Cannot get Wireguard to work
I use the software-based Omada Controller with a 605 router, a TL-SG3210XHP-M2 v2.0 switch and two APs.
I'm trying to get Wireguard working, and while everything appears to be set up correctly, I cannot access anything on the internal network. I have the Android app installed on my phone and am testing over 5G. The controller shows my phone is connected on the dashboard widget and displays my external IP, and my phone says its IP is a local IP, as expected. But, despite all that, I cannot access other IPs on the network like I can when connected using WiFi. I also don't see that IP listed in my client list. Shouldn't I?
I feel very blind when trying to debug issues like this as, unlike other routers I have used, like OPNSense, I have ZERO logs I can look at regarding firewall traffic to see if I'm getting blocked somewhere. Nothing to indicate what is going on. Just a repeat of the same, somewhat useless graphs everywhere.
- Do I need to set up an ACL?
- Should there be a new interface under LAN?
- Is there documentation somewhere I am missing?
- Does anyone have Wireguard working through the controller?
I have to say I feel like I'm beta-testing an incomplete product, rather than having purchased a retail finished product.
What's the default gateway assigned on your phone when connected to Wireguard and can you ping it?
If you have the Omada client installed on the phone, can you access the controller locally (not over the cloud)?
Have you previously assigned ACLs elsewhere on your network that may have a default block rule affecting this new Wireguard subnet?
What does your Wireguard config look like (xxx out any critical stuff)?
BTW, Linux was pretty rough in the late '90s and look where it is now. It takes a village ... if you don't want to pay C*sco prices.
Some devices now support it with the latest firmware like ER605 (V2 only right now) and ER7206.
If the device doesn't support it, the Controller won't show it (I'm running Controller 5.8.4 with an ER605 V1 and I cannot see any Wireguard settings).
What's the default gateway assigned on your phone when connected to Wireguard and can you ping it?
- The VPN connection does not have a gateway; I don't believe it should.
If you have the Omada client installed on the phone, can you access the controller locally (not over the cloud)?
- Nope. Only if I switch to wifi.
Have you previously assigned ACLs elsewhere on your network that may have a default block rule affecting this new Wireguard subnet?
- I don't believe so. There's nothing there now, for sure.
What does your Wireguard config look like (xxx out any critical stuff)?
[Interface]
PrivateKey = ############################################
ListenPort = 51820
Address = 10.0.0.11/24
DNS = 10.0.0.254

[Peer]
PublicKey = ############################################
AllowedIPs = 10.0.0.0/24
Endpoint = myurl:51820
I think you accidentally painted yourself into a corner... At the very least you should allow your local subnets.
Hmm, this is very different from how I would usually do it. I only want the traffic destined for the local network IPs to go through Wireguard. Otherwise, I'm limited to my home upload speed for everything.
Where is the 192.168.2.2 coming from? In the past, this was always the IP assigned to the peer on the Router side, which in my case, is 10.0.0.11.
Anyway, thanks for the tip. I'll give the 192 address a shot.
EDIT: Nope, no combination of the above works. I give up. I think I'll return the 605 and go back to OPNSense. Thanks for trying to help.
Sorry for the confusion, the 192.168.2.2 was simply the example used in part of the web article I pasted. I also apologize because, as I patiently wait for the ER605 1.2.3 load, I am running Wireguard on my NAS, which is a bit non-standard to say the least... and may lead to some of my misunderstanding in translation.
I think the issue is you are trying to use the same subnet for the wg0 adapter as you are using for eth0 or whatever on the ER605. It's been my experience that VPN clients are typically on a subnet other than what is running locally. So for instance, if your home network is running 10.0.0.0/24, then typically you'd configure a subnet like 10.8.0.0/24 to provide a pool of VPN addresses for clients and the router would take care of allowing access between them. So, the same as adding a second ethernet port to a server, a new interface like wg0 ?should? also require a new subnet? With TP-Link this is certainly true of both L2TP and OpenVPN type connections and probably is also expected for Wireguard.
Before you give up, can you configure a new LAN interface (say 10.8.0.0/24) or create a pool of IPs in the same subnet, for Wireguard, and try that? That's how my Wireguard setup is running, client gets an address in 10.8.0.0/24 and is able to access 10.0.0.0 via the tunnel. I *DO* force all traffic via the home connection in my case for what it's worth.
FWIW, here's my working client config for a very similar setup to you:
[Interface]
PrivateKey = XXX=
Address = 10.8.0.4/24 <-- this no doubt comes from a setting on the WG server; each new WG client gets a new IP, i.e. .5, .6 and so on as I add them
DNS = 1.1.1.1

[Peer]
PublicKey = YYY=
PresharedKey = ZZZ=
AllowedIPs = 0.0.0.0/0, ::/0 <-- you would narrow this down obviously to just your 10.0.0.0/24 subnet, and drop the IPv6 bit
PersistentKeepalive = 0
Endpoint = my.server:port
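As an added example (not code from this thread, and not TP-Link/Omada tooling), here is a small Python linter that reads the two client configs posted above and checks the points the last two replies raise: a tunnel address that sits inside the LAN prefix, whether AllowedIPs actually covers the LAN, and default routes that make it a full tunnel. It also flags one caveat the "narrow it down to 10.0.0.0/24" suggestion leaves open: with AllowedIPs cut to the LAN but DNS still set to 1.1.1.1, DNS queries no longer travel through the tunnel. The LAN prefix 10.0.0.0/24, the redacted keys and the endpoint hostnames are assumptions taken from the posts; the configs below are constructed copies, not live credentials.

```python
"""Lint a WireGuard client config for the routing pitfalls discussed in this thread.

Added example, not code from the thread or from TP-Link. The LAN prefix and the
sample configs are assumptions: keys are placeholders, endpoints are fictitious.
"""
import ipaddress
from typing import Dict, List, Tuple

Section = Tuple[str, Dict[str, str]]

# Constructed sample: the original poster's config (tunnel address inside the LAN /24).
OP_CONFIG = """
[Interface]
PrivateKey = <redacted>
ListenPort = 51820
Address = 10.0.0.11/24
DNS = 10.0.0.254

[Peer]
PublicKey = <redacted>
AllowedIPs = 10.0.0.0/24
Endpoint = myurl:51820
"""

# Constructed sample: the later poster's working full-tunnel config on a separate /24.
FULL_TUNNEL_CONFIG = """
[Interface]
PrivateKey = <redacted>
Address = 10.8.0.4/24
DNS = 1.1.1.1

[Peer]
PublicKey = <redacted>
PresharedKey = <redacted>
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 0
Endpoint = my.server:51820
"""

# The same config narrowed to the LAN as the reply suggests, DNS left at 1.1.1.1.
SPLIT_TUNNEL_CONFIG = FULL_TUNNEL_CONFIG.replace("0.0.0.0/0, ::/0", "10.0.0.0/24")


def parse_wg_config(text: str) -> List[Section]:
    """Minimal INI-style parser; keeps repeated [Peer] sections apart (configparser merges them)."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
            continue
        if not sections or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)  # split once: base64 keys end in '='
        sections[-1][1][key.strip()] = value.strip()
    return sections


def _networks(value: str) -> list:
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",") if v.strip()]


def lint_client_config(text: str, lan: str) -> List[str]:
    """Return findings describing how LAN traffic and DNS will (or will not) use the tunnel."""
    lan_net = ipaddress.ip_network(lan)
    sections = parse_wg_config(text)
    interfaces = [s for name, s in sections if name == "Interface"]
    peers = [s for name, s in sections if name == "Peer"]
    if len(interfaces) != 1 or not peers:
        raise ValueError("expected exactly one [Interface] and at least one [Peer]")
    iface = interfaces[0]
    tunnel_addrs = [ipaddress.ip_interface(a.strip()) for a in iface["Address"].split(",")]
    allowed = [n for p in peers for n in _networks(p.get("AllowedIPs", ""))]
    findings: List[str] = []
    # 1. Tunnel address inside the LAN prefix: the thread's diagnosis of the OP's setup.
    for addr in tunnel_addrs:
        if addr.network.overlaps(lan_net):
            findings.append(f"tunnel address {addr} overlaps LAN {lan_net}; give the tunnel its own subnet")
    # 2. The LAN must lie inside some peer's AllowedIPs or its packets never enter wg0.
    if not any(lan_net.subnet_of(n) for n in allowed if n.version == lan_net.version):
        findings.append(f"AllowedIPs does not cover LAN {lan_net}")
    # 3. A default route means every packet goes home (full tunnel), one finding per family.
    for n in allowed:
        if n.prefixlen == 0:
            findings.append(f"AllowedIPs {n} sends all IPv{n.version} traffic through the tunnel")
    # 4. A DNS server outside AllowedIPs is not reached through the tunnel (cryptokey routing).
    for entry in iface.get("DNS", "").split(","):
        try:
            dns_ip = ipaddress.ip_address(entry.strip())
        except ValueError:
            continue  # empty, or a search domain rather than an address
        if not any(dns_ip in n for n in allowed):
            findings.append(f"DNS server {dns_ip} is outside AllowedIPs; queries bypass the tunnel")
    return findings


def split_tunnel_allowed_ips(text: str, lan: str) -> str:
    """AllowedIPs for 'LAN only': the LAN plus the tunnel subnet, so the server's wg address stays reachable."""
    iface = [s for name, s in parse_wg_config(text) if name == "Interface"][0]
    nets = {ipaddress.ip_interface(a.strip()).network for a in iface["Address"].split(",")}
    nets.add(ipaddress.ip_network(lan))
    return ", ".join(str(n) for n in sorted(nets, key=lambda n: (n.version, int(n.network_address))))


if __name__ == "__main__":
    for label, cfg in (("OP", OP_CONFIG), ("full tunnel", FULL_TUNNEL_CONFIG), ("split", SPLIT_TUNNEL_CONFIG)):
        print(f"== {label} ==")
        for finding in lint_client_config(cfg, "10.0.0.0/24"):
            print(" -", finding)
        print(" split-tunnel AllowedIPs:", split_tunnel_allowed_ips(cfg, "10.0.0.0/24"))
```

Run it with the LAN prefix you actually use; the OP's config produces the overlap finding, the full-tunnel config only the two default-route notes, and the narrowed config the DNS bypass warning. The suggested split-tunnel AllowedIPs deliberately includes the tunnel's own /24 as well as the LAN, so that a resolver or gateway addressed on the server's WireGuard interface remains reachable once the default route is gone.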