Routing issue with multiple wireguard interfaces


We have RUTX50 running RUTX_R_00.07.06 firmware.

When there is a single WG instance in the system everything is fine -
even after reboot router creates route to WG endpoint via our current defualt GW (wan or mobile)
Looks like this
91...76 via 8*.254..1 dev eth1 metric 1
.*.76 dev qmimux0 scope link metric 3
We are using this single WG intgerface to route through WG (all internet traffic)

Issue :
If I add second WG Configuration (second tunnel) to one of our remote private networks (172.*, doesn’t matter here) and reboot - router will NOT add route to our WG endpoint for first tunnel but only for second.
And internet won’t work of course.

If I login in RUTX after that and restart both WG tunnels one by one (Disable/Enable) everything works fine and router adds routes to both of our tunnel via our current wan/mobile GW



In which order do you do the operation ? The 172.* tunnel first and then the or the reverse ?

Does it still fails if you replace by + (+ ::/1 + 8000::/1 if you use ipv6) ?

This is interesting, I was looking for such an occurrence I know it happens but I don’t know why.
If you are interested in debugging this issue could you add the following lines:

set -x
exec 2>/tmp/wg-$$.loq

to /lib/netifd/proto/, just after the first comments and reboot. /tmp will contain several wg-*.log files check if they indicate route add errors or there is something else.



There are errors like this :

  • resolveip -4 195...*
  • ip route add 195...* dev wg0 metric
    Error: argument “” is wrong: “metric” value is invalid

Also I want to add that it has nothing to do with tunnels quantity but instead it’s peer quantity.
Meaning you can have 1 tunnel with 3 peers in it and some of them will still fail (to add route to that peer)

In our case 2 tunnels, in 1 there is 1 peer and in second there are 3 peers and only 1 route out of 4 will be created
p.s. despite the fact that it creates 1 route and 3 other fail there is only 1 error
Error: argument “” is wrong: “metric” value is invalid
in the file.


Some other “fun” facts :
only route to last peer in second (last) tunnel is added after reboot. Always.
So it looks like it doesn’t know how to add multiple routes for WG at boot step and always
adds only last one (from last peer in config file)

Other fact - even after disable/enable of second tunnel route to peer in first tunnel appears
but other routes to other peers in second tunnel doesn’t appear

After reboot
root@RUTX50:~# ip route | grep 89
default via 89...1 dev eth1 proto static src 89...135 metric 1
89..…0/24 dev eth1 proto static scope link metric 1
195...86 via 89...1 dev eth1 metric 1 <<<< this is last peer in config file (and also last peer in second tunnel)

After disable/enable second tunnel (which holds 3 peers)
default via 89...1 dev eth1 proto static src 89...135 metric 1
89..…0/24 dev eth1 proto static scope link metric 1
91...76 via 89...1 dev eth1 metric 1 << route to 1st peer (from 1st tunnel) appears
195...86 via 89...1 dev eth1 metric 1

2 more routes are still missing

Sure, if the value of the metric is missing the command fails …
What is strange is the value of dev, it should be a physical interface not wg0.
The code is in /lib/netifd/proto/ line 226 could you post the traces before the failure else it will be difficult to see what is wrong.

Hmm. 3 peers or three IP ranges in Allowed IPs ?

Tunnel a - 1 peer (allowed - new/second default route)
Tunnel b - 3 peers ( 172., 10. etc, )
Each peer has multiple ranges (not related)

In my understanding there should be separate route to each peer and it is not created.
IP ranges (allowed routes) are always created and present in the routing table, no problem here. The problem is missing route to peer.
I also think it is not the issue with WG itself but with route daemon (Im not sure who orchestrate routing in OpenWRT, teltonika is on openwrt right?)

There should be separate /32 route for each peer ip via Wan/mobile IP because in our case you have multiple default routes (one of WG peers do the routing).

I can give full access to this RUTX device to teltonika staff if needed.

Answer on your question - 3 peers, I’m talking about separate peers in the tunnel. (inside WG interface to be precise)
I believe that there is a misunderstanding here because Teltonika is calling WG interfaces - tunnels (in their GUI).
In network terminology tunnel is an instance between point a and b (or multipoint)

/lib/netifg/proto/’: No such file or directory
What do you mean here ?
I can send full logs to Teltonika if you can give me your corporate email

/lib/netifd/proto/ sorry for the typo.

I can’t post full log here because this log is a wall of text with all our ips and out private/public keys.

Regarding /lib/netifd/proto/ (line 211)

Can you explain “if [ “${nohostroute}” != “1” ] && [ “$DEFAULT_ROUTE” -eq 1 ]; then” please ?
Especially “$DEFAULT_ROUTE” -eq 1

IMO this isn’t correct nohostroute tells the script ‘don’t add a route to the wg server’ if it is set, and DEFAULT_ROUTE is a mirror of route_allowed_ips which has a different meaning. IMO this is wrong.
FYI, I am not from Teltonika but I have issues similar to yours related to the routes to the wg server and decided to dig in the code. Currently I have a derived from the Openwrt’s source it looks good but i am still testing.

I’ll have time later this week to look deeper into this issue, compare to my other systems like my manual wg/linux installations and opnsense routers. + I’ll look into WG logs from Teltonika

wg/linux use wg-quick, the logic for the default route is different. I’ll open a generic ticket about wireguard this w-e with all the details if I’ll catch the remaining fw issues.

Edit: having traces will help debug this point. The code doesn’t seem very clean (grep -v tata … what is that ?).

This topic was automatically closed after 15 days. New replies are no longer allowed.