WireGuard Setup for Building Automation Access Using Teltonika RUT

This guide provides step-by-step instructions for configuring WireGuard on a Teltonika RUT router, which runs OpenWrt-based firmware. The resulting VPN gives you secure remote access to your building automation system.

This guide is tailored for the 0.07.07.X release. Steps may vary for different versions.

Prerequisites

  • A Teltonika RUT router with firmware that supports WireGuard.

  • A SIM card with a public IP or a firewall configured to allow port forwarding from a public IP.

  • Administrative access to the router's web interface.

  • Basic understanding of network configuration.

  • Devices to connect via WireGuard (e.g., a monitoring PC or mobile device).

Step-by-Step Guide

For a similar setup guide provided by Teltonika for a different application, refer here.

Step 1: Access the Router's Web Interface

  1. Connect your PC to the Teltonika RUT router using either Ethernet or Wi-Fi.

  2. Open a web browser and enter the router's web interface URL, usually http://192.168.1.1.

  3. Log in using the admin credentials.

Step 2: Update Firmware (if Necessary)

  1. Navigate to System > Firmware to check if you are running the latest firmware version. This ensures you have the latest security updates and features.

  2. Follow the on-screen instructions to update the firmware if needed.

Step 3: Configure WireGuard on the Router

  1. Go to Services > VPN > WireGuard.

  2. Choose a suitable name for the interface (e.g., wg0).

  3. Click on Add new instance to create a new WireGuard interface. Both Private and Public keys will be generated.

Configure the WireGuard Interface:

Under General Setup, configure the following:

  • Enable: Set to ON to enable WireGuard.

  • IP addresses: Enter the router's address on the VPN, in a network that is not used anywhere else (e.g., 172.16.0.1/24).

Under Advanced Settings, configure the following:

  • Listen Port: Set the listening port (default is 51820).

Step 4: Configure Peers

  1. After setting up the interface, either with the dialog still open or by reopening it, choose a name (e.g., client1) and click on Add new instance to configure the client device that will connect to this WireGuard server.

Peer Configuration:

NOTE: Everything except the Public Key is decided on the server. The Public Key is the only input that must come from the client.

Under General Setup, configure the following:

  • Public Key: Enter the public key generated by the client. For details, see Step 5: Configure the Client Device.

  • Endpoint Host: (Optional) Leave empty.

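  • Allowed IPs: This is the static IP assigned to the client on the VPN, and it must match the Address in that client's configuration (172.16.0.2/32 in the example below). If the router's interface address is 172.16.0.1/24, then the server uses 172.16.0.1, the first client uses 172.16.0.2, the second client uses 172.16.0.3, and so on.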

  • Description: Add a description or name for the device.

  • Route Allowed IPs: Set to ON to allow access to the LAN network and any device within it.

Under Advanced Settings, configure the following:

  • Nothing. Keep the defaults.

Step 5: Configure the Client Device

  1. Install WireGuard on the client device (available for Windows, macOS, Linux, iOS, and Android).

  2. Import a configuration file or manually enter the settings. Most WireGuard clients can generate the key pair directly in their user interface. The private key stays on the client; only the public key is entered on the router.

Example Configuration File

[Interface]
PrivateKey = (Client's private key, generated by the client)
Address = 172.16.0.2/32
DNS = 172.16.0.1

[Peer]
PublicKey = (Router's public key)
Endpoint = (Router's public IP):51820
AllowedIPs = 172.16.0.0/24

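Remember to add the client's public key to the peer configuration on the router (Step 4). AllowedIPs on the client lists the destinations that are sent through the tunnel, so to reach devices on the router's LAN, add that LAN subnet to the list as well.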

Step 6: Test the Connection

  1. Start the WireGuard interface on both the router and the client device. Ensure the switch is in the ON position.

  2. Verify the connection by pinging devices within the network and checking for secure access to the building automation system.

Conclusion

By completing these steps, you now have a fully functional WireGuard server running on your Teltonika RUT device. This setup secures remote access to your building automation systems, safeguarding sensitive data and control commands from potential cyber threats.

Managing WireGuard clients through the Teltonika RUT interface is straightforward but does involve some manual configuration. Each client must be individually set up with its own key pair and assigned a unique IP address within the VPN network. Although this process requires careful attention to detail, it enables you to maintain a high level of security and control over your remote connections.
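
The attention to detail described above can be checked mechanically. The following Python script is an added example, not part of the original guide or of Teltonika's software: it audits a hand-kept list of peers (name, public key, Allowed IPs) against the router's interface address and flags reused keys, malformed entries and overlapping addresses. The function names, the tuple layout and the sample keys are assumptions constructed for illustration.

```python
import base64
import ipaddress


def valid_key(key):
    """WireGuard keys are 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def audit_peers(server_iface, peers):
    """Return problems found in a list of (name, public_key, allowed_ips) peers."""
    iface = ipaddress.ip_interface(server_iface)
    problems, keys = [], {}
    nets = {"the router": ipaddress.ip_network(iface.ip)}
    for name, key, allowed in peers:
        if not valid_key(key):
            problems.append(f"{name}: public key is not 32 bytes of base64")
        elif key in keys:
            problems.append(f"{name}: shares a key pair with {keys[key]}")
        keys.setdefault(key, name)
        try:  # strict=True rejects host bits such as 172.16.0.2/24
            net = ipaddress.ip_network(allowed, strict=True)
        except ValueError:
            problems.append(f"{name}: Allowed IPs is not a valid network")
            continue
        if net.version != iface.version or not net.subnet_of(iface.network):
            problems.append(f"{name}: {net} is outside the VPN network {iface.network}")
            continue
        if net.num_addresses != 1:
            problems.append(f"{name}: {net} covers more than one address")
        # Each VPN address must belong to exactly one peer (or to the router).
        problems += [f"{name}: {net} overlaps {other} ({o})"
                     for other, o in nets.items() if net.overlaps(o)]
        nets[name] = net
    return problems


# Constructed placeholder keys and sample peers (not real key material),
# laid out on the guide's 172.16.0.1/24 addressing plan.
KEY_A, KEY_B = (base64.b64encode(bytes([n]) * 32).decode() for n in (1, 2))
SAMPLE = [
    ("client1", KEY_A, "172.16.0.2/32"),
    ("client2", KEY_A, "172.16.0.2/32"),   # reused key and reused address
    ("client3", "not-a-key", "172.16.0.0/24"),  # bad key, whole subnet
]

if __name__ == "__main__":
    print("\n".join(audit_peers("172.16.0.1/24", SAMPLE)))
```

An empty result means every peer has its own key pair and a single, unique address inside the VPN network.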