Wireguard between Ubiquiti Cloud Gateway (UCG-Ultra) and RUTX50 as client

I had very hard time setting up a wireguard tunnel between these two devices, hence I thought I should write up this guide which might be helpful to anyone else having the same need.

UCG-Ultra LAN: 192.168.177.0/24
UCG-Ultra WAN: Public IP, dynamically changing.

RUTX50 LAN: 192.168.13.1
RUTX50 WAN: Private IP, Dynamically Changing

Because RUTX50 is using its mobile interface for its Internet connection, it is not getting a Public IP address but a Private one. Therefore, it cannot operate as a server but only as a client towards the UCG-Ultra which runs the wireguard server.

  1. Go to UCG-Ultra settings, VPN, VPN server and click on Create New

Select type of VPN “Wireguard”, give it a name, select the WAN interface to be listing for new connections, and click on “Use Alternate Address for Clients” if you have a dynamic Public IP. At the textbox you should provide a dynamic dns name that you have previously set up (not part of this guide) to overcome the dynamic IP of your ISP.

  1. make a note of the UCG-Ultra Public Key, it will be required on a later stage.

  2. Go to the RUTX50 menu, Services>VPN>Wireguard. At the Add new instance section, set a name and press Add.

  3. At the next screen, set the switch to enabled, and make a note of RUTX50 Public Key.

  4. Go back at Ubiquiti menu and click Add Client
    At the next screen do the following:

  • Paste the RUTX50 Public key into the relevant box you got at step4.
  • Give it a name
  • Write down the Interface IP address, it will be used for a configuration at RUTX50
  • Check on Remote Client Networks, and add RUTX50 LAN subnet(s).
  • Click Save
  1. Go back to the RUTX50 menu, at the Wireguard server, General settings, IP address, fill up the address you got in the previous step (for me it was 192.168.9.3/24). Click Save & Apply, to store changes.

  2. Right below, at Add new peer instance, give a name of your preference and click add

in the Public key section, you should fill UCG’s public key you noted at step 2. End Point Host should be either Ubiquiti router static WAN IP or if you are using a dynamic DNS , your FQDN (i.e. yourname.noip.com). Allowed IPs: the Interface IP you noted at step 5 plus any other network which is valid at Ubiquiti’s side (i.e. Ubiquiti LANs). In case you are using a different port on your server than default (51820), then go to next page and fill the correct port. You may also try Persistent Keep Alive values to keep the connection open.

  1. Finally, in the QR code section, set as Tunnel IP the same address you got from step 5 (for me it was 192.168.9.3) in the peer Allowed IPs drowdown, I selected my RUTX LAN subnet and diselected the 0.0.0.0 as I didn’t want to route all my internet through the tunnel (not sure if this was correct or not). Click apply & save as long as needed to exit and a site to site VPN between the two devices should be already up and running.
1 Like

My only issue, and here is my turn to ask for some help, is that the tunnel doesn’t stay on.
If the server changes IP, or maybe after some time, the tunnel goes off permantly. It needs me to go at rutx50 and play with some settings to cause a new connection attempt at the server.

Also this QR setting screen seems to be buggy. Meaning, whenever I try to save settings, they always return to original settings after saving.

Assuming you are using a FQDN DDNS as the endpoint for the Ubiquiti peer, and the Ubiquiti kit updates its DDNS frequently enough …

As your RUTX has a private IP, then the RUTX HAS TO ALWAYS initiate the connection, and this includes a reconnection.

You could try using the WireGuard Watchdog to see if that makes a difference but it doesn’t cover all eventualities.

@flebourse has a greater insight than I, when it comes to this script and what it can / cannot do.

I can’t halp with the QR screen, as I always set up my connections manually.

My FQDN DDNS wors ok, I have other OpenVPN clients connecting to my Ubiquiti server without issues.
I will check your script and provide feedback.

The QR screen is more about the Teltonika team to try and fix the bug. It doesn’t cause any issue to me.

The corner case in wireguard_watchdog I am aware of is related to the dns servers, if they are restricted to the tunnel itself the resolutions will fail if the tunnel goes down, the simplest fix is to replace

  wg set ${iface} peer ${public_key} endpoint "${endpoint_host}:${endpoint_port}"                                              

by

  ubus call network.interface.${iface} down
  ubus call network.interface.${iface} up
1 Like

Thanks as this applies to some tunnels I have!

If you are interested, you can also look at this topic. wireguard.sh has somewhat changed since however the logic stays the same.

I will certainly have a peer, and from another of your posts, I increased the timeout on the wireguard_watchdog by 10 seconds as we have a particular device in the mountains that gets very poor service, with the variable atmospherics.

I followd this guide , and the RUTX50 reconnected to my server, I am a bit puzzled why this behavior is not the default.

Many thanks Mike!

1 Like

If you are routing all traffic through the tunnel, then you may well benefit from implementing the solution above. Even if you aren’t, the end-result of ‘re-establishing’ the tunnel is the same if not better, as it’s more of a ‘catch-all’.

The amended /usr/bin/wireguard_watchdog will read as follows …


For a ‘belt & braces’ approach, you MIGHT want to turn on Ping/Wget Reboot, where action = reboot modem (not device)

This also applies if you route all the dns traffic and one or more internal networks through the tunnel, the rest going through the native interface. I use that for adblocking.

1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.