RUTX11 - WireGuard - Fritz!Box - Internet Routing Issues (0.0.0.0/0)

Teltonika Networks
1

Hi guys,

I want to establish a WireGuard VPN connection between my RUTX11, which is on the road and my Fritz!Box at home and face some serious problems like many others here in the community.

All Devices connected to the LAN/WLAN side of the RUTX11 should connect devices at my home network and access the internet only through the tunnel (0.0.0.0/0) an have the external IP from Fritz!Box.

I already use WireGuard from several Mobile Phones and Tablets to establish a VPN connection. to the Firtz!Box. I can access all devices at home as well as the internet traffic is tunneled through the VPN connection; like expected.

Even if I connect my Mobile Phone via WLAN with my RUTX11 and the RUTX11 is connected to Mobile Internet (LTE), I can establish a WireGuard VPN Tunnel from my Phone and access all devices at home and the internet through the tunnel

Now it becomes serious:

When I use the RUTX11 as a VPN Client (Peer) for the Fritz!Box and I enter ONLY the internal IPs from my home network the VPN connection is established and I can connect all devices at home. The VPN then is split tunnel, so that all internet connections are directly routed via RUTX11 to the internet.

When I enter any combination of 0.0.0.0/0 or 0.0.0.0/1, 128.0.0.0/1 in the allowed IP of the peer, the VPN connection is only partially established. There is no handshake and routing does not work!

I tried fiddeling around with firewall settings and routing on the RUTX11, but really nothing works.

Here you find a picture of the environment with the different test cases. ANY IDEAS are highly appreciated.

Thanks

image
image1920Γ—1080 192 KB

  1. Mobile A (LTE Connection) with installed WireGuard Client
    β€”> Allowed IPs 192.168.25.0/24, 0.0.0.0/0
    β€”> WireGuard Tunnel established between Mobile A and Fritz!Box
    β€”> Mobile A can access Server A in LAN (192.168.5.0/24)
    β€”> Mobile A can access Internet (tunneled, external IP is Fritz!Box)

  2. Mobile A (WLAN Connection) with installed WireGuard Client
    β€”> Allowed IPs 192.168.25.0/24, 0.0.0.0/0
    β€”> WireGuard Tunnel established between Mobile A and Fritz!Box
    β€”> Mobile A can access Server A in LAN (192.168.5.0/24)
    β€”> Mobile A can access Internet (tunneled, external IP is Fritz!Box)

  3. RUTX11 (LTE Connection) with WireGuard
    β€”> Allowed IPs 192.168.25.0/24, 192.168.5.0/0
    β€”> WireGuard Tunnel established between RUTX11 and Fritz!Box
    β€”> RUTX11 can access Server A in LAN (192.168.5.0/24)
    β€”> RUTX11 can access Fritz!Box in DMZ (192.168.25.0/24)
    β€”> Computer A (WLAN with RUTX11) can access Server A in LAN (192.168.5.0/24)
    β€”> Computer A (WLAN with RUTX11) can access Fritz!Box in DMZ (192.168.25.0/24)
    β€”> Computer A (WLAN with RUTX11) can access Internet (no tunneling! external IP is RUTX11)
    β€”> Mobile A (WLAN with RUTX11) can access Server A in LAN (192.168.5.0/24)
    β€”> Mobile A (WLAN with RUTX11) can access Fritz!Box in DMZ (192.168.25.0/24)
    β€”> Mobile A (WLAN with RUTX11) can access Internet (no tunneling! external IP is RUTX11)

  4. RUTX11 (LTE Connection) with WireGuard (different Allowed IPs)
    β€”> Allowed IPs 192.168.25.0/24, 192.168.5.0/0, 0.0.0.0/0 β€”> tunnel partial established, no handshake!, no routing!
    β€”> Allowed IPs 192.168.25.0/24, 192.168.5.0/0, 0.0.0.0/1, 128.0.0.0/1 β€”> tunnel partial established, no handshake!, no routing!
    β€”> Allowed IPs 0.0.0.0/0 β€”> tunnel partial established, no handshake!, no routing!
    β€”> Allowed IPs 0.0.0.0/1, 128.0.0.0/1 β€”> tunnel partial established, no handshake!, no routing!

2

Hello,
If you set Allowed IPs to 0.0.0.0/0 (or 0.0.0.0/1 + 128.0.0.0/1) the wg packets are routed via the wg interface and lost there.

What you need is a higher priority static route to the Fritzbox, add it from Network->Routing->Static IPv4 Routes (or IPv6) with interface=qmimux0 (or wwan0, depends on fw version) and metric 1 or 2. You can use dns names there.

Then you can have Allowed IPs set to 0.0.0.0/1 + 128.0.0.0/1 there is no need to add 192.168.25.0/24 or the like.

Another way is to change the metric of the default route, set it to 1 via System->Custom scripts.

Regards

1 Like
3

Hi @flebourse,

Thanks, It worked with the additional static route but I had to use the IP instread of the DNS name.

Interesting, because normally the route with the lowest metric is used…

But can you please explain how you managed to do static IPv4 routes with DNS names?

Thanks.

4

I don’t remember maybe it was with an old version or I did set it via a custom or /etc/mwan3.user script.

This case (0.0.0.0/1 + 128.0.0.0/1) is full of pitfalls if the IP address of the wg server at the other end is a dynamic one handled with a dyndns.

If the IP changes the tunnel fails so will the DNS resolution and it will be necessary to stop it, make the necessary adjustment and restart.

I have a script (not wireguard_watchdog) that checks the dns name of the wg servers at the other end and restart the tunnels if required, it can be adapted to also check the special high priority route. But this can become tricky.

5

This topic was automatically closed after 15 days. New replies are no longer allowed.