ER605 v2.0 Wireguard setup
ER605 v2.0 Wireguard setup
Hello,
I am trying to setup a wireguard VPN, but so far failed to do so.
My ER605 WAN port is connected to the LAN port of my ISP modem, and the modem is setup so that the ER605 is fully exposed to the internet. Between the modem and the router, the IPs are respectively 192.168.0.1 and 192.168.0.2
On internet side, I have a static IP address and the DMZ for the ER605 works pretty well - I have ports 80 and 443 forwarded from the 605 to a reverse proxy, and several services that just work.
I use the local controller (no standalone mode), and I have set up a wireguard interface that listens on the default port, and the local IP address is 192.168.0.2. I have then set up a single client - I am using 10.101.0.0/24 for wireguard, and this client is set up as 10.101.0.2/32. All private/public keys are there, and other options at default
Now, from my client, the handshake is successfull, and I have internet access through the tunnel, but I can only ping 192.168.0.1, which is my ISP modem. I cannot ping 192.168.0.2, which is quite odd, but most importantly I cannot ping any address in the 10.0.0.0/16 range, which is my LAN.
I suspect that my particular topology is confusing the ER605, which thinks that the LAN is 192.168.0.0/something.
On LAN side, the ER605 is 10.0.0.1, but if I use this address as the local IP address in the wireguard interface, the handshake fails altogether.
I am sure I am missing some pretty obvious thing here - can anyone help on this topic? Another very, very odd thing is that normally a "server" should have an IP in the wireguard range, so in my case in 10.101.0.0/24 - and then you just setup ip forwarding. I feel that some of this stuff is happening behind the scenes, which makes the whole process a lot more difficult to debug, and, quite frankly, frustrating.
Thanks for your help and support.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
I've been struggling forever to get wireguard to work on my ER605v2, but I finally just got things working...
The thing that seemed to get things working for me was setting the wireguard local ip to an IP/subnet that doesn't exist (do not create a "wired network" for your vpn subnet)
I set mine to a non-existent subnet 192.168.99.2
I then created a peer in the same non-existent subnet (ex: 192.168.99.10/32) - I also turned the peer keepalive to 0 (not sure if this had an effect though)
I toggled the wireguard interface off and on and gave it some time to propogate and now I can see my internal hosts over the vpn!
My guess is that the wireguard plugin is setting up some (invisible to us) internal routes + subnet and conflicts with networks that already exist in the wireguard ip range. It must also set up some kind of ACL / NAT rules automatically - I wish there was more visibility into whats happening with this though...
- Copy Link
- Report Inappropriate Content
@wilcomir90 Apologies if my post is confusing! No fake peers required, you need to have the wireguard interface in a network range that you havent defined.
In my case my main LAN is 192.168.10.1/24 and I also have an IOT network on 192.168.107.1/24
I picked a local IP for my wireguard interface that doesn't live in either of those network ranges (ie: 192.168.99.2)
Your wireguard peer "Allow Address" should reside in the same theoretical range as your wireguard interface IP, in my case I just chose another free /32 ip in the 192.168.99.1/24 range.
You can define additional peers as normal
My wireguard client config for my peers look something like this:
[Interface]
PrivateKey = ABCDEFG=
Address = 192.168.99.10/24
DNS = [internal-dns-ip]
[Peer]
PublicKey = HIJKLMNOP=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [fqdn/public-ip]:51820
- Copy Link
- Report Inappropriate Content
1. is it really necessary to put the er605 behind a NAT?
2. what makes you set the local IP to 192.168.0.2? isn't this the IP of your er605's WAN? This local IP should be one that falls into 10.0.0.1/16.
3.
I use the local controller (no standalone mode), and I have set up a wireguard interface that listens on the default port, and the local IP address is 192.168.0.2. I have then set up a single client - I am using 10.101.0.0/24 for wireguard, and this client is set up as 10.101.0.2/32. All private/public keys are there, and other options at default
are you referring that you have set up the interface IP address on the client to be 10.101.0.2/32?
if so, what is your "allowed address" on your peer settings under the er605?
- Copy Link
- Report Inappropriate Content
@Tedd404 Hello Tedd, thanks for your help.
1. it is not strictly necessary to put the ER605 behind a NAT. I get ADSL service, so I need a modem, I cannot use the ER directly. In the modem, the ER605 is completely exposed, meaning that the only thing that is translated is the IP address; all ports are fully forwarded, and the ER is fully exposed to the internet. The only caveat is that the ER thinks that the WAN IP is 192.168.0.2, while in reality my public IP is different. Handshake works, so I believe we can exclude that the root cause of the issue lies here.
2. Setting the 192.168.0.2 is the only way to get a handshake. If I use 10.0.0.1, I do not even get an handshake.
3. Correct, my only client is set up as 10.101.0.2/32 both on the client itself and on the ER605 (allowed address). On client side, the allowed ips is set to 0.0.0.0/0, which should mean to route all traffic through the interface.
Thanks for the link, but that article is not very clear/useful. First of all, it refers to standalone mode, while I work in managed mode, and the options are different. The Windows section is not applicable, as currently my only client is iOS, and in general it does not explain fully well what happens under the hood.
I mostly refer to the arch linux wiki article for Wireguard, as it is thoroughly explained.
Most importantly, when you want to use wireguard as a VPN, and not a point-to-point tunnel, you need one of the peers - the "server" - to give all the other peers access to LAN. The way this is normally achieved is by setting allowed IPs to whatever you need, and setting up the routing table on the "server".
I believe that for some reason - perhaps bad configuration on my side - the routing table is being setup to route my client on the WAN side of the ER605, rater than the LAN side. There is no explicit option that I can see - in general I would expect to be able to "bridge" the wireguard interface to any LAN or WAN, but the choice seems not to be there.
- Copy Link
- Report Inappropriate Content
can you share the config screenshots? erase the sensitive parts. that would be straightforward.
you mentioned routing tables, did you create any?
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
concludes your config, is it like this?
ER605 LAN = 10.0.0.1/16
ER605
[Interface]
PrivateKey = 123
Address = 192.168.0.2
DNS = e.g. 8.8.8.8
[Peer]
PublicKey = ABC
AllowedIPs = 0.0.0.0/0?
Endpoint = optional?
Client:
[Interface]
PrivateKey = 321
Address = 10.101.0.2/32
DNS = e.g. 8.8.8.8
[Peer]
PublicKey = ABC
AllowedIPs = 0.0.0.0/0?
Endpoint = static_wan_ip?
- Copy Link
- Report Inappropriate Content
ER605 LAN = 10.0.0.1/16
ER605
[Interface]
PrivateKey = 123
Address = 192.168.0.2
DNS = this setting is not part of the interface on the ER
[Peer]
PublicKey = ABC
AllowedIPs = 10.101.0.2/32
Endpoint = not set
Client:
[Interface]
PrivateKey = 321
Address = 10.101.0.2/32
DNS = 10.0.x.x (I have DNS in my LAN)
[Peer]
PublicKey = ABC
AllowedIPs = 0.0.0.0/0?
Endpoint = 217.x.x.x (my public facing IP)
No routing set up
- Copy Link
- Report Inappropriate Content
keep a backup of your current one.
i'd suggest
ER605
[Interface]
PrivateKey = 123
Address = 192.168.0.2
DNS = this setting is not part of the interface on the ER
[Peer]
PublicKey = ABC
AllowedIPs = 10.101.0.2/24
Endpoint = not set
Client:
[Interface]
PrivateKey = 321
Address = 10.101.0.2/24
DNS = 8.8.8.8 (try a public one before we rule out other variant)
[Peer]
PublicKey = ABC
AllowedIPs = 10.0.0.1/16
Endpoint = 217.x.x.x (my public facing IP)
No routing set up
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
I've been struggling forever to get wireguard to work on my ER605v2, but I finally just got things working...
The thing that seemed to get things working for me was setting the wireguard local ip to an IP/subnet that doesn't exist (do not create a "wired network" for your vpn subnet)
I set mine to a non-existent subnet 192.168.99.2
I then created a peer in the same non-existent subnet (ex: 192.168.99.10/32) - I also turned the peer keepalive to 0 (not sure if this had an effect though)
I toggled the wireguard interface off and on and gave it some time to propogate and now I can see my internal hosts over the vpn!
My guess is that the wireguard plugin is setting up some (invisible to us) internal routes + subnet and conflicts with networks that already exist in the wireguard ip range. It must also set up some kind of ACL / NAT rules automatically - I wish there was more visibility into whats happening with this though...
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 5511
Replies: 17
Voters 0
No one has voted for it yet.