Santa got us …. Wireguard

Thanks to all the elves at Alta Labs for helping Santa to deliver WireGuard.
It’s up and running on Route10 firmware 1.3p; I can connect to it. And I can browse the internet via WG on my Route10.
Now I need to figure out the firewall rules to be able to access stuff on my network … but that can wait … :slight_smile:


Edit: I was able to access local devices/services after I set up the DNS server as the local IP of Route10 and restarted dnsmasq (since I have a custom config set up by post-cfg.sh that breaks every time I make a change in the GUI).

5 Likes

I saw the update this morning myself! Do you mind sharing how you set yours up? I.e., client config?

1 Like

How did you get the tunnel working? There is not really much setup-wise you can do (like generating a QR code for the tunnel.cfg)

1 Like

After you create the tunnel under Route10 VPN → Wireguard Setup,
you need to go to Auth to create “wg peers” or users.
Press Add User, ‘expand’ Wireguard on the new ‘window’. (Bonus tip – if you press setup it will ‘auto’ generate the config for you and show you the QR code for the setup on client site.)

3 Likes

I’m not sure if it is just me, but I also had to reboot Route10 after the initial setup to get the tunnel to actually come up.

I’ve obviously been naughty this year as Santa didn’t give me Wireguard. :confused:

Route10 on 1.3p, local self-hosted controller fully up to date and both the Route10 and controller rebooted … my VPN tab only has IPSec and no Wireguard options in the User settings.

Yeah, I am missing this on self hosted too :cry:. I guess there is a drift between cloud and on prem releases again.

The standalone and self-hosted updates are released separately from the cloud-based controller. Wireguard will be available for everyone on those as well before long.

How did you determine the up/down status of the tunnel?

I have wireguard enabled, and the client shows active, but I can’t ping devices from outside the network.

On the Wireguard tunnel manager, you can see the data sent and data received counters for the particular VPN connection. Make sure both have amounts showing and are climbing when you are connected. Initially when I had problems, only data sent had any value at all.


1 Like
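The same sent/received check can be done on a Linux client from `wg show <interface> dump`. This is an added example, not from the thread or from Alta Labs; the sample dump is constructed (placeholder keys, a documentation IP address), and the 180-second staleness threshold is an assumption.

```python
# Constructed sample of `wg show wg0 dump` output on a client (tab-separated).
# Keys are placeholders; 203.0.113.10 is a documentation address.
SAMPLE_DUMP = "\n".join([
    "\t".join(["<client-private-key>", "<client-public-key>", "51820", "off"]),
    "\t".join(["<route10-public-key>", "(none)", "203.0.113.10:51820",
               "0.0.0.0/0,::/0", "0", "0", "1480", "off"]),
])


def diagnose(dump_text, now, stale_after=180):
    """Classify each peer in `wg show <iface> dump` output.

    Peer lines have 8 fields: public-key, preshared-key, endpoint, allowed-ips,
    latest-handshake (epoch seconds, 0 = never), transfer-rx, transfer-tx,
    persistent-keepalive. The first line describes the interface and is skipped.
    """
    results = {}
    for line in dump_text.strip().splitlines()[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            continue  # not a peer line
        pubkey = fields[0]
        handshake, rx, tx = int(fields[4]), int(fields[5]), int(fields[6])
        if handshake == 0 and tx > 0 and rx == 0:
            # Only "data sent" is climbing: handshake packets leave, but no
            # reply arrives (wrong endpoint, blocked port, wrong WAN).
            state = "no-reply"
        elif handshake == 0:
            state = "idle"       # nothing sent yet
        elif now - handshake > stale_after:
            state = "stale"      # tunnel was up, last handshake is too old
        else:
            state = "up"
        results[pubkey] = state
    return results


if __name__ == "__main__":
    import time
    print(diagnose(SAMPLE_DUMP, now=int(time.time())))
```
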

What speeds are you getting?

I’m waiting on buying one depending on the VPN speed. I really need the openvpn for my use. Currently I’m using GL.iNet and getting 180mbps openvpn.

I’ve been looking at n100 pfsense router but I’m holding off to see what this can do.

Thanks

Seems the wireguard server only listens on the primary WAN. I only have static IP on my secondary/fallback WAN2 and my peers don’t get a reply unless the WAN falls back to WAN2.

Someone has posted a quick test on the unofficial Alta sub-reddit -
https://www.reddit.com/r/AltaLabs/comments/1hoelms/route10_wireguard_speed/

What kind of speeds would people expect from a Route10/Wireguard combo? Someone has commented it “doesn’t look great” but they look better than speeds I saw mentioned for Unifi gear?

I’m waiting (not very) patiently to be able to try Wireguard myself. :wink:

I am not sure what exactly “doesn’t look great” about that speed test. We are missing a lot of information about the configuration of the test, and even so it is just about maxing out the 1Gb connection. I have 600 down 30 up cable and it doesn’t even break a sweat maxing out that connection over Wireguard. I assume in your post you are referring to the Netgate 1100. That Netgate will not have performance anywhere near what the Route10 is capable of. Route10 has a quad core network accelerator chip in it, which will allow it to run circles around just about anything else on the market at this price. Full specs are here if you want more specifics.

Wireguard was just barely released for Route10. If there are any shortcomings that need tuning, I am sure the Alta team will get them taken care of ASAP.

1 Like

Thanks! I must have something misconfigured on the route10. If I want to VPN into the route10 LAN from outside do I set the subnet field to the same subnet of my LAN?

Good question! No, the Wireguard subnet needs to be unique. For example, if your LAN subnet is 192.168.1.1/24, use something like 192.168.5.1/24. All of the intervlan routing is handled behind the scenes. You do not need to add or change any firewall rules for this to work. Out of the box, Route10 Wireguard is set up as a full tunnel connection, so you will remotely be able to access all local subnets that are not isolated using the “Isolation” toggle. Your full internet connection will also run through the tunnel.
Does that help?
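A way to check a client config against the two points in the reply above (unique tunnel subnet, full tunnel), as an added example that is not from the thread or from Alta Labs. The sample config is constructed in the standard wg-quick format; the keys, endpoint name and port are placeholders, and it is not the file Route10 generates.

```python
import configparser
import ipaddress

# Constructed sample client config; addresses follow the example in the reply
# (LAN 192.168.1.1/24, tunnel 192.168.5.1/24). Keys/endpoint are placeholders.
SAMPLE_CONF = """
[Interface]
PrivateKey = <client-private-key>
Address = 192.168.5.2/24
DNS = 192.168.1.1

[Peer]
PublicKey = <route10-public-key>
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""


def check_client_conf(conf_text, lan_cidrs):
    """Return a list of findings for a wg-quick style client config."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (Address, AllowedIPs)
    cp.read_string(conf_text)
    # Subnets written as host/prefix (192.168.1.1/24) are accepted with
    # strict=False and normalised to the network 192.168.1.0/24.
    lans = [ipaddress.ip_network(c, strict=False) for c in lan_cidrs]
    findings = []
    for addr in cp["Interface"]["Address"].split(","):
        tunnel = ipaddress.ip_interface(addr.strip()).network
        for lan in lans:
            if tunnel.version == lan.version and tunnel.overlaps(lan):
                findings.append(f"tunnel subnet {tunnel} overlaps LAN {lan}")
    allowed = [ipaddress.ip_network(a.strip(), strict=False)
               for a in cp["Peer"]["AllowedIPs"].split(",")]
    if any(n.prefixlen == 0 for n in allowed):
        findings.append("full tunnel: all traffic, including internet, uses the VPN")
    else:
        for lan in lans:
            if not any(n.version == lan.version and lan.subnet_of(n) for n in allowed):
                findings.append(f"split tunnel: LAN {lan} is not routed via the VPN")
    return findings


if __name__ == "__main__":
    for finding in check_client_conf(SAMPLE_CONF, ["192.168.1.1/24"]):
        print(finding)
```
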

YES! Definitely. Thanks for the clear explanation.
I can see data received when on my LAN.
When I switch to a 5G hotspot (with the wireguard enabled on the laptop), data received stops incrementing, so something must still be incorrect in my understanding or my config. :frowning:

It is likely the hotspot period. I have very little luck with WireGuard over 5G using the default port. Unfortunately we can’t change the port yet.

1 Like

That person has no idea what they are talking about. Over 800 is great.

2 Likes

Good morning everyone!

Is the wireguard restricted to the QR Code right now? Can we get the option to export a .conf file for our Windows/Linux desktop clients?