Member
Posts: 242
Registered: ‎04-13-2017
Kudos: 43
Solutions: 5

Re: Release: WireGuard for EdgeRouter

Sounds like you are up and running with a WireGuard setup. The key was disabling the route-allowed-ips by the looks of things.

Anything else now is specific to your local setup.

I don't use 192.168.x for any of my WireGuard setups. I also generally avoid it for my LAN setups. I assume you will be exposing the UDP port at some point so you can VPN in remotely?
Emerging Member
Posts: 47
Registered: ‎10-12-2018
Kudos: 4
Solutions: 2

Re: Release: WireGuard for EdgeRouter

Anyone build the latest 0.0.20190406 binary and try it out?

 

Member
Posts: 242
Registered: ‎04-13-2017
Kudos: 43
Solutions: 5

Re: Release: WireGuard for EdgeRouter

https://github.com/Lochnair/vyatta-wireguard/issues/97#issuecomment-483260324

 

Still not officially released but seems to work just fine.

Emerging Member
Posts: 47
Registered: ‎10-12-2018
Kudos: 4
Solutions: 2

Re: Release: WireGuard for EdgeRouter

Both of those links result in bad gateway from the website.


@phillipmcmahon wrote:

https://github.com/Lochnair/vyatta-wireguard/issues/97#issuecomment-483260324

 

Still not officially released but seems to work just fine.


 

Member
Posts: 242
Registered: ‎04-13-2017
Kudos: 43
Solutions: 5

Re: Release: WireGuard for EdgeRouter

Oh no. They worked a few days ago. Not sure what changed.
Emerging Member
Posts: 47
Registered: ‎10-12-2018
Kudos: 4
Solutions: 2

Re: Release: WireGuard for EdgeRouter

So I just went through the process of building a Debian VM on my Win10 machine and following the instructions to "make" the binaries.  Except that the .deb file that was generated in the package folder was a lot smaller than previous .deb files (200KB vs 20KB).

 

I'm not a Linux person by any means, but I've at least figured out how to get the packages built. I'm guessing there is some step somewhere that I missed that's not spelled out. Can anyone provide some guidance or point me where to look?

 

Thanks!

Emerging Member
Posts: 47
Registered: ‎10-12-2018
Kudos: 4
Solutions: 2

Re: Release: WireGuard for EdgeRouter


@amoeba00 wrote:

So I just went through the process of building a Debian VM on my Win10 machine and following the instructions to "make" the binaries.  Except that the .deb file that was generated in the package folder was a lot smaller than previous .deb files (200KB vs 20KB).

 

I'm not a Linux person by any means, but I've at least figured out how to get the packages built. I'm guessing there is some step somewhere that I missed that's not spelled out. Can anyone provide some guidance or point me where to look?

 

Thanks!


Whoops - never mind. Looks like the wireguard.ko text files all have "Bad Gateway" in them - so nothing to do at this point but wait.
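
The failure described above (a download that saved an error page where `wireguard.ko` should be) can be caught before packaging by checking the ELF magic bytes. This is an added example, not part of the thread or of the vyatta-wireguard build; the function names and sample file contents are made up for illustration.

```shell
#!/bin/sh
# Added example: reject build inputs that are saved HTTP error pages instead of
# kernel modules. Function names are illustrative, not from the project.

# is_elf FILE: succeed only if FILE starts with the ELF magic 7f 45 4c 46.
is_elf() {
    [ -f "$1" ] || return 1
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# check_modules DIR: report every *.ko under DIR that is not ELF.
# Returns 0 if all are ELF, 1 if any is not, 2 if no module was found.
check_modules() {
    list=$(find "$1" -type f -name '*.ko')
    [ -n "$list" ] || { echo "no .ko files under $1" >&2; return 2; }
    rc=0
    while IFS= read -r f; do
        if ! is_elf "$f"; then
            echo "not ELF ($(wc -c < "$f") bytes): $f" >&2
            rc=1
        fi
    done <<EOF
$list
EOF
    return $rc
}

# Run against a build tree when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_modules "$1"
fi
```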

 

 

Member
Posts: 245
Registered: ‎11-01-2015
Kudos: 112
Solutions: 6

Re: Release: WireGuard for EdgeRouter

@amoeba00 

Apologies, it's back up now. I'm in the process of moving everything over to a new box, so I had to take it down for a bit to transfer the instance over.

 

Might as well tag a release now anyway.

New Member
Posts: 4
Registered: ‎04-12-2017

Re: Release: WireGuard for EdgeRouter

Hello,

I have got an issue with the WG Interface and routing.

It seems that the route I set up goes offline when I disable and enable the Interface.

After enabling the Interface, the route is not working anymore and all the traffic goes through my normal WAN Interface.

Only a reboot of the ER brings back the route.

 

ER-Lite with version 2.0.1

WG with version 0.0.20190406

Config of the wg interface and routing:

 table 3 {
     interface-route 0.0.0.0/0 {
         next-hop-interface wg0 {
             distance 1
         }
     }
 }
...
 rule 45 {
     action modify
     disable
     modify {
         table 3
     }
     source {
         address 10.0.50.16
     }
 }
...
 rule 5003 {
     description "masquerade for WG0"
     log disable
     outbound-interface wg0
     protocol all
     type masquerade
 }
...
 wireguard wg0 {
     address 10.../32
     description Mullvad
     firewall {
         in {
             name WG0_IN
         }
         local {
             name WG0_LOCAL
         }
     }
     mtu 1420
     peer ... {
         allowed-ips 0.0.0.0/0
         description se2-mullvad
         endpoint se2-wireguard.mullvad.net:3011
     }
     private-key /config/auth/wg.key
     route-allowed-ips false
 }
Emerging Member
Posts: 47
Registered: ‎10-12-2018
Kudos: 4
Solutions: 2

Re: Release: WireGuard for EdgeRouter


@Lochnair wrote:

@amoeba00 

Apologies, it's back up now. I'm in the process of moving everything over to a new box, so I had to take it down for a bit to transfer the instance over.

 

Might as well tag a release now anyway.

Didn't know if you were aware but the e300 package at lochnair.net is different than the one at github.

I used the one from github, and my ER-4 running v1.10.9 works great (using latest Android client v20190319)

 

Thanks again for all your work on this project!

Member
Posts: 245
Registered: ‎11-01-2015
Kudos: 112
Solutions: 6

Re: Release: WireGuard for EdgeRouter

@amoeba00 

Different how? The checksum? If so it's likely because the packages uploaded to GitHub were generated manually from the repo, and are not a direct copy of the ones on Jenkins. Content-wise they should be exactly the same.

Emerging Member
Posts: 47
Registered: ‎10-12-2018
Kudos: 4
Solutions: 2

Re: Release: WireGuard for EdgeRouter


The data and control folders within the packages are slightly different file lengths, but then I used Beyond Compare on the actual files within those folders and they all match up identically.  Apologies for the false positive.
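
Differing checksums on two `.deb` archives do not show whether their contents differ; comparing per-file hashes of the unpacked trees does, which is what the Beyond Compare check above established by hand. Added example, not from the thread or the project; function names are illustrative and it assumes `dpkg-deb` and `sha256sum` are available.

```shell
#!/bin/sh
# Added example: decide whether two unpacked packages carry the same files,
# independent of archive timestamps, member ordering or compression.

# manifest DIR: one "sha256  ./relative/path" line per file, sorted by path.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# same_content DIR_A DIR_B: print differing manifest lines, return 0 if none.
same_content() {
    ma=$(mktemp) && mb=$(mktemp) || return 2
    manifest "$1" > "$ma" && manifest "$2" > "$mb" && diff "$ma" "$mb" \
        && rc=0 || rc=$?
    rm -f "$ma" "$mb"
    return $rc
}

# compare_debs A.deb B.deb: unpack both (data plus DEBIAN control files)
# with dpkg-deb -R and compare the resulting trees.
compare_debs() {
    work=$(mktemp -d) || return 2
    if dpkg-deb -R "$1" "$work/a" && dpkg-deb -R "$2" "$work/b"; then
        same_content "$work/a" "$work/b" && rc=0 || rc=$?
    else
        rc=2
    fi
    rm -rf "$work"
    return $rc
}

# Usage: sh compare.sh first.deb second.deb
if [ "$#" -eq 2 ]; then
    compare_debs "$1" "$2"
fi
```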

 

New Member
Posts: 17
Registered: ‎10-08-2018

Wireguard VPN for remote access to the LAN on an Edgerouter with dual WAN

I have a specific config I need some help with. If someone could look at https://community.ubnt.com/t5/EdgeRouter/Wireguard-for-Remote-VPN-into-the-LAN/m-p/2763862 I'd appreciate it.

Thank you Jason for being so active even here!

Emerging Member
Posts: 47
Registered: ‎10-12-2018
Kudos: 4
Solutions: 2

Re: Release: WireGuard for EdgeRouter

As per the KB here, I was curious if anyone has upgraded from v1x to v2.0.3 with the v2 wireguard.deb package in the /config/data/install-packages and had any success?

 

 

 

Member
Posts: 201
Registered: ‎04-26-2014
Kudos: 30
Solutions: 4

Re: Release: WireGuard for EdgeRouter

I am upgraded on an ER4 using the newest v2 debs from github. I pre-installed before I updated firmware because I was already on v2.0. But so far, no issues.
New Member
Posts: 7
Registered: ‎01-30-2013
Kudos: 3

Re: Release: WireGuard for EdgeRouter


I've installed the 0.0.20190406 E100 release on my ERL-3 running v2.0.1 and I'm getting the following error whenever I attempt to commit the basic wg0 interface config

 

# commit
[ interfaces wireguard wg0 ]
RTNETLINK answers: Operation not supported

Commit failed


Anyone encountered a similar problem or have suggestions for a solution ?

Member
Posts: 242
Registered: ‎04-13-2017
Kudos: 43
Solutions: 5

Re: Release: WireGuard for EdgeRouter

Try removing, reinstalling the package and rebooting.

The error suggests the kernel module isn't loaded.
Member
Posts: 117
Registered: ‎09-30-2014
Kudos: 32
Solutions: 6

Re: Release: WireGuard for EdgeRouter

I agree with @phillipmcmahon's advice and please make sure you are using the wireguard-v2.0-e100-0.0.20190406-1.deb package for eOS v2.

 

I was testing V2.0.3 on my ERL last evening and ran into a similar issue as I was trying to install the wireguard package for firmware V1.10.x
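
The two causes raised in the posts above (module not loaded, or a package built for a different firmware) can be told apart by checking `/proc/modules` and comparing the module's `vermagic` with the running kernel. Added example, not from the thread or the project; function names are illustrative, and it assumes `modinfo` is available on the device.

```shell
#!/bin/sh
# Added example: triage for a wg0 commit that fails because the kernel side is
# missing. Function names are illustrative, not from the project.

# module_loaded NAME [MODULES_FILE]: is NAME listed in /proc/modules?
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}"
}

# vermagic_kernel "STRING": kernel release a module was built for, i.e. the
# first word of its vermagic string.
vermagic_kernel() {
    printf '%s\n' "${1%% *}"
}

# diagnose NAME [RUNNING_KERNEL] [MODULES_FILE] [VERMAGIC]
# Prints one of: loaded, not-installed, kernel-mismatch, not-loaded.
diagnose() {
    name=$1
    running=${2:-$(uname -r)}
    modules=${3:-/proc/modules}
    vermagic=${4:-$(modinfo -F vermagic "$name" 2>/dev/null || true)}
    if module_loaded "$name" "$modules"; then echo loaded; return 0; fi
    if [ -z "$vermagic" ]; then echo not-installed; return 1; fi
    if [ "$(vermagic_kernel "$vermagic")" != "$running" ]; then
        echo kernel-mismatch; return 2
    fi
    echo not-loaded; return 3
}

# Usage on the router: sh triage.sh wireguard
if [ "$#" -gt 0 ]; then
    diagnose "$@"
fi
```

A `kernel-mismatch` result points at a package built for another firmware line; `not-loaded` with a matching kernel points at the remove, reinstall and reboot advice.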

Member
Posts: 242
Registered: ‎04-13-2017
Kudos: 43
Solutions: 5

Re: Release: WireGuard for EdgeRouter

@Profdrno did you ever get this sorted?
New Member
Posts: 4
Registered: ‎05-29-2018

Re: Release: WireGuard for EdgeRouter

 

In the example on Lochnair/vyatta-wireguard, I'm confused about the following:

 

wg genkey | tee /config/auth/wg.key | wg pubkey >  wg.public

configure

set interfaces wireguard wg0 address 192.168.33.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true

set interfaces wireguard wg0 peer GIPWDet2eswjz1JphYFb51sh6I+CwvzOoVyD7z7kZVc= endpoint example1.org:29922
set interfaces wireguard wg0 peer GIPWDet2eswjz1JphYFb51sh6I+CwvzOoVyD7z7kZVc= allowed-ips 192.168.33.101/32

set interfaces wireguard wg0 peer aBaxDzgsyDk58eax6lt3CLedDt6SlVHnDxLG2K5UdV4= endpoint example2.net:51820
set interfaces wireguard wg0 peer aBaxDzgsyDk58eax6lt3CLedDt6SlVHnDxLG2K5UdV4= allowed-ips 192.168.33.102/32
set interfaces wireguard wg0 peer aBaxDzgsyDk58eax6lt3CLedDt6SlVHnDxLG2K5UdV4= allowed-ips 192.168.33.103/32

set interfaces wireguard wg0 private-key /config/auth/wg.key

set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 description 'WireGuard'
set firewall name WAN_LOCAL rule 20 destination port 51820

commit
save
exit

 

> set interfaces wireguard wg0 address 192.168.33.1/24

 

What am I actually indicating here? Is this the internal range of IPs that I'm saying should be routed through WireGuard? This setting is the most confusing and seems to possibly conflict with the IP range one can set for the `allowed-ips` under a peer setting.

 

> set interfaces wireguard wg0 listen-port 51820

 

This seems to be the port to listen to on this device.

 

> set interfaces wireguard wg0 route-allowed-ips true

 

Does this indicate that any IPs listed within each peer's `allowed-ips` setting will be sent through `wg0`?