Wireguard setup + firewall rules via CLI?

Hello!

Is it possible to set up Wireguard and necessary firewall rules via CLI?

If yes, where can I find more details about it?

Thank you!

Hello,

There are a few ways to approach this configuration via SSH/CLI:

  • Using RutOS API
  • Using UCI

If you’d like to automate Wireguard configuration deployment, I’d suggest using RutOS API, as it greatly simplifies the configuration. It will automatically create the necessary firewall zones.
RutOS API documentation can be found here: https://developers.teltonika-networks.com/

The API can be used in SSH/CLI without HTTP or authentication:

root@RUTX50:~# api -h
        This script allows calling api endpoint locally without using HTTP

        Usage: /sbin/api <http_method> <request_path> [<request_body>...]
        Example: /sbin/api PUT /interfaces/config '{"data":[{"id":"lan","netmask":"255.255.255.0"}]}'

To start, I’d suggest generating new keys using /wireguard/actions/generate_keys endpoint. Then these keys should be stored into a variable, and later used to create a new WireGuard instance with /wireguard/config. After that, new peers can be added with /wireguard/{id}/peers/config endpoint.

If you’re unsure about a certain argument, you can always use the developer tools on Chrome (also available on other browsers), and check what call is made when configuring certain sections of the WebUI:

To configure using UCI, please refer to our Wiki article about UCI: https://wiki.teltonika-networks.com/view/UCI_command_usage
Keep in mind, that you’ll also have to manually create a firewall zone and assign WireGuard interface to it.

Let me know if any additional information is needed!

Best regards,

That is interesting - and also a bit overwhelming for me. :wink:

How about using an ash script? I just want to have a script that I can execute locally (via CLI) on my RUTX11. The script should ask me a few questions, e.g.:

read -p "Enter the local WireGuard interface name (e.g. wg0): " interface_name
read -p "Enter the local private IP address (e.g. 192.168.1.1/24): " local_ip
read -p "Enter the peer public address of the FritzBox (e.g. hfhfjd84ggh3pgl7.myfritz.net): " peer_ip
read -p "Enter the peer WireGuard port (default 51820): " peer_port
read -p "Enter the public key of the FritzBox WireGuard peer: " peer_pubkey
read -p "Enter the local WireGuard port (default 51820): " local_port
read -p "Enter the WireGuard listen address (default 192.168.100.1:51820): " listen_addr

Something like this?

Then the script should set up the WG interface on the RUTX11 and the peer and should at the end show what I need to insert on the other side, i.e. the Fritzbox, as peer keys etc.

Do I really need the API or other complex things for such an “easy” task?

This is not for deployment to many peers, but I have difficulties - without some guidance - to set up a peer-to-peer WG network between my RUTX11 and my Fritzbox 7590AX, also because of things getting complicated (for me) with regard to necessary firewall rules.

Some years ago I had a simple WG tunnel running between both routers, but after a necessary switch to another Fritzbox and firmware updates on the RUTX11 side, things no longer seem to be so easy/out-of-the-box to use.

I am very willing to learn and would like to create and further expand on such a script to take into consideration also other users’ use cases, e.g. do they want to tunnel everything, also DNS, or just several devices, etc. But I am really at the beginning and would be happy to get some help on this.

Thanks to all - both Teltonika people and other users - for your help! :two_hearts:

PS: I already had lengthy ChatGPT sessions to help me with the script, but that led me to not being able to connect to my RUTX11 anymore. So I had to reset, upload a backup, and now I am back at square zero. :face_with_open_eyes_and_hand_over_mouth:

Maybe somebody can explain what I need to do here? Years ago (when WG was still functioning for my setup), I never had to bother or change anything with regard to firewall rules - it just worked. Now I am redirected there:

… when I go to the QR code tab (which is also new to me) in the WG peers settings:


I have no idea what to do. :frowning:

I understand that the RUTX11 is no router for beginners, and I am really willing to read, try and learn, but the learning curve is now very steep for me. Wondering how I was able to get it running back then, but I cannot retrieve the (working) settings from back then, as they are gone for good.

Any support is very much appreciated! :+1:

Hi,

Just to clarify - API is the easiest way to configure this, and it does not require making any CURL requests or authenticating. Here’s an example:
Generate private and public keys:

root@RUTX50:~# api post /wireguard/actions/generate_keys
{"http_body":{"success":true,"data":{"private":"2FjixsnJd3cUmPgRh6EoVxN6fBNZcUiumqC5swHeK00=","public":"cTeY3+w2F6qcorhyYmVsxiV1lyYDv0UV3qfzv6iq7Uo="}},"http_code":200}

Then place the keys in their respective variables:

KEYS_JSON=$(api post /wireguard/actions/generate_keys)
PRIVATE=$(echo "$KEYS_JSON" | jsonfilter -e @.http_body.data.private)
PUBLIC=$(echo "$KEYS_JSON" | jsonfilter -e @.http_body.data.public)

Then after user input for other values, send the request to create a WireGuard instance:

root@RUTX50:~# api post /wireguard/config "{\"data\":{\"enabled\":\"1\",\"private_key\":\"$PRIVATE\",\"public_key\":\"$PUBLIC\",\"id\":\"123456\"}}"
{"http_body":{"success":true,"data":{"enabled":"1","private_key":"2FjixsnJd3cUmPgRh6EoVxN6fBNZcUiumqC5swHeK00=","id":"123456",".type":"interface","listen_port":"51820","public_key":"cTeY3+w2F6qcorhyYmVsxiV1lyYDv0UV3qfzv6iq7Uo="}},"http_code":201}

It should be noted that not all values in the API call must be filled. Technically the only mandatory value is private_key.

While it might seem difficult at first, it’s actually much easier than using UCI. Of course, the easiest configuration is always via the WebUI.


As for your firewall - everything looks correct, you may just need to change the Intra zone forward setting to Accept.
If it still doesn’t work, could you share screenshots of your configuration on both RUT and FritzBox side?

Best regards,

Thank you so much! I will try and show screenshots if I need some more help.

Just out of curiosity: Instead of using the API, why not creating the keys etc. like shown below? Not tested yet:

#!/bin/sh

echo "Welcome to the WireGuard setup script!"

# Ask user for WireGuard configuration details (-r keeps backslashes in the input literal)
echo "Enter the local WireGuard interface name (e.g., wg0):"
read -r interface_name
echo "Enter the local private IP address (e.g. 192.168.10.1/24):"
read -r local_ip
echo "Enter the peer public IP of the FritzBox (e.g. abcdefgh12345678.myfritz.net):"
read -r peer_ip
echo "Enter the peer WireGuard port (default 51820):"
read -r peer_port
peer_port=${peer_port:-51820}  # Default to 51820 if not provided
echo "Enter the public key of the FritzBox WireGuard peer:"
read -r peer_public_key
echo "Enter the local WireGuard port (default 51820):"
read -r local_port
local_port=${local_port:-51820}  # Default to 51820 if not provided
echo "Enter the WireGuard listen address (leave empty for default):"
read -r listen_address
listen_address=${listen_address:-"0.0.0.0:$local_port"}  # Default listen address if empty

# Generate WireGuard keys; umask 077 keeps the temporary key files readable by root only
echo "Generating WireGuard keys..."
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

# Read the generated keys into variables, then remove the key files from disk
local_private_key=$(cat privatekey)
local_public_key=$(cat publickey)
rm -f privatekey publickey

# Output the keys to the user
echo "Local private key: $local_private_key"
echo "Local public key: $local_public_key"

# Create the WireGuard interface configuration
echo "Setting up WireGuard interface..."
cat <<EOL > /etc/config/network
config interface '$interface_name'
    option proto 'wireguard'
    option private_key '$local_private_key'
    option listen_port '$local_port'
    list addresses '$local_ip'

config wireguard_$interface_name
    option public_key '$peer_public_key'
    option endpoint_host '$peer_ip'
    option endpoint_port '$peer_port'
    list allowed_ips '0.0.0.0/0'
    option persistent_keepalive '25'
EOL

# Output WireGuard interface configuration
echo "WireGuard configuration created at /etc/config/network"

# Optionally restart network or WireGuard service
echo "Restarting WireGuard interface..."
/etc/init.d/network restart
echo "WireGuard interface setup completed!"

Explanation from ChatGPT:

  1. Key Generation:

The script generates the local private and public keys using wg genkey and wg pubkey, then reads them into variables local_private_key and local_public_key.

These keys are properly quoted when being used in the configuration to prevent errors from special characters.

  2. Dynamic Configuration File:

The script creates a WireGuard interface configuration using cat <<EOL … EOL and includes the user input (IP address, port, keys, etc.).

The local interface name ($interface_name) and other parameters are inserted dynamically.

  3. Restart Network:

The script includes a command to restart the network service and apply the new WireGuard configuration (/etc/init.d/network restart), which can be adjusted depending on how your system is set up.

What to Do:

  1. Save this script on your RUTX11 router as setup_wireguard.sh.

  2. Make sure the script is executable:

chmod +x setup_wireguard.sh

  3. Run the script:

./setup_wireguard.sh

Does this make sense?

As I am still unable to get it working, please see screenshots from my RUTX11 below. Thanks a lot for your patience! :heart:

WG Interface:

Peers:
WIFI1 (102.168.178.64) as Server IP in the screenshot below is the Wifi interface of my RUTX11 as it is connected as client to my Fritzbox at home. The Fritzbox DHCP assigns in its home network this IP to the RUTX11 (which itself has a fixed IP 192.168.11.1). Is this ok?

See screenshot below with Server IP field expanded:

Am I correct assuming the following?

The Server IP should be WIFI1, when my RUTX11 is connected to my Fritzbox at home via Wifi (=WIFI1), as they are connected now for testing purposes. But it should be MOB1S1A1, when the RUTX11 is in my car away from home and connected to the Internet via mobile (and via WG with my Fritzbox).

But what if my RUTX11 is in my car away from home and connected to the Internet via public Wifi? I do not want to manually toggle the WG settings depending on whether the RUTX11 is connected to mobile or to public Wifi. What can I do about this? Is there a “one-fits-all” setting?

And I do not know if the Tunnel address (10.10.10.2/32) is correct (no extra screenshot shown)

Same with the Peer allowed IPs (see screenshot below):
I have only selected “All IPv4”. I do not use IPv6 anywhere, but I am not sure what the 3rd entry is for: LAN (192.168.11.0/24) - This is the local network of my RUTX11? Must this be selected or not?

Furthermore, on this screen, do I only have to click “Save & Apply”, or do I have to also click before “Generate” (QR code)? Well I tried it. After I generated the QR code and scanned it with my mobile phone, it recognized a configuration, but I am unsure how to apply it on the Fritzbox - some of the below config is redacted. The PrivateKey and the PublicKey now start with different letters. Maybe these keys on some screenshots look therefore differently.

[Interface]
PrivateKey = YHM----------------------------------------=
Address = 10.10.10.2/32
DNS = 10.10.10.0
[Peer]
PublicKey = zdQ----------------------------------------=
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 192.168.178.64:51820
PersistentKeepalive = 25
PresharedKey = -------------------------------------------=

Finally, on this screen, there is this note (and link) about firewall/zone settings, which brings me back to my previous post and the question if the setting is correct. I updated it based on your recent reply. Is it now as you meant?

I will show screenshots from my Fritzbox in a separate post.

Here are the WG-related settings on my Fritzbox:

Complete config (also redacted):

[Interface]
PrivateKey = -------------------------------------------=
ListenPort = -----
Address = 192.168.178.1/24
DNS = 192.168.178.1
DNS = fritz.box

[Peer]
PublicKey = UF0----------------------------------------=
PresharedKey = -------------------------------------------=
AllowedIPs = 192.168.178.191/32
PersistentKeepalive = 25

This config seems to be read-only, i.e. the Fritzbox sets them when (first time?) creating a WG setting. The “AllowedIPs” value of 192.168.178.191/32 is because the Fritzbox assigns IPs for (any) VPN (incl. WG) starting with the next free IP that follows the IP range that is already occupied by the Fritzbox’s DHCP. I mention it for completeness, and this cannot be changed.

If there is anything else that I should mention, please let me know.

I am really sorry to bother you or other readers about this topic which might be easy to resolve for pros/experts.

If I manage to set this up correctly and better understand how things work together, like exchanging the key pairs between the devices, setting up the firewall zones (I cannot do this on the Fritzbox’s side, by the way, i.e. firewall rules on the Fritzbox are set automatically, I assume), then I shall further investigate how this can be supported by some script.

This might help future users to set up a WG connection between their Teltonika router and their Fritzbox router with less problems - hopefully. :slight_smile:

I wanted to access the thread “RUT950-Wireguard-with-Fritzbox”.

As this old forum was closed a while ago, I wonder if somebody from Teltonika could maybe copy that old thread into the new forum. It seems that it was useful. Here is a cached version:

It is referred to in this post:

(Wireguard S2S VPN to Fritzbox - #5 by Mav63)

Till now, it has not yet helped me, though, to get it right, so I am still experimenting.

This thread is somewhat long, here are a few remarks:

will unconditionally erase the contents of /etc/config/network and add the wg config after that. Use >> instead of >.

As Daumantas mentioned, in the firewall section set wireguard=>lan to Accept/Accept/Accept and disable masquerading except if you have a good reason not to do so. Masquerading is just good for hiding bad Allowed IPs issues.

This is clearly wrong, if you want to route all traffic through the tunnel use 0.0.0.0/1 + 128.0.0.0/1 + ::/1 + 8000::/1.

Don’t care about the tunnel address there; it is wrong (10.10.10.2/24 might be correct). The RUT is the initiator; the QR code, if generated, has very little interest except for copying the keys, and they should be assigned at the FB side anyway.

Do nothing. The wg tunnel should work “as is”: packets will be sent using the current wan interface because it is the interface supporting the default route.

Extract the pubkey from this value, insert it in the FB UI of the peer.

No, /24. Check /etc/config/network.

Check that this is the pubkey of the wg interface of the FB.

No, set it to the fritz.box ddns entry instead of 192.168.178.64. This way if you are outside the FB will be reached via the mob interface, and internally routed to the wan interface of the FB if you are inside.

It seems that you have mixed the wg network (10.10.10.0/24) and the lan one (192.168.178.0/24) in the FB config.

This cannot be correct, or I will eat my hat.

I have several configs (initiator: RUTX11, server: vanilla Openwrt) if you are interested.

Finally, I got it working again. :slight_smile:

Set up WG on Fritzbox:

  1. Connect networks or establish special connections
  2. Has this WireGuard® connection already been set up at the remote connection? => select: No
  3. Should the new WireGuard® connection be used concurrently with an existing connection on the remote site? => select: No
  4. Is the connection to be made with a single device (laptop, smartphone, tablet), or a router that supports WireGuard® (such as a FRITZ!Box)? => select: Router with WireGuard® support
  5. Name of the WireGuard® connection => enter: RUTX11 (or some other name)
  6. Remote IPv4 network => enter: 192.168.11.0
  7. Subnet mask => enter: 255.255.255.0
  8. DNS domains => enter: fritz.box (this was pre-filled in my case)
  9. Send all IPv4 network traffic via the VPN connection => untick
  10. Allow NetBIOS over this connection => tick
  11. Only certain devices in the home network are to be accessible over this WireGuard® connection => untick
  12. This resulted in a wg_config.conf file that I downloaded - content anonymized:
[Interface]
PrivateKey = -------------------------------------------=
Address = 192.168.11.1/24
DNS = 192.168.178.21,192.168.178.1
DNS = fritz.box

[Peer]
PublicKey = -------------------------------------------=
PresharedKey = -------------------------------------------=
AllowedIPs = 192.168.178.0/24
Endpoint = ----------------.myfritz.net:-----
PersistentKeepalive = 25

Set up WG on RUTX11:

  1. Add new instance - New configuration name => enter: Home (or some other instance name)
  2. General settings - Enable => tick
  3. Private key => enter (from wg_config.conf file that you exported from Fritzbox): <value of [Interface]_PrivateKey>
  4. Public key => enter: nothing (really - leave this empty!)
  5. IP addresses => enter (from wg_config.conf file that you exported from Fritzbox): <value of [Interface]_Address> but replace last number of IP by 0 (zero), e.g.: 192.168.11.1/24 from wg_config.conf file translates to: 192.168.11.0/24 (when I left the 1, it did not let me save)
  6. Advanced settings - Metric => enter: 3
  7. Listen port => enter: 51820
  8. MTU => enter: 1280
  9. DNS servers => enter (from wg_config.conf file that you exported from Fritzbox): <value of [Interface]_DNS> (multiple rows possible): 192.168.178.1, fritz.box. As I do not want to use my Fritzbox DNS for the WG tunnel, I entered: 1.1.1.1 (=Cloudflare; 8.8.8.8=Google, etc.)
  10. Add new peer instance - Add new instance => enter: FB7590AX (or some other peer name)
  11. General settings - Public key => enter (from wg_config.conf file that you exported from Fritzbox): <value of [Peer]_PrivateKey>
  12. Endpoint host => enter (from wg_config.conf file that you exported from Fritzbox): <value of [Peer]_Endpoint> (e.g. 123456789abcdefg.myfritz.net, i.e. without the port, which comes later)
  13. Allowed IPs => enter: (from wg_config.conf file that you exported from Fritzbox): <value of [Peer]_AllowedIPs> (e.g. 192.168.178.0/24 in my case)
  14. Description => enter: Fritzbox 7590 AX ISDN (or some other description)
  15. Route allowed IPs => tick (in my case, as I want automatic firewall rules set, so all clients connected to RUTX11 can use the WG tunnel and reach all devices behind Fritzbox at home)
  16. Advanced settings - Tunnel source => select: Any
  17. Pre-shared key => enter (from wg_config.conf file that you exported from Fritzbox): <value of [Peer]_PresharedKey>
  18. Endpoint port => enter (from wg_config.conf file that you exported from Fritzbox): <port value of [Peer]_Endpoint> (only the port number)
  19. Persistent keep alive => enter (from wg_config.conf file that you exported from Fritzbox): <port value of [Peer]_PersistentKeepalive> (e.g. 25)
  20. Routing table => enter: nothing (i.e., leave empty)
  21. QR settings - Server IP => select: WIFI1 (192.168.178.64) (in my case, as this is the interface and IP as RUTX11 appears in Fritzbox network when connected via Wifi; another option could be: MOB1S1A1 (<some_IP>), which is IP of RUTX11 when connected to Internet via its mobile modem - I have not yet tested this; it is not possible to select both, i.e. one or the other)
  22. Tunnel addresses => enter: 192.168.11.2/32 (in my case, as RUTX11 DHCP range starts from 192.168.11.2 - I hope my understanding is correct)
  23. Peer allowed IPs => select: All IPv4 (0.0.0.0/0) and All IPv6 (::/0) (There is also LAN (192.168.11.0/24) in my case, but I do not know what this is for. When I also selected this, the WG tunnel was closed/did not work anymore, if I remember it correctly.)
  24. QR code - Generate => do not click
  25. Save & Apply
  26. Save & Apply

Recap of my setup:

  1. Fritzbox (at home), IP: 192.168.178.1 - with multiple clients
  2. RUTX11 (in car), IP: 192.168.11.1 - with multiple clients
    Clients on both ends should be able to connect with clients on the other side. I know that I could restrict this, but as a first step, this is ok for me.

Next steps for me will be to understand whether the aforementioned settings make sense to the experts here, if there is something I should change, and then eventually come up with some basic script that supports this process a bit via CLI, i.e. importing the wg_config.conf file from Fritzbox into RUTX11 and let its magic do the rest, so the user does not have to go through all these GUI menus. Ideally, the script will ask questions like “Do you want to allow all clients to use all clients on the other side” etc., in words that the less savvy user understands well enough to take a correct decision. Personally, I am definitely not yet at this stage.

So, thanks a lot for everybody’s comments and help - I very much appreciate it! :heart:
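The import idea from the post above (feed the FRITZ!Box wg_config.conf into the RUTX11 instead of clicking through the menus), as an added example that is not Teltonika's or AVM's code: this POSIX sh script parses the exported file and prints the UCI commands for the instance, the peer and the firewall zone that the earlier Teltonika reply says UCI users must create by hand. The section names Home, FB7590AX and wireguard are assumed defaults taken from this thread, the dns_search option for the "fritz.box" DNS line is the standard OpenWrt option, and the zone is created with masquerading off as recommended earlier in the thread.

```shell
#!/bin/sh
# wg_import.sh: turn a FRITZ!Box-exported wg_config.conf into the UCI commands
# that create the matching WireGuard instance, peer and firewall zone on a RUT.
# Added example for this thread, not code from Teltonika or AVM. Dry run: it only
# prints the commands, so you can review them before piping the output into sh.
# Option names follow the /etc/config/network excerpt posted in the thread;
# IFACE/PEER/ZONE are assumed defaults and can be overridden via the environment.

IFACE=${IFACE:-Home}        # WireGuard instance name on the RUT
PEER=${PEER:-FB7590AX}      # peer section name
ZONE=${ZONE:-wireguard}     # firewall zone created for the tunnel

# trim <string>: strip leading and trailing blanks using POSIX parameter expansion
trim() {
    s=${1#"${1%%[![:space:]]*}"}
    s=${s%"${s##*[![:space:]]}"}
    printf '%s' "$s"
}

# add_dns <comma-separated value>: numeric entries are servers, names are search domains
add_dns() {
    for d in $(printf '%s' "$1" | tr ',' ' '); do
        case $d in
            *[!0-9.:]*) printf "uci add_list network.%s.dns_search='%s'\n" "$IFACE" "$d" ;;
            *)          printf "uci add_list network.%s.dns='%s'\n" "$IFACE" "$d" ;;
        esac
    done
}

# wg_conf_to_uci <wg_config.conf>: print the UCI commands on stdout
wg_conf_to_uci() {
    section=""
    # start from a clean instance (uci -q keeps "delete" silent if it does not exist)
    printf "uci -q delete network.%s\n" "$IFACE"
    printf "uci set network.%s=interface\n" "$IFACE"
    printf "uci set network.%s.proto='wireguard'\n" "$IFACE"
    printf "uci set network.%s.disabled='0'\n" "$IFACE"
    printf "uci set network.%s=wireguard_%s\n" "$PEER" "$IFACE"
    printf "uci set network.%s.route_allowed_ips='1'\n" "$PEER"
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(trim "$line")
        case $line in
            ''|'#'*)  continue ;;
            '['*']')  section=${line#[}; section=${section%]}; continue ;;
        esac
        key=$(trim "${line%%=*}")   # split on the first '=' only: base64 keys end in '='
        val=$(trim "${line#*=}")
        case "$section/$key" in
            Interface/PrivateKey)   printf "uci set network.%s.private_key='%s'\n" "$IFACE" "$val" ;;
            Interface/Address)      printf "uci add_list network.%s.addresses='%s'\n" "$IFACE" "$val" ;;
            Interface/DNS)          add_dns "$val" ;;
            Interface/ListenPort)   ;;  # left unset: the initiator can use a random port
            Peer/PublicKey)         printf "uci set network.%s.public_key='%s'\n" "$PEER" "$val" ;;
            Peer/PresharedKey)      printf "uci set network.%s.preshared_key='%s'\n" "$PEER" "$val" ;;
            Peer/AllowedIPs)        for n in $(printf '%s' "$val" | tr ',' ' '); do
                                        printf "uci add_list network.%s.allowed_ips='%s'\n" "$PEER" "$n"
                                    done ;;
            Peer/Endpoint)          # host:port (assumes a hostname or IPv4, as the FRITZ!Box exports)
                                    printf "uci set network.%s.endpoint_host='%s'\n" "$PEER" "${val%:*}"
                                    printf "uci set network.%s.endpoint_port='%s'\n" "$PEER" "${val##*:}" ;;
            Peer/PersistentKeepalive) printf "uci set network.%s.persistent_keepalive='%s'\n" "$PEER" "$val" ;;
            *)                      printf '# skipped: [%s] %s\n' "$section" "$key" >&2 ;;
        esac
    done < "$1"
    # firewall zone for the tunnel, forwarding both ways to lan, no masquerading
    # (assumes the zone does not exist yet; "uci add" appends a new anonymous section)
    printf "uci add firewall zone\n"
    printf "uci set firewall.@zone[-1].name='%s'\n" "$ZONE"
    printf "uci add_list firewall.@zone[-1].network='%s'\n" "$IFACE"
    for dir in input output forward; do
        printf "uci set firewall.@zone[-1].%s='ACCEPT'\n" "$dir"
    done
    printf "uci set firewall.@zone[-1].masq='0'\n"
    for pair in "$ZONE lan" "lan $ZONE"; do
        set -- $pair
        printf "uci add firewall forwarding\n"
        printf "uci set firewall.@forwarding[-1].src='%s'\n" "$1"
        printf "uci set firewall.@forwarding[-1].dest='%s'\n" "$2"
    done
    printf "uci commit network\nuci commit firewall\n"
}

# usage on the router: ./wg_import.sh wg_config.conf | less   (then "| sh" to apply)
if [ $# -eq 1 ]; then
    wg_conf_to_uci "$1"
fi
```

After applying, run /etc/init.d/network reload and /etc/init.d/firewall reload, and check the result with uci show network.Home.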

Good catch - thank you very much! I shall keep this in mind when trying to create a working script.


I still have wireguard => lan set up as follows, and it works:

Input: Accept
Output: Accept
Intra zone forward: Reject
Masquerading: On

Admittedly, I have no idea what this is for.


I have the following set up under WireGuard peer ‘FB7590AX’ - General settings - Allowed IPs, and it works:

192.168.178.0/24

Here, too, I have no idea why I need 0.0.0.0/1 + 128.0.0.0/1 + ::/1 + 8000::/1 here. The ::/1 is IPv6, right? I do not use IPv6 anywhere and - unless urgently required - I would leave it as is. And I am unsure about the other IP ranges you mention: The first one means “all”, right? The 127.0.0.1/1 is “local” to my understanding, but what exactly does it mean? And the last one (8000::/1) is again something about IPv6, is it? Then I do not need it (I guess). But what about my current set up 192.168.178.0/24? It seems to work, as far as I can see.


I had misspelled the WIFI1 IP in my post. It is 192.168.178.64 (if it matters at all).
Regarding the Tunnel addresses: Do you mean by “Don’t care about the tunnel address” that I should leave it empty (or at least put 10.10.10.2/24 there)?

My currently set up Tunnel addresses for the WG peer is as follows, and it seems to work, as far as I can see (but as said before, I am unsure and maybe have not yet tested every scenario, if it really works):

192.168.11.2/32

E.g. I wonder what happens, if my mobile phone connects to the RUTX11 and gets from the RUTX11’s DHCP the client IP 192.168.11.2? This is the same as the Tunnel addresses start. Will this work? If not, was that your reason to put here a completely different IP range such as 10.10.10.2/24 to avoid collisions?


But I have to select an entry from the Server IP drop-down menu, i.e. I cannot leave it empty. It is either WIFI1 (as it is named in my case) or MOB1S1A1, and there is even the possibility to add another one (I have not done this, though).

I have to take a break and might ask some more questions later - sorry! :face_with_open_eyes_and_hand_over_mouth:

PS: From /etc/config/network (just the last 2 entries):

config interface 'Home'
        option listen_port '51820'
        option proto 'wireguard'
        option private_key '-------------------------------------------='
        list dns '1.1.1.1'
        option mtu '1280'
        option metric '3'
        list addresses '192.168.11.0/24'
        option disabled '0'

config wireguard_Home 'FB7590AX'
        option force_tunlink '0'
        option tunlink 'any'
        option endpoint_port '-----'
        option description 'Fritzbox 7590 AX ISDN'
        list allowed_ips '192.168.178.0/24'
        option preshared_key '-------------------------------------------='
        option public_key '-------------------------------------------='
        option persistent_keepalive '25'
        option endpoint_host '----------------.myfritz.net'
        option route_allowed_ips '1'

This is in order to avoid collisions with the default routes (0.0.0.0/0 and ::/0), which may have a different metric.
Probably not important in your case but may be required for complex configurations with several tunnels. This is a good habit anyway.
Note: there are other solutions for sending all the traffic through a wg tunnel. Maybe later.

I haven’t checked (the thread is long), but make sure that PersistentKeepalive is enabled on the RUT only; never ever enable it on the FB server.

Sure it works, but you add one more layer of NAT and you can’t see the original lan IP addresses in incoming packets from the lan side of the RUT.
If you have a large network you might be interested in knowing who sshs where, for example.

You need three networks on the FB:

  • the wan interface with a public address
  • the lan interface with a private network (192.168.178.0/24)
  • the wg interface with a different private network (192.168.11.0/24 will do) and address: 192.168.11.1/24

Idem for the RUT:

  • a wan interface, mob or wifi
  • another private network for the local lan
  • and a wg interface in the same network as the FB’s one but a different address: 192.168.11.2/24

I suggest you delete the “option listen_port ‘51820’” line from the config interface section; a random port is perfect for the initiator. I have already been burned by a fixed value there. If you are interested I can explain this nasty corner case.

Last point, add 192.168.11.0/24 to the Allowed IPs list on the RUT and 192.168.11.2/32 on the FB for the RUT peer. A good idea would also be to add the lan network of the RUT to the Allowed IPs of the FB.

Should be …

Good catch sorry for the typo.

@7wells, can you edit your posts and replace 127.0.0.0/1 by 128.0.0.0/1 everywhere?

I want that both my RUTX11 itself and clients connected to it, use the DNS that is configured on the RUTX11 (currently 1.1.1.1), because I think it makes no sense to route DNS-related traffic from RUTX11 clients via the WG tunnel to home, get DNS feedback from the Fritzbox’s DNS, traffic goes back to RUTX11 and then to its devices. While I have Pi-hole on my Fritzbox’s network, I have AdGuard on the RUTX11, so eventually I will replace the 1.1.1.1 (Cloudflare) DNS by ‘127.0.0.1’ (local DNS on RUTX11). Having this said, do I have to take any specific settings with regard to the WG tunnel addresses to avoid unnecessary DNS traffic?

In a second step, I plan to use Policy Based Routing (PBR) on the RUTX11, so only some of the clients connected to it go via the WG tunnel to the Fritzbox and back again, but before, I need to better understand the WG principles, of course.

The correct value is 128.0.0.0/1. Time to go to bed.

No.

Thanks, I have corrected 127.0.0.0/1 to 128.0.0.0/1 in my previous posts (including quotations).

Sleep well! :first_quarter_moon_with_face:

Oh, only now I understand that all these settings below are only for the QR code generation (hence “QR settings” :face_with_open_eyes_and_hand_over_mouth:). Since I set up the keys on my Fritzbox side, I can ignore any of the settings here:

More important, you wrote that my previously set up Allowed IPs: 0.0.0.0/24 was clearly wrong, and if I want to route all traffic through the tunnel, I should use 0.0.0.0/1 + 128.0.0.0/1 + ::/1 + 8000::/1. I omitted the last 2 (as I do not use IPv6) and updated the peer settings as follows, hopefully correctly:

Furthermore, you mentioned that my Tunnel addresses (192.168.11.2/32) entry was wrong and that 10.10.10.2/24 might be correct. I do not understand where my entry was coming from, as I did not enter the value - it was there already.

In case it was derived from the WG interface settings, then do I have to correct this under the interface settings => IP addresses from 192.168.11.0/24 to 10.10.10.2/24? (admittedly, I have not fully understood the concept of 3 different networks that come into play with WG)

Moreover, you suggested that I shall make sure that PersistentKeepalive is enabled on the RUT only, never ever enable it on the FB server. I cannot provide much on the Fritzbox, including PersistentKeepalive, so I assume that there is no such setting on the Fritzbox.

Finally, the firewall zones now are set up as follows, i.e. 3x Accept and Masquerading: off for wireguard => lan.

Should I switch Masquerading off also for wan => Reject?

Thank you so much for your patience with me! :heart:

I shall update my description of how I set it up in my earlier post accordingly.