Wireguard Client fails while Win11 Wireguard Client (with same config) works fine...
I've been looking for a decent 5G hotspot with a built in VPN client and I had high hopes for the M8550. I've been fighting with this for a couple of days now...
Basic Problem: Can not get the Wireguard client to pass traffic properly to/from my router (OPNsense 25.7.10-amd64 = latest)
- The M8550 seems to work fine as a hotspot for my test PC to/from the Internet. So that is good. To simplify things, my Test PC is connected directly to the ethernet port on my M8550.
- I have tested my configuration using the generic Wireguard client on my Test PC. It works just fine. This confirms that my router and my test configuration are appropriate and functional. I am even using the M8550 in this configuration as my hotspot (obviously with the M8550's Wireguard client disabled).
- Trying to import the simple Wireguard Configuration file is all but impossible on the M8550. I don't think I have ever seen it succeed so I always have to enter the corresponding client configuration data by hand (copy/pasting the all-important public/private keys to be sure they are correct).
- Even when entering the data by hand, the M8550 always seems to want more data than is available in the config file (like MTU and PersistentKeepalive). The M8550 never reports a meaningful error (just "9007 invalid data" - even when a field is left blank). Anyway, I finally know which fields are required and I can get a proper config entered by hand.
- In comparing the manually entered configuration data with the data in the client configuration file everything seems consistent and accurate.
- The M8550 shows that the connection is established once the client is activated but this is pretty useless data. I have seen the "connected" message on the M8550 when even a knowingly incorrect config parameter was provided. The client "connected" indication is essentially useless for troubleshooting.
- The M8550 also provides no useful VPN data in the system log files even at "debug" level.
- However, I can see on my router when a Wireguard Client (any client) successfully negotiates a tunnel. The router will indicate when a tunnel has been established and also when it collapses. I can see from my router that it looks like the M8550 is successfully opening a Wireguard tunnel.
- After the M8550 appears to successfully open the Wireguard tunnel, it looks like something is broken with respect to the routing tables on the device. If I try to ping an internal IP address in my network (from my test PC), I will get a "192.168.1.1: Destination host unreachable". To me, this looks like the M8550 (192.168.1.1) does not understand what it needs to do to reach the internal network on the other side of the Wireguard tunnel. "AllowedIPs = 0.0.0.0/0" is set in my client config so all traffic should be passed via the tunnel. Again, this exact same configuration works just fine when imported into the generic Wireguard client on my Test PC.
- I have also tried "AllowedIPs = 0.0.0.0/1" as I have seen that used as an example in various TP-Link documentation - but it also does not work.
- I have tried "AllowedIPs = 172.20.0.0/16" in the M8550 (and reconfiguring the OpnSense router accordingly) as that is the RFC1918 Class B address of my internal/private network - but it also does not work.
I don't think there is anything else I can do here. I've been at this literally for days. The fact that the generic Wireguard client on my Test PC works just fine and the M8550 client does not is a pretty good indication where the problem is. It would be helpful if the Client Config import actually worked properly (not hanging) and also if it would give meaningful information if it thought it had a configuration issue. This is pretty lazy programming I think...
Anyone have any ideas?
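A static check for the kind of client config discussed in the first post, added here as an example and not part of any post or of TP-Link's or OPNsense's software: it validates the keys and `AllowedIPs` entries, reports whether a destination you expect to reach falls inside `AllowedIPs`, and flags the `MTU` and `PersistentKeepalive` fields the post says the M8550 asked for. The function name `lint`, the sample config, the 10.10.10.2 and 203.0.113.10 addresses and the all-zero key are constructed for illustration; a single `[Peer]` section is assumed.

```python
import base64
import configparser
import ipaddress

# Constructed placeholder key (32 zero bytes); not a real WireGuard key.
KEY = base64.b64encode(bytes(32)).decode()

# Constructed sample client config; addresses are example values only.
SAMPLE = f"""
[Interface]
PrivateKey = {KEY}
Address = 10.10.10.2/32

[Peer]
PublicKey = {KEY}
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/1
"""

def lint(text, must_reach, wanted=("MTU", "PersistentKeepalive")):
    """Return a list of findings for a single-peer WireGuard client config."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep WireGuard's field capitalisation
    cp.read_string(text)
    findings = []
    # Keys must be base64 that decodes to exactly 32 bytes.
    for section, field in (("Interface", "PrivateKey"), ("Peer", "PublicKey")):
        try:
            raw = base64.b64decode(cp.get(section, field, fallback=""), validate=True)
        except ValueError:
            raw = b""
        if len(raw) != 32:
            findings.append(f"{section}.{field}: not a base64-encoded 32-byte key")
    # Every AllowedIPs entry must parse as a network (catches typos).
    nets = []
    for item in cp.get("Peer", "AllowedIPs", fallback="").split(","):
        try:
            nets.append(ipaddress.ip_network(item.strip(), strict=False))
        except ValueError:
            findings.append(f"Peer.AllowedIPs: cannot parse {item.strip()!r}")
    # Each destination the tunnel should carry must fall inside some entry.
    for dest in must_reach:
        if not any(ipaddress.ip_address(dest) in n for n in nets):
            findings.append(f"{dest} is not covered by AllowedIPs")
    present = {key for s in cp.sections() for key in cp[s]}
    findings += [f"{name} not set" for name in wanted if name not in present]
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE, ["172.20.0.1"])))
```

Run against the sample, the check reports that 172.20.0.1 is not covered: `0.0.0.0/1` spans only 0.0.0.0 through 127.255.255.255, so a 172.20.0.0/16 network needs `128.0.0.0/1` (or an explicit entry) as well.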
glad you're getting somewhere.
Mine was collected yesterday, and I would be disappointed that you are getting somewhere, if it wasn't for the other mis-marketing of the WIFI and none over riding power facilities in regards to the LAN port. The removal of battery for improved performance baffles me too, why can't you just plug it in?
I've ordered an Inseego, appears to be quite honest with specs in comparison. This is a bit older but does appear to support OPENVPN and IPSEC (although this is only through the cloud connect feature I believe??), if I can get that to work and configure it should be fine. Also a lot cheaper too.
Anyway will still be interested to see how you get on with this.
Regards
Pete
I have an Inseego MiFi X 5G but could never get it to work properly. The device was pretty slow in any case (even without the VPN enabled). ...and I'm not interested in sending my traffic through anybody's "cloud".
I was also trying to find an OpenVPN solution but the implementation appears to be a challenge for most manufacturers. Wireguard is much faster and simpler to implement. The speeds I am seeing with the VPN turned on (when it's working properly) are pretty good I think.
Do you have any links to threads regarding the "WiFi", "Power Issues for the LAN port", and "Battery Removal"?
I'm working right now to see if I can get my FireTV's to use the device VPN. This will allow them to think they are "home" and I can then get local station on Hulu. I really don't require the VPN anymore (like when I was working) so these are the goals I am left with... ;-)
I'm pretty miffed that I introduced that typo while trying to simplify my config (cause it wasn't working or getting properly imported). I did a couple of things to try and simplify my config in hopes it would work (like replacing my DynDNS host name for the endpoint with a physical IP and also changing my "AllowedIPs" to force everything through the tunnel).
I still can't get the M8550 to split my traffic. When I put the spec in place for my private network (instead of "0.0.0.0/0") the tunnel completely breaks.
I would also like to see the VPN tunnel able to be turned on/off directly from the front panel on the device...
Noted about it being slow. I wonder if that is network and region related. If it is then that too can go back. I did see in one video that you should force 5G as opposed to allowing the modem to auto select which gives reasonable performance. It also cost (as a claimed pristine openbox, assume used), about 1/3 of the price of the 8558, hence it had to go back without the testing being complete.
In terms of links for the WIFI / LAN, and battery removal, it is noted in various threads. That is how I came across this thread through searching.
Performance boost if you run off of the USB-C, but must have the battery removed? Again why can you just not plug it in? It should be able to manage the battery, the Inseego apparently does.
Tri band WIFI marketed, but you can only use 6 or 5GHz band in WIFI, not a show stopper but again this is probably due to hardware and power saving limitations, and marketed as Tri-band, you'd expect the flexibility even if it drained the battery.
The final straw as mentioned previously was trying to test the unit through the RJ45 configured in WAN mode, which kept dropping out, that did annoy me because it is not even having to power the RF Modem. I guess that reduce TX, and a long cable or a coupler inline may have caused this? I doubt it, again to me says bugs. I did after all have it running as a LAN without any problems except the default off after three mins in battery mode.
A swift Google should find what you need in regards to these aspects listed above.
Maybe I'll pick another one up if it is improved and a few more in depth reviews come out, but I'll let you know how I get on with the Inseego.
Thanks
Pete.
Despite all the stupid issues importing data from a text file, this is the only 5G Hotspot I have ever got to work with the onboard VPN (in any real capacity). Although I still think the firmware is pretty sketchy, at least I am able to get a decent VPN connect back to my home network if I spend some time nurturing the connection. It is also my hope that the firmware will improve with time but I think it will take some focused feedback to TP-Link to get it all sorted so the device can just be used without having to check in on it, reboot, etc.
I did get two of my FireTV devices to work through it (over VPN) after a couple of false starts. Not sure what was going on but rebooting all devices a couple of times seemed to clear things up. Netflix and Hulu wouldn't talk at first (at all) but now they appear convinced I am at home. It was flaky enough that I can't say that it's fully working as expected until I actually spend some quality time with it.
The admin pages simply won't load properly on the Silk browser under FireTV. I can't scroll down to the bottom of any of the pages. Silk is pretty weak in itself so I can't say where the issue is. I can get to the admin pages OK with my Android phone though.
I'd like to see them give us the option to turn the VPN on/off right from the front panel. Otherwise I will have to continue doing this from my phone if I'm on the road without my laptop...
