ER8411 V1 Wireguard stopped working after firmware upgrade to 1.3.1

Hello,
I have ER8411 V1 and OC200.
After a firmware upgrade from 1.2.3 to 1.3.1, WireGuard VPN is now completely broken.
I have rx and tx on the Android WireGuard app but I cannot access any of my local IPs and have no internet access when WireGuard is turned on!!!
Is anyone else having this issue?
It was working just fine when I was on firmware 1.2.3.
I can post my configs for the WireGuard VPN if anyone has a clue.
Thanks!!!
Someone else posted something about this, and they resolved it by double-checking their WAN IN gateway ACLs and found they had a block "everything" rule, which on the new firmware works slightly differently and does indeed block everything (it's not necessary either).
@GRL Hey, thanks for the reply. Can you please direct me to the post, as I am a total newbie and don't understand where I have to go to change that setting.
I turned all the ACLs off but still don't have internet access or LAN access when on my phone (and when WireGuard is activated).
Can you elaborate where exactly "WAN IN gateway ACLs" are?
Here is a screenshot from my OC200:
Thanks!
@parhamsan I can confirm that for some odd reason my OpenVPN connection is also not working after the upgrade.
I tried to downgrade in standalone mode and can't go back to 1.2.3; so after the latest firmware upgrade I am completely without VPN!!!
There must be something I'm completely missing in the new Firmware!
parhamsan wrote
> @parhamsan I can confirm that for some odd reason my OpenVPN connection is also not working after the upgrade.
> I tried to downgrade in standalone mode and can't go back to 1.2.3; so after the latest firmware upgrade I am completely without VPN!!!
> There must be something I'm completely missing in the new Firmware!
Roll the downgrade from the CLI.
If you want further diagnosis and advice, please post your config and settings.
Please mosaic your sensitive information. Here is a list of information considered sensitive:
1. Public IP address on your WAN if your WAN is.
2. Real MAC address of your device.
3. Your personal information including address, domain name, and credentials.
For troubleshooting purposes, when a WAN IP is needed, please leave some values visible for identification.
@MR.S Hello,
So here is what I did. I Forgot the ER8411 from the OC200 (the ER8411 got factory reset), enabled SSH and SSHed to the ER8411.
I then rolled back to the previous firmware, 1.2.3, and adopted the ER8411 again.
I can now confirm that WireGuard is working as before, so it must be a setting on the new firmware that is blocking the traffic.
Maybe someone can explain what is preventing WireGuard from working on the new firmware:
To start I have 2 LANs:
Default 192.168.1.1/24
LAN69 192.168.69.1/24 (LAN69 is only set up to be used in the ACL for WireGuard to block access to LAN1, which I found is useless)
On WireGuard I have 2 servers (both port 51800 and 51820 are open in NAT):
And below are the peers:
And the ACL for LAN69 (which is kind of useless, since when I created LAN69 and used it on the WireGuard VPN, I only have access to WAN and no LAN regardless of the ACL being on or off, which is not an issue; I can deal with that by having 2 different addresses for WireGuard).
With this configuration WireGuard works fine.
But when upgraded to firmware 1.3.1 everything stopped working???
Is there a setting I need to set for WireGuard to work on the new firmware?
Any help would be appreciated.
Thanks!
OK, first of all, if you have port-forwarded WireGuard or OpenVPN, then delete all of these. You shouldn't do that.
You also shouldn't use a VPN IP that overlaps with any of your other networks. It didn't look like you had done that here.
And you use /32 on allowed IP, that's good. So then it should work.
Start by deleting the port forward (NAT) if you have something like that.
As for ACL, it doesn't work with Wireguard,
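The three checks named in the reply above (no port forward for the VPN ports, no VPN subnet overlapping a LAN, /32 allowed addresses per peer) can be run against an exported config before a firmware upgrade. This is an added example, not part of the thread and not TP-Link code; the dictionary layout, the function name `lint_vpn_config`, and the server and peer addresses in the sample are assumptions constructed for illustration, while the LAN subnets and port numbers are the ones quoted in the thread.

```python
import ipaddress

def lint_vpn_config(lans, wg_servers, peers, port_forwards, other_vpn_ports=(1194,)):
    """Return (kind, message) findings for the three checks in the reply above."""
    findings = []
    lan_nets = {n: ipaddress.ip_network(c, strict=False) for n, c in lans.items()}
    vpn_ports = set(other_vpn_ports)  # 1194 = OpenVPN port mentioned in the thread
    for name, srv in wg_servers.items():
        tunnel = ipaddress.ip_interface(srv["address"]).network
        vpn_ports.add(srv["listen_port"])
        # Check: the tunnel subnet must not overlap any LAN on the router.
        for lan_name, lan in lan_nets.items():
            if tunnel.overlaps(lan):
                findings.append(("overlap", f"{name} {tunnel} overlaps {lan_name} {lan}"))
    # Check: each peer's allowed address should be a single host (/32 for IPv4).
    for peer in peers:
        allowed = ipaddress.ip_network(peer["allowed_address"], strict=False)
        if allowed.prefixlen != allowed.max_prefixlen:
            findings.append(("peer-mask", f"{peer['name']}: {allowed} is not a single host"))
    # Check: no NAT port forward should target a port the router's VPN listens on.
    for rule in port_forwards:
        if rule["external_port"] in vpn_ports:
            findings.append(("port-forward", f"rule '{rule['name']}' forwards VPN port {rule['external_port']}"))
    return findings

# Constructed sample. LAN subnets and ports come from the thread; the WireGuard
# server and peer addresses were only posted as screenshots, so these are invented.
SAMPLE = {
    "lans": {"Default": "192.168.1.1/24", "LAN69": "192.168.69.1/24"},
    "wg_servers": {
        "wg0": {"address": "192.168.50.1/24", "listen_port": 51820},
        "wg1": {"address": "192.168.69.1/24", "listen_port": 51800},
    },
    "peers": [
        {"name": "phone", "allowed_address": "192.168.50.2/32"},
        {"name": "tablet", "allowed_address": "192.168.69.0/24"},
    ],
    "port_forwards": [
        {"name": "wg-a", "external_port": 51800},
        {"name": "wg-b", "external_port": 51820},
        {"name": "ovpn", "external_port": 1194},
        {"name": "web", "external_port": 8443},
    ],
}

def run_sample():
    return lint_vpn_config(**SAMPLE)

if __name__ == "__main__":
    for kind, message in run_sample():
        print(f"[{kind}] {message}")
```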
@MR.S Hey,
Thanks for getting back to me!
Sure, I have followed your instructions as below:
1-Removed LAN69 from networks.
2-Disabled port forwarding rules for WireGuard and OpenVPN (I can confirm that WireGuard is still working, and previously OpenVPN was not working and after removing port 1194 from NAT it is working again, so thank you so much for the tip!!!)
3-Removed any ACL rules regarding LAN69 (so there is no way I can block a WireGuard connection from accessing certain LANs; I wanted certain WireGuard connections to only access WAN and not LAN!!!)
I will upgrade to the new firmware, 1.3.1, tomorrow morning and let you know about the results.
Thanks Again!!!

parhamsan wrote
> @MR.S Hello,
> So here is what I did. I Forgot the ER8411 from the OC200 (the ER8411 got factory reset), enabled SSH and SSHed to the ER8411.
> I then rolled back to the previous firmware, 1.2.3, and adopted the ER8411 again.
> I can now confirm that WireGuard is working as before, so it must be a setting on the new firmware that is blocking the traffic.
> Maybe someone can explain what is preventing WireGuard from working on the new firmware:
> To start I have 2 LANs:
> Default 192.168.1.1/24
> LAN69 192.168.69.1/24 (LAN69 is only set up to be used in the ACL for WireGuard to block access to LAN1, which I found is useless)
> On WireGuard I have 2 servers (both port 51800 and 51820 are open in NAT):
> And below are the peers:
> And the ACL for LAN69 (which is kind of useless, since when I created LAN69 and used it on the WireGuard VPN, I only have access to WAN and no LAN regardless of the ACL being on or off, which is not an issue; I can deal with that by having 2 different addresses for WireGuard).
> With this configuration WireGuard works fine.
> But when upgraded to firmware 1.3.1 everything stopped working???
> Is there a setting I need to set for WireGuard to work on the new firmware?
> Any help would be appreciated.
> Thanks!
I don't understand what you would set up like that.
Allowed peer should be an existing network. If you allow 192.168.50.0/24, which is non-existent, what's the reason?
As for the 192.168.69.0/24, when your phone is connected, and your phone settings are missing from the reply, you should be able to ping the 192.168.69.1, so did you verify that?
As for the phone, WG has to be configured with the DNS.
If you ask why, that seems to be a config issue. Not sure if you have read the config guide on the forum. Mr.S is suggesting you remove all the non-related settings to verify the integrity of WireGuard.
I also don't see a problem with the WG on my test bench.
Clive_A wrote
> parhamsan wrote
>> @MR.S Hello,
>> So here is what I did. I Forgot the ER8411 from the OC200 (the ER8411 got factory reset), enabled SSH and SSHed to the ER8411.
>> I then rolled back to the previous firmware, 1.2.3, and adopted the ER8411 again.
>> I can now confirm that WireGuard is working as before, so it must be a setting on the new firmware that is blocking the traffic.
>> Maybe someone can explain what is preventing WireGuard from working on the new firmware:
>> To start I have 2 LANs:
>> Default 192.168.1.1/24
>> LAN69 192.168.69.1/24 (LAN69 is only set up to be used in the ACL for WireGuard to block access to LAN1, which I found is useless)
>> On WireGuard I have 2 servers (both port 51800 and 51820 are open in NAT):
>> And below are the peers:
>> And the ACL for LAN69 (which is kind of useless, since when I created LAN69 and used it on the WireGuard VPN, I only have access to WAN and no LAN regardless of the ACL being on or off, which is not an issue; I can deal with that by having 2 different addresses for WireGuard).
>> With this configuration WireGuard works fine.
>> But when upgraded to firmware 1.3.1 everything stopped working???
>> Is there a setting I need to set for WireGuard to work on the new firmware?
>> Any help would be appreciated.
>> Thanks!
> I don't understand what you would set up like that.
> Allowed peer should be an existing network. If you allow 192.168.50.0/24, which is non-existent, what's the reason?
> As for the 192.168.69.0/24, when your phone is connected, and your phone settings are missing from the reply, you should be able to ping the 192.168.69.1, so did you verify that?
> As for the phone, WG has to be configured with the DNS.
> If you ask why, that seems to be a config issue. Not sure if you have read the config guide on the forum. Mr.S is suggesting you remove all the non-related settings to verify the integrity of WireGuard.
> I also don't see a problem with the WG on my test bench.
Hello Clive,
Thanks for your reply!
To answer your questions:
I followed this video to create and set up WireGuard on the ER8411 and on my phone:
https://youtu.be/ySovFaq9FV0?si=0t9kMSZ46ytjDroP
I thought the WG server IPs and peers should be on a completely different subnet from my existing LAN subnet (in my case I only have 192.168.1.0/24)!!!
As for the 192.168.69.0/24, when I created the LAN on the ER8411, the only reason was to be able to limit peers to WAN access only and to deny access to my default LAN.
On my phone I am using 8.8.8.8 as DNS.
It seems the ACL will not work for WG and there is no way to control and deny access through the ACL rules, correct?
For now I will stick to firmware 1.2.3 and will not upgrade to 1.3.1, since after the upgrade my router and internet went completely offline and I had to manually restart and unplug the router a couple of times for it to come back online (it could also be related to my XGS-PON, so I don't want to blame the firmware for this issue!!!)
The only request that I have now is how I can limit WG peers/clients' access to WAN or LAN (if there is a way).
For example, in the Archer AX55 there is an option to limit client access by a simple rule, correct? Why can't this be implemented in the ER8411?
Thanks again for your help and reply!!!