New Member
Posts: 9
Registered: ‎03-24-2017
Kudos: 1

Re: Release: WireGuard for EdgeRouter

I got a notice of a reply that solved the problem but never showed up in the post. (Thanks evildog)

It was both something basic and an associated routing problem.

The solution was to add the internal LANs to each side of the allowed-ips and to set route-allowed-ips to true.

So, on the remote office ER Lite the allowed-ips (for the main office peer) are both 10.0.0.1/32 and 10.0.1.1/24

Changing the route-allowed-ips to true adds a kernel route 10.0.1.0/24 on the remote office ER Lite.

On the main office ER Lite the allowed-ips (for the remote office peer) are both 10.0.0.8/32 and 192.168.60.1/24

Route-allowed-ips true adds a kernel route 192.168.60.0/24 on the main office ER Lite.

It is now up and working.
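An added illustration, not from the thread: the cryptokey-routing lookup WireGuard applies to both directions of a tunnel, in Python, using the remote-office side exactly as described above (the /24 written on a host address is normalised the way wg does). It shows why the far-side LAN has to be in allowed-ips: a decrypted packet whose inner source is not covered by the sending peer's allowed-ips is dropped, and route-allowed-ips only creates the outbound routes. The peer label "main-office" is a constructed name.

```python
import ipaddress

# Constructed from the post: the remote-office ER-Lite's view of the main-office peer,
# with allowed-ips typed exactly as the poster wrote them (a host address with /24).
REMOTE_OFFICE_PEERS = {
    "main-office": ["10.0.0.1/32", "10.0.1.1/24"],
}

def normalize(cidr):
    """Canonicalise an allowed-ips entry as wg does: 10.0.1.1/24 -> 10.0.1.0/24."""
    return ipaddress.ip_network(cidr, strict=False)

def cryptokey_table(peers):
    """Flatten {peer: [allowed-ips]} into {network: peer}. WireGuard lets a later peer
    take over a prefix, so a duplicate here is almost always a configuration error."""
    table = {}
    for peer, cidrs in peers.items():
        for cidr in cidrs:
            net = normalize(cidr)
            if net in table and table[net] != peer:
                raise ValueError(f"{net} is claimed by both {table[net]} and {peer}")
            table[net] = peer
    return table

def select_peer(table, address):
    """Longest-prefix match of an inner IP against the table; None means no peer."""
    addr = ipaddress.ip_address(address)
    matches = [(net, peer) for net, peer in table.items()
               if net.version == addr.version and addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def accept_inbound(table, from_peer, inner_src):
    """Outbound: the destination picks the peer. Inbound: the decrypted packet's source
    must map back to the peer that sent it, or WireGuard silently drops the packet."""
    return select_peer(table, inner_src) == from_peer

def kernel_routes(table):
    """Prefixes route-allowed-ips=true installs: one route per table entry via wg0."""
    return sorted(str(net) for net in table)

if __name__ == "__main__":
    table = cryptokey_table(REMOTE_OFFICE_PEERS)
    print("routes:", kernel_routes(table))
    # A reply from a main-office LAN host is accepted only because 10.0.1.0/24 is listed.
    print("reply from 10.0.1.50 accepted:", accept_inbound(table, "main-office", "10.0.1.50"))
```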

New Member
Posts: 3
Registered: ‎04-07-2017

Re: Release: WireGuard for EdgeRouter

[ Edited ]

I veeery briefly had wireguard up (but not really passing traffic), kind of back at an impasse now; below is my config/environment:

wireguard wg0 {
    address 10.99.17.32/32
    listen-port 51820
    peer <peer_pubkey> {
        allowed-ips 0.0.0.0/0
        endpoint peer_ip:peer_port
    }
    private-key /config/auth/privkey
    route-allowed-ips false
[...]
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.1.1 {
                distance 210
            }
        }
    }
}

admin@ubnt# sudo wg
interface: wg0
  public key: my_pubkey
  private key: (hidden)
  listening port: 51820

peer: peer_pubkey
  endpoint: peer_ip:peer_port
  allowed ips: 0.0.0.0/0
(no handshake, etc)

IP Route Table for VRF "default"
S    *> 0.0.0.0/0 [210/0] via 192.168.1.1, switch0
C    *> 0.0.0.0/32 is directly connected, wg0
C    *> 10.99.17.32/32 is directly connected, wg0
C    *> 127.0.0.0/8 is directly connected, lo
C    *> 192.168.1.0/24 is directly connected, switch0

The peer involved is Mullvad so I'm fairly sure their settings are sane and this is something on my end.

Emerging Member
Posts: 47
Registered: ‎03-26-2014
Kudos: 5

Re: Release: WireGuard for EdgeRouter

You might need a static route to Mullvad to make sure the Wireguard traffic doesn't try routing over Wireguard?

New Member
Posts: 3
Registered: ‎04-07-2017

Re: Release: WireGuard for EdgeRouter

[ Edited ]

I got the tunnel to come back up by copying resolvconf and wg-quick over from an Ubuntu install.  Still no luck with default route though; if I add a default route even with an obscenely high AD so that I can get internet access to reach the endpoint, whatever route gets added by wireguard never seems to get used.

New Member
Posts: 18
Registered: ‎12-17-2017
Kudos: 1

Re: Release: WireGuard for EdgeRouter

You have no routes that would drive traffic to the WireGuard interface and cause it to even try to establish a connection. Is your intention to have the WireGuard interface be the default route for all traffic? If so you need a static route for the WireGuard endpoint pointing to your internet gateway and a static default route pointing to the WireGuard interface as the next hop.

New Member
Posts: 3
Registered: ‎04-07-2017

Re: Release: WireGuard for EdgeRouter

Yeah, I figured this out shortly after you replied - basically one static route to the local network (on which the gateway resides) and then a static route to the endpoint using the gateway as the next hop. That obviates the need to do default route shuffling which greatly simplifies things.

Emerging Member
Posts: 47
Registered: ‎03-26-2014
Kudos: 5

Re: Release: WireGuard for EdgeRouter

Is there an easy way to prevent WireGuard from using a particular interface? I'm trying to set it up to be a VPN backup, but it keeps updating the endpoint to be the fiber/"LAN" IP.

Example:

Main Router:

10.255.255.3 internal

98.x.x.65 public

wg23 config:

address 10.3.23.254/24
listen-port 51023
mtu 1350
peer publickey {
    allowed-ips 10.23.0.0/16
    endpoint 96.x.x.89:51821
    persistent-keepalive 25
}
private-key privatekey
route-allowed-ips false

Site 23:

10.23.x.254 internal

96.x.x.89 public

wg0 config:

address 10.3.23.1/24
listen-port 51821
mtu 1350
peer publickey {
    allowed-ips 0.0.0.0/0
    endpoint 98.x.x.65:51023
    persistent-keepalive 25
}
private-key privatekey
route-allowed-ips false

sudo wg show wg23 on the main site shows

endpoint: 10.23.x.254:51821

and show wg0 on site 23 of course shows:

endpoint: 10.255.255.3:51023

This behavior is currently going on on half the sites we're testing with WireGuard. It takes careful timing with manually resetting the endpoint on both to get it to update. These are static IPs on both ends that will never change.

I'm thinking of putting a firewall rule to block the internal traffic, but I'm afraid WireGuard will still try. Is there something I can do to tell WireGuard which interface to use, or to guarantee it won't switch to the internal address?

Thanks,

Kevin

New Member
Posts: 18
Registered: ‎12-17-2017
Kudos: 1

Re: Release: WireGuard for EdgeRouter


@kshrwood02 wrote:

Is there an easy way to prevent WireGuard from using a particular interface? I'm trying to set it up to be a VPN backup, but it keeps updating the endpoint to be the fiber/"LAN" IP.

[...]

Is there something I can do to tell WireGuard which interface to use, or to guarantee it won't switch to the internal address?

You can't specify the outgoing interface for WireGuard to use. It will use the normal Linux source interface selection process, which means it will choose an interface based upon the routing table. Run "show ip route x.x.x.x" with x.x.x.x replaced with the other router's external interface IP address to make sure that they are properly set to route the traffic using their external interfaces.

Emerging Member
Posts: 47
Registered: ‎03-26-2014
Kudos: 5

Re: Release: WireGuard for EdgeRouter

Each side has a static route to the other via its public IP. Everything else is learned via OSPF.

I have no idea how WireGuard is learning about the local address. After the most recent reboot of this particular peer, it's back on the 96.x.x.x address, but it was that way when I checked last week too and swapped to the local 10. addresses some time.
New Member
Posts: 18
Registered: ‎12-17-2017
Kudos: 1

Re: Release: WireGuard for EdgeRouter

If the external interface is down can the routers communicate across the internal network? WireGuard by default doesn't send keepalives and will only send traffic when there is traffic to send, so if the last time there was traffic destined for the WireGuard interface was when the external interface was down then it may have used the internal network. Next time there is traffic and the external interface is up it should source from it.

Check your logs to see if your external interface has been dropping. If it happens again try generating traffic across the WireGuard interface and see if the reported endpoint address updates to show the external interface. Also you may want to configure persistent-keepalives on the peer, so there is some regular traffic.

If you want to force the WireGuard traffic to always attempt to use the external interface no matter the circumstances you can use policy based routing. You could match on the destination ip address and port for the endpoint to force the nexthop to be the external interface. Or you could configure a fwmark on the WireGuard interface and then match that. Just know that the WireGuard tunnel will not be able to use the internal network to connect when the external interface is down.

Emerging Member
Posts: 47
Registered: ‎03-26-2014
Kudos: 5

Re: Release: WireGuard for EdgeRouter

The external interface on the satellite is a business cable modem, which shouldn't often drop but with all the recent power outages at that site could well have. The external interface on the other is our primary gigabit fiber to the internet; I'd hear about it from everyone in the company if that dropped. The internal network between both is a Metro Ethernet delivered on fiber.

Persistent-keepalive is set to 25 for both sides.

And yes the routers by default reach each other across the internal network. The wireguard termination point at the main site is just the VPN termination point so it isn't normally handling traffic, but it is accessible from both sides.

I never want the WireGuard interface to use the internal route - the network can already reach itself internally. I just want this to be the VPN backup to the fiber. I'll take a look at the options and see.

Thanks,

Kevin

New Member
Posts: 3
Registered: ‎02-15-2018

Re: Release: WireGuard for EdgeRouter

[ Edited ]

What about IPv6? When I try to bind a v6 address to a wg0 interface I cannot see it with ip a s wg0 (and it has no link local). I can configure allowed-ips with v6 addresses but cannot see any functionality. Am I doing something wrong or is it simply not implemented?

IMHO it is important to have v6 support: think about side channel effects in dual stack environments (where the v4 stuff goes through the default wg-interface and the v6 stuff through the normal gateway!).

New Member
Posts: 18
Registered: ‎12-17-2017
Kudos: 1

Re: Release: WireGuard for EdgeRouter


@cy8aer wrote:

What about IPv6? When I try to bind a v6 address to a wg0 interface I cannot see it with ip a s wg0 (and it has no link local). I can configure allowed-ips with v6 addresses but cannot see any functionality. Am I doing something wrong or is it simply not implemented?

IMHO it is important to have v6 support: think about side channel effects in dual stack environments (where the v4 stuff goes through the default wg-interface and the v6 stuff through the normal gateway!).

WireGuard has IPv6 support, but a link local address is not assigned to the interface. You need to assign an IPv6 address to the interface.

set interfaces wireguard wg0 address xxxx::x/x

New Member
Posts: 3
Registered: ‎02-15-2018

Re: Release: WireGuard for EdgeRouter

[ Edited ]

Yes I thought that would work:

set interfaces wireguard wg0 private-key myserverprivkey
set interfaces wireguard wg0 address 192.168.10.1/24
set interfaces wireguard wg0 address '2001:abcd:ef01:1::1/64'
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 peer mypeerpubkey allowed-ips 192.168.10.2/32
set interfaces wireguard wg0 peer mypeerpubkey allowed-ips '2001:abcd:ef01:1::2/128'

The other machine is a simple Linux machine:

[Interface]
PrivateKey = mypeerprivkey
ListenPort = 51821

[Peer]
PublicKey = myserverpubkey
AllowedIps = 0.0.0.0/0, ::/0
EndPoint = endpointaddr:51820

And scripting like this:

ip link add dev wg0 type wireguard
ip address add dev wg0 192.168.10.2/24
ip address add dev wg0 192.168.10.2 peer 192.168.10.1
ip address add dev wg0 2001:abcd:ef01:1::2/64
ip address add dev wg0 2001:abcd:ef01:1::2 peer 2001:abcd:ef01:1::1
wg setconf wg0 keyfile
ip link set up dev wg0

This ends up with RTNETLINK answers: File exists

at the peer 2001.abcd... line. This works only with link locals at this point. Forgetting this line does not work (of course). Setting link local lines on the router side is a disaster: you cannot delete them anymore. And with the configuration above this is shown on the router side:

ip a s wg0 on router shows

19: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default
    link/none
    inet 192.168.10.1/24 brd 192.168.10.255 scope global wg0
       valid_lft forever preferred_lft forever

(no v6 address - this is shown on the client side). There is also no v6 allowed-ips shown on sudo wg show. On client side I see both 0.0.0.0/0 and ::/0.

And examples, like https://technofaq.org/posts/2017/10/how-to-setup-wireguard-vpn-on-your-debian-gnulinux-server-with-i... also use link-locals for peer connections.

New Member
Posts: 18
Registered: ‎12-17-2017
Kudos: 1

Re: Release: WireGuard for EdgeRouter

If you have been messing about with this for a while you might want to reboot your router. My experience is that the EdgeRouter stops properly taking IPv6 configuration, not WireGuard specific, after adding and removing addresses. Rebooting gets it back to a good state. Your configuration for the router side is correct.

On the client side you get the Netlink error because Linux will only allow you to assign a single peer address to the interface. The good news is that you don't need the peer address assignment statements. Just leave them out and things should work. I have successfully recreated your configuration here with success.

New Member
Posts: 3
Registered: ‎02-15-2018

Re: Release: WireGuard for EdgeRouter

[ Edited ]

Reboot... interesting... Now it looks good, but now I probably have a firewall issue (and that is my own problem ;-). Thanks for your help.

[Update] And found it, did not have zone rules local -> vpn v6...

Emerging Member
Posts: 46
Registered: ‎11-08-2016
Kudos: 6
Solutions: 2

Re: Release: WireGuard for EdgeRouter

@UBNT-cmb how are you going with implementing WireGuard into EdgeOS? It would be great to not worry when upgrading and make this my site-to-site of choice! Cheers

Member
Posts: 244
Registered: ‎09-16-2011
Kudos: 46
Solutions: 2

Re: Release: WireGuard for EdgeRouter

[ Edited ]

@zx2c4 @Lochnair

First, thank you for your work and support.

1) I am noticing that even when using a DDNS FQDN, WireGuard only gets the IP once and then never re-queries for a newer one. My ISP changes the IP every 23 hours, and the ddclient updates it within 2 minutes.

ERPro8 on 1.10.0 and ERX-SFP on 1.10.3, wireguard on both is 0.0.20180531-1

2) Sometimes the set interfaces wireguard wg0 peer zzz endpoint 'example.com:51920' entry disappears. I think (although not sure), this happens after restart (config is saved I am sure).

Member
Posts: 230
Registered: ‎11-01-2015
Kudos: 97
Solutions: 5

Re: Release: WireGuard for EdgeRouter

@alawadhi

  1. True, there's no function for updating the endpoint when the DNS record changes.
     The preferred workaround is to use cron to periodically re-set the endpoint, making wg resolve the domain again and update the endpoint in the kernel.

     system {
         task-scheduler {
             task wg_ddns {
                 executable {
                     arguments "set wg0 peer <KEY> endpoint ddns.example.com:51920"
                     path /usr/bin/wg
                 }
                 interval 5m
             }
         }
     }

  2. Someone mentioned having this issue to me a few days ago. I haven't gotten around to attempting to reproduce it yet.
     If you're seeing this on every reboot, I'd appreciate it if you could send over the contents of /var/log/vyatta/vyatta-config-loader.log when it happens. There should be something interesting in there if there's a bug when loading the config.
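An added example (mine, not from the thread or the wireguard-vyatta package) of the DDNS workaround above, in Python: instead of blindly re-setting the endpoint every five minutes it reads `wg show <iface> endpoints`, resolves the DDNS name, and only calls `wg set ... endpoint` when the two disagree, so an established tunnel is left alone. The interface name, peer key and hostname are placeholders, and the `wg show` text is constructed sample output.

```python
import socket
import subprocess

# Constructed sample of `wg show wg0 endpoints`: one "<pubkey>\t<ip:port>" line per
# peer; wg prints "(none)" for a peer that has never had an endpoint.
SAMPLE_WG_OUTPUT = "PEER_KEY_A=\t203.0.113.10:51920\nPEER_KEY_B=\t(none)\n"

def parse_endpoints(wg_output):
    """Map each peer public key to its current 'host:port' endpoint, or None."""
    current = {}
    for line in wg_output.splitlines():
        if not line.strip():
            continue
        key, _, endpoint = line.partition("\t")
        endpoint = endpoint.strip()
        current[key] = None if endpoint in ("", "(none)") else endpoint
    return current

def split_host_port(endpoint):
    """'198.51.100.7:51920' -> ('198.51.100.7', 51920); handles '[v6]:port' too."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def resolve_first(hostname):
    """First address the resolver returns for hostname (IPv4 or IPv6), as a string."""
    return socket.getaddrinfo(hostname, None)[0][4][0]

def endpoint_needs_update(current_endpoint, hostname, port, resolve=resolve_first):
    """True when the kernel's endpoint no longer matches what DNS currently says."""
    if current_endpoint is None:
        return True
    cur_host, cur_port = split_host_port(current_endpoint)
    return cur_host != resolve(hostname) or cur_port != port

def refresh_endpoint(iface, peer_key, hostname, port,
                     run=subprocess.run, resolve=resolve_first):
    """Re-set the peer endpoint only if DNS moved; returns True when a change was pushed.
    `run` and `resolve` are injectable so the logic can be exercised without wg or DNS."""
    shown = run(["wg", "show", iface, "endpoints"],
                capture_output=True, text=True, check=True).stdout
    current = parse_endpoints(shown).get(peer_key)
    if not endpoint_needs_update(current, hostname, port, resolve):
        return False
    # Passing the name (not the IP) makes wg resolve it and store the new address,
    # exactly as the task-scheduler entry above does unconditionally.
    run(["wg", "set", iface, "peer", peer_key, "endpoint", f"{hostname}:{port}"], check=True)
    return True
```

Scheduled from the same task-scheduler block with `path` pointing at this script, it performs the `wg set` only on the runs where the record has actually changed.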

 

 

Emerging Member
Posts: 64
Registered: ‎05-20-2014
Kudos: 60
Solutions: 2

Re: Release: WireGuard for EdgeRouter

Hi,

Can you explain what "route-allowed-ips false" does?

Thank you very much.