ERxxxxx as Wireguard client

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2024-01-17 18:25:09 - last edited 2024-01-30 06:45:57
Tags: #VPN
Model: ER706W  
Hardware Version: V1
Firmware Version:

@Clive_A

I have finally managed to set up WireGuard as a client on an ER706W against UniFi and a WireGuard server. It is a complicated task to make this work if you are not an expert in WireGuard. But anyway, there are two problems I want to talk to you about.

1. It is only possible to get traffic in the tunnel by using the 0.0.0.0/0 route.
2. When the router is adopted via WAN to a remote controller, it will not adopt after a restart when the WG tunnel has 0.0.0.0/0 (it goes into a disconnected state). It seems that WAN also goes through the tunnel. I have to do a factory reset and readopt the router again; when that's done I can activate the tunnel again and all traffic goes via WG until the router restarts again.

I saw the light when I read this post, but the OP has the same problem I have with 0.0.0.0/0: it's all or nothing.

https://community.tp-link.com/en/business/forum/topic/637148?replyId=1307142

I don't know if this is a known problem for you at TP-Link?

WireGuard against another TP-Link router does not have the same problem; I can enter all the routing I need. It only applies to connections to UniFi and a WireGuard server on Ubuntu. I haven't tested against anything other than that.

I have tested with an ER706W but I think this applies to all routers.

If these two problems can be solved, then the router can actually be used as a client against a server with a fixed IP. I hope, like everyone else, that there will be an opportunity to use hostname soon. :-)

And in the end I can remove a very expensive router in my network that does some WireGuard and OpenVPN tasks for me today. I will convert everything over to WireGuard very soon, and if my ER8411 can do WireGuard as a client I don't need OpenVPN anymore.

#1
Re:ERxxxxx as Wireguard client
2024-01-22 02:03:23

Hi @MR.S

Thanks for posting in our business forum.

I don't think only 0.0.0.0/0 would make it work.

In my previous config guide test and my own personal experience with my cloud server, I can use other stuff to make it work instead of 0.0.0.0/0.

In allowed-ips, if you set it to be 0.0.0.0/0, you are using the WG as proxy mode.

If possible, post your config and I'll help you check. In the CG I wrote, the tunnel is not set to 0.0.0.0/0. And in many guides I wrote, it is not 0.0.0.0/0. So I am pretty confident that this is not a known problem to me at least.

Show me the config, I'll try to do something similar in my network.

P.S. It took me about 2-3 days to get a grip on how and what to do in WireGuard and get things working by reading articles and WG official guides, and repeating the config over and over again on Linux and Omada. It looks easy but takes some time to digest, and if you know it, it would be pretty easy to figure it out.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#2
Re:ERxxxxx as Wireguard client
2024-01-22 05:55:18

@Clive_A

OK, if you have succeeded, there is hope :-) but have you tried against a WireGuard server or have you only connected to other TP-Link routers? I have experienced that it works against other routers from TP-Link but not against, for example, a pure WireGuard server.

You have gained some experience with PiVPN as I know :-). If you install a WireGuard server and try to connect a router to it from the auto-generated file from the WireGuard server, will you then be able to route only the remote network?

Installation of WireGuard on PiVPN takes about 5 minutes so it's a quick test for you :-)

I only get traffic when I route 0.0.0.0/0. I have tried absolutely everything.

The actual authentication to the server goes well after I realized how I could solve the interface public key on TP-Link, so I'm one step ahead.

This is a modified example from an autogenerated file.

[Interface]
PrivateKey = +xxxxx=
Address = 10.74.198.15/24
DNS = 1.1.1.1, 1.0.0.1

[Peer]
PublicKey = vvvvv=
PresharedKey = rbbbb=
Endpoint = xx.xx.xx.x:1195
AllowedIPs = 0.0.0.0/0, 192.168.52.0/24

#3
Re:ERxxxxx as Wireguard client
2024-01-22 06:52:23

Hi @MR.S 

So what if there is a config issue on the PiVPN? On the PiVPN, Linux, you only have the interfaces of the NIC and the WG. So, nothing else. Do you set up a route on the Linux so that anything routed to the WG interface will be redirected to the GW IP?

Give this a try to verify. You mean only 0.0.0.0/0 would work, right? Get a list of the NIC and WG interface and put them in the peer > allowed-ips on the client, so that it is not 0.0.0.0/0, and try if you can access the NIC or WG interface somehow. If you can access the NIC of the Linux you have, that means a successful connection. And the comment that only 0.0.0.0/0 would work is inaccurate.

The only way that you cannot make it work is because of the improper setup on the Linux which fails to route the traffic sent over to the WG interface on the Linux.

Best Regards!
#4
Re:ERxxxxx as Wireguard client
2024-01-22 07:06:49 - last edited 2024-01-22 07:18:51

@Clive_A

Yes, it is possible that there is an error on the WG server, but then this error is only against TP-Link routers. I have a connection to the WG server from mobile phones, PCs and UniFi routers with no issue; pretty much plug and play on these devices. But TP-Link has no access. There is also no access to any of the WG server interfaces until I enter 0.0.0.0/0. I have tried to route the entire RFC 1918 range but it is completely dead.

I think I've tried most things that can be tried to get routing to work.

And there is no rush for me to get this working. I have a working solution of OpenVPN and WireGuard running on a UniFi router, but it's stupid to use a router from UniFi to get the job done when I have so much fancy TP-Link equipment :-)

#5
Re:ERxxxxx as Wireguard client
2024-01-22 08:04:48

Hi @MR.S 

Thanks for posting in our business forum.

Will ask the test team and check if they have any inventory of a different brand router and give it a go.

So, most of the issues you reported are (potential) compatibility issues with the third-party routers... I'll update you once they have a result (at least in this week).

Best Regards!
#6
Re:ERxxxxx as Wireguard client
2024-01-22 08:09:50

  @Clive_A 

yes

#7
Re:ERxxxxx as Wireguard client-Solution
2024-01-30 06:43:28 - last edited 2024-01-30 06:48:07

Hi @MR.S 

Here's the test result. It can work with the UBNT WireGuard. However, it requires the UBNT to set up the Client IP to match the IP you have in the Peer.

ER605:

In conclusion, if you are using the UBNT, and you want to have a client in ER605 to access UBNT, you first need to have an IP address in 192.168.10.0/24 which is listed on the UBNT. And you have to add the IP address in the Clients on the UBNT server.

About what you said, that you have to use 0.0.0.0/0 to get traffic working: this means NAT mode. Well, if you set the Allowed IPs to some subnets, that's routing mode.

It does not matter on our end. The key is to set the IP a device gets in ER605 LAN to the Clients in UBNT.

Peer setting on ER605.

Another conclusion from this: you might have set it up wrong on the UBNT, in that you did not correctly set up the Peer/Allowed IP in UBNT, causing ER605 to be 0.0.0.0/0. Nothing wrong with the peer and WG settings on ER605. But your UBNT settings.

So, next time, if you have an issue, I would only follow up if the necessary information is provided.

Best Regards!
Recommended Solution
#8
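
The distinction drawn in the post above comes down to WireGuard's cryptokey routing: a peer's AllowedIPs decides which destinations are sent into the tunnel and, on the receiving side, which inner source addresses are accepted. The sketch below is an added example, not code from the posters or from TP-Link; the router LAN subnet, the controller address and the host addresses are assumptions, and it assumes that in "routing mode" the router forwards LAN packets without NAT.

```python
import ipaddress

def allowed_ips(conf_text):
    """Collect every AllowedIPs entry from wg-quick style config text."""
    nets = []
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "allowedips":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    return nets

def covered(ip, nets):
    """Cryptokey routing test: is this address inside any AllowedIPs entry?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def trace(src, dst, router_peer, server_peer):
    """Follow one packet leaving the router side towards dst."""
    if not covered(dst, router_peer):
        return "wan"      # destination not in AllowedIPs: stays out of the tunnel
    if not covered(src, server_peer):
        return "dropped"  # sent through the tunnel, but the far end rejects the inner source
    return "tunnel"

# Constructed configs. The tunnel and remote ranges are the ones posted in the
# thread; the router LAN 192.168.0.0/24 and the controller IP are assumptions.
ROUTER_ALL = allowed_ips("[Peer]\nAllowedIPs = 0.0.0.0/0, 192.168.52.0/24")
ROUTER_SPLIT = allowed_ips("[Peer]\nAllowedIPs = 10.74.198.0/24, 192.168.52.0/24")
SERVER_NARROW = allowed_ips("[Peer]\nAllowedIPs = 10.74.198.15/32")
SERVER_WITH_LAN = allowed_ips("[Peer]\nAllowedIPs = 10.74.198.15/32, 192.168.0.0/24")

TUNNEL_IP = "10.74.198.15"     # router's WireGuard address
LAN_HOST = "192.168.0.50"      # device behind the router, forwarded without NAT
REMOTE_HOST = "192.168.52.10"  # host on the network behind the server
CONTROLLER = "198.51.100.20"   # remote controller (documentation address)

if __name__ == "__main__":
    cases = [
        ("controller, 0.0.0.0/0 on router", TUNNEL_IP, CONTROLLER, ROUTER_ALL, SERVER_NARROW),
        ("controller, split AllowedIPs", TUNNEL_IP, CONTROLLER, ROUTER_SPLIT, SERVER_NARROW),
        ("LAN host, server lists /32 only", LAN_HOST, REMOTE_HOST, ROUTER_SPLIT, SERVER_NARROW),
        ("LAN host, server lists router LAN", LAN_HOST, REMOTE_HOST, ROUTER_SPLIT, SERVER_WITH_LAN),
    ]
    for label, src, dst, router_peer, server_peer in cases:
        print(f"{label:36} {src} -> {dst}: {trace(src, dst, router_peer, server_peer)}")
```

With 0.0.0.0/0 the controller's address is matched by the tunnel peer, which is consistent with the adoption problem reported in the first post; with specific subnets the tunnel only carries LAN traffic once the far end lists the router's LAN in that peer's AllowedIPs.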
Re:ERxxxxx as Wireguard client
2024-01-30 07:03:29

@Clive_A

Ok, thanks.

Yes, I have made it work with UBNT but in a different way. I have used UBNT as a client against TP-Link; that way I have managed to get site-to-site with WireGuard between TP-Link and UniFi routers (communication goes both ways, so that's good).

But that's half the problem. The biggest problem is connecting WireGuard to a pure WireGuard server. The connection itself goes well, but it is not possible to route anything other than 0.0.0.0/0. With this routing there are only problems: when the router restarts, it does not connect to the controller afterwards when adopted from WAN (remote controller). In standalone it is a little better; then I get access to router management and can disable WireGuard and then enable it again to get WireGuard to work after a reboot of the router.

I don't know if policy routing will solve this problem when it ever comes; UniFi uses policy routing so maybe that's what we have to wait for. :-)

#9
Re:ERxxxxx as Wireguard client
2024-01-30 07:13:41

Hi @MR.S 

Thanks for posting in our business forum.

In WG, there is actually no pure server or client. They are all called peers and their settings are identical regardless of whether they are actually working as clients in your opinion.

I think we are in a loop again. We have now proven the ER can work with the proper allowed IPs instead of 0.0.0.0/0.

If the 0.0.0.0/0 issue has been resolved, you should be able to adopt it from the WAN.

What is your test result with the reply I gave earlier? If it does not work, what does your config look like?

Best Regards!
#10
Re:ERxxxxx as Wireguard client
2024-01-30 08:25:28

@Clive_A

There is no doubt that it is a very special way to get TP-Link routers to be clients :-)

I haven't had time to look at it yet; I need some time to understand how TP-Link's logic works when it comes to WireGuard.

But as it seems to me, (if it works) this setup will work against a WireGuard server as well, so I'll test against a WireGuard server tonight when I get home from work.

It seems a bit special that you have to create a separate VLAN interface with the same IP as the VPN tunnel to make this work, but I will make an attempt.

I really hope their engineers can simplify this process in the future.

I'll test tonight, first in standalone, then whether it works in controller mode.

#11