Routing all traffic through a wireguard interface

No error, but ‘network is down’.

Makes sense as I have no internet and no handshake.

Also tried with metric 8 and the same MTU limit you use. The only other difference is Route Allowed IPs off. Tried changing that for good measure, but no change (and that killed my internet already in the first stages of this process).

What is the output of:

ip -4 route show dev residwg table 48574

Have you set the “Route Allowed Ips via tunnel” flag ?

Sorry, the error was my typo. See edit above for Route Allowed IPs via tunnel - the only thing I've ever seen it do is kill the internet.

There must be another cause for that.

  1. check the RX and TX counters with ifconfig several times:
date; ifconfig eth1; ifconfig residwg
  2. the tcpdump outputs would be very useful. You will need at least two ssh sessions:
  • tcpdump -i eth1 -n -v 'port 48574'
  • tcpdump -i residwg -n -v

Interesting. After a zillion typos from me I copy-pasted your line to get it right and ... nothing. Just a new prompt. Which I assume means the command has been executed with nil results.

eth1 looks reasonable with internal addresses and rx/tx results, residwg looks dead:

residwg Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
POINTOPOINT NOARP MTU:1280 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

Something funny is going on. The metric is 1 above, but both in my web UI and in the config file as can be seen in the CLI it is 8.

(BTW it still makes very limited sense to me to set the metric so high for the interface that we want the router to use?)

With my error rates in simple typing I think it's probably better to postpone the tcpdump installation/operation. I'll be back tomorrow to try this and any other ideas you might have. Thank you for today.

For tomorrow:

  • start the tunnel with "Route Allowed IPs" set.
  • print the output of wg, ifconfig eth1, ifconfig residwg, ip -4 route show, ip -4 rule show and ip -4 route show dev residwg table 48574

Again, apologies for a wall of output but here you are.

For good measure and control I repeat ifconfig for residwg & peer.

Four notes:

  1. The web UI seems to override the commands given through the CLI. I fooled around a bit and after ubus down it was still listed as active in the web UI. I then shut it down in the web UI and it could not be found from the CLI when I tried to start it. This is why you have a series of ups/downs in the printout below - I was checking.

  2. As always, with Route Allowed IPs turned on there is no handshake and no internet at all.

  3. Metric of residwg is 1 in the ifconfig residwg printout in spite of it being 8 in the configuration file printout.

  4. ip -4 route show dev residwg table 48574 gets no reply.

Hope this helps you see something.

/T

config interface 'residwg'
option proto 'wireguard'
option private_key (EDITED)
option public_key (EDITED)
option listen_port '48574'
option mtu '1280'
option metric '8'
list dns '98.128.186.86'
list dns '155.4.89.136'
list addresses '10.0.138.123/24'
option disabled '1'

config wireguard_residwg 'resipeer'
option endpoint_port '48574'
option public_key (EDITED)
option persistent_keepalive '25'
option endpoint_host (NAME OF SERVER)
option route_allowed_ips '1'
list allowed_ips '0.0.0.0/1'
list allowed_ips '128.0.0.0/1'

root@RUTX10:~# wg
interface: residwg
root@RUTX10:~# ubus call network.interface.residwg down
root@RUTX10:~# ubus call network.interface.residwg up
root@RUTX10:~# wg
interface: residwg
root@RUTX10:~# ubus call network.interface.residwg down
-ash: ubus: not found
root@RUTX10:~# ubus call network.interface.residwg down
root@RUTX10:~# wg
root@RUTX10:~# ubus call network.interface.residwg up
root@RUTX10:~# wg
interface: residwg
root@RUTX10:~#

root@RUTX10:~# ifconfig eth1
eth1 Link encap:Ethernet HWaddr (EDITED)
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::21e:42ff:fe63:3458/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5007 errors:0 dropped:0 overruns:0 frame:0
TX packets:823 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1733825 (1.6 MiB) TX bytes:134781 (131.6 KiB)

root@RUTX10:~# ifconfig residwg
residwg Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
POINTOPOINT NOARP MTU:1280 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

root@RUTX10:~# ip -4 route show
default via 192.168.1.1 dev eth1 proto static src 192.168.1.2 metric 2
192.168.1.0/24 dev br-lan proto static scope link metric 1
192.168.1.0/24 dev eth1 proto static scope link metric 2
root@RUTX10:~# ip -4 rule show
0: from all lookup local
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default
root@RUTX10:~# ip -4 route show dev residwg table 48574
root@RUTX10:~# ip -4 route show
default via 192.168.1.1 dev eth1 proto static src 192.168.1.2 metric 2
192.168.1.0/24 dev br-lan proto static scope link metric 1
192.168.1.0/24 dev eth1 proto static scope link metric 2
root@RUTX10:~# ip -4 route show dev residwg table 48574
root@RUTX10:~#

I see, so the routes and rules are not set up.

Metric of residwg is 1 in the ifconfig
I have the same value:

wgtls     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.31.248.2  P-t-P:172.31.248.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1280  Metric:1
          RX packets:451404 errors:0 dropped:0 overruns:0 frame:0
          TX packets:251802 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:573016444 (546.4 MiB)  TX bytes:31517388 (30.0 MiB)

I suspect there may be something else at play here, I just don't know what. Could you try to do the same using the static route workaround? No need to clear /etc/mwan3.user, just put a return at the beginning.

  1. I have entered return as a single line at the top of mwan3.user
  2. I entered a static route with my VPN endpoint as given by the provider in the target field, gave it metric 2 and the same MTU as the tunnel (1400)
  3. Route Allowed IPs is on
  4. I rebooted

I have neither internet nor handshake, and output looks the same as before as far as I can see except that I see the static route in route show.

root@RUTX10:~# ubus call network.interface.residwg down
root@RUTX10:~# wg
root@RUTX10:~# ubus call network.interface.residwg up
root@RUTX10:~# wg
interface: residwg
root@RUTX10:~# ifconfig eth1
eth1 Link encap:Ethernet HWaddr (EDITED)
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::21e:42ff:fe63:3458/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:76 errors:0 dropped:0 overruns:0 frame:0
TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:26299 (25.6 KiB) TX bytes:4312 (4.2 KiB)

root@RUTX10:~# ifconfig residwg
residwg Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
POINTOPOINT NOARP MTU:1400 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

root@RUTX10:~# ip -4 route show
default via 192.168.1.1 dev eth1 proto static src 192.168.1.2 metric 2
10.0.138.123 dev eth1 proto static scope link metric 2 mtu 1400
192.168.1.0/24 dev br-lan proto static scope link metric 1
192.168.1.0/24 dev eth1 proto static scope link metric 2
root@RUTX10:~# ip -4 rule show
0: from all lookup local
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default
root@RUTX10:~# ip -4 rule show dev residwg table 48574
root@RUTX10:~#

Let me know if you want me to factory reset to make sure there is nothing unwanted and we do all in the right order.
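The two `ip -4 route show` listings above show the tunnel up with no route pointing at residwg at all, and the only change the static-route workaround produced is a host route for 10.0.138.123, which is the address configured on the residwg interface itself (`list addresses '10.0.138.123/24'`), not the peer's public endpoint. The script below is an added example, not code from the thread or from Teltonika: it derives the routes a "route all traffic through the tunnel" setup needs from the values in the thread (allowed IPs 0.0.0.0/1 and 128.0.0.0/1 on residwg, gateway 192.168.1.1 on eth1), reports which of them are missing from a routing table, and prints the `ip route add` commands that would add them. ENDPOINT_IP is a placeholder for the address the redacted endpoint name resolves to; the sample tables are constructed from the outputs posted above.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether the main routing
# table contains what a "route all traffic through WireGuard" setup needs,
# and prints the `ip route add` commands for whatever is missing.
#
# Assumed from the thread: wg interface residwg, allowed IPs 0.0.0.0/1 and
# 128.0.0.0/1, WAN gateway 192.168.1.1 on eth1. ENDPOINT_IP is hypothetical
# (the thread redacts the endpoint as "NAME OF SERVER"); use the address the
# endpoint name resolves to, not the tunnel's own 10.0.138.123 address.
WG_IF="residwg"
WAN_IF="eth1"
WAN_GW="192.168.1.1"
ENDPOINT_IP="203.0.113.10"
ALLOWED_IPS="0.0.0.0/1 128.0.0.0/1"

# expected_routes: one line per route the full-tunnel setup relies on
expected_routes() {
    for net in $ALLOWED_IPS; do
        # the two /1 routes together beat the default route on prefix length
        echo "$net dev $WG_IF"
    done
    # host route for the peer's public address via the real gateway, so the
    # encrypted UDP packets are not themselves sent into the tunnel (a loop)
    echo "$ENDPOINT_IP via $WAN_GW dev $WAN_IF"
}

# missing_routes TABLE: TABLE is the text of `ip -4 route show`; prints every
# expected route whose prefix and device do not appear in it
missing_routes() {
    table="$1"
    expected_routes | while IFS= read -r want; do
        prefix=${want%% *}          # first field: destination prefix
        dev=${want##*dev }          # text after "dev ": the device
        # match on prefix and device only; proto/metric/scope may differ
        if ! printf '%s\n' "$table" | grep -qE "^$prefix .*dev $dev( |\$)"; then
            echo "$want"
        fi
    done
}

# fix_commands TABLE: the `ip route add` lines that would add what is missing
fix_commands() {
    missing_routes "$1" | while IFS= read -r want; do
        echo "ip route add $want"
    done
}

# Constructed sample: the main table from the thread (tunnel up, no routes)
TABLE_BROKEN="default via 192.168.1.1 dev eth1 proto static src 192.168.1.2 metric 2
192.168.1.0/24 dev br-lan proto static scope link metric 1
192.168.1.0/24 dev eth1 proto static scope link metric 2"

# Constructed sample: the same table once the tunnel routes are in place
TABLE_GOOD="default via 192.168.1.1 dev eth1 proto static src 192.168.1.2 metric 2
0.0.0.0/1 dev residwg proto static scope link metric 8
128.0.0.0/1 dev residwg proto static scope link metric 8
203.0.113.10 via 192.168.1.1 dev eth1 proto static metric 2
192.168.1.0/24 dev br-lan proto static scope link metric 1
192.168.1.0/24 dev eth1 proto static scope link metric 2"

# On the router itself:  missing_routes "$(ip -4 route show)"
```

Run against the broken table it lists all three expected routes as missing; against the good one it prints nothing. The endpoint host route is the one that matters most for the "no handshake once Route Allowed IPs is on" symptom: without it the /1 routes also cover the peer's public address, so the router tries to send the handshake into the tunnel it is trying to bring up.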

It shouldn't be necessary to perform a factory reset.
Are you sure about the keys / peer IDs?
Can you execute a tcpdump in CLI before starting the tunnel via the UI:
tcpdump -i eth1 -n -v 'port 48574'
What do you see ?
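Every `wg` output in this thread prints `interface: residwg` and nothing else; with a configured peer, `wg` also prints a `peer:` section with its endpoint, allowed IPs and latest handshake. So before asking why there is no handshake, it is worth checking whether the peer is present at all, and whether the pasted keys have the right shape (a WireGuard key is 32 bytes, which base64-encodes to exactly 44 characters ending in one `=`). The script below is an added example, not code from the thread: it parses the tab-separated output of `wg show <iface> dump` (a real wg subcommand) and classifies the expected peer as missing, never handshaken, stale, or ok, and checks key format. The dumps and keys are constructed placeholders of the right shape, not real key material.

```shell
#!/bin/sh
# Added example, not code from the thread. Interprets `wg show <iface> dump`
# (tab-separated; first line = interface, then one line per peer) and
# sanity-checks key format. Sample dumps are constructed; the keys are
# placeholder strings of the right shape (32 bytes base64), not real keys.
TAB="$(printf '\t')"

# valid_wg_key KEY: succeeds if KEY looks like a WireGuard key, i.e. exactly
# 43 base64 characters followed by a single '=' (base64 of 32 bytes)
valid_wg_key() {
    printf '%s' "$1" | grep -qE '^[A-Za-z0-9+/]{43}=$'
}

# peer_status DUMP NOW PUBKEY: classify peer PUBKEY in DUMP at epoch time NOW
#   missing - no peer line for PUBKEY (the interface has no such peer)
#   never   - peer present but latest_handshake is 0
#   stale   - last handshake more than 180 s ago (the rekey-attempt window)
#   ok      - handshake within the last 180 s
peer_status() {
    dump="$1"; now="$2"; want="$3"
    status="missing"
    # peer line fields: pubkey psk endpoint allowed_ips latest_handshake
    #                   transfer_rx transfer_tx persistent_keepalive
    # the interface line (private_key public_key port fwmark) never matches
    while IFS="$TAB" read -r pub psk endpoint allowed hs rx tx ka; do
        [ "$pub" = "$want" ] || continue
        if [ "${hs:-0}" -eq 0 ]; then
            status="never"
        elif [ $((now - hs)) -gt 180 ]; then
            status="stale"
        else
            status="ok"
        fi
    done <<EOF
$dump
EOF
    echo "$status"
}

# Constructed placeholder key: 43 'A's plus '=' (right length, not a real key)
PEER_PUB="$(printf '%43s' '' | tr ' ' 'A')="

# Constructed dump matching the thread's situation: interface only, no peer
DUMP_NOPEER="IFACEPRIV${TAB}IFACEPUB${TAB}48574${TAB}off"

# Constructed dump: peer configured, handshake completed at 1700000000
DUMP_OK="IFACEPRIV${TAB}IFACEPUB${TAB}48574${TAB}off
${PEER_PUB}${TAB}(none)${TAB}203.0.113.10:48574${TAB}0.0.0.0/1,128.0.0.0/1${TAB}1700000000${TAB}573016444${TAB}31517388${TAB}25"

# Constructed dump: peer configured but no handshake has ever completed
DUMP_NEVER="IFACEPRIV${TAB}IFACEPUB${TAB}48574${TAB}off
${PEER_PUB}${TAB}(none)${TAB}203.0.113.10:48574${TAB}0.0.0.0/1,128.0.0.0/1${TAB}0${TAB}0${TAB}0${TAB}25"

# On the router:  peer_status "$(wg show residwg dump)" "$(date +%s)" "<peer pubkey>"
```

A result of `missing` means the problem is upstream of any handshake: the peer section was never applied to the interface (for example because the endpoint name could not be resolved when the interface came up), so there is nothing for tcpdump to see on port 48574. `never` with a peer present points at keys, endpoint or routing of the UDP packets; `stale` points at a path that worked and then broke.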

If I use the keys from the config file from the provider (that I copy-paste into the web UI) straight from my computer they work fine and I get a tunnel which I can also confirm through the provider's test web page. Before we added the code and (especially) turned on 'Route Allowed IPs' I would also get a handshake from them in the router, although traffic would not flow through the tunnel.

I did one via the built-in Windows ssh server and one via the CLI after starting the tunnel. Same result:

tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes

I think I have been able to replicate your issue after a power outage. More tomorrow.
Edit: false alarm, there was an issue on another router.

(Ah. Got my hopes up there. Will be away for two weeks or so and since my Teltonika is not a mobile model it will not join me. Will get back in the saddle when I return - can start a new thread with whatever ideas or advice you may come up with in the meantime. Thank you for your efforts so far! /T)

This topic was automatically closed after 19 days. New replies are no longer allowed.