Cannot get Wireguard to work

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Cannot get Wireguard to work

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Cannot get Wireguard to work
Cannot get Wireguard to work
2023-02-24 04:04:19 - last edited 2023-02-24 04:06:56
Tags: #wireguard
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 5.8.4

I use the software-based Omada Controller with a 605 router, a TL-SG3210XHP-M2 v2.0 switch and two APs.

I'm trying to get Wireguard working, and while everything appears to be set up correctly, I cannot access anything on the internal network.  I have the android app installed on my phone and testing over 5g. The controller shows my phone is connected on the dashboard widget and displays my external IP, and my phone says its IP is a local IP, as expected. But, despite all that, I cannot access other IPs on the network like I can when connected using WIF. I also don't see that IP listed in my client list. Shouldn't I?

I feel very blind when trying to debug issues like this as, unlike other routers I have used, like OPNSense, I have ZERO logs I can look at regarding firewall traffic to see if I'm getting blocked somewhere. Nothing to indicate what is going on. Just a repeat of the same, somewhat useless graphs everywhere.

- Do I need to set up an ACL?

- Should there be a new interface under LAN?

- Is there documentation somewhere I am missing?
- Does anyone have Wireguard working through the controller?


I have to say I feel like I'm beta-testing an incomplete product, rather than having purchased a retail finished product.

  0      
  0      
#1
Options
8 Reply
Re:Cannot get Wireguard to work
2023-02-24 13:42:15

  @jaymac1 

 

What's the default gateway assigned on your phone when connected to Wireguard and can you ping it?

If you have the Omada client installed on the phone, can you access the controller locally (not over the cloud)?

Have you previously assigned ACLs elsewhere on your network that may have a default block rule affecting this new Wireguard subnet?

What does your Wireguard config look like (xxx out any critical stuff)?

 

BTW Linux was pretty rough in the late 90's and look where it is now.  It takes a village ... if you don't want to pay C*sco prices.

<< Paying it forward, one juicy problem at a time... >>
  0  
  0  
#2
Options
Re:Cannot get Wireguard to work
2023-02-24 15:08:39
I believe firmware supporting wireguard has not been released yet. only the controller part of it.
  0  
  0  
#3
Options
Re:Cannot get Wireguard to work
2023-02-24 15:12:26 - last edited 2023-02-24 15:13:19

Some devices now support it with the latest firmware like ER605 (V2 only right now) and ER7206.

 

If the device doesn't support it, the Controller won't show it (I'm running Controller 5.8.4 with an ER605V1 and I cannot see any Wireguard settings)

<< Paying it forward, one juicy problem at a time... >>
  0  
  0  
#4
Options
Re:Cannot get Wireguard to work
2023-02-25 01:39:56 - last edited 2023-02-25 01:40:41

@d0ugmac1

 

What's the default gateway assigned on your phone when connected to Wireguard and can you ping it?

 

- The VPN connection does not have a gateway, I don't believe it should.

 

If you have the Omada client installed on the phone, can you access the controller locally (not over the cloud)?

 

- Nope. Only if I switch to wifi.

 

Have you previously assigned ACLs elsewhere on your network that may have a default block rule affecting this new Wireguard subnet?

 

- I don't believe so. There's nothing there now, for sure.

 

What does your Wireguard config look like (xxx out any critical stuff)?

 

 

[Interface]
PrivateKey = ############################################
ListenPort = 51820
Address = 10.0.0.11/24
DNS = 10.0.0.254

[Peer]
PublicKey =############################################
AllowedIPs = 10.0.0.0/24
Endpoint = myurl:51820

 

  0  
  0  
#5
Options
Re:Cannot get Wireguard to work
2023-02-25 12:44:55

  @jaymac1 

 

I think you accidentally painted yourself into a corner...  At the very least you should allow your local subnets.

 

paint

<< Paying it forward, one juicy problem at a time... >>
  0  
  0  
#6
Options
Re:Cannot get Wireguard to work
2023-02-25 16:28:22 - last edited 2023-02-25 17:41:28

Hmm, this is very different from how I would usually do it. I only want the traffic destined for the local network IPs to go through Wireguard. Otherwise, I'm limited to my home upload speed for everything.

 

Where is the 192.168.2.2 coming from? In the past, this was always the IP assigned to the peer on the Router side, which in my case, is 10.0.0.11.

 

Anyway, thanks for the tip. I'll give the 192 address a shot.

EDIT: Nope, no combination of the above works. I give up. I think I'll return the 605 and go back to OPNSense. Thanks for trying to help.

  0  
  0  
#7
Options
Re:Cannot get Wireguard to work
2023-02-25 18:41:39

  @jaymac1 

 

Sorry for the confusion, the 192.168.2.2 was simply the example used in part of the web article I pasted.  I also apologize because as I patiently wait for the ER605 1.2.3 load, I am running Wireguard on my NAS which is a bit non-standard to say the least...and may lead to some of my misunderstanding in translation.

 

I think the issue is you are trying to use the same subnet for the wg0 adapter as you are using for eth0 or whatever on the ER605.  It's been my experience that VPN clients are typically on a subnet other than what is running locally.  So for instance, if your home network is running 10.0.0.0/24, then typically you'd configure a subnet like 10.8.0.0/24 to provide a pool of VPN addresses for clients and the router would take care of allowing access between them.  So the same as adding a second ethernet port to a server, then to me a new interface like the wg0 ?should? also require a new subnet?  With tplink this is certainly true of both L2TP and OpenVPN type connections and probably is also expected for Wireguard.

 

Before you give up, can you configure a new LAN interface (say 10.8.0.0/24) or create a pool of IPs in the same subnet, for Wireguard, and try that?  That's how my Wireguard setup is running, client gets an address in 10.8.0.0/24 and is able to access 10.0.0.0 via the tunnel.  I *DO* force all traffic via the home connection in my case for what it's worth.

 

 

<< Paying it forward, one juicy problem at a time... >>
  1  
  1  
#8
Options
Re:Cannot get Wireguard to work
2023-02-25 18:53:03 - last edited 2023-02-25 18:53:55

  @jaymac1 

 

FWIW, here's my working client config for a very similar setup to you:

 

[Interface]
PrivateKey = XXX=
Address = 10.8.0.4/24
<--this no doubt comes from a setting on the WG server, each new WG client gets a new IP, ie .5, .6 and so on as I add them
DNS = 1.1.1.1


[Peer]
PublicKey = YYY=
PresharedKey = ZZZ=
AllowedIPs = 0.0.0.0/0, ::/0
<-- you would narrow this down obviously to just your 10.0.0.0/24 subnet, and drop the IPv6 bit
PersistentKeepalive = 0
Endpoint = my.server:port

<< Paying it forward, one juicy problem at a time... >>
  2  
  2  
#9
Options