Routing issue with multiple wireguard interfaces

Hello

We have RUTX50 running RUTX_R_00.07.06 firmware.

When there is a single WG instance in the system everything is fine -
even after reboot router creates route to WG endpoint via our current default GW (wan or mobile)
Looks like this
91...76 via 8*.254..1 dev eth1 metric 1
91..*.76 dev qmimux0 scope link metric 3
We are using this single WG interface to route 0.0.0.0/0 through WG (all internet traffic)

Issue :
If I add second WG Configuration (second tunnel) to one of our remote private networks (172.*, doesn’t matter here) and reboot - router will NOT add route to our WG endpoint for first tunnel but only for second.
And internet won’t work of course.

If I login in RUTX after that and restart both WG tunnels one by one (Disable/Enable) everything works fine and router adds routes to both of our tunnels via our current wan/mobile GW

Suggestions?

Hello,

In which order do you do the operation ? The 172.* tunnel first and then the 0.0.0.0 or the reverse ?

Does it still fail if you replace 0.0.0.0/0 by 0.0.0.0/1 + 128.0.0.0/1 (+ ::/1 + 8000::/1 if you use ipv6) ?

This is interesting; I was looking for such an occurrence. I know it happens but I don’t know why.
If you are interested in debugging this issue could you add the following lines:

set -x
exec 2>/tmp/wg-$$.log

to /lib/netifd/proto/wireguard.sh, just after the first comments and reboot. /tmp will contain several wg-*.log files check if they indicate route add errors or there is something else.

Regards,

Hello

There are errors like this :

+ resolveip -4 195...*
+ ip route add 195...* dev wg0 metric
Error: argument "" is wrong: "metric" value is invalid

Also I want to add that it has nothing to do with tunnels quantity but instead it’s peer quantity.
Meaning you can have 1 tunnel with 3 peers in it and some of them will still fail (to add route to that peer)

In our case 2 tunnels, in 1 there is 1 peer and in second there are 3 peers and only 1 route out of 4 will be created
p.s. despite the fact that it creates 1 route and 3 other fail there is only 1 error
Error: argument "" is wrong: "metric" value is invalid
in the file.

Regards

Some other “fun” facts :
only route to last peer in second (last) tunnel is added after reboot. Always.
So it looks like it doesn’t know how to add multiple routes for WG at boot step and always
adds only last one (from last peer in config file)

Other fact - even after disable/enable of second tunnel route to peer in first tunnel appears
but other routes to other peers in second tunnel don’t appear

After reboot
root@RUTX50:~# ip route | grep 89
default via 89...1 dev eth1 proto static src 89...135 metric 1
89..…0/24 dev eth1 proto static scope link metric 1
195...86 via 89...1 dev eth1 metric 1 <<<< this is last peer in config file (and also last peer in second tunnel)

After disable/enable second tunnel (which holds 3 peers)
default via 89...1 dev eth1 proto static src 89...135 metric 1
89..…0/24 dev eth1 proto static scope link metric 1
91...76 via 89...1 dev eth1 metric 1 << route to 1st peer (from 1st tunnel) appears
195...86 via 89...1 dev eth1 metric 1

2 more routes are still missing

Sure, if the value of the metric is missing the command fails …
What is strange is the value of dev, it should be a physical interface not wg0.
The code is in /lib/netifd/proto/wireguard.sh line 226. Could you post the traces before the failure? Otherwise it will be difficult to see what is wrong.

Hmm. 3 peers or three IP ranges in Allowed IPs ?

Tunnel a - 1 peer (allowed 0.0.0.0/0 - new/second default route)
Tunnel b - 3 peers (172., 10., etc.)
Each peer has multiple ranges (not related)

In my understanding there should be separate route to each peer and it is not created.
IP ranges (allowed routes) are always created and present in the routing table, no problem here. The problem is missing route to peer.
I also think it is not the issue with WG itself but with route daemon (I’m not sure who orchestrates routing in OpenWrt; Teltonika is on OpenWrt, right?)

There should be separate /32 route for each peer ip via Wan/mobile IP because in our case you have multiple default routes (one of the WG peers does the 0.0.0.0/0 routing).

I can give full access to this RUTX device to teltonika staff if needed.
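The trace posted earlier (`ip route add ... dev wg0 metric` with nothing after `metric`) and the point just made about needing a /32 host route per peer endpoint can be checked with a small script. The following POSIX sh is an added example, not code from this thread, from Teltonika or from OpenWrt's wireguard.sh: it builds the `ip route add` argument list so that `metric` is only appended when a value exists, decides whether an endpoint falls inside any peer's AllowedIPs (in which case handshake traffic would be sent into the tunnel itself unless a host route via the underlay gateway exists), and reports which endpoints are missing from a routing-table dump. All addresses, the table contents and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, Teltonika or OpenWrt). Addresses below are
# documentation ranges (RFC 5737), not the poster's redacted ones.

# Build the `ip route add` command for a peer endpoint host route.
# $1 endpoint IP, $2 underlay gateway, $3 physical device, $4 metric (may be empty).
# Appending a bare "metric" with an empty value is exactly what produces
#   Error: argument "" is wrong: "metric" value is invalid
# so the word is only emitted together with a value.
build_host_route_cmd() {
    cmd="ip route add $1/32 via $2 dev $3"
    [ -n "$4" ] && cmd="$cmd metric $4"
    printf '%s\n' "$cmd"
}

# Dotted-quad IPv4 address -> 32-bit integer (positional parameters are local).
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP PREFIX : true when IP lies inside PREFIX (e.g. 10.0.0.0/8).
in_cidr() {
    net=${2%/*}; len=${2#*/}
    [ "$len" -eq 0 ] && return 0          # 0.0.0.0/0 covers everything
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# needs_host_route ENDPOINT PREFIX... : true when any AllowedIPs prefix of the
# system's WireGuard peers would swallow the endpoint address, so the endpoint
# must get an explicit /32 route via the WAN/mobile gateway.
needs_host_route() {
    ep=$1; shift
    for p in "$@"; do
        in_cidr "$ep" "$p" && return 0
    done
    return 1
}

# missing_host_routes TABLE ENDPOINT... : print endpoints that have no host
# route in TABLE (text in `ip route` format; host routes print without /32).
missing_host_routes() {
    table=$1; shift
    for ep in "$@"; do
        printf '%s\n' "$table" | awk -v ep="$ep" '$1 == ep { found = 1 } END { exit !found }' \
            || printf '%s\n' "$ep"
    done
}

# Constructed sample mirroring the thread: tunnel a has one peer carrying
# 0.0.0.0/0, tunnel b has three peers for private ranges, and after reboot only
# the last peer's host route is present.
WAN_GW=192.0.2.1
WAN_DEV=eth1
PEER_ENDPOINTS="203.0.113.10 198.51.100.20 198.51.100.21 198.51.100.22"
TUNNEL_ALLOWED_IPS="0.0.0.0/0 172.16.0.0/12 10.0.0.0/8"
SAMPLE_TABLE='default via 192.0.2.1 dev eth1 proto static src 192.0.2.135 metric 1
192.0.2.0/24 dev eth1 proto static scope link metric 1
198.51.100.22 via 192.0.2.1 dev eth1 metric 1'

for ep in $PEER_ENDPOINTS; do
    if needs_host_route "$ep" $TUNNEL_ALLOWED_IPS; then
        echo "$ep is covered by AllowedIPs -> needs a host route via $WAN_GW"
    fi
done
echo "endpoints without a host route in the sample table:"
missing_host_routes "$SAMPLE_TABLE" $PEER_ENDPOINTS
echo "commands that would repair them (metric omitted when empty):"
for ep in $(missing_host_routes "$SAMPLE_TABLE" $PEER_ENDPOINTS); do
    build_host_route_cmd "$ep" "$WAN_GW" "$WAN_DEV" "1"
done
```

On a live router the same check can be run as `missing_host_routes "$(ip route)" <endpoint ...>` to confirm which peers lost their host route after boot, without changing anything; the printed commands are only what a correct route add would look like with the metric present.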

Answer on your question - 3 peers, I’m talking about separate peers in the tunnel. (inside WG interface to be precise)
I believe that there is a misunderstanding here because Teltonika calls WG interfaces “tunnels” (in their GUI).
In network terminology tunnel is an instance between point a and b (or multipoint)

/lib/netifg/proto/wireguard.sh’: No such file or directory
What do you mean here ?
I can send full logs to Teltonika if you can give me your corporate email

/lib/netifd/proto/wireguard.sh sorry for the typo.

I can’t post full log here because this log is a wall of text with all our ips and out private/public keys.

Regarding /lib/netifd/proto/wireguard.sh (line 211)

Can you explain `if [ "${nohostroute}" != "1" ] && [ "$DEFAULT_ROUTE" -eq 1 ]; then` please ?
Especially `"$DEFAULT_ROUTE" -eq 1`

IMO this isn’t correct: nohostroute tells the script ‘don’t add a route to the wg server’ if it is set, and DEFAULT_ROUTE is a mirror of route_allowed_ips, which has a different meaning. IMO this is wrong.
FYI, I am not from Teltonika but I have issues similar to yours related to the routes to the wg server and decided to dig in the code. Currently I have a wireguard.sh derived from the OpenWrt source; it looks good but I am still testing.

I’ll have time later this week to look deeper into this issue, compare to my other systems like my manual wg/linux installations and opnsense routers. + I’ll look into WG logs from Teltonika

wg/linux use wg-quick, the logic for the default route is different. I’ll open a generic ticket about wireguard this w-e with all the details if I’ll catch the remaining fw issues.

Edit: having traces will help debug this point. The code doesn’t seem very clean (grep -v tata … what is that ?).
