Established Member
Posts: 1,667
Registered: ‎05-03-2016
Kudos: 576
Solutions: 158

Re: Release: WireGuard for EdgeRouter

@viviandarkbloom

You could carefully text edit /config/config.boot to be what you actually want and then simply reboot the router.

New Member
Posts: 6
Registered: ‎08-24-2017
Kudos: 5

Re: Release: WireGuard for EdgeRouter

@karog

From the wg-quick documentation:

Table — Controls the routing table to which routes are added. There are two special values: ‘off’ disables the creation of routes altogether, and ‘auto’ (the default) adds routes to the default table and enables special handling of default routes.

But this configuration node is not available for WireGuard for EdgeRouter.

route-allowed-ip = false disables the routing between the peers. It still writes to the main routing table for the WireGuard interface and inserts a 0.0.0.0/8 or /16 or /24.

I have table = off on my Linux setup and it works as intended, but the EdgeRouter port seems to be missing this configuration option.

show ip route for the EdgeRouter:

C    *> 0.0.0.0/8 is directly connected, wg0

C    *> 10.0.0.0/8 is directly connected, wg0

I do not want the WireGuard interface to write 0.0.0.0/8 to the main routing table. It creates confusion if I have multiple WireGuard interfaces defined.

Emerging Member
Posts: 45
Registered: ‎02-11-2018
Kudos: 6
Solutions: 1

Re: Release: WireGuard for EdgeRouter

@Charlie_P It's probably the same bug as this: https://community.ubnt.com/t5/EdgeRouter/Routing-Table-Entry-0-0-0-0-24/m-p/2669560#M240292
I too asked about it as I'm getting a 0.0.0.0/24 route.
New Member
Posts: 6
Registered: ‎08-24-2017
Kudos: 5

Re: Release: WireGuard for EdgeRouter

Thanks for the heads-up... didn't realise it was a long-standing bug. Probably will never get fixed.

Will uninstall the WireGuard tunnels from the EdgeRouter and use a standalone Linux machine.

Pity... the speed for WireGuard was FAST on ER4.

Member
Posts: 736
Registered: ‎09-13-2018
Kudos: 138
Solutions: 48

Re: Release: WireGuard for EdgeRouter

What problem was the 0.0.0.0/24 route causing?  I don't use wireguard (yet), but that route doesn't cause problems.  That is probably one of the reasons it has never been fixed.  Just ignore it, it isn't going to route any useful traffic.

Emerging Member
Posts: 45
Registered: ‎02-11-2018
Kudos: 6
Solutions: 1

Re: Release: WireGuard for EdgeRouter


@BuckeyeNet wrote:

What problem was the 0.0.0.0/24 route causing?  I don't use wireguard (yet), but that route doesn't cause problems.  That is probably one of the reasons it has never been fixed.  Just ignore it, it isn't going to route any useful traffic.


Or one could add a script to /config/scripts/post-config.d to clean up these routes if they are causing any problems, but I don't think they do; they are just confusing if you're not paying close attention to the mask, that's all.
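
One way to write the cleanup script suggested above, as an added example that is not part of the thread or of the WireGuard for EdgeRouter package. It assumes the unwanted routes appear in `ip -4 route show` as prefixes inside 0.0.0.0/8 on interfaces named wgN; the function names, the `--apply` switch and the sample routes are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): find connected routes inside 0.0.0.0/8
# that point at a WireGuard interface, and delete them only with --apply.

# Constructed sample of `ip -4 route show` output, used for the dry run.
SAMPLE='default via 203.0.113.1 dev pppoe0
0.0.0.0/8 dev wg0 proto kernel scope link
10.0.0.0/8 dev wg0 proto kernel scope link
0.0.0.0/24 dev wg1 proto kernel scope link
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1'

# Read route lines on stdin; print "<prefix> <dev>" for each spurious route.
# A /0 (printed by ip as "default") is never matched, so a deliberate
# default route through the tunnel is left alone.
spurious_wg_routes() {
    awk '{
        dev = ""
        for (i = 2; i < NF; i++) if ($i == "dev") dev = $(i + 1)
        if ($1 !~ /^0\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) next
        if (dev !~ /^wg[0-9]+$/) next        # assumption: interfaces are named wgN
        split($1, p, "/")
        if (p[2] + 0 >= 8) print $1, dev
    }'
}

# Delete what the filter reports from the main table (needs root).
delete_spurious_wg_routes() {
    ip -4 route show table main | spurious_wg_routes |
    while read -r prefix dev; do
        ip -4 route del "$prefix" dev "$dev" && echo "removed $prefix dev $dev"
    done
}

if [ "${1:-}" = "--apply" ]; then
    delete_spurious_wg_routes
else
    printf '%s\n' "$SAMPLE" | spurious_wg_routes   # dry run on the sample
fi
```

Run without arguments, it only lists the matches in the constructed sample. A copy placed in /config/scripts/post-config.d would call `delete_spurious_wg_routes` unconditionally instead of checking for `--apply`.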

Emerging Member
Posts: 89
Registered: ‎04-13-2017
Kudos: 17
Solutions: 1

Re: Release: WireGuard for EdgeRouter


if it ain't broke, then don't fix it...

New Member
Posts: 4
Registered: ‎06-02-2018

Re: Release: WireGuard for EdgeRouter

Hoping someone can point out why my WireGuard configuration allows IPv4 access to LAN and WAN but only IPv6 access to LAN through the tunnel. I am trying to set up as Road Warrior as described here, but when testing the connection I cannot access IPv6 on the internet.

I am reasonably confident that my WireGuard server and client configurations are correct but would appreciate if anyone could point out whether additional router settings are required to get this working or whether it cannot be done. The client config is using AllowedIPs = 0.0.0.0/0, ::/0.

I have a feeling that the reason it works for IPv4 is this section of my configuration, but is there an IPv6 equivalent?

    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }

Has anyone got IPv6 to the internet working through a WireGuard tunnel on EdgeOS using a built-in function or maybe something like:

sudo /sbin/ip6tables -t nat -A POSTROUTING -s fd00::/64 -o pppoe0 -j MASQUERADE

Thanks for any advice!

New Member
Posts: 22
Registered: ‎12-15-2017
Kudos: 3
Solutions: 1

Re: Release: WireGuard for EdgeRouter

Hey Guys -

I am trying to configure a road warrior setup, using an ERX (travel router) and ER4 (Main/Home).  The aim is to route all my traffic through the VPN so that all my devices are protected and have access to my home network.  The hotel provides 30Mbs/30Mbs up down from the rooms so a fairly good connection is available.

I have OpenVPN working perfectly but the performance hit is pretty heavy, especially when you are streaming.

I have the following WireGuard setup that works; however, some sites don't load when I am connected to the WireGuard VPN.  I can access hosts on either side and browse most websites.

ER4 (Main/Home)

set interfaces wireguard wg0 address 172.16.10.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 mtu 1420
set interfaces wireguard wg0 peer remote-site-public-key allowed-ips 172.16.10.2/32
set interfaces wireguard wg0 peer remote-site-public-key allowed-ips 192.168.30.0/24
set interfaces wireguard wg0 peer remote-site-public-key description ERX
set interfaces wireguard wg0 peer remote-site-public-key endpoint 'XXX.XXX.com:51820'
set interfaces wireguard wg0 peer remote-site-public-key persistent-keepalive 15
set interfaces wireguard wg0 private-key main-site-private-key
set interfaces wireguard wg0 route-allowed-ips true

ERX (travel router)

set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 mtu 1420
set interfaces wireguard wg0 peer main-site-public-key allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer main-site-public-key description ER4
set interfaces wireguard wg0 peer main-site-public-key endpoint 'XXX.XXX.com:51820'
set interfaces wireguard wg0 peer main-site-public-key persistent-keepalive 15
set interfaces wireguard wg0 private-key remote-site-private-key
set interfaces wireguard wg0 route-allowed-ips false

set firewall group network-group WG_Devices network 192.168.31.0/24
set protocols static table 1 description WireGuard
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface wg0
set protocols static table 1 route 0.0.0.0/0 blackhole distance 255

set firewall modify WG_Routing rule 20 action modify
set firewall modify WG_Routing rule 20 description Inter-LAN
set firewall modify WG_Routing rule 20 destination group network-group WG_Devices
set firewall modify WG_Routing rule 20 modify table main
set firewall modify WG_Routing rule 40 action modify
set firewall modify WG_Routing rule 40 description WireGuard
set firewall modify WG_Routing rule 40 modify table 1
set firewall modify WG_Routing rule 40 source group network-group WG_Devices

set interfaces ethernet eth1 firewall in WG_Routing

set service nat rule 5012 description WG
set service nat rule 5012 log disable
set service nat rule 5012 outbound-interface wg0
set service nat rule 5012 protocol all
set service nat rule 5012 type masquerade

Any tips would be helpful.