Upgraded ER707-M2 to Firmware 1.2.3 and Wireguard VPN went BOOM!

Thursday - last edited Friday
Model: ER707-M2  
Hardware Version: V1
Firmware Version: 1.2.2

So the other night I upgraded my er707-m2 router from firmware version 1.2.2 to 1.2.3. Once this upgrade was complete the next day wireguard clients would no longer connect successfully to the server. I did see a couple of posts of people saying they had to delete and recreate the wireguard configurations in order for the clients to be able to connect again which leads to the below.

 

~While the er707 was on firmware ver 1.2.3

I deleted and recreated all the wireguard server and clients entries under the vpn tab .

I also deleted any acl that had reference to the wireguard network range that I use.

Once that was done the clients successfully handshake once or twice and vpn works. 

However after that one or two times of being successfully connected and disconnected the clients no longer connect. 

 

Wireguard Log on client when handshake fails.

Sending handshake initiation.... Handshake did not complete after 5 seconds, retrying.

 

 

~With the er707 downgraded and back on firmware ver 1.2.2

I deleted and recreated all the wireguard server and clients entries under the vpn tab again.

Once again with that done the clients successfully handshake once or twice and vpn works. 

Then after that one or two times of being successfully connected and disconnected the clients no longer connect. 

 

Also once again Wireguard Log on client when handshake fails.

Sending handshake initiation.... Handshake did not complete after 5 seconds, retrying.

 

~Should be noted I also downgraded the er707 back to firmware ver 1.2.1 with the same results and no Wireguard ACL's were recreated.

 

With the sporadic successful connections I have gotten and being able to replicate the issue consistently I am not 100% sure whether this is router or wireguard configuration related. With that in mind my wireguard configuration on the server and clients worked for the last year with no problems or hiccups and I have double and triple checked the config for it multiple times.

 

~Wireguard VPN

Omada Server Config

MTU: 1420

Listen Port: 51820

Local IP Address: 192.168.192.1

Private Key: Redacted

 

~Omada Peer Config

Interface: Wireguard VPN

Endpoint: 192.168.192.3

Endpoint Port: 51820

Allow Address: 192.168.192.3/32, local lan range/24

Persistent Keepalive: 25

Public Key: Redacted 

Preshared Key: Redacted

 

~iOS Mobile Device Config

Interface

Private Key: Redacted

Public Key: Redacted

Addresses: 192.168.192.3/32

Listen Port: 51820

MTU: 1420

DNS Servers: 1.1.1.1, 1.0.0.1

 

Peer

Public Key: Redacted

Preshared Key: Redacted

Endpoint: Redacted:51820

Allowed IP's: 0.0.0.0/0, 192.168.192.0/32, local lan range/24

Exclude Private IP's: None

Persistent Keepalive: 25

 

 

"Desperate times call for desperate desperateness."
Re:Upgraded ER707-M2 to Firmware 1.2.3 and Wireguard VPN went BOOM!
Friday

Hi @Daggett 

Thanks for posting in our business forum.

Daggett wrote

 

~iOS Mobile Device Config

Interface

Private Key: Redacted

Public Key: Redacted

Addresses: 192.168.192.3/32

Listen Port: 51820

MTU: 1420

DNS Servers: 1.1.1.1, 1.0.0.1

 

Peer

Public Key: Redacted

Preshared Key: Redacted

Endpoint: Redacted:51820

Allowed IP's: 0.0.0.0/0, 192.168.192.0/32, local lan range/24

Exclude Private IP's: None

Persistent Keepalive: 25

 

 

What is this subnet? This is a misconfig that should be fixed before I look further into the issue described.

 

I don't recall there are issues except for the interface misconfig which may cause a reboot issue on the new releases. So, what are the posts(links) of a similar case like yours? 

Re:Upgraded ER707-M2 to Firmware 1.2.3 and Wireguard VPN went BOOM!
Friday - last edited Friday

  @Clive_A 

So what you have highlighted in red is the ip range I chose to use for wireguard (it is not the actual range but one I chose to put in the post). At the time I implemented wireguard without that entry in my peer config on omada and in the wireguard app the connection would not function/connect be it iOS device or laptop. So if you're saying that is a misconfiguration I must have been lucky for the past year it even worked. So should the 192.168.192.0/32 you highlighted in red be removed from both the omada peer and client configurations?

 

As for the post links I will try to find them; unfortunately it was late at night when I found them last night. So they very well could have been on the tplink omada subreddit as well.

"Desperate times call for desperate desperateness."
Re:Upgraded ER707-M2 to Firmware 1.2.3 and Wireguard VPN went BOOM!
Friday - last edited Friday

  @Daggett 

 

I looked through your setup and have modified it the way I think it should be.

 

~Wireguard VPN

Omada Server Config

MTU: 1420

Listen Port: 51820

Local IP Address: 192.168.192.1

Private Key: Redacted

 

~Omada Peer Config

Interface: Wireguard VPN

Endpoint (removed endpoint is the same as allowed address)

Endpoint Port: (removed)

Allow Address: 192.168.192.3/32, (removed you can't use local lan, this is for remote lan if you have any, in your case is only your wg client allowed)

Persistent Keepalive: 25

Public Key: Redacted 

Preshared Key: Redacted

 

~iOS Mobile Device Config

Interface

Private Key: Redacted

Public Key: Redacted

Addresses: 192.168.192.3/32

(removed)

(Removed)

DNS Servers: 1.1.1.1, 1.0.0.1

 

Peer

Public Key: Redacted

Preshared Key: Redacted

Endpoint: Redacted:51820

Allowed IP's: 0.0.0.0/0 (removed)

(removed)

(removed)

 

 

Re:Upgraded ER707-M2 to Firmware 1.2.3 and Wireguard VPN went BOOM!
Friday

  @MR.S 
Thank you for looking at my config and your suggestions on what I should try changing. When I tried your changes to my settings for the peers this is what I ended up with below and initially again had success connecting. The first three tests or so my peer was able to connect to the wireguard server and traverse the internal network to our nvr, ping the gateway, and ping 8.8.8.8. However now I am back to the handshake not completing after five seconds, retrying. I think I may try regenerating new key pairs again but even with the hokeyness of my prior config and the cleaned up simplified one you suggested I don't think key pairs are the problem seeing how they are showing the same behavior. I should also mention I have verified my dns record is correct and pointing to the right ip address before and after testing. Seems strange to me my prior wireguard server/peer configuration worked for over a year with the hokeyness in the configuration with no problems and then when I updated the router to Firmware 1.2.3 it no longer does.

 

~Omada Peer Config

Interface: Wireguard VPN

Endpoint (removed as suggested)

Endpoint Port: (removed as suggested)

Allow Address: 192.168.192.3/32

Persistent Keepalive: 25

Public Key: Redacted 

Preshared Key: Redacted

 

~iOS Mobile Device Config

Interface

Private Key: Redacted

Public Key: Redacted

Addresses: 192.168.192.3/32

Listen Port: 51820 (Did not remove)

MTU: 1420 (Did not remove)

DNS Servers: 1.1.1.1, 1.0.0.1

 

Peer

Public Key: Redacted

Preshared Key: Redacted

Endpoint: Redacted:51820

Allowed IP's: 0.0.0.0/0 (removed all but the one listed for full tunnel)

"Desperate times call for desperate desperateness."
Re:Upgraded ER707-M2 to Firmware 1.2.3 and Wireguard VPN went BOOM!
Friday

  @Daggett 

 

Do you have many clients on wireguard? There are a couple of things that are important. All clients must be unique. You can't use the same wireguard config on two different devices. Each client has a static ip, in your case 192.168.192.3/32; if you use the same ip on another client it will crash.

 

The only thing you should use on all clients is the wireguard server public key, all other keys must be unique.

 

 

 

Re:Upgraded ER707-M2 to Firmware 1.2.3 and Wireguard VPN went BOOM!
Friday

  @Daggett 

 

I have created an example for you with two peers and one server. Here I also show the keys, it's just a dummy setup so it's not online :-) but here you see how I've set up a small lab, it's not online so I haven't tested it live :-)

As you can see the Peer public key is the same on both files but the interface is unique with keys and ip.

 

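Added example, not part of any post in this thread: a small Python check for the points raised in the replies above, namely that every peer needs its own key and its own tunnel address, and that extra AllowedIPs entries next to 0.0.0.0/0 add nothing. It assumes the settings have been transcribed into wg-quick style text (the ER707-M2 keeps them in its own UI); the keys are placeholders and both sample configs are constructed.

```python
import ipaddress

def parse_wg(text):
    """Parse wg-quick style text into (section, {key: value}) pairs; [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # base64 keys keep their trailing '='
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def lint_peers(text):
    """Flag reused peer keys, one prefix given to two peers, and entries a wider one covers."""
    findings, keys, seen = [], set(), []  # seen: (key, network) of earlier peers
    for kv in (kv for name, kv in parse_wg(text) if name == "peer"):
        key = kv.get("publickey", "<missing>")
        if key in keys:
            findings.append(f"PublicKey {key} is used by more than one peer")
        keys.add(key)
        mine = [ipaddress.ip_network(v.strip(), strict=False)
                for v in kv.get("allowedips", "").split(",") if v.strip()]
        for net in mine:
            findings += [f"{net} is assigned to both {k} and {key}"
                         for k, o in seen if o == net and k != key]
            findings += [f"{net} is already covered by {o} on {key}" for o in mine
                         if o != net and o.version == net.version and net.subnet_of(o)]
        seen += [(key, net) for net in mine]
    return findings

# Constructed samples: placeholder keys, addresses from the thread's example range.
SERVER = """
[Peer]  # phone
PublicKey = PHONE_KEY_PLACEHOLDER=
AllowedIPs = 192.168.192.3/32
[Peer]  # laptop, cloned from the phone entry without changing the address
PublicKey = LAPTOP_KEY_PLACEHOLDER=
AllowedIPs = 192.168.192.3/32
"""
CLIENT = """
[Peer]
PublicKey = SERVER_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0, 192.168.192.0/32
"""

if __name__ == "__main__":
    print("\n".join(lint_peers(SERVER) + lint_peers(CLIENT)))
```

WireGuard routes by AllowedIPs, so a prefix listed under two peers can belong to only one of them; that is the case the first finding reports.
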
Re:Upgraded ER707-M2 to Firmware 1.2.3 and Wireguard VPN went BOOM!
Friday - last edited Friday

  @MR.S 

Here is my configuration. I only have three peers technically configured at this point. Other than my redacted keys I feel your sample and my setup are near identical unless I am missing something. 

 

Server

List of Peers

Single Peer

 

iPhone XS Configuration

"Desperate times call for desperate desperateness."
Re:Upgraded ER707-M2 to Firmware 1.2.3 and Wireguard VPN went BOOM!
Friday

  @Daggett 

 

I don't really see much, so I can't decide if there's something wrong or not with the config.
Do you have any networks that overlap with the ip addresses you use in wireguard?

And if it's otherwise like in my example there shouldn't be any problems. I have wireguard on an ER707-M2 myself and have never experienced the problems you have.

 

 

Re:Upgraded ER707-M2 to Firmware 1.2.3 and Wireguard VPN went BOOM!
Friday

  @MR.S 

Nah, there is nothing that overlaps IP-wise, unfortunately. I wish it was as simple as that since that would have made this an easy fix haha. My config matches your example minus the actual keys and network range you chose in the example. Like I said before, until I updated the router to firmware 1.2.3 from 1.2.2 wireguard worked even with my original screwy configuration that I was told was messed up and wrong. I even initially get a successful connection when launching the vpn after a setting change using all the current keys. I am thinking I hit my last resort option of a full factory reset on the router.

 

However, I know for a fact my wireguard vpn stopped working consistently and reliably when I updated the router's firmware. That was the only change to anything on my network when it quit working.

"Desperate times call for desperate desperateness."
Re:Upgraded ER707-M2 to Firmware 1.2.3 and Wireguard VPN went BOOM!
Friday

  @Daggett 

 

I see you're using Preshared Key, I don't use that, have you tried without it?

 
