WireGuard setup for site2site

Hi!

I have seen many topics about configuring WireGuard, and it is crazy how simple it should be, but there is no really good info on how to set up a Teltonika to connect to a WireGuard server.

wg0.conf (on ubuntu server)

[Interface]
Address = 10.0.0.1/24          # hub's tunnel address; 10.0.0.0/24 is the tunnel subnet
ListenPort = 51820
PrivateKey = <server_privatekey>

# forward between peers and NAT towards the internet via eth0; the server also needs net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# User1, connected with the normal WireGuard client from a MacBook
[Peer]
PublicKey = <user_public_key>
AllowedIPs = 10.0.0.3/32

# Site1 (Teltonika router); the LAN behind it is routed to this peer
[Peer]
PublicKey = <teltonika_public_key>
# Teltonika LAN IP is 10.254.39.1
AllowedIPs = 10.0.0.2/32, 10.254.39.0/24

======

This is the config for the user's WireGuard client, which connects to the WireGuard server:

[Interface]
PrivateKey = <macbook_privatekey>
Address = 10.0.0.3/32
DNS = 1.1.1.1

[Peer]
PublicKey = <server_publickey>
# full tunnel: all IPv4 and IPv6 traffic goes through the server
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = server_public_ip:51820

======

For the Teltonika, please find the config attached.

What am I missing?

Thanks!
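A small checker for this kind of hub-and-spoke layout, added here as an example (it is not from the post above and nothing in it is Teltonika-specific). It parses a wg-quick style config, strips trailing # comments the way wg(8) does, flags peers that claim the same prefix, and works out what a spoke must put into AllowedIPs for its hub peer: WireGuard drops a decrypted packet whose source address is not inside the sending peer's AllowedIPs, so a spoke whose hub entry lists only 10.0.0.1/32 never sees packets from 10.0.0.3 or from another site's LAN. The hub config is constructed from the posted wg0.conf with the same key placeholders; the PersistentKeepalive value in the rendered block is an assumption for a spoke behind NAT.

```python
# Added example, not code from the thread: cryptokey-routing checks for a
# WireGuard hub-and-spoke setup.  HUB_CONF is constructed from the posted
# wg0.conf; key placeholders are the same ones the post uses.
import ipaddress

HUB_CONF = """
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server_privatekey>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# User1, road-warrior client
[Peer]
PublicKey = <user_public_key>
AllowedIPs = 10.0.0.3/32

# Site1, the Teltonika router and the LAN behind it
[Peer]
PublicKey = <teltonika_public_key>
AllowedIPs = 10.0.0.2/32, 10.254.39.0/24   # teltonika lan ip is 10.254.39.1
"""

LIST_KEYS = {"address", "allowedips", "dns"}


def parse_wg_conf(text):
    """Parse a wg-quick style config into (interface, [peer, ...]).

    Trailing '#' comments are dropped, as wg(8) does; keys are lower-cased
    and comma-separated list keys become Python lists."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError("unknown section %r" % section)
            continue
        if current is None:
            raise ValueError("key outside of a section: %r" % line)
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in LIST_KEYS:
            current.setdefault(key, []).extend(v.strip() for v in value.split(","))
        else:
            current[key] = value
    return interface, peers


def _networks(cidrs):
    # strict=False so an interface address like 10.0.0.1/24 yields 10.0.0.0/24
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def allowed_ips_conflicts(peers):
    """List (kind, key_a, net_a, key_b, net_b) for AllowedIPs that collide.

    'duplicate': the same prefix on two peers; the kernel keeps it for the
    peer configured last, so the other peer silently loses that route.
    'overlap': different lengths; longest prefix wins, which may be intended
    but is worth a look."""
    entries = [(p["publickey"], n) for p in peers for n in _networks(p.get("allowedips", []))]
    found = []
    for i, (ka, na) in enumerate(entries):
        for kb, nb in entries[i + 1:]:
            if ka == kb or na.version != nb.version or not na.overlaps(nb):
                continue
            kind = "duplicate" if na == nb else "overlap"
            found.append((kind, ka, str(na), kb, str(nb)))
    return found


def spoke_allowed_ips(interface, peers, spoke_key):
    """AllowedIPs the spoke identified by spoke_key needs in its [Peer] entry
    for the hub: the whole tunnel subnet plus every other peer's prefixes,
    collapsed to the minimal prefix list."""
    nets = _networks(interface.get("address", []))
    for p in peers:
        if p["publickey"] != spoke_key:
            nets.extend(_networks(p.get("allowedips", [])))
    result = []
    for version in (4, 6):  # collapse_addresses refuses mixed versions
        same = [n for n in nets if n.version == version]
        result.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return result


def render_hub_peer(interface, peers, spoke_key, hub_pubkey, endpoint):
    """Text of the [Peer] block a spoke needs for the hub.  The keepalive is
    an assumption for spokes behind NAT, not something the post specifies."""
    allowed = ", ".join(spoke_allowed_ips(interface, peers, spoke_key))
    return ("[Peer]\nPublicKey = %s\nAllowedIPs = %s\nEndpoint = %s\n"
            "PersistentKeepalive = 25\n" % (hub_pubkey, allowed, endpoint))


if __name__ == "__main__":
    iface, peer_list = parse_wg_conf(HUB_CONF)
    print("conflicts:", allowed_ips_conflicts(peer_list))
    print(render_hub_peer(iface, peer_list, "<teltonika_public_key>",
                          "<server_publickey>", "server_public_ip:51820"))
```

Run it against your real wg0.conf and compare the rendered block with what the spoke actually has: for the Teltonika peer it comes out as AllowedIPs = 10.0.0.0/24, and for the MacBook user it also lists 10.254.39.0/24, which a full-tunnel client already covers with 0.0.0.0/0.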

Hello,

What is the output of the wg command on the Teltonika?

Regards,

Hello,

Thank you for your reply.

I have checked it now. Strange. Now somehow at least the router connects to the WireGuard server.

However, I am not sure how to reach the devices from the client and from the server.
If I ping from the server, I cannot reach the Teltonika router, nor can I ping the device connected to the router.

Can you please help me, with the ip setup?

Thanks!

The cause might be a restrictive firewall.
Go to Network->Firewall->General Settings, set wireguard->lan to Accept / Accept / Accept and retest.
And limit the MTU to 1280 bytes at both ends, or HTTPS will probably fail.

Thanks for your input.

I kind of solved it with the help of ChatGPT.

At least I can reach all devices connected to site1 (the Teltonika router) from user1.

If anybody needs it, find the settings attached.
For sure some other settings are needed to make it more secure, but it is a good start.