cannot get wireguard working

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-03-30 02:35:09 - last edited 2024-03-30 18:17:29
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.4.1

Hello,

I must start by saying I'm not an IT person nor do I know anything about VPNs. This is literally my first crack at trying to get any VPN working at all. I tried OpenVPN first but couldn't find any way to get a client downloaded for my Mac so I couldn't even test it. But there's a handy Wireguard app for Mac in the app store so I decided to switch to that since Wireguard is in the list of VPNs I can set up on this router.

 

I've followed the instructions TO THE TEE in this guide: https://www.tp-link.com/us/support/faq/3559/

 

Nothing works. If I activate the VPN in the app on my Mac and look at the logs, I see either:

Handshake did not complete after 5 seconds

 

or:

 

A whole bunch of "stopping" messages and then nothing after that.

 

I've tried restarting the app many times, to no avail. I've tried changing some of the settings, also to no avail. I've also tried something that was entirely missing from the guide: I forwarded ports 51820 and 51821 to the router itself since I believe that's where the VPN server is. I don't know how else to open ports on this thing. I tried in the firewall but there appears to be no way to "open" a "port". There's a bunch of stuff in there that makes no sense to me but the keywords "open" and "port" are nowhere to be found. Or even just the word "port" would have worked for me, but nope, not there.

 

Can someone please tell me what I'm missing? And please remember that I have no idea what I'm doing LOL. I have basic knowledge but know nothing about VPNs. And I really need to get *any* VPN working so that I can access some things off premises that I haven't built front-facing logins for. If I'm fundamentally misunderstanding how a VPN should work you can also tell me that. I was expecting that it would make my laptop look like it's on the local network.

 

TIA.

#1
2 Accepted Solutions
Re:cannot get wireguard working-Solution
2024-03-30 15:28:11 - last edited 2024-03-30 18:30:31

  @graymalk Alright I got it fully working! Here is my attempt at explaining everything I did in case someone else has this problem.

 

First, I'm using the standalone version. All instructions are for that. Also, my skill level: noob, forced into IT because there's no one else who'll do it.

 

1) Create a new VLAN. Network -> LAN -> Add.

Name: anything that makes sense

IP Address: something low, but definitely a different subnet, like 192.168.100.1 if your primary one was 192.168.0.x.

Subnet mask: 255.255.255.0

Normal

Vlan number: anything not already used

I used DHCP and an address range of 100-199. (so, in this example, 192.168.100.100 to 192.168.100.199)

Enable it (it should already be enabled) and leave everything else blank.

Click OK.

 

2) Firewall -> Access Control -> Add

Name: erhm I forget now if I was able to type something in or if I had to pick from a list. If I had to pick from a list, I just picked the VLAN name.

Policy: allow

Service Type: all

Direction: LAN->LAN

Source and destination need to match your existing VLAN and LAN

Effective time: any

 

3) Transmission->NAT->Virtual Servers->Add

Actually I'm not 100% sure if this one was necessary, but I did it and am leaving it and am not going to test it by disabling. Maybe you can try skipping this and if it doesn't work, go back and add it.

Name: anything

Interface: which port your internet is plugged into

External port: the Wireguard listening port (can be a range)

Internal port: the Wireguard listening port (can be a range)

Internal server IP: Make this match whatever you create for Wireguard, eg 192.168.0.2 from the guide.

Protocol: ALL

 

4) VPN->Wireguard

Actually for this you can follow their guide, but you need to be very careful about which key goes where. I'll just outline the few things that I had to do differently from the guide.

In Peers, I set the IP address to the lowest one in my VLAN range, /32. (eg 192.168.100.100/32). And the endpoint is my PUBLIC IP ADDRESS. I'm stressing that, because IIRC the guide has you putting something weird in.

 

On the client, put this in:

[Interface]

PrivateKey = <your private key from the client app>

Address = 192.168.100.100/24

DNS = 8.8.8.8

 

[Peer]

PublicKey = <your public key from the server>

AllowedIPs = all IP addresses you wish to allow (eg 0.0.0.0/0 to tunnel all traffic). My understanding here is less great. I tunneled all traffic. I don't know how to make it be picky.

Endpoint = <your PUBLIC IP or domain>:51820

 

Lastly, you have to run the client on whatever you plan to log in with. eg if using a laptop via phone, the client has to be on the laptop.

One more thing: if you are using any other levels of firewall internally, you might need to allow traffic from your new VLAN. That was my final hiccup LOL.

 

Happy Wireguarding!

Recommended Solution
#3
Re:cannot get wireguard working-Solution
2024-03-30 15:31:02 - last edited 2024-04-01 02:10:37

  @graymalk Oh I forgot. I *also* added the new VLAN under Network->VLAN, but I'm not sure this was necessary. This is just where you can tie a physical port to it. I reduced it to a single port that has nothing plugged into it.

Recommended Solution
#4
3 Reply
Re:cannot get wireguard working
2024-03-30 04:54:45 - last edited 2024-03-30 04:55:34

  @graymalk 

 

Update: I appear to have it half working at the moment. Whenever I figure out the remaining problems, I'll try to post a detailed guide of what I did so that other people can try it when they find themselves here looking for help. The remaining problem I have is that I can connect but I can't see services on my LAN. I can tunnel traffic and use the internet totally fine.

 

Settings:

[Interface]

PrivateKey = <private key>

Address = 192.168.0.200/29

DNS = 8.8.8.8

 

[Peer]

PublicKey = <public key>

AllowedIPs = 192.168.0.0/32, 0.0.0.0/0

Endpoint = <myIP>:51820

 

My LAN only goes up to 192.168.0.199 so I didn't think there'd be overlap but I'm probably wrong. Oh and I'll likely remove the 0.0.0.0/0 part later.

#2
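Added example, not from this thread or from TP-Link: a small Python linter for a WireGuard client config that checks the things the accepted solution (#3) and the half-working config in #2 turned out to hinge on. It flags keys left as "<...>" placeholders, an Endpoint that is a private address rather than the router's public IP or DNS name, a tunnel Address that overlaps the LAN you want to reach (the 192.168.0.200/29 against 192.168.0.x question in #2, which the accepted solution sidesteps by giving the tunnel its own 192.168.100.0/24 VLAN), and whether AllowedIPs is a full tunnel (0.0.0.0/0). It also builds the split-tunnel AllowedIPs that #3 said it did not know how to write. The sample config is constructed from the values quoted in the thread, the endpoint 192.168.0.1 and the hostname vpn.example.invalid are constructed, and DUMMY_KEY is a format-valid placeholder, not a real key.

```python
"""Lint a WireGuard client config for the mistakes discussed in this thread.

Added example, not from the forum posts or TP-Link. SAMPLE_CLIENT_CONFIG is
constructed from values quoted in the thread; DUMMY_KEY is a format-valid
placeholder, not a real key.
"""
import base64
import ipaddress
import re

# RFC 1918 ranges: an Endpoint inside one of these cannot be reached from outside.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: post #2's config with the placeholders left in and an endpoint
# inside the LAN, so that every check below has something to report.
SAMPLE_CLIENT_CONFIG = """\
[Interface]
PrivateKey = <your private key from the client app>
Address = 192.168.0.200/29
DNS = 8.8.8.8

[Peer]
PublicKey = <your public key from the server>
AllowedIPs = 192.168.0.0/32, 0.0.0.0/0
Endpoint = 192.168.0.1:51820
"""

# Format-valid dummy key (32 bytes, base64) so the corrected config lints clean.
DUMMY_KEY = base64.b64encode(bytes(range(32))).decode()


def parse_wg_config(text):
    """Parse INI-style [Interface]/[Peer] sections into nested dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")  # split at the first '=' only
        current[key.strip()] = value.strip()
    return sections


def is_valid_key(value):
    """A WireGuard key is exactly 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError
        return False


def lint_wg_client(text, lan_subnet):
    """Return findings for a client config meant to reach lan_subnet."""
    cfg = parse_wg_config(text)
    iface, peer = cfg.get("Interface", {}), cfg.get("Peer", {})
    lan = ipaddress.ip_network(lan_subnet)
    findings = []

    for section, key in (("Interface", "PrivateKey"), ("Peer", "PublicKey")):
        if not is_valid_key(cfg.get(section, {}).get(key, "")):
            findings.append(f"{section}.{key} is missing or not a valid key "
                            "(placeholder left in?)")

    addr = iface.get("Address")
    if not addr:
        findings.append("Interface.Address is missing")
    elif ipaddress.ip_interface(addr).network.overlaps(lan):
        findings.append(f"Address {addr} overlaps LAN {lan}: give the tunnel "
                        "its own subnet (the thread uses a separate VLAN)")

    host, _, port = peer.get("Endpoint", "").rpartition(":")
    try:
        endpoint_ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname (or nothing) cannot be judged statically
        endpoint_ip = None
    if endpoint_ip is not None and any(endpoint_ip in n for n in PRIVATE_NETS):
        findings.append(f"Endpoint {host} is a private address; use the "
                        "router's public IP or DNS name")
    if not port.isdigit():
        findings.append("Endpoint has no port (the thread uses 51820)")

    allowed = [ipaddress.ip_network(a.strip(), strict=False)
               for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
    if any(n.prefixlen == 0 for n in allowed):
        findings.append("AllowedIPs contains 0.0.0.0/0: full tunnel, all "
                        "traffic leaves via the VPN")
    elif not any(n.overlaps(lan) for n in allowed):
        findings.append(f"AllowedIPs does not cover LAN {lan}: LAN services "
                        "will be unreachable through the tunnel")
    return findings


def split_tunnel_allowed_ips(lan_subnet, tunnel_subnet):
    """AllowedIPs that sends only LAN and tunnel traffic through the VPN."""
    nets = sorted({ipaddress.ip_network(lan_subnet),
                   ipaddress.ip_network(tunnel_subnet)})
    return ", ".join(str(n) for n in nets)


def example_split_tunnel_config():
    """Accepted solution's layout (tunnel on its own 192.168.100.0/24 VLAN) as a
    split-tunnel client config; vpn.example.invalid is a constructed placeholder."""
    return (f"[Interface]\nPrivateKey = {DUMMY_KEY}\n"
            "Address = 192.168.100.100/24\nDNS = 8.8.8.8\n\n"
            f"[Peer]\nPublicKey = {DUMMY_KEY}\n"
            f"AllowedIPs = {split_tunnel_allowed_ips('192.168.0.0/24', '192.168.100.0/24')}\n"
            "Endpoint = vpn.example.invalid:51820\n")


if __name__ == "__main__":
    for name, text in (("thread config", SAMPLE_CLIENT_CONFIG),
                       ("split-tunnel config", example_split_tunnel_config())):
        print(f"{name}: {lint_wg_client(text, '192.168.0.0/24') or ['OK']}")
```

Run with the LAN subnet you actually want to reach as the second argument; the sample config produces five findings, while the split-tunnel config built from the accepted solution's addressing produces none. The split-tunnel AllowedIPs is the answer to "I don't know how to make it be picky": list the LAN and tunnel subnets instead of 0.0.0.0/0, and only that traffic is routed through the VPN.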