT955 looks like this.
The thing I’m curious about is which keys I should put where in the Teltonika modem setup:

[Interface]
PrivateKey = sOSXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
Address = 10.8.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = mGRXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
PresharedKey = AiJXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 0
Endpoint = example.duckdns.org:51820

The thing I’m curious about is the public/private key differences: I see one public key for the RUT955 in the server setup, and another one in the exported configuration file (which I normally use with wg-quick if it is a laptop).

So in the tunnel config:
I currently have:
Private key: sOSXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
Public key: cCVXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=

And for the peer I have:
Public key: mGRXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
Preshared key: AiJXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=

Can you see any obvious errors I have made? Or could you maybe show some snippets of your setup, so I might grasp the concept easier…
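The key question in the post above (which public key belongs where) can be checked mechanically: a WireGuard public key is X25519 of the private key and the base point, exactly what `wg pubkey` computes. The script below is an added example, not code from the thread or from Teltonika; it implements X25519 in pure Python from RFC 7748, derives public keys from base64 private keys, and cross-checks a server-side [Peer] block against the client's exported .conf. The sample configs, the all-zero PresharedKey and the two private keys (the RFC 7748 test vectors) are constructed for the demonstration.

```python
# Added example (not the thread's code): derive WireGuard public keys and
# cross-check which key must appear in which [Peer] block.
import base64

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _cswap(swap, a, b):
    """Conditional swap from RFC 7748 (written for clarity, not timing safety)."""
    mask = -swap & ((1 << 256) - 1)       # all ones when swap == 1
    dummy = mask & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519(k_bytes: bytes, u_bytes: bytes) -> bytes:
    """Scalar multiplication on Curve25519, Montgomery ladder as in RFC 7748 section 5."""
    k = bytearray(k_bytes)
    k[0] &= 248; k[31] &= 127; k[31] |= 64  # clamp the scalar
    k = int.from_bytes(k, "little")
    x_1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x_2, z_2, x_3, z_3, swap = 1, 0, x_1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P; aa = a * a % P
        b = (x_2 - z_2) % P; bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P; d = (x_3 - z_3) % P
        da = d * a % P; cb = c * b % P
        x_3 = (da + cb) ** 2 % P
        z_3 = x_1 * ((da - cb) ** 2 % P) % P
        x_2 = aa * bb % P
        z_2 = e * ((aa + A24 * e) % P) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def public_from_private(private: bytes) -> bytes:
    return x25519(private, BASEPOINT)


def wg_pubkey(private_b64: str) -> str:
    """Same operation as `wg pubkey`: base64 private key in, base64 public key out."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are 32 bytes")
    return base64.b64encode(public_from_private(priv)).decode()


def parse_wg_conf(text: str):
    """Minimal wg .conf parser: list of (section, {key: value}); [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)   # base64 padding '=' stays in the value
            sections[-1][1][key.strip()] = value.strip()
    return sections


def check_pair(server_conf: str, client_conf: str) -> list:
    """Return the mismatches between a server config and one client's exported config."""
    problems = []
    s, c = parse_wg_conf(server_conf), parse_wg_conf(client_conf)
    s_iface = next(d for n, d in s if n == "Interface")
    c_iface = next(d for n, d in c if n == "Interface")
    c_peer = next(d for n, d in c if n == "Peer")
    server_pub = wg_pubkey(s_iface["PrivateKey"])
    client_pub = wg_pubkey(c_iface["PrivateKey"])
    if c_peer.get("PublicKey") != server_pub:
        problems.append("client [Peer] PublicKey is not the server's public key")
    s_peer = next((d for n, d in s if n == "Peer" and d.get("PublicKey") == client_pub), None)
    if s_peer is None:
        problems.append("server has no [Peer] whose PublicKey matches the client's private key")
    elif s_peer.get("PresharedKey") != c_peer.get("PresharedKey"):
        problems.append("PresharedKey differs between server [Peer] and client [Peer]")
    return problems


# Constructed sample keys: the RFC 7748 section 6.1 test vectors, base64-encoded.
SERVER_PRIV = base64.b64encode(bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
ROUTER_PRIV = base64.b64encode(bytes.fromhex(
    "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")).decode()
PSK = base64.b64encode(bytes(32)).decode()   # constructed all-zero PSK for the sample only

SERVER_CONF = f"[Interface]\nPrivateKey = {SERVER_PRIV}\nAddress = 10.8.0.1/24\nListenPort = 51820\n\n" \
              f"[Peer]\nPublicKey = {wg_pubkey(ROUTER_PRIV)}\nPresharedKey = {PSK}\nAllowedIPs = 10.8.0.2/32\n"
ROUTER_CONF = f"[Interface]\nPrivateKey = {ROUTER_PRIV}\nAddress = 10.8.0.2/24\n\n" \
              f"[Peer]\nPublicKey = {wg_pubkey(SERVER_PRIV)}\nPresharedKey = {PSK}\nAllowedIPs = 0.0.0.0/1, 128.0.0.0/1\n"
# The mistake discussed in the thread: the router's own public key pasted into its [Peer] block.
BAD_ROUTER_CONF = ROUTER_CONF.replace(wg_pubkey(SERVER_PRIV), wg_pubkey(ROUTER_PRIV))

if __name__ == "__main__":
    print("good pair:", check_pair(SERVER_CONF, ROUTER_CONF))
    print("bad pair:", check_pair(SERVER_CONF, BAD_ROUTER_CONF))
```

On the RUT955 form this means: Private key and Public key in the tunnel section are the router's own pair (the Public key must equal `wg pubkey` of the Private key), the peer's Public key is the server's, and the PresharedKey is the same value on both sides.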

I tried making a static IPv4 route and now it seems to work…
So I changed the WireGuard interface to have a metric of 3, and used the following settings in the static route:

Interface: mob1s1a1 (most often we use the 3G/4G modem instead of the WAN port)
Target: ip-address of server
Metric: 2
Route type: Unicast
The other settings I left empty.

This is the correct way to proceed. The special route to the wg server directly through the mob1s?a1 is absolutely required if you want to pass all “user” frames via the tunnel.
About Allowed IPs in your case: it is strongly recommended to use 0.0.0.0/1 + 128.0.0.0/1 instead of 0.0.0.0/0; it will not interfere with the default route and will be easier to debug. Idem for ::/0, use ::/1 + 8000::/1 for IPv6.
The keys: each entity must know its private key, and export its public key. The logic is:

  • the sender of a frame encrypts it with the public key of the peer
  • the receiver (peer) needs the private key to decrypt it.
    This works both ways with different key pairs.
    Of course it is possible to add another layer of encryption via the pre-shared key, but this one is symmetric.
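The routing advice in this thread (static host route to the server via the mobile interface, and the 0.0.0.0/1 + 128.0.0.0/1 split instead of 0.0.0.0/0) comes down to longest-prefix matching with metric as the tie-breaker. The simulator below is an added example, not from the thread or from RUTOS; it assumes the router installs one route per AllowedIPs prefix carrying the WireGuard interface's metric, and uses constructed placeholder addresses for the VPS and for a host reached through the tunnel. The metric of the mobile default route is a parameter, because the thread does not state it; the script shows that with 0.0.0.0/0 the outcome depends on that value, while with the /1 split it does not, and that without the host route the encrypted packets to the server would themselves be sent into wg0.

```python
# Added example (not the thread's code): longest-prefix-match simulator for the
# RUT955 route discussion above.
import ipaddress

WG_ENDPOINT = "203.0.113.10"      # constructed placeholder for the VPS address
INTERNET_HOST = "198.51.100.7"    # constructed placeholder for a host reached via the tunnel


def allowed_ips_to_routes(allowed_ips, iface, metric):
    """Assumption: one route per AllowedIPs prefix, with the interface's metric."""
    return [(p.strip(), iface, metric) for p in allowed_ips.split(",") if p.strip()]


def build_routes(allowed_ips, wg_metric, wan_metric, host_route):
    """Routing table as the thread describes it: mobile WAN default, wg0 routes,
    and optionally the static /32 route to the server (metric 2 via mob1s1a1)."""
    routes = [("0.0.0.0/0", "mob1s1a1", wan_metric)]
    routes += allowed_ips_to_routes(allowed_ips, "wg0", wg_metric)
    if host_route:
        routes.append((WG_ENDPOINT + "/32", "mob1s1a1", 2))
    return routes


def lookup(routes, dst):
    """Longest matching prefix wins; among equal prefix lengths the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != addr.version or addr not in net:
            continue
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, iface)
    return best[1] if best else None


def endpoint_loops(routes):
    """True when packets to the WireGuard server itself would be routed into wg0."""
    return lookup(routes, WG_ENDPOINT) == "wg0"


def summary(allowed_ips, wg_metric, wan_metric, host_route):
    r = build_routes(allowed_ips, wg_metric, wan_metric, host_route)
    return {
        "endpoint": lookup(r, WG_ENDPOINT),
        "internet": lookup(r, INTERNET_HOST),
        "loop": endpoint_loops(r),
    }


if __name__ == "__main__":
    for aip in ("0.0.0.0/0", "0.0.0.0/1, 128.0.0.0/1"):
        for wan_metric in (1, 5):
            for host_route in (False, True):
                print(f"AllowedIPs={aip!r:26} wan_metric={wan_metric} host_route={host_route!s:5}",
                      summary(aip, 3, wan_metric, host_route))
```

Reading the output: with `0.0.0.0/0` on wg0 at metric 3, all traffic uses the tunnel only if the mobile default route's metric is higher than 3; with the /1 split, the two /1 routes are more specific than any default and win regardless of metric, and the /32 host route is more specific still, which is what keeps the tunnel's own UDP packets on the mobile interface.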

This topic was automatically closed after 15 days. New replies are no longer allowed.