WireGuard Kills Peer Internet & Host Network

2024-09-19 18:16:56 - last edited 2024-09-19 18:21:38
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.6

Two different office locations, both behaving the same.

Followed this guide: https://community.tp-link.com/en/business/forum/topic/610198

 

Behavior:

Previously, both Office A and B were on 192.168.0.1. Due to LAN conflicts, I changed one office to 192.168.2.1.

While both Offices were on 192.168.0.1, we were having issues connecting from Office B to Office A, and from a remote location into Office B. I thought this may have been due to the overlapping LANs, so I reconfigured Office B to 192.168.2.1.

 

Now, whenever WireGuard is activated for the first time (after config) into either office, it works great for about 2-3 minutes until a time-out. ONLY THE FIRST CONNECTION. On any attempt to re-activate WireGuard on the peer laptop into either office, the peer laptop loses all internet connectivity (essentially instantly) AND the Office network crashes: no internet connection, controller crashes, etc. Deactivating WireGuard on the peer laptop re-enables internet connectivity at the peer AND, after 2-3 minutes, the Office network comes back online.

 

I've rebuilt this config like 2-3 times at this point and at my wit's end - I have no idea what is causing this.

 

Goal:

The goal here is to be able to VPN into either office (from the other office, or from a remote location) so as to RDP into another machine.

 

Components:

ISP: Spectrum Modem (Business, static IP)

Router: ER605v2.0; firmware v2.2.6

AP: EAP 670v2.0; firmware v1.0.4

Controller: OC200v1; controller v5.14.26.23

 

Office A

Gateway IP: 192.168.0.1
Network Broadcast IP: 192.168.0.255
Network IP Count: 254
Network IP Range: 192.168.0.1 - 192.168.0.254
Network Subnet Mask: 255.255.255.0

WireGuard Listen Port: 51820
WireGuard Local IP: 192.168.0.250
WireGuard Host "Allowed Address": 10.1.1.2/24, 10.0.10.2/24, 10.0.10.5/24
WireGuard Peer "AllowedIPs": 0.0.0.0/0, ::/0

Peer Example (Office A):

[Interface]
PrivateKey = <privKey>
Address = 10.1.1.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = <pubKey>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <staticIP>:51820

Office B

Gateway IP: 192.168.2.1
Network Broadcast IP: 192.168.2.255
Network IP Count: 254
Network IP Range: 192.168.2.1 - 192.168.2.254
Network Subnet Mask: 255.255.255.0

WireGuard Listen Port: 51820
WireGuard Local IP: 192.168.2.250
WireGuard Host "Allowed Address": 10.0.1.1/24
WireGuard Peer "AllowedIPs": 0.0.0.0/0, ::/0

Peer Example (Office B):

[Interface]
PrivateKey = <privKey>
Address = 10.0.1.1/24
DNS = 8.8.8.8

[Peer]
PublicKey = <pubKey>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <staticIP>:51820

#1
Re:WireGuard Kills Peer Internet & Host Network
2024-09-20 01:46:28

Hi @rawfuls 

Thanks for posting in our business forum.

I've seen someone on Reddit who pasted you the correct link for the config. You might want to retry the guide.

I won't reiterate what's been explained by the user on Reddit. Basically, he's in the right direction.

Best Regards!
#2
Re:WireGuard Kills Peer Internet & Host Network
2024-09-20 02:01:34

@Clive_A thanks for the response.

I'm not looking to be spoon-fed, but also can't totally wrap my head around where I went wrong.

 

I don't mind all remote traffic going through the local gateway, I see this as a positive.

 

The only thing that has stuck out at me is:
i.e. Devices are using the interfaces below:
iOS device A, Peer A, interface = 10.0.0.1/24
macOS device B, Peer B, interface = 10.0.0.2/24
Windows device C, interface = 10.0.0.3/24
...
Allowed IPs in Omada router peer settings for A, B, and C should be 10.0.0.1/32 and 10.0.0.2/32, 10.0.0.3/32, and so on and so forth.

 

 

  1. If I did choose to not pass the remote traffic, I would change the following in the WireGuard Peer (laptop): AllowedIPs = <local IP defined in WireGuard Omada router settings>/32, <local server IP>/32.
  2. If I choose to keep all remote traffic going through the office network, I just need to update the Omada router peer settings to be the same allowed IP/32.

 

Is this correct?

I suppose this explains why when the host (Omada) network goes down, my laptop network goes down; because all internet traffic is going through the Omada network.

However, this doesn't explain why the Omada network goes down (or does it?)

#3
Re:WireGuard Kills Peer Internet & Host Network
2024-09-20 02:15:06

Hi @rawfuls 

Thanks for posting in our business forum.

rawfuls wrote

@Clive_A thanks for the response.

I'm not looking to be spoon-fed, but also can't totally wrap my head around where I went wrong.

 

I don't mind all remote traffic going through the local gateway, I see this as a positive.

 

The only thing that has stuck out at me is:
i.e. Devices are using the interfaces below:
iOS device A, Peer A, interface = 10.0.0.1/24
macOS device B, Peer B, interface = 10.0.0.2/24
Windows device C, interface = 10.0.0.3/24
...
Allowed IPs in Omada router peer settings for A, B, and C should be 10.0.0.1/32 and 10.0.0.2/32, 10.0.0.3/32, and so on and so forth.

 

 

  1. If I did choose to not pass the remote traffic, I would change the following in the WireGuard Peer (laptop): AllowedIPs = <local IP defined in WireGuard Omada router settings>/32, <local server IP>/32.
  2. If I choose to keep all remote traffic going through the office network, I just need to update the Omada router peer settings to be the same allowed IP/32.

 

Is this correct?

I suppose this explains why when the host (Omada) network goes down, my laptop network goes down; because all internet traffic is going through the Omada network.

However, this doesn't explain why the Omada network goes down (or does it?)

The prerequisite is that routing all the traffic remotely (which you don't care about) depends on your tunnel connectivity.

When the tunnel is not properly set up, the network will be down.

When the network is down, the route does not work. And when another peer connects to you, the network isn't working.

Both peers are routing the traffic to the other peer's WG int, but that's some kind of problem.

 

For the explanation about the /24 or /32 on the WG int, you can refer to the guide.

Best Regards!
#4
Re:WireGuard Kills Peer Internet & Host Network
2024-09-20 06:19:49

Clive_A wrote

The prerequisite is that routing all the traffic remotely (which you don't care about) depends on your tunnel connectivity.

When the tunnel is not properly set up, the network will be down.

When the network is down, the route does not work. And when another peer connects to you, the network isn't working.

Both peers are routing the traffic to the other peer's WG int, but that's some kind of problem.

 

For the explanation about the /24 or /32 on the WG int, you can refer to the guide.

 

I'm getting that, do you have direct answers of where I am going wrong?

I'm trying to find my mistake and I've gleaned as much info from that tutorial as I could have, but nothing is jumping out at me.

 

Are my questions below on the right track? Should I be changing the Omada router peer to /32, are you indicating that is the problem here?

 

  1. If I did choose to not pass the remote traffic, I would change the following in the WireGuard Peer (laptop): AllowedIPs = <local IP defined in WireGuard Omada router settings>/32, <local server IP>/32.
  2. If I choose to keep all remote traffic going through the office network, I just need to update the Omada router peer settings to be the same allowed IP/32.
#5
Re:WireGuard Kills Peer Internet & Host Network
2024-09-20 06:29:12

Hi @rawfuls 

Thanks for posting in our business forum.

rawfuls wrote

Clive_A wrote

The prerequisite is that routing all the traffic remotely (which you don't care about) depends on your tunnel connectivity.

When the tunnel is not properly set up, the network will be down.

When the network is down, the route does not work. And when another peer connects to you, the network isn't working.

Both peers are routing the traffic to the other peer's WG int, but that's some kind of problem.

 

For the explanation about the /24 or /32 on the WG int, you can refer to the guide.

 

I'm getting that, do you have direct answers of where I am going wrong?

I'm trying to find my mistake and I've gleaned as much info from that tutorial as I could have, but nothing is jumping out at me.

 

Are my questions below on the right track? Should I be changing the Omada router peer to /32, are you indicating that is the problem here?

 

  1. If I did choose to not pass the remote traffic, I would change the following in the WireGuard Peer (laptop): AllowedIPs = <local IP defined in WireGuard Omada router settings>/32, <local server IP>/32.
  2. If I choose to keep all remote traffic going through the office network, I just need to update the Omada router peer settings to be the same allowed IP/32.

Instead of using 0.0.0.0/0 as the allowed IP, which routes all the traffic to the peer, start with the subnet you expect to access via the peer.

And, WG int with /32.

See if that works.

Best Regards!
#6
Re:WireGuard Kills Peer Internet & Host Network
2024-09-20 18:12:58

  @Clive_A 

Instead of using 0.0.0.0/0 as the allowed IP, which routes all the traffic to the peer, start with the subnet you expect to access via the peer.

And, WG int with /32.

See if that works.

 

Thank you, this was very helpful to hear the confirmation.

 

Changing the WireGuard interface on the router side to the <address>/32 instead of /24 seemed to resolve the issue.

What's weird is that one other user was able to function normally with /24.

 

Regardless, I understand that the /32 is best practice since it isolates to one IP.

 

I've also changed the 0.0.0.0/0 to 192.168.0.1/24 and 2.1/24 respectively and those are also seeming to work.

 

I'll deploy these changes to the end users to ensure everything is functional, appreciate the patience. 
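As an added example (not from the thread, the Omada guide or TP-Link), here is a small Python checker for the router-side AllowedIPs rules Clive_A gives above and rawfuls confirms: one /32 per peer, no subnet-wide or catch-all entries, and no overlap between peers or with the office LAN. The BEFORE/AFTER samples are constructed from the Office A values posted in the thread, assuming each "Allowed Address" entry is a separate peer.

```python
import ipaddress
from itertools import combinations

# Constructed sample: the thread's Office A router with three peer entries (assumed to be
# three separate peers) as first posted, then as corrected to one /32 per peer.
BEFORE = {"laptop": "10.1.1.2/24", "peerB": "10.0.10.2/24", "peerC": "10.0.10.5/24"}
AFTER = {"laptop": "10.1.1.2/32", "peerB": "10.0.10.2/32", "peerC": "10.0.10.5/32"}
OFFICE_A_LAN = ["192.168.0.0/24"]


def parse_allowed(spec):
    """Split a comma-separated AllowedIPs string; strict=False turns 10.1.1.2/24 into 10.1.1.0/24,
    which is exactly what the router ends up allowing for that peer."""
    return [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",") if s.strip()]


def lint_router_peers(peers, lan_subnets):
    """Return a list of findings for the router-side AllowedIPs of each peer.

    WireGuard's cryptokey routing lets exactly one peer own a given destination prefix, so
    overlapping entries silently break the peer that loses, and a prefix that overlaps the
    LAN or catches all traffic pulls the office's own traffic into the tunnel.
    """
    findings = []
    nets = {name: parse_allowed(spec) for name, spec in peers.items()}
    lans = [ipaddress.ip_network(s) for s in lan_subnets]
    for name, plist in nets.items():
        for net in plist:
            if net.prefixlen == 0:
                findings.append(f"{name}: {net} is a catch-all route; all router traffic would go to this peer")
            elif net.prefixlen != net.max_prefixlen:
                findings.append(f"{name}: {net} claims a whole subnet, use one /{net.max_prefixlen} per peer")
            for lan in lans:
                if net.version == lan.version and net.overlaps(lan):
                    findings.append(f"{name}: {net} overlaps LAN {lan}; LAN traffic would be diverted into the tunnel")
    # Pairwise check across peers: two peers claiming the same prefix means only one of them works.
    for (a, na), (b, nb) in combinations(((n, net) for n, l in nets.items() for net in l), 2):
        if a != b and na.version == nb.version and na.overlaps(nb):
            findings.append(f"{a} and {b}: {na} overlaps {nb}; only one peer can own that route")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_router_peers(cfg, OFFICE_A_LAN) or ["no findings"])
```

The laptop-side AllowedIPs of 0.0.0.0/0 is a normal full-tunnel setting and is not flagged here; the checker only looks at what the router accepts per peer.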
