ERxxxxx as Wireguard client
ERxxxxx as Wireguard client
I have finally managed to set up Wireguard as a client on a ER706W against unifi and wireguard server, it is a complicated task to make this work if you are not an expert in Wireguard. but anyway, there are two problems i want to talk to you about..
1. it is only possible to get traffic in the tunnel by using the 0.0.0.0/0 route
2. when the router is adopted via wan to a remote controller, it will not adopt after a restart when the wg tunnel has 0.0.0.0/0 (go in disconect state). it seems that wan also goes through the tunnel, I have to do a factory reset and readopt the router again, when that's done I can activate the tunnel again and all traffic goes via wg until the router restarts again.
i saw the light when i read this post but the OP has the same problem i have with 0.0.0.0/0 it's all or nothing
https://community.tp-link.com/en/business/forum/topic/637148?replyId=1307142
I don't know if this is a known problem for you in TP-Link?
Wireguard against another TP-Link router does not have the same problem. I can enter all the routing I need. it only applies to connection to unifi and wireguard server on ubuntu. I haven't tested against anything other than that.
I have tested with an ER706W but I think this applies to all routers.
if these two problems can be solved, then the router can actually be used as a client against a server with a fixed IP. I hope, like everyone else, that there will be an opportunity to use hostname soon.
and at the end I can remove a very expensive router in my network that do some wireguard and OpenVPN task for me today. I will convert all over to Wireguard very soon and if my ER8411 can do Wireguarding as client i dont need OpenVPN anymore,
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @MR.S
Here's the test result. It can work with the UBNT WireGuard. However, it requires the UBNT to set up the Client IP to match what IP you have in the Peer.
ER605:
In conclusion, if you are using the UBNT, and you want to have a client in ER605 to access UBNT, you first need to have an IP address in 192.168.10.0/24 which is listed on the UBNT. And you have to add the IP address in the Clients on UBNT server.
About what you said you have to use 0.0.0.0/0 to get traffic working, this means NAT mode. Well, if you set the Allowed IPs to some subnets, that's routing mode.
It does not matter on our end. The key is to set the IP a device gets in ER605 LAN to the Clients in UBNT.
Peer setting on ER605.
Another conclusion from this, you might set up wrong on the UBNT which you did not correctly set up the Peer/Allowed IP in UBNT causing ER605 to be 0.0.0.0/0. Nothing wrong with the peer and WG settings on ER605. But your UBNT settings.
So, next time, if you have an issue, I would only follow up if the necessary information is provided.
- Copy Link
- Report Inappropriate Content
Hi @MR.S
Thanks for posting in our business forum.
I don't think so only 0.0.0.0/0 would make it work.
In my previous config guide test and my own personal experience with my cloud server, I can use other stuff to make it work instead of 0.0.0.0/0.
In allowed-ips, if you set it to be 0.0.0.0/0, you are using the WG as proxy mode.
If possible, post your config and I'll help you check. In the CG I wrote, the tunnel is not set to 0.0.0.0/0. And many guides I wrote, it is not 0.0.0.0/0. So I am pretty confident that this is not a known problem to me at least.
Show me the config, I'll try to do something similar in my network.
P.S. it took me about 2-3 days to get a grip on how and what to do in WireGuard and get things working by reading articles, and WG official guides, and repeating the config over and over again on Linux and Omada. It looks easy but takes some time to digest and if you know it, it would be pretty easy to figure it out.
- Copy Link
- Report Inappropriate Content
OK , if you have succeeded, there is hope, but have you tried against a wireguard server or have you only connected to other TP-Link routers? I have experienced that it works against other routers from TP-Link but not against, for example, a pure wireguard server.
you have gained some experience with pivpn as I know :-) , if you install a wireguard server and try to connect a router to it from the auto-generated file from wireguard server, do you will then be able to route only the remote network.
installation of Wireguard on pivpn takes about 5 minutes so it's a quick test for you
i only get traffic when i route 0.0.0.0/0 i have tried ablolut everything.
the actual authentication to the server goes well after I realized how I could solve the interface public key on TP-Link. so I'm one step ahead.
this is an modyfied example from a autogenerated file.
[Interface]
PrivateKey = +xxxxx=
Address = 10.74.198.15/24
DNS = 1.1.1.1, 1.0.0.1
[Peer]
PublicKey = vvvvv=
PresharedKey = rbbbb=
Endpoint = xx.xx.xx.x:1195
AllowedIPs = 0.0.0.0/0, 192.168.52.0/24
- Copy Link
- Report Inappropriate Content
Hi @MR.S
MR.S wrote
OK , if you have succeeded, there is hope, but have you tried against a wireguard server or have you only connected to other TP-Link routers? I have experienced that it works against other routers from TP-Link but not against, for example, a pure wireguard server.
you have gained some experience with pivpn as I know :-) , if you install a wireguard server and try to connect a router to it from the auto-generated file from wireguard server, do you will then be able to route only the remote network.
installation of Wireguard on pivpn takes about 5 minutes so it's a quick test for you
i only get traffic when i route 0.0.0.0/0 i have tried ablolut everything.
the actual authentication to the server goes well after I realized how I could solve the interface public key on TP-Link. so I'm one step ahead.
this is an modyfied example from a autogenerated file.
[Interface]
PrivateKey = +xxxxx=
Address = 10.74.198.15/24
DNS = 1.1.1.1, 1.0.0.1[Peer]
PublicKey = vvvvv=
PresharedKey = rbbbb=
Endpoint = xx.xx.xx.x:1195
AllowedIPs = 0.0.0.0/0, 192.168.52.0/24
So what if there is a config issue on the PiVPN? On the PiVPN, linux, you only have the interfaces of the NIC and the WG. So, nothing else. Do you set up a route on the Linux so that anything routes to the WG interface will be redirected to the GW IP?
Give this a try to verify, you mean only 0.0.0.0/0 would work, right? Get a list of the NIC and WG interface and put them in the peer > allowed-ips on the client. So that is not 0.0.0.0/0 and try if you can access the NIC or WG interface somehow? If you can access the NIC of the Linux you have, that means a successful connection. And the comment that only 0.0.0.0/0 would work is inaccurate.
The only way that you cannot make it work is because of the improper setup on the Linux which fails to route the traffic sent over to the WG interface on the Linux.
- Copy Link
- Report Inappropriate Content
Yes, it is possible that there is an error on the wg server, but then this error is only against TP-Link routers. I have a connection to the wg server from mobile phones, PCs and unifi routers with no issue. pretty mutch plug and play on this device. but TP-Link have no access. there is also no access to any of the wg server interface until I enter 0.0.0.0/0 I have tried to route the entire rfc1918 rang but it is completely dead.
I think I've tried most things that can be tried to get routing to work.
And there is no rush for me to get this working, I have a working solution of openvpn and wireguard running on a unifi router, but it's stupid to use a router from unifi to get the job done when I have so much fancy TP-Link equipment
- Copy Link
- Report Inappropriate Content
Hi @MR.S
Thanks for posting in our business forum.
MR.S wrote
Yes, it is possible that there is an error on the wg server, but then this error is only against TP-Link routers. I have a connection to the wg server from mobile phones, PCs and unifi routers with no issue. pretty mutch plug and play on this device. but TP-Link have no access. there is also no access to any of the wg server interface until I enter 0.0.0.0/0 I have tried to route the entire rfc1918 rang but it is completely dead.
I think I've tried most things that can be tried to get routing to work.
And there is no rush for me to get this working, I have a working solution of openvpn and wireguard running on a unifi router, but it's stupid to use a router from unifi to get the job done when I have so much fancy TP-Link equipment
Will ask the test team and check if they have any inventory of a different brand router and give it a go.
So, most of the issues you reported are (potential) compatibility issues with the third-party routers... I'll update you once they have a result (at least in this week).
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hi @MR.S
Here's the test result. It can work with the UBNT WireGuard. However, it requires the UBNT to set up the Client IP to match what IP you have in the Peer.
ER605:
In conclusion, if you are using the UBNT, and you want to have a client in ER605 to access UBNT, you first need to have an IP address in 192.168.10.0/24 which is listed on the UBNT. And you have to add the IP address in the Clients on UBNT server.
About what you said you have to use 0.0.0.0/0 to get traffic working, this means NAT mode. Well, if you set the Allowed IPs to some subnets, that's routing mode.
It does not matter on our end. The key is to set the IP a device gets in ER605 LAN to the Clients in UBNT.
Peer setting on ER605.
Another conclusion from this, you might set up wrong on the UBNT which you did not correctly set up the Peer/Allowed IP in UBNT causing ER605 to be 0.0.0.0/0. Nothing wrong with the peer and WG settings on ER605. But your UBNT settings.
So, next time, if you have an issue, I would only follow up if the necessary information is provided.
- Copy Link
- Report Inappropriate Content
Ok, thanks.
yes I have made it work with UBNT but in a different way. I have used UBNT as a client against TP-Link, that way I have managed to get site to site with wireguard between tp-link and unifi routers.(communication goes both ways. so that's good)
But that's half the problem, the biggest problem is connecting wireguard to a pure wireguard server. the connection itself goes well, but it is not possible to route anything other than 0.0.0.0/0 with this routing, there are only problems, when the router restarts it does not connect to the controller afterwards when adopted from wan, (Remote controller), in stand alone it is a little better then I get access to router management and can disable wireguard and then enable it again to get wireguard to work after a reboot of router.
i don't know if policy routing will solve this problem when it ever comes, unifi uses policy routing so maybe that's what we have to wait for.
- Copy Link
- Report Inappropriate Content
Hi @MR.S
Thanks for posting in our business forum.
MR.S wrote
Ok, thanks.
yes I have made it work with UBNT but in a different way. I have used UBNT as a client against TP-Link, that way I have managed to get site to site with wireguard between tp-link and unifi routers.(communication goes both ways. so that's good)
But that's half the problem, the biggest problem is connecting wireguard to a pure wireguard server. the connection itself goes well, but it is not possible to route anything other than 0.0.0.0/0 with this routing, there are only problems, when the router restarts it does not connect to the controller afterwards when adopted from wan, (Remote controller), in stand alone it is a little better then I get access to router management and can disable wireguard and then enable it again to get wireguard to work after a reboot of router.
i don't know if policy routing will solve this problem when it ever comes, unifi uses policy routing so maybe that's what we have to wait for.
In WG, there is actually no pure server or client. They are all called peers and their settings are identical regardless if they are actually working as clients in your opinion.
I think are in a loop again. We now prove the ER can work with the proper allowed IPs instead of 0.0.0.0/0.
If the 0.0.0.0/0 issue has been resolved, you should be able to adopt it from the WAN.
What is your test result with the reply I gave earlier? If it does not work, what does your config look like?
- Copy Link
- Report Inappropriate Content
There is no doubt that it is a very special way to get tp-link routers to be clients :-)
I haven't had time to look at it yet, I need some time to understand how tp-link's logic is when it comes to wireguard.
but as it seems to me, (if it works) this setup will work against a wireguard server as well. so I'll test tonight when I get home from work to a wireguard server.
It seems a bit special that you have to create a separate vlan interface with the same ip as the vpn tunnel to make this work.
but I will make an attempt,
I really hope their engineers can simplify this process in the future.
I'll test tonight, first in stand alone then whether it works in controller mode.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1955
Replies: 14
Voters 0
No one has voted for it yet.