Internet connection breaks if Wireguard interface is started

I’ve configured wireguard as described here: https://doc.turris.cz/doc/en/public/wireguard
It’s working pretty well (fast, easy to configure etc.), but I have to reconnect the wan interface after starting the wireguard wg0 interface via ifup wg0 or LuCI.

After a reboot of the router, wireguard doesn’t work until I restart the wireguard interface, which results in a non-working internet connection and again -> a restart of the wan interface is needed.

How can I debug this appropriately to fix this behavior?

WAN is a PPPoE connection to the ISP via a bridged modem (VLAN 7) and wireguard is configured exactly as described in the tutorial linked above, but I changed the port from 1234 to 443. Newest firmware and packages so far; I installed the router a week ago and the packages today.

I cannot confirm this behaviour. After router reboot wg0 is directly up and running, I can immediately connect to it and wan is also up.
Don’t know if this has to do with my change compared to the documentation you mentioned - I didn’t add a firewall zone for wg0 but directly bridged wg0 with lan zone. And I didn’t add a forward wan -> lan (which I already described here).
I also use an ISP modem, but in my case it is the modem which does the tagging and it transparently passes through the traffic (German Telekom, AVM Fritz!Box 7412).
Maybe you could post your configuration to do a more detailed troubleshooting?

I’ll give it a try and update the thread afterwards.

Nope - it’s still the same behavior.
I’ve put wg0 into the lan zone and removed the forwarding, but if I do ifdown wg0 / ifup wg0, the wan connection doesn’t work anymore.

The tagging is done via the router, not the modem, so this seems to be the only (?) obvious difference?
I use the Telekom as the ISP as well.

Stupid question, but how do I post the config of a service I’ve configured via uci? In /etc/wireguard (or similar) there’s no config (which I expected, because on my freetzed Fritz!Box it was in a similar path).
I definitely have a reproducible error: the wg0 interface has to be started before wan, otherwise the routing to wan doesn’t work.

Look into the system log whether there are any error messages about the wan connectivity when wg is in play.
Run traceroutes from the router (via LuCI or ssh cmd) and router clients to discover potential connectivity issues.


Did you deploy option route_allowed_ips '1' & list allowed_ips '0.0.0.0/0'?


wg config parameters should be contained in /etc/config/network (mentioned in the linked documentation)

Thank you for your input!
route_allowed_ips '1' & list allowed_ips '0.0.0.0/0' - these options are set for the (at this moment there is just one) peer.

Here’s the output of /var/log/messages

    2019-05-08 15:38:01 info /usr/sbin/cron[9017]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
    2019-05-08 15:38:01 info /usr/sbin/cron[9018]: (root) CMD (nethist_stats.lua)
    2019-05-08 15:38:11 notice netifd[]: Interface 'wg0' is setting up now
    2019-05-08 15:38:11 notice netifd[]: Interface 'wg0' is now up
    2019-05-08 15:38:11 notice netifd[]: Network device 'wg0' link is up
    2019-05-08 15:38:11 notice firewall[]: Reloading firewall due to ifup of wg0 (wg0)
    2019-05-08 15:38:11 info turris-firewall-rules[]: (v63) IPv4 WAN interface used - 'wg0'
    2019-05-08 15:38:11 info turris-firewall-rules[]: (v63) IPv6 WAN interface used - 'lo'
    2019-05-08 15:38:12 info turris-firewall-rules[]: (v63) 3524 ipv4 address(es) and 3 ipv6 address(es) were loaded (c83b72d5b03454292e5000b3967bc350), 0 rule(s) overriden, 0 rule(s) skipped
    2019-05-08 15:38:14 warning dhcp_host_domain_ng.py[]: Add_lease, hostname check failed
    2019-05-08 15:38:14 warning dhcp_host_domain_ng.py[15072]: Last message 'Add_lease, hostname ' repeated 6 times, suppressed by syslog-ng on turris
    2019-05-08 15:38:14 info kresd[10289]: hints.del('MacBook.lan')
    2019-05-08 15:38:14 info kresd[10289]: [result] => false
    2019-05-08 15:38:14 info kresd[10289]: 
    2019-05-08 15:38:14 info kresd[10289]: > hints.del('robot-pc.lan')
    2019-05-08 15:38:14 info kresd[10289]: [result] => false
    2019-05-08 15:38:14 info kresd[10289]: 
    2019-05-08 15:38:14 info kresd[10289]: > hints.del('Chromecast.lan')
    2019-05-08 15:38:14 info kresd[10289]: [result] => false
    2019-05-08 15:38:14 info kresd[10289]: 
    2019-05-08 15:38:14 info kresd[10289]: > hints.del('Lulas-MacBook.lan')
    2019-05-08 15:38:14 info kresd[10289]: [result] => false
    2019-05-08 15:38:14 info kresd[10289]: 
    2019-05-08 15:38:14 info kresd[10289]: > hints.del('android-673726bc85133489.lan')
    2019-05-08 15:38:14 info kresd[10289]: [result] => false
    2019-05-08 15:38:14 info kresd[10289]: 
    2019-05-08 15:38:14 info kresd[10289]: > hints.del('teamsan.lan')
    2019-05-08 15:38:14 info kresd[10289]: [result] => false
    2019-05-08 15:38:14 info kresd[10289]: 
    2019-05-08 15:38:14 info kresd[10289]: > hints.del('iPad-von-Hans.lan')
    2019-05-08 15:38:14 info kresd[10289]: [result] => false
    2019-05-08 15:38:14 info kresd[10289]: 
    2019-05-08 15:38:14 info kresd[10289]: > hints.add_hosts('/tmp/kresd/hints.tmp')
    2019-05-08 15:38:14 info kresd[10289]: [result] => true
    2019-05-08 15:38:14 info kresd[10289]: 
    2019-05-08 15:38:14 info kresd[10289]: > hints.add_hosts('/tmp/dhcp.leases.dynamic')
    2019-05-08 15:38:14 info kresd[10289]: [result] => true
    2019-05-08 15:38:14 info kresd[10289]: 
    2019-05-08 15:38:14 info dhcp_host_domain_ng.py[]: Refresh kresd leases

Maybe this is the issue?:

    2019-05-08 15:38:11 info turris-firewall-rules[]: (v63) IPv4 WAN interface used - 'wg0'
    2019-05-08 15:38:11 info turris-firewall-rules[]: (v63) IPv6 WAN interface used - 'lo'

Ping gave me a “Destination address required”.


EDIT: I only have wan6 because the Telekom allows only one PPPoE connection and wan6 gives me both IPv6 and IPv4.

After a while, this pops up in messages:

    2019-05-08 15:45:02 info nikola[]: (v43.1) recognized WAN interfaces: lo, pppoe-wan6, wg0

OK, the issue was list allowed_ips ‘0.0.0.0/0’.
I’ve replaced it with 10.0.10.2/24 and it works flawlessly. Thanks for any input, folks!
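An added check (not from the thread or the Turris documentation) that illustrates the root cause above: with option route_allowed_ips '1', netifd installs a route for every allowed_ips entry, so a peer with 0.0.0.0/0 silently becomes the router's default route and shadows the WAN default. The script parses a UCI-style peer section from /etc/config/network and reports such entries; the section content is a constructed sample and the public key is a placeholder.

```python
"""Flag WireGuard peers whose allowed_ips would install a default route
when route_allowed_ips is enabled (the behaviour that broke WAN in this thread)."""
import ipaddress
import re

# Constructed sample of a peer section as found in /etc/config/network.
# route_allowed_ips and allowed_ips are the real options discussed in the
# thread; the public key is a placeholder, not a real value.
SAMPLE_CONFIG = """
config wireguard_wg0
        option public_key 'PLACEHOLDER_PEER_PUBLIC_KEY'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '10.0.10.2/24'
"""

def parse_peers(text):
    """Return one dict per 'config wireguard_<iface>' section (UCI syntax)."""
    peers, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+wireguard_(\S+)", line)
        if m:
            cur = {"iface": m.group(1), "route_allowed_ips": "0", "allowed_ips": []}
            peers.append(cur)
        elif cur is not None and line.startswith("option route_allowed_ips"):
            cur["route_allowed_ips"] = line.split("'")[1]
        elif cur is not None and line.startswith("list allowed_ips"):
            cur["allowed_ips"].append(line.split("'")[1])
    return peers

def routes_for_peer(peer):
    """Routes the peer would get via the tunnel: the network of each
    allowed_ips entry (host bits dropped), or none if routing is disabled."""
    if peer["route_allowed_ips"] != "1":
        return []
    return [str(ipaddress.ip_network(a, strict=False)) for a in peer["allowed_ips"]]

def default_route_conflicts(text):
    """(iface, prefix) pairs whose tunnel route is a default route (/0) and
    would therefore override the WAN default route."""
    bad = []
    for peer in parse_peers(text):
        for r in routes_for_peer(peer):
            if ipaddress.ip_network(r).prefixlen == 0:
                bad.append((peer["iface"], r))
    return bad

if __name__ == "__main__":
    for iface, route in default_route_conflicts(SAMPLE_CONFIG):
        print(f"peer on {iface}: allowed_ips {route} becomes the default route")
```

Running it against the sample reports the 0.0.0.0/0 entry; after removing that line (the fix applied in the thread) only the 10.0.10.0/24 tunnel route remains and nothing is reported.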
