Can't get WireGuard working properly
a week ago
Hardware Version: V1
Firmware Version: 5.12.9
Hello everyone,
 
I have been trying to configure WireGuard for quite some time now and it won't work as expected.
First of all, devices:
OC200 controller, version 5.12.9
 
MAP:
[internet] ------ [Router: ER7206] ----- [Switch: TL-SG3428XMP] ----- [OC 200]
 
On the ER7206 we have a couple of internal VLANs. Only one VLAN should be fully accessible via WireGuard. Let's call that VLAN 8.
VLAN 8:
192.168.8.0/24
 
known systems on that subnet:
ER7206: 192.168.8.1
ServerA: 192.168.8.2
ServerB: 192.168.8.3
NAS: 192.168.8.4
 
Let's also assume my public WAN-IP might be 88.77.66.55
 
On the controller side my WireGuard config looks like:
Edit Wireguard
Name: wg0
Status: [x] Enable
MTU: 1420 (576-1440)
Listen Port: 51820 (1-65535)
Local IP Address: 88.77.66.55  // YES it's my WAN-IP. I'll explain later why.
Private Key: ***

 

Edit Peer
Name: wg0p1
Status: [x] Enable
Interface: wg0
Endpoint: - (Optional)
Endpoint Port: - (Optional)
Allow Address: 10.10.10.1/24
Persistent Keepalive: 25 (0-65535 second)
Comment: - (0-128 characters)
Public Key: sEcReT***PubKeyFromClient
Preshared Key: -
 
Client side config
[Interface]
PrivateKey = PrIvAtEkEy
Address = 10.10.10.10/24
DNS = 192.168.8.1

[Peer]
PublicKey = sEcReT***PubKeyFromController
AllowedIPs = 192.168.8.0/24
Endpoint = 88.77.66.55:51820

 

With this configuration I can ping all devices on the internal network. I can connect to the web GUI of the NAS via IP.

ping 192.168.8.1

Pinging 192.168.8.1 with 32 bytes of data:
Reply from 192.168.8.1: bytes=32 time=9ms TTL=127

 

But I can't get DNS to work. "nslookup" won't work:

nslookup 192.168.8.1
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.8.1

 

Remote Desktop to the Server IP also fails, despite being pingable.

 

I tried several FAQs, guides and documentation pages, but nothing works.

For example: if I set the "Local IP Address" on the WireGuard controller to an unoccupied IP on the internal subnet, I can reach the subnet via the WireGuard tunnel, but I get 50-80% packet loss. Setting the MTU to 1280 does not change that. If I set it to a completely different subnet, I can't reach the internal subnet with my servers at all.

Setting the client IP to the same subnet as the servers (192.168.8.x) also results in no connection whatsoever...

 

Clearly I am making a mistake somewhere, or missing a config somewhere, but I can't get my head around it...

Any suggestions as to what I might be missing here? How do I get DNS working?

 

Thanks in advance

 

#1
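As an added example (my own code, not from the thread, the poster or TP-Link), here is a stand-alone check of the configuration pair shown above. It models WireGuard's cryptokey routing (every destination is matched against each peer's AllowedIPs, longest prefix wins) and compares the controller-side peer entry (its interface IP and the "Allow Address" it holds for this client) against the client's config. The "corrected" pair it also checks is an assumption for illustration: the controller's tunnel address moved into 10.10.10.0/24, a /32 Allow Address for the client, and the client additionally routing the tunnel subnet. None of that is confirmed by the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Peer:
    public_key: str
    allowed_ips: list        # ipaddress networks, host bits already cleared
    raw_allowed: list        # strings as written, to detect host bits
    endpoint: Optional[str] = None


@dataclass
class WgConfig:
    addresses: list          # ipaddress.ip_interface objects
    dns: list                # ipaddress.ip_address objects
    peers: list


def parse_wg_conf(text: str) -> WgConfig:
    """Minimal parser for wg-quick style [Interface]/[Peer] files."""
    iface = {"Address": [], "DNS": []}
    peers, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                cur = {"AllowedIPs": [], "Endpoint": None, "PublicKey": None}
                peers.append(cur)
            continue
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip()
        if section == "interface" and key in iface:
            iface[key] += [v.strip() for v in val.split(",")]
        elif section == "peer" and cur is not None:
            if key == "AllowedIPs":
                cur["AllowedIPs"] += [v.strip() for v in val.split(",")]
            elif key in cur:
                cur[key] = val
    return WgConfig(
        addresses=[ipaddress.ip_interface(a) for a in iface["Address"]],
        dns=[ipaddress.ip_address(d) for d in iface["DNS"]],
        peers=[Peer(p["PublicKey"],
                    [ipaddress.ip_network(n, strict=False) for n in p["AllowedIPs"]],
                    p["AllowedIPs"], p["Endpoint"]) for p in peers],
    )


def route_lookup(peers, dst):
    """Cryptokey routing: the peer whose AllowedIPs entry matches longest wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for peer in peers:
        for net in peer.allowed_ips:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best


def host_bits_set(cidr: str) -> bool:
    i = ipaddress.ip_interface(cidr)
    return i.ip != i.network.network_address


def check_pair(server_tunnel_ip: str, server_peer_allowed: str, client_conf: str) -> list:
    """Finding codes for a controller-side peer entry vs. the client config; [] = consistent."""
    client = parse_wg_conf(client_conf)
    server_ip = ipaddress.ip_address(server_tunnel_ip)
    allowed = ipaddress.ip_network(server_peer_allowed, strict=False)
    findings = []
    # The controller's own tunnel address should sit in the client's tunnel subnet.
    if not any(server_ip in a.network for a in client.addresses):
        findings.append("server-address-outside-tunnel")
    # The controller only accepts packets from this peer whose source is inside Allow Address.
    if not any(a.ip in allowed for a in client.addresses):
        findings.append("client-address-not-covered-by-server-peer")
    # Hygiene: one client, one address -> a host route written without host bits.
    if host_bits_set(server_peer_allowed):
        findings.append("peer-allowed-host-bits")
    if len(client.addresses) == 1 and allowed.prefixlen < allowed.max_prefixlen:
        findings.append("peer-allowed-wider-than-host-route")
    # Client side: is the controller's tunnel IP, and the DNS server, routed into the tunnel?
    if route_lookup(client.peers, server_ip) is None:
        findings.append("client-cannot-reach-server-tunnel-ip")
    if any(route_lookup(client.peers, d) is None for d in client.dns):
        findings.append("dns-not-routed-via-tunnel")
    return findings


# Client config as posted in the thread (keys are placeholders, as there).
CLIENT_AS_POSTED = """
[Interface]
PrivateKey = PrIvAtEkEy
Address = 10.10.10.10/24
DNS = 192.168.8.1

[Peer]
PublicKey = sEcReT***PubKeyFromController
AllowedIPs = 192.168.8.0/24
Endpoint = 88.77.66.55:51820
"""
# Assumed correction (not from the thread): also route the tunnel subnet itself.
CLIENT_FIXED = CLIENT_AS_POSTED.replace(
    "AllowedIPs = 192.168.8.0/24", "AllowedIPs = 192.168.8.0/24, 10.10.10.0/24")

if __name__ == "__main__":
    print("as posted:", check_pair("88.77.66.55", "10.10.10.1/24", CLIENT_AS_POSTED))
    print("assumed fix:", check_pair("10.10.10.1", "10.10.10.10/32", CLIENT_FIXED))
    print("8.8.8.8 via tunnel?", route_lookup(parse_wg_conf(CLIENT_FIXED).peers, "8.8.8.8"))
```

The findings on the posted pair are hygiene issues rather than hard breakage, which matches the post: LAN pings work because 192.168.8.0/24 is in the client's AllowedIPs and 10.10.10.10 is inside the controller's 10.10.10.0/24 Allow Address, and DNS queries to 192.168.8.1 do enter the tunnel. The checker does not look at what happens after the packet leaves the tunnel (VLAN ACLs, firewall rules, which WAN the reply leaves on), so an empty finding list does not rule those out.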
Re: Can't get WireGuard working properly
a week ago

Hi @silverSl1DE 

Thanks for posting in our business forum.

The Interface on the WG ER7206 should not be the public one. I don't see an explanation for that.

How to Configure WireGuard VPN on Omada Controller

 

Client interface try /32.

#2
Re: Can't get WireGuard working properly
a week ago

@Clive_A

Thank you for your reply.

 

I already followed the guide that you mentioned.

However, I just set the interface IP on the WG ER7206 to an unoccupied IP on my subnet in VLAN 8:

192.168.8.13

 

I also set the client interface to /32 for the peer on the controller.

 

As mentioned earlier, I now get MASSIVE packet losses:

C:\Users\Administrator>ping /t 192.168.8.4

Pinging 192.168.8.4 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Request timed out.
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.8.4: bytes=32 time=13ms TTL=63
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Reply from 192.168.8.4: bytes=32 time=12ms TTL=63
Request timed out.
Request timed out.

Ping statistics for 192.168.8.4:
    Packets: Sent = 37, Received = 15, Lost = 22 (59% loss),
Approximate round trip times in milli-seconds:
    Minimum = 12ms, Maximum = 13ms, Average = 12ms
Control-C

 

DNS Still not working.

Unknown adapter wg0p1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WireGuard Tunnel
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.10.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.8.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

 

C:\Users\Administrator>nslookup 192.168.8.3
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.8.1

DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

#3
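The nslookup output in the post above shows two separate failures: nslookup first does a PTR lookup of the server's own address (that is why it prints "Server: UnKnown"), and only then the query you asked for; both time out while ICMP to the same host works. A timeout is a different signal from REFUSED or NXDOMAIN, and the added probe below (my own code, not from the thread or from TP-Link) sends exactly those two queries over UDP/53 with the standard library so the two cases can be told apart. The server address 192.168.8.1 comes from the post; the forward name nas.lan and the embedded reply bytes are constructed for the offline check and are not from the poster's network.

```python
import ipaddress
import socket
import struct

QTYPES = {"A": 1, "PTR": 12}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def reverse_name(ip: str) -> str:
    """The name nslookup resolves when given an IP, e.g. 1.8.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def build_query(name: str, qtype: str, txid: int) -> bytes:
    # Header: id, flags (RD=1 only), qdcount=1, an/ns/ar counts = 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPES[qtype], 1)


def read_name(data: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:               # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_response(data: bytes) -> dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                          # skip the echoed question(s)
        _, off = read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == QTYPES["A"]:
            answers.append(str(ipaddress.IPv4Address(data[off:off + 4])))
        elif rtype == QTYPES["PTR"]:
            answers.append(read_name(data, off)[0])
        off += rdlen
    return {"id": txid, "rcode": RCODES.get(flags & 0x0F, str(flags & 0x0F)), "answers": answers}


def probe(server: str, name: str, qtype: str, timeout: float = 2.0):
    """One query over UDP/53; returns the parsed reply, 'timeout' or 'id-mismatch'."""
    txid = 0x5343
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    resp = parse_response(data)
    return resp if resp["id"] == txid else "id-mismatch"   # stale/spoofed reply


# Constructed reply (not captured from the poster's network): what a resolver would
# return for 'A nas.lan' if that name pointed at the NAS address from the thread.
SAMPLE_REPLY = (
    struct.pack(">HHHHHH", 0x5343, 0x8180, 1, 1, 0, 0)
    + encode_name("nas.lan") + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 168, 8, 4])
)

if __name__ == "__main__":
    for name, qtype in ((reverse_name("192.168.8.1"), "PTR"), ("nas.lan", "A")):
        print(qtype, name, "->", probe("192.168.8.1", name, qtype))
```

Run it from the VPN client while the tunnel is up. "timeout" on both queries with ICMP working means UDP/53 is not reaching the resolver or its answer is not coming back (a firewall or ACL on the tunnel subnet, or the resolver not listening on that interface); REFUSED means the resolver saw the query but does not serve that source; NXDOMAIN on the PTR with a correct A answer is the harmless case where the router simply has no reverse zone, which nslookup reports as "UnKnown" but which does not break forward lookups.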
Re: Can't get WireGuard working properly
a week ago

Hi @silverSl1DE 

Thanks for posting in our business forum.

If there are pings over the VPN tunnel, that means the VPN is successful. You should probably paste a diagram of your network for better clarification of your VLAN config in the LAN.

Very strange that you have super high loss but it is actually working.

#4
Re: Can't get WireGuard working properly
a week ago

  @Clive_A 

Strange, right?

 

I will create a map and report back.

#5
Re: Can't get WireGuard working properly
a week ago

  @Clive_A 

 

So.

Good news everyone!

I kinda solved my problem.

 

As you suggested, I started to create a detailed network map of my (my customer's) network. I inspected every port, every connection, every uplink, and BOOM!

Turns out they have a 2nd ISP as fallback and 1:1 load balancing. I was planning on temporarily taking the port to the 2nd ISP offline for testing purposes. But this morning I got a text that the (currently used) OpenVPN doesn't work. Quick checks revealed that the 1st ISP was offline, so no connection to the public OpenVPN IP.

 

I changed the WireGuard client to connect to the 2nd ISP's uplink IP. Guess what! Worked like a charm! For 3 hours. Then all of a sudden massive packet losses. Checked the 1st ISP. Yep. 1st WAN port is online again. So... I don't have to test on the weekend. Can't complain about that. ;-)

 

However, is there a possibility to get WireGuard working over TWO separate connections / ISPs / IPs?

#6