ER605 v2.0 Wireguard setup
Hello,
I am trying to set up a WireGuard VPN, but so far I have failed to do so.
My ER605 WAN port is connected to the LAN port of my ISP modem, and the modem is setup so that the ER605 is fully exposed to the internet. Between the modem and the router, the IPs are respectively 192.168.0.1 and 192.168.0.2
On internet side, I have a static IP address and the DMZ for the ER605 works pretty well - I have ports 80 and 443 forwarded from the 605 to a reverse proxy, and several services that just work.
I use the local controller (not standalone mode), and I have set up a WireGuard interface that listens on the default port, with the local IP address 192.168.0.2. I have then set up a single client. I am using 10.101.0.0/24 for WireGuard, and this client is set up as 10.101.0.2/32. All private/public keys are there, and the other options are at their defaults.
Now, from my client, the handshake is successful, and I have internet access through the tunnel, but I can only ping 192.168.0.1, which is my ISP modem. I cannot ping 192.168.0.2, which is quite odd, but most importantly I cannot ping any address in the 10.0.0.0/16 range, which is my LAN.
I suspect that my particular topology is confusing the ER605, which thinks that the LAN is 192.168.0.0/something.
On the LAN side, the ER605 is 10.0.0.1, but if I use this address as the local IP address in the WireGuard interface, the handshake fails altogether.
I am sure I am missing some pretty obvious thing here. Can anyone help on this topic? Another very, very odd thing is that normally a "server" should have an IP in the WireGuard range, so in my case in 10.101.0.0/24, and then you just set up IP forwarding. I feel that some of this stuff is happening behind the scenes, which makes the whole process a lot more difficult to debug, and, quite frankly, frustrating.
Thanks for your help and support.
@wilcomir90 Apologies if my post is confusing! No fake peers required; you need to have the WireGuard interface in a network range that you haven't defined.
In my case my main LAN is 192.168.10.1/24 and I also have an IOT network on 192.168.107.1/24
I picked a local IP for my WireGuard interface that doesn't live in either of those network ranges (i.e. 192.168.99.2).
Your WireGuard peer "Allow Address" should reside in the same theoretical range as your WireGuard interface IP; in my case I just chose another free /32 IP in the 192.168.99.1/24 range.
You can define additional peers as normal.
My WireGuard client config for my peers looks something like this:
[Interface]
PrivateKey = ABCDEFG=            # placeholder: this client's private key
Address = 192.168.99.10/24       # the peer's Allow Address, inside the WireGuard interface range
DNS = [internal-dns-ip]

[Peer]
PublicKey = HIJKLMNOP=           # placeholder: public key of the ER605 WireGuard interface
AllowedIPs = 0.0.0.0/0, ::/0     # full tunnel: send all traffic through the VPN
Endpoint = [fqdn/public-ip]:51820
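The rule in the reply above (WireGuard interface IP in a range that is not one of the router's defined LANs, every peer's Allow Address inside that same range) can be checked mechanically before touching the controller. The script below is an added example, not code from the thread or from TP-Link; it runs the check over two constructed layouts, the working one from deeo's post and the original poster's first attempt, for which a /24 prefix on the interface is assumed because the post gives none. It also renders a client file in the shape deeo posted, using placeholder keys.

```python
"""Consistency check for an ER605/Omada-style WireGuard layout (added example)."""
from ipaddress import ip_interface, ip_network


def check_wireguard_layout(lan_networks, wg_interface, peer_allowed, wan_network=None):
    """Return a list of problems found; an empty list means the layout is consistent.

    lan_networks : the router's defined LAN/VLAN ranges, e.g. "192.168.10.1/24"
    wg_interface : the WireGuard interface's local IP with prefix, e.g. "192.168.99.2/24"
    peer_allowed : the peers' Allow Addresses, e.g. ["192.168.99.10/32"]
    wan_network  : optional WAN transit range (the modem-to-router link)
    """
    problems = []
    wg = ip_interface(wg_interface)
    wg_net = wg.network

    # Rule 1: the WireGuard range must not collide with any defined LAN/VLAN.
    for lan in (ip_network(n, strict=False) for n in lan_networks):
        if wg_net.overlaps(lan):
            problems.append(f"interface {wg} overlaps defined LAN {lan}")

    # Rule 1b: nor with the WAN transit network (the original post used the WAN IP).
    if wan_network is not None:
        wan = ip_network(wan_network, strict=False)
        if wg_net.overlaps(wan):
            problems.append(f"interface {wg} overlaps WAN network {wan}")

    # Rule 2: every peer is a single host (/32) inside the interface's range, used once.
    seen = set()
    for peer in peer_allowed:
        p = ip_interface(peer)
        if p.network.prefixlen != p.max_prefixlen:
            problems.append(f"peer {p} is not a single-host /{p.max_prefixlen} address")
        if p.ip not in wg_net:
            problems.append(f"peer {p.ip} is outside the interface range {wg_net}")
        if p.ip == wg.ip:
            problems.append(f"peer {p.ip} duplicates the interface address")
        if p.ip in seen:
            problems.append(f"peer {p.ip} is assigned twice")
        seen.add(p.ip)
    return problems


def client_config(peer_address, wg_prefixlen, endpoint, server_pubkey, dns=None):
    """Render a client [Interface]/[Peer] file in the shape posted in the thread.

    Keys are placeholders; real ones come from `wg genkey` / `wg pubkey`.
    """
    lines = [
        "[Interface]",
        "PrivateKey = <client-private-key>",
        f"Address = {ip_interface(peer_address).ip}/{wg_prefixlen}",
    ]
    if dns:
        lines.append(f"DNS = {dns}")
    lines += [
        "",
        "[Peer]",
        f"PublicKey = {server_pubkey}",
        "AllowedIPs = 0.0.0.0/0, ::/0",
        f"Endpoint = {endpoint}:51820",
    ]
    return "\n".join(lines) + "\n"


# Constructed from the thread: deeo's working layout ...
DEEO_LAYOUT = dict(
    lan_networks=["192.168.10.1/24", "192.168.107.1/24"],
    wg_interface="192.168.99.2/24",
    peer_allowed=["192.168.99.10/32"],
)
# ... and the original poster's first attempt (interface prefix /24 is an assumption).
OP_LAYOUT = dict(
    lan_networks=["10.0.0.1/16"],
    wan_network="192.168.0.0/24",
    wg_interface="192.168.0.2/24",
    peer_allowed=["10.101.0.2/32"],
)

if __name__ == "__main__":
    for name, layout in (("deeo", DEEO_LAYOUT), ("original post", OP_LAYOUT)):
        found = check_wireguard_layout(**layout)
        print(f"{name}: {'ok' if not found else 'problems'}")
        for item in found:
            print("  -", item)
    print(client_config("192.168.99.10/32", 24, "vpn.example.invalid",
                        "<server-public-key>", dns="192.168.10.1"))
```

Run it as-is to see deeo's layout pass and the original poster's layout fail on two counts: the interface sits in the WAN transit range, and the peer's 10.101.0.2 lies outside the interface's range, which matches the symptom of being able to ping only the modem. Replace the constructed dictionaries with your own ranges to check a layout before applying it.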
@deeo Thanks for your thorough explanation.
I made some trials, also using a different client, and it seems I might be getting somewhere.
I believe my iOS client has some issues for some reason. My Linux laptop did work for a brief moment, without DNS for some reason, but it did work. My original IP range for the overlay network was 10.101.x.x, therefore I am inclined to believe that all the issues I have been seeing up to now are iOS specific, and the DNS problem depends instead on the Linux laptop.
I will further investigate, but I think that most definitely something is happening behind the scenes here, and it would be good to get an official word from TP-Link on the inner workings.
I shall report back here with my findings.
Thanks again for your great help.
V
@deeo This was super helpful.... got me up and running. Tried on three occasions over the last few months. For me it was setting the IPs right, toggling the WireGuard interface and waiting for a bit of propagation, which took maybe 5 mins. Thank you!!!!
Same issue here. WireGuard routing is not OK.
Ping from the WireGuard client up to the ER605 IP is OK, but it can't reach any other LAN clients. Ping not OK.
VPN with IPsec works like a charm, but over there you HAVE to put an IP in the LAN range that you want to reach.
The problem is that, aside from viewing the routing table on your WireGuard client computer, there's nothing you can see of the WireGuard config on the ER605.
Hi @Mr_K
Thanks for posting in our business forum.
Mr_K wrote:
Same issue here. WireGuard routing is not OK.
Ping from the WireGuard client up to the ER605 IP is OK, but it can't reach any other LAN clients. Ping not OK.
VPN with IPsec works like a charm, but over there you HAVE to put an IP in the LAN range that you want to reach.
The problem is that, aside from viewing the routing table on your WireGuard client computer, there's nothing you can see of the WireGuard config on the ER605.
Configuration Guide: How to Configure WireGuard VPN on Omada Controller
Have you confirmed that your settings are 100% correct?
Ping to the ER605 working means the VPN is working. Do you have another VLAN interface? Ping its gateway. I don't care about the ping to other clients; just verify whether the gateway and devices like the EAP or switch are pingable.
If they all work, and it is simply not working with some of your clients, you should consider the firewall after you have verified your settings are correct.
The routing table on the router does not contain the VPN routing tables.
If you wanna discuss this issue further, please start a new thread with your screenshots of all the related parameters and a simple diagram. Mosaic the sensitive parts.
WireGuard is 10x easier to set up and use on Ubiquiti stuff. Hopefully TP-Link gets to the point where you essentially just turn it on, create the users and can export a config file for each of the users to directly import! .........
TP-Link is very much playing catch-up with Ubiquiti.