How to setup wireguard properly on ER605?

How to setup wireguard properly on ER605?

How to setup wireguard properly on ER605?
How to setup wireguard properly on ER605?
Friday - last edited 19 hours ago
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version:

found out the issue is with allowed IPs in peer setting, 0.0.0.0/0 doesn't work.

(this is different from other vendor's implementation)

 

given the fact the peer of server is the client, the configuration can only be the same, in other vendor's implementation, such info are generated using QR code to avoid typo error; also they don't use this allowed IPs as routing entry, 

 

i guess different teams have different design philosopies, just get used to it(though take me a lot of time and test to figure out the reason)

 

 

 

 

 

  0      
  0      
#1
Options
1 Accepted Solution
Re:How to setup wireguard properly on ER605?-Solution
Friday - last edited 19 hours ago

Hi @BruceInSG 

Thanks for posting in our business forum.

BruceInSG wrote

  @Clive_A 

 

thanks, I just edited my post while your reply came in at the same time,

 

i draw a network diagram for you.

 

GPON has an external public IP.

 

I can from my WG client access the web interface of ER605(192.168.6.1), and ping to 192.168.6.xx/24 of internal LAN, 

but I cannot access ER605's web interface on 192.168.1.2, neither ping to 192.168.1.xx/24 

no internet access(even using ip directly to ping 8.8.8.8)

 

 

 

configuration of wg client:

 

[Interface]
Address = 10.0.2.2/32
ListenPort = 56627
PrivateKey = xxxxx
DNS = 8.8.8.8
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = public IP of GPON:51820
PersistentKeepalive = 25
PublicKey = yyyyyy

 

 

and ping result with wg connection up, to 10.0.2.1 (which is wg vpn ip), and 192.168.6.1(ER605 internal downlink LAN ip, not ER605 uplink ip)

 

 

That's no longer an issue with the WG.

If you can ping the router and access its LAN IP to its web, that means the tunnel is up and running.

WAN access to the web requires access authority. You need to allow the WAN access in the Remote Assistance tab. However, if you are using the controller, then you don't have access to the web. Everything you need to view or configure is integrated into the controller.

Ping from WAN is also an option in the firewall settings.

Think you should check every tab of the router and see the Help Center or the User Guide to learn about the system.

 

On wheter you can ping the Internet, or 8.8.8.8, I want to know if you can ping to your 192.168.1.254 GPON(LAN IP)? If you cannot ping the 192.168.1.254, that indicates your WAN or the routing on the GPON LAN is not working as expected.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Recommended Solution
  1  
  1  
#6
Options
5 Reply
Re:How to setup wireguard properly on ER605?
Friday

Hi @BruceInSG 

Thanks for posting in our business forum.

You don't have a public IP address based on the last picture. Be sure you mosaic the public key when you post something like this.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#2
Options
Re:How to setup wireguard properly on ER605?
Friday - last edited Friday

NA

  0  
  0  
#3
Options
Re:How to setup wireguard properly on ER605?
Friday

Hi @BruceInSG 

Thanks for posting in our business forum.

BruceInSG wrote

  @Clive_A 

 

thanks, to point this. but:

 

yes, the ER605 has only a private IP 192.168.1.2, but that's ok, because I do port forward from GPON to it, and the wg connection is up running.

 

the issue is really i cannot access the internet, cannot ping to even 192.168.1.0/24(which is the same subnet of ER605's uplink)

 

1) on ER605, it's default route is pointing to my GPON's 192.168.1.254,

the expected traffic flow should be:  wg client -> GPON(public IP), port fwding -> ER605 wg server -> (back to) GPON -> Internet?

 

2) on ER605, I setup a IPsec VPN, the same topology worked for an iphone

iphone (IKEv2/PSK) -> GPON(public IP), port fwding -> ER605 IPsec VPN(client-to-site setting) -> (back to) GPON -> Internet

 

 

in comparison, I have another 3rd party vendor's router, i also run WG server on it, with of course different key pairs/subnets/port fwding num

the traffic from my pc's wg client -> GPON (public IP) -> that 3rd party router -> (back to) GPON -> Internet is working

though there is an extra setting i did there(i'm not sure if it is relevant), that 3rd party vendor's router is acting as a side-gateway(not because of this WG configuration, but as a general setting for my other devices' static route), i was told by that vendor's tech support to add:
# drop-in gateway features: to enable forwarding
iptables -I FORWARD -j ACCEPT
iptables -I INPUT -j ACCEPT
 

is that the similar reason/root cause?

nonetheless, it is still strange that i cannot even ping the p2p interface ip from WG's connection with ER605.

 

 

 

Take a look at the insight about the VPN tunnel. Is the WG even up on the router? Still the IP thing I think.

It does not connect and that's why you don't have any ping working.

Looking forward to seeing some pictures of the setup and verification of the tunnel.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#4
Options
Re:How to setup wireguard properly on ER605?
Friday - last edited Friday

NA

 

  0  
  0  
#5
Options
Re:How to setup wireguard properly on ER605?-Solution
Friday - last edited 19 hours ago

Hi @BruceInSG 

Thanks for posting in our business forum.

BruceInSG wrote

  @Clive_A 

 

thanks, I just edited my post while your reply came in at the same time,

 

i draw a network diagram for you.

 

GPON has an external public IP.

 

I can from my WG client access the web interface of ER605(192.168.6.1), and ping to 192.168.6.xx/24 of internal LAN, 

but I cannot access ER605's web interface on 192.168.1.2, neither ping to 192.168.1.xx/24 

no internet access(even using ip directly to ping 8.8.8.8)

 

 

 

configuration of wg client:

 

[Interface]
Address = 10.0.2.2/32
ListenPort = 56627
PrivateKey = xxxxx
DNS = 8.8.8.8
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = public IP of GPON:51820
PersistentKeepalive = 25
PublicKey = yyyyyy

 

 

and ping result with wg connection up, to 10.0.2.1 (which is wg vpn ip), and 192.168.6.1(ER605 internal downlink LAN ip, not ER605 uplink ip)

 

 

That's no longer an issue with the WG.

If you can ping the router and access its LAN IP to its web, that means the tunnel is up and running.

WAN access to the web requires access authority. You need to allow the WAN access in the Remote Assistance tab. However, if you are using the controller, then you don't have access to the web. Everything you need to view or configure is integrated into the controller.

Ping from WAN is also an option in the firewall settings.

Think you should check every tab of the router and see the Help Center or the User Guide to learn about the system.

 

On wheter you can ping the Internet, or 8.8.8.8, I want to know if you can ping to your 192.168.1.254 GPON(LAN IP)? If you cannot ping the 192.168.1.254, that indicates your WAN or the routing on the GPON LAN is not working as expected.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Recommended Solution
  1  
  1  
#6
Options