Can't get WireGuard working properly

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-04-22 14:52:43
Hardware Version: V1
Firmware Version: 5.12.9
Hello everyone,
 
I have been trying to configure WireGuard for quite some time now and it won't work as expected.
First of all, devices:
OC200 Controller version 5.12.9
 
MAP:
[internet] ------ [Router: ER7206] ----- [Switch: TL-SG3428XMP] ----- [OC 200]
 
On the ER7206 we have a couple of internal VLANs. Only one VLAN should be fully accessible via WireGuard. Let's call that VLAN 8.
vlan 8:
192.168.8.0/24
 
known systems on that subnet:
ER7206: 192.168.8.1
ServerA: 192.168.8.2
ServerB: 192.168.8.3
NAS: 192.168.8.4
 
Let's also assume my public WAN-IP might be 88.77.66.55
 
On the controller side my WireGuard config looks like:
Edit Wireguard
Name: wg0
Status: [x] Enable
MTU: 1420 (576-1440)
Listen Port: 51820 (1-65535)
Local IP Address: 88.77.66.55  // YES it's my WAN-IP. I'll explain later why.
Private Key: ***

 

Edit Peer
Name: wg0p1
Status: [x] Enable
Interface: wg0
Endpoint: - (Optional)
Endpoint Port: - (Optional)
Allow Address: 10.10.10.1/24
Persistent Keepalive: 25 (0-65535 second)
Comment: - (0-128 characters)
Public Key: sEcReT***PubKeyFromClient
Preshared Key: -
 
Client-side config:
[Interface]
PrivateKey = PrIvAtEkEy
Address = 10.10.10.10/24
DNS = 192.168.8.1

[Peer]
PublicKey = sEcReT***PubKeyFromController
AllowedIPs = 192.168.8.0/24
Endpoint = 88.77.66.55:51820

 

With this configuration I can ping all devices on the internal network. I can connect to the WebGUI of the NAS via IP.

ping 192.168.8.1

Pinging 192.168.8.1 with 32 bytes of data:
Reply from 192.168.8.1: bytes=32 time=9ms TTL=127

 

But I can't get DNS to work. "nslookup" won't work:

nslookup 192.168.8.1
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.8.1

 

Remote Desktop to the Server IP also fails, despite being pingable.

 

I tried several FAQs, guides and documentation, but nothing works.

For example: if I set the WireGuard "Local IP Address" on the controller to an unoccupied IP on the internal subnet, I can reach the subnet via the WireGuard tunnel, but I have 50-80% packet loss. Setting the MTU to 1280 does not change that. If I set it to a completely different subnet, I can't reach the internal subnet with my servers at all.

Setting the client IP to the same subnet as the servers (192.168.8.x) also results in no connection whatsoever...

 

Clearly I am making a mistake somewhere, or missing a config somewhere, but I can't get my head around it...

Any suggestions what I might be missing here? How do I get DNS working?

 

Thanks in advance

 

#1
Re: Can't get WireGuard working properly
2024-04-23 01:42:08

Hi @silverSl1DE 

Thanks for posting in our business forum.

The interface IP of WG on the ER7206 should not be the public one. I don't see an explanation for that.

How to Configure WireGuard VPN on Omada Controller

 

For the client interface, try /32.

#2
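As an added example (not code from the original posts, from TP-Link or from the Omada guide), the script below turns the two configuration points raised so far into a mechanical cross-check: the WireGuard interface address on the ER7206 should not be the public WAN IP (it should sit on the tunnel subnet), and the peer's Allow Address should be the client's single address with /32. The server side is modelled as a plain dict with assumed field names (local_ip, listen_port, peer_allow) standing in for the "Edit WireGuard" / "Edit Peer" forms; the client side is the wg-quick syntax from the first post. The sample values are taken from the first post, and the finding codes are heuristics for a single-peer road-warrior setup, not a WireGuard specification.

```python
"""Cross-check an Omada-style WireGuard server form against a wg-quick client config.

Added example for this thread (not TP-Link or poster code). The server-side form is
modelled as a dict with assumed keys; the client side is real wg-quick syntax.
"""
import ipaddress

# Human-readable text for each heuristic finding code.
FINDINGS = {
    "server_ip_is_endpoint": "Local IP Address equals the public endpoint; use a tunnel-subnet address instead",
    "server_ip_not_in_tunnel_subnet": "Local IP Address is not on the client's tunnel subnet",
    "peer_allow_not_host": "peer Allow Address is a whole subnet; use the client's single address with /32",
    "peer_allow_excludes_client": "client Address is outside the peer Allow Address, so its packets are dropped",
    "port_mismatch": "client Endpoint port differs from the server Listen Port",
    "client_allowedips_miss_dns": "DNS server is not covered by the client's AllowedIPs, so queries bypass the tunnel",
    "client_address_inside_routed_lan": "client Address lies inside a LAN subnet the client routes through the tunnel",
}


def parse_wg_conf(text):
    """Minimal wg-quick parser: returns (interface, peers) with lower-case keys and list values."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            section = line[1:-1].strip().lower()
            if section == "interface":
                interface = current
            elif section == "peer":
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{section}]")
            continue
        if current is None:
            raise ValueError(f"key outside any section: {raw!r}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        # Keys such as AllowedIPs may repeat or carry comma lists; flatten both.
        current.setdefault(key.strip().lower(), []).extend(
            v.strip() for v in value.split(",") if v.strip())
    return interface, peers


def check_setup(server, client_conf):
    """Return the sorted finding codes for one server form (dict) and its client config (text)."""
    iface, peers = parse_wg_conf(client_conf)
    if len(peers) != 1:
        raise ValueError("expected exactly one [Peer] in the client config")
    peer = peers[0]
    client = ipaddress.ip_interface(iface["address"][0])
    routes = [ipaddress.ip_network(a, strict=False) for a in peer["allowedips"]]
    endpoint_host, _, endpoint_port = peer["endpoint"][0].rpartition(":")
    server_ip = ipaddress.ip_address(server["local_ip"])
    peer_allow = ipaddress.ip_interface(server["peer_allow"])
    findings = set()

    try:
        if server_ip == ipaddress.ip_address(endpoint_host):
            findings.add("server_ip_is_endpoint")
    except ValueError:
        pass  # Endpoint given as a hostname (or bracketed IPv6); nothing to compare.
    if server_ip not in client.network:
        findings.add("server_ip_not_in_tunnel_subnet")
    if peer_allow.network.prefixlen != peer_allow.network.max_prefixlen:
        findings.add("peer_allow_not_host")
    if client.ip not in peer_allow.network:
        findings.add("peer_allow_excludes_client")
    if int(endpoint_port) != int(server["listen_port"]):
        findings.add("port_mismatch")
    for dns in iface.get("dns", []):
        try:
            dns_ip = ipaddress.ip_address(dns)
        except ValueError:
            continue  # wg-quick also accepts search domains in DNS=; skip those.
        if not any(dns_ip in r for r in routes):
            findings.add("client_allowedips_miss_dns")
    if any(client.ip in r for r in routes):
        findings.add("client_address_inside_routed_lan")
    return sorted(findings)


# Constructed from the first post: Local IP Address is the WAN IP, peer Allow Address is a /24.
OP_SERVER = {"local_ip": "88.77.66.55", "listen_port": 51820, "peer_allow": "10.10.10.1/24"}
# Assumed corrected form: tunnel-subnet address on the server, client pinned with /32.
FIXED_SERVER = {"local_ip": "10.10.10.1", "listen_port": 51820, "peer_allow": "10.10.10.10/32"}

OP_CLIENT_CONF = """\
[Interface]
PrivateKey = PrIvAtEkEy
Address = 10.10.10.10/24
DNS = 192.168.8.1

[Peer]
PublicKey = sEcReT***PubKeyFromController
AllowedIPs = 192.168.8.0/24
Endpoint = 88.77.66.55:51820
"""

if __name__ == "__main__":
    for label, server in (("as posted", OP_SERVER), ("after fix", FIXED_SERVER)):
        codes = check_setup(server, OP_CLIENT_CONF)
        print(f"{label}: {codes or 'no findings'}")
        for code in codes:
            print(f"  - {FINDINGS[code]}")
```

Run as posted, the script reports the WAN-IP interface address and the /24 Allow Address; with the assumed corrected server values it reports nothing. The last check (client address inside a routed LAN subnet) covers the first post's third attempt, where the client was given a 192.168.8.x address while 192.168.8.0/24 was also its AllowedIPs.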
Re: Can't get WireGuard working properly
2024-04-23 07:42:00

@Clive_A

Thank you for your reply.

 

I already followed the guide you mentioned earlier.

However, I just set the interface IP of WG on the ER7206 to an unoccupied IP on my subnet in VLAN 8:

192.168.8.13

 

I also set the client interface to /32 for the peer on the controller.

 

As mentioned earlier, I now get MASSIVE packet loss:

C:\Users\Administrator>ping /t 192.168.8.4

Pinging 192.168.8.4 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Request timed out.
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.8.4: bytes=32 time=13ms TTL=63
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Request timed out.

Ping statistics for 192.168.8.4:
    Packets: Sent = 37, Received = 15, Lost = 22 (59% loss),
Approximate round trip times in milli-seconds:
    Minimum = 12ms, Maximum = 13ms, Average = 12ms
Control-C

 

DNS is still not working.

Unknown adapter wg0p1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WireGuard Tunnel
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.10.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.8.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

 

C:\Users\Administrator>nslookup 192.168.8.3
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.8.1

DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

#3
Re: Can't get WireGuard working properly
2024-04-23 08:08:37

Hi @silverSl1DE 

Thanks for posting in our business forum.

If there are pings over the VPN tunnel, that means the VPN is successful. You could paste a diagram of your network for better clarification of your VLAN config in the LAN.

Very strange that you have super high loss but it is actually working.

#4
Re: Can't get WireGuard working properly
2024-04-23 12:36:50

@Clive_A

Strange, right?

 

I will create a map and report back.

#5
Re: Can't get WireGuard working properly
2024-04-26 13:59:06

@Clive_A

 

So.

Good news everyone!

I kinda solved my problem.

 

As you suggested, I started to create a detailed network map of my (my customer's) network. I inspected every port, every connection, every uplink, and BOOM!

Turns out they have a 2nd ISP as a fallback with 1:1 load balancing. I was planning to temporarily take the port to the 2nd ISP offline for testing purposes. But this morning I got a text that the (currently used) OpenVPN doesn't work. Quick checks revealed that the 1st ISP was offline, so there was no connection to the public OpenVPN IP.

 

I changed the WireGuard client to connect to the 2nd ISP's uplink IP. Guess what! Worked like a charm! For 3 hours. Then all of a sudden massive packet loss. Checked the 1st ISP. Yep, the 1st WAN port is online again. So... I don't have to test on the weekend. Can't complain about that. ;-)

 

However, is there a possibility to get WireGuard working over TWO separate connections / ISPs / IPs?

#6