New Member
Posts: 12
Registered: ‎02-16-2016
Kudos: 3

Re: Release: WireGuard for EdgeRouter

Hi,

First of all, happy new year 2018, and a big thank you for this awesome piece of software! It's a very handy tool to build VPN tunnels in a few minutes!

I'm quite confused by the "allowed-ips" command. What is it used for exactly? Should it match the IP subnet of the remote side of the tunnel?

Let me briefly describe the setup:

Main site :

EdgeRouter Lite + LAN network 192.168.22.0/24 and wg0 IP 192.168.88.1/24.

EdgeOS v1.9.7+hotfix.1 and wireguard-octeon-0.0.20171221-3.deb

Remote site :

EdgeRouter X + LAN network 192.168.48.0/24 and wg0 IP 192.168.88.3/24.

EdgeOS v1.9.7+hotfix.1 and wireguard-ralink-0.0.20171221-3.deb

This configuration works perfectly:

Main site ER-Lite:
set interfaces wireguard wg0 address 192.168.88.1/24
set interfaces wireguard wg0 listen-port 4321
set interfaces wireguard wg0 peer public-key-remote-site allowed-ips 192.168.48.0/24
set interfaces wireguard wg0 peer public-key-remote-site allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer public-key-remote-site description ERX1
set interfaces wireguard wg0 peer public-key-remote-site endpoint 'remotesitedomain.com:4321'
set interfaces wireguard wg0 peer public-key-remote-site persistent-keepalive 15
set interfaces wireguard wg0 private-key private-key-main-site
set interfaces wireguard wg0 route-allowed-ips true

Remote site ER-X:
set interfaces wireguard wg0 address 192.168.88.3/24
set interfaces wireguard wg0 listen-port 4321
set interfaces wireguard wg0 peer public-key-main-site allowed-ips 192.168.22.0/24
set interfaces wireguard wg0 peer public-key-main-site allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer public-key-main-site description ERL1
set interfaces wireguard wg0 peer public-key-main-site endpoint 'mainsitedomain.com:4321'
set interfaces wireguard wg0 peer public-key-main-site persistent-keepalive 15
set interfaces wireguard wg0 private-key private-key-remote-site
set interfaces wireguard wg0 route-allowed-ips true


If I remove the "allowed-ips 0.0.0.0/0" configuration line from one site, I lose connectivity: no more pings to either LAN network, nor to the interconnect network.
From the site where I removed "allowed-ips 0.0.0.0/0", if I ping the 192.168.88.x IP of the other site, I get a few thousand "Destination Host Unreachable" ICMP answers per second.

Example route table for the remote site where I removed the line; a strange route 0.0.0.0/24 through wg0 is present, even after a reboot:
S *> 0.0.0.0/0 [210/0] via a.b.c.d, eth0
C *> 0.0.0.0/24 is directly connected, wg0
C *> 127.0.0.0/8 is directly connected, lo
K *> 192.168.22.0/24 [0/0] via wg0
C *> 192.168.48.0/24 is directly connected, switch0
C *> 192.168.88.0/24 is directly connected, wg0
C *> a.b.c.e/xy is directly connected, eth0

Doing more tests while writing this post, I also noticed I can get everything working (ping OK on LAN 22, 48 and 88) if I replace "allowed-ips 0.0.0.0/0" with "allowed-ips 192.168.88.0/24".
Route table remains unchanged.

Remote site new configuration:
set interfaces wireguard wg0 address 192.168.88.3/24
set interfaces wireguard wg0 listen-port 4321
set interfaces wireguard wg0 peer public-key-main-site allowed-ips 192.168.22.0/24
set interfaces wireguard wg0 peer public-key-main-site allowed-ips 192.168.88.0/24
set interfaces wireguard wg0 peer public-key-main-site description ERL1
set interfaces wireguard wg0 peer public-key-main-site endpoint 'mainsitedomain.com:4321'
set interfaces wireguard wg0 peer public-key-main-site persistent-keepalive 15
set interfaces wireguard wg0 private-key private-key-remote-site
set interfaces wireguard wg0 route-allowed-ips true


tl;dr:
- What is the purpose of the allowed-ips command?
- Is it normal to need to allow the IP subnet of the tunnel itself?
- Why is there always a directly connected route 0.0.0.0/24 via wg0 in the routing table?

Thank you for your help!

Member
Posts: 230
Registered: ‎11-01-2015
Kudos: 97
Solutions: 5

Re: Release: WireGuard for EdgeRouter

@ptibeur

1) I'd suggest reading this: https://www.wireguard.com/#cryptokey-routing

2) Yes, that'll become clear after reading 1)

3) We're not quite clear on that. Some testing showed that this also occurs with other tunneling protocols, so we decided not to pursue the issue. Not sure if it's the old kernel, or something else in EdgeOS.
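Added example (written for this page; not part of the thread, WireGuard, or Lochnair's package) that models the two cryptokey-routing rules the reply above points to, using the thread's own subnets and the peer descriptions ERX1/ERL1 as peer names. Keys, handshakes and the kernel routing table are deliberately left out; only the allowed-ips checks are modelled, which is enough to reproduce why pinging the other side's 192.168.88.x address fails once neither 0.0.0.0/0 nor 192.168.88.0/24 is allowed.

```python
"""Cryptokey routing as WireGuard applies it, modelled in plain Python.

Example written for this page; it is not code from WireGuard or from the
EdgeRouter package. Two rules decide the thread's question:

  egress : the destination address of a plaintext packet selects the peer
           whose most specific allowed-ips entry covers it; no match means
           no peer, and the packet cannot be sent at all.
  ingress: a packet decrypted with a peer's key is accepted only if its
           source address lies inside that peer's allowed-ips.
"""
from ipaddress import ip_address, ip_network

# Constructed allowed-ips tables: "what this site allows for the peer at the other end".
MAIN = {"ERX1": ["192.168.48.0/24", "0.0.0.0/0"]}                # ER-Lite, unchanged
REMOTE_BROKEN = {"ERL1": ["192.168.22.0/24"]}                     # ER-X with 0.0.0.0/0 deleted
REMOTE_FIXED = {"ERL1": ["192.168.22.0/24", "192.168.88.0/24"]}   # ER-X allowing the tunnel subnet


def parse(cfg):
    """Turn the string config into ip_network objects, keyed by peer."""
    return {peer: [ip_network(n) for n in nets] for peer, nets in cfg.items()}


def select_peer(allowed, dst):
    """Egress lookup: the peer owning the longest allowed-ips prefix covering dst, or None."""
    dst = ip_address(dst)
    best = None
    for peer, nets in allowed.items():
        for net in nets:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best[0] if best else None


def accept_inbound(allowed, peer, src):
    """Ingress check: the decrypting peer must have an allowed-ips entry covering src."""
    return any(ip_address(src) in net for net in allowed[peer])


def one_way(sender, receiver, receiver_name_for_sender, src, dst):
    """Deliver one packet src -> dst across the tunnel; None on success, else the failing stage."""
    if select_peer(sender, dst) is None:
        return "egress: no peer has an allowed-ips entry covering the destination"
    if not accept_inbound(receiver, receiver_name_for_sender, src):
        return "ingress: source address not in the allowed-ips of the decrypting peer"
    return None


def ping(a, b, a_name_on_b, b_name_on_a, src, dst):
    """Echo request a -> b followed by the reply b -> a. Returns 'ok' or the first failure."""
    err = one_way(a, b, a_name_on_b, src, dst)
    if err:
        return "request " + err
    err = one_way(b, a, b_name_on_a, dst, src)
    if err:
        return "reply " + err
    return "ok"


if __name__ == "__main__":
    main, broken, fixed = parse(MAIN), parse(REMOTE_BROKEN), parse(REMOTE_FIXED)
    # ER-X pinging the ER-Lite tunnel address with 0.0.0.0/0 removed: fails before anything is sent.
    print(ping(broken, main, "ERX1", "ERL1", "192.168.88.3", "192.168.88.1"))
    # ER-Lite pinging ER-X: the request is sent, but ER-X drops it on the ingress check.
    print(ping(main, broken, "ERL1", "ERX1", "192.168.88.1", "192.168.88.3"))
    # Allowing 192.168.88.0/24 instead of 0.0.0.0/0 restores both directions.
    print(ping(fixed, main, "ERX1", "ERL1", "192.168.88.3", "192.168.88.1"))
```

Two practical consequences follow from the model. An allowed-ips prefix belongs to exactly one peer, so the most specific entry decides which peer a destination goes to, and 0.0.0.0/0 simply catches everything nothing narrower claims. With route-allowed-ips true, every allowed-ips entry is also installed as a kernel route (the K 192.168.22.0/24 route in the table above), so on a site-to-site peer the entries should name the remote LAN(s) and the tunnel subnet, as in the final configuration, rather than a catch-all 0.0.0.0/0 that would pull all traffic into the tunnel.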

New Member
Posts: 12
Registered: ‎02-16-2016
Kudos: 3

Re: Release: WireGuard for EdgeRouter

@Lochnair

Thank you for the fast answer, indeed it's much clearer now after reading the cryptokey-routing concept ! 

New Member
Posts: 3
Registered: ‎12-27-2017

Re: Release: WireGuard for EdgeRouter

Thanks, but adding the route 'set protocols static interface-route 0.0.0.0/0 next-hop-interface wg0' results in a loss of connectivity altogether.

When I add that route, there is that default route plus one with the next hop being my ISP's router over eth0, like so. Is this expected?

[Screenshot: Screenshot from 2018-01-07 16-41-52.png, routing table not reproduced]

(Also, what's up with the 0.0.0.0/32 route? I didn't add that.)

To be clear: I have 'allowed-ips 0.0.0.0/0' and 'route-allowed-ips false' set, and I'm trying to route all LAN traffic through the wg0 interface, but it's not going.

With the default route to wg0 disabled/deleted, I've added a static route to a machine I know exists on the other side of the wg0 tunnel, and I can ping it successfully, so I know the wg connection itself is working.

Any idea what's causing this?

Member
Posts: 230
Registered: ‎11-01-2015
Kudos: 97
Solutions: 5

Re: Release: WireGuard for EdgeRouter

@rmblr

Having two default routes is going to lead to problems. I'm going to assume that you're not doing PBR, and simply want to route all internet traffic through the wg peer.

First I'd remove the default route going via the modem, if you're using DHCP do:

set interfaces ethernet eth0 dhcp-options default-route no-update

Or if you've added it manually

delete protocols static route 0.0.0.0/0 next-hop 10.0.0.138

Then add a static route for the public IP of your wg peer, e.g. if the IP is 77.66.55.44:

set protocols static route 77.66.55.44/32 next-hop 10.0.0.138

This way encrypted traffic going to the peer will go through the modem and everything else goes through the wg tunnel.

New Member
Posts: 3
Registered: ‎12-27-2017

Re: Release: WireGuard for EdgeRouter

@Lochnair Thanks! Removing the default route via dhcp-options was definitely the trick. For some reason I still see the 3 default routes listed above in my screenshot, but 'ip route' and 'show ip route' show the correct routes.

For others my final config is:
set interfaces wireguard wg0 address <client-ip>/32
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 peer <key> allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer <key> endpoint '<endpoint-ip>:51820'
set interfaces wireguard wg0 private-key /config/auth/wg.key
set interfaces wireguard wg0 route-allowed-ips false

set interfaces ethernet eth0 dhcp-options default-route no-update
set protocols static route <endpoint-ip>/32 next-hop <wan-router-ip>
set protocols static interface-route 0.0.0.0/0 next-hop-interface wg0

My 'show ip route' output is (other rows removed):

IP Route Table for VRF "default"
S    *> 0.0.0.0/0 [1/0] is directly connected, wg0
S       0.0.0.0/0 [210/0] via <wan-router-ip>, eth0
C    *> 0.0.0.0/32 is directly connected, wg0

S    *> <endpoint-ip>/32 [1/0] via <wan-router-ip>, eth0
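Added example (written for this page; not from EdgeOS, the WireGuard package, or either poster) that puts Lochnair's advice and rmblr's final configuration side by side. It models the two route lookups a full-tunnel setup depends on: the plaintext packet is routed into wg0, then the encrypted UDP packet to the peer's endpoint is routed again and must leave on eth0. 77.66.55.44 and 10.0.0.138 are the placeholder addresses from Lochnair's reply, the administrative distances 1 and 210 are the ones in rmblr's 'show ip route' output, and the LAN 192.168.1.0/24 on eth1 is an assumption.

```python
"""Route recursion for a WireGuard full tunnel, modelled in plain Python.

Example written for this page, not code from EdgeOS or WireGuard. It shows why
the /32 route to the peer's endpoint is mandatory once 0.0.0.0/0 points at wg0:
without it the encrypted packets to the endpoint are themselves routed into the
tunnel and never leave the box.
"""
from ipaddress import ip_address, ip_network

# Constructed table following rmblr's final config. Entries are (prefix, egress interface,
# administrative distance); 77.66.55.44 stands in for <endpoint-ip>, 10.0.0.138 for <wan-router-ip>.
FINAL_TABLE = [
    ("0.0.0.0/0", "wg0", 1),        # set protocols static interface-route 0.0.0.0/0 next-hop-interface wg0
    ("0.0.0.0/0", "eth0", 210),     # DHCP default via 10.0.0.138, listed but not selected
    ("77.66.55.44/32", "eth0", 1),  # set protocols static route <endpoint-ip>/32 next-hop <wan-router-ip>
    ("192.168.1.0/24", "eth1", 0),  # connected LAN (assumed)
]
# The same table without the host route for the endpoint.
WITHOUT_HOST_ROUTE = [r for r in FINAL_TABLE if r[0] != "77.66.55.44/32"]


class RoutingLoop(Exception):
    """Encrypted tunnel traffic would be routed back into the tunnel."""


def lookup(table, dst):
    """Longest-prefix match; among equal prefixes the lowest administrative distance wins."""
    dst = ip_address(dst)
    candidates = [(ip_network(net), iface, dist)
                  for net, iface, dist in table if dst in ip_network(net)]
    if not candidates:
        return None
    _, iface, _ = max(candidates, key=lambda c: (c[0].prefixlen, -c[2]))
    return iface


def forward(table, dst, endpoint, tunnel_if="wg0"):
    """Interfaces a packet to dst traverses.

    A packet routed into the tunnel is encrypted and re-routed as UDP to the peer's
    endpoint; that second lookup must not land in the tunnel again.
    """
    first = lookup(table, dst)
    if first is None:
        raise ValueError(f"no route to {dst}")
    if first != tunnel_if:
        return [first]
    second = lookup(table, endpoint)
    if second is None:
        raise ValueError(f"no route to endpoint {endpoint}")
    if second == tunnel_if:
        raise RoutingLoop(f"encrypted packets to {endpoint} would be routed back into {tunnel_if}")
    return [first, second]


def has_routing_loop(table, endpoint, tunnel_if="wg0"):
    """True if the peer's endpoint itself resolves to the tunnel interface."""
    return lookup(table, endpoint) == tunnel_if


if __name__ == "__main__":
    ep = "77.66.55.44"
    print(forward(FINAL_TABLE, "1.1.1.1", ep))        # ['wg0', 'eth0']: tunnelled, then out the WAN
    print(forward(FINAL_TABLE, ep, ep))               # ['eth0']: only WireGuard's own UDP goes in clear
    print(forward(FINAL_TABLE, "192.168.1.20", ep))   # ['eth1']: local LAN, no tunnel
    print(has_routing_loop(WITHOUT_HOST_ROUTE, ep))   # True: the default via wg0 swallows the endpoint
```

The lookup prefers the lower administrative distance when two default routes are present, which is why rmblr's table still works with the DHCP default listed at [210/0] next to the static route at [1/0]. Removing the DHCP default with dhcp-options default-route no-update, as Lochnair suggested, takes that tie-break out of the picture; the /32 towards the endpoint is what prevents the loop either way.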

New Member
Posts: 4
Registered: ‎11-21-2017

Re: Release: WireGuard for EdgeRouter

I made a new test between 2 Ubiquiti Infinity (1.9.7 hf4 and 10G modules)

wireguard iperf3 test results:

[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-600.00 sec  79.4 GBytes  1.14 Gbits/sec  2091             sender
[  4]   0.00-600.00 sec  79.4 GBytes  1.14 Gbits/sec                   receiver

directly connected iperf3 test results:

[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-60.00  sec  20.7 GBytes  2.96 Gbits/sec  640              sender
[  4]   0.00-60.00  sec  20.7 GBytes  2.96 Gbits/sec                   receiver

I thought it would be faster...

New Member
Posts: 4
Registered: ‎11-21-2017

Re: Release: WireGuard for EdgeRouter

And a top result with a started wireguard iperf3 test:

[Screenshot: Screenshot from 2018-01-16 16-39-16.png, top output not reproduced]

New Member
Posts: 34
Registered: ‎12-21-2016
Kudos: 8
Solutions: 1

Re: Release: WireGuard for EdgeRouter

Upgrading to wireguard-e300-0.0.20180118-1 utterly nuked my WireGuard config. After reboot the interface was gone completely, and upon trying to reconfigure it and add it back, post-commit I just get:

root@e300# commit
[ interfaces wireguard wg0 ]
RTNETLINK answers: Operation not supported

Commit failed
[edit]

Member
Posts: 230
Registered: ‎11-01-2015
Kudos: 97
Solutions: 5

Re: Release: WireGuard for EdgeRouter

@jugs

My apologies. Seems I fubar'd the kernel modules. I'll update the release in a few.

Edit: Updated the release.

New Member
Posts: 34
Registered: ‎12-21-2016
Kudos: 8
Solutions: 1

Re: Release: WireGuard for EdgeRouter

@Lochnair

No problem, thank you for your support.

New Member
Posts: 13
Registered: ‎03-08-2014
Kudos: 2
Solutions: 1

Re: Release: WireGuard for EdgeRouter

I'm currently struggling with a setup I want to try. I would like WireGuard between two edge routers.

The idea is to get a site to site VPN working.

Site A the EdgeRouter is behind a pfSense firewall on the internal network. I could forward ports or an entire public IP address to the EdgeRouter.

Internal network 10.10.10.0

pfSense 10.10.10.1

EdgeRouter 10.10.10.5

Site B the EdgeRouter would be behind a FritzBox, with changing public IP addresses.

Internal network 10.10.20.0

FritzBox 10.10.20.1

EdgeRouter 10.10.20.5

I guess site B would initiate the connection to A, as A has a fixed IP. But how would I set up routing on the EdgeRouters for this to work through WireGuard?

Any ideas/help would be greatly appreciated.

New Member
Posts: 34
Registered: ‎12-21-2016
Kudos: 8
Solutions: 1

Re: Release: WireGuard for EdgeRouter

@Lochnair

I downloaded the "latest" e300 release from GitHub and it's not functional, and not really any better than before.

root@e300# show interfaces wireguard
Configuration under specified path is empty
[edit]
root@e300# sudo wg
interface: wireguard0

peer: ABCDEFGHIJKLmnOP=
  endpoint: 12.34.56.78:443
  allowed ips: 172.16.0.0/16
[edit]
root@e300# set interface wireguard wireguard0 ... (configure the interface)
[edit]
root@e300# commit
[ interfaces wireguard wireguard0 ]
RTNETLINK answers: File exists

Commit failed
[edit]
New Member
Posts: 7
Registered: ‎04-08-2016

Re: Release: WireGuard for EdgeRouter

Getting a "wireguard: Unknown symbol ip_tunnel_get_stats64 (err 0)" on insmod.

ERX-SFP, v1.9.7+hotfix.4. wireguard-e50-0.0.20180118-2.deb


What am I doing wrong?

New Member
Posts: 31
Registered: ‎05-25-2017
Kudos: 2

Re: Release: WireGuard for EdgeRouter

@Lochnair: first of all, thanks a lot for maintaining the WireGuard packages for EdgeRouter, I really appreciate your work! I was wondering when you would have time to upgrade WireGuard to the Feb 2nd release? Thanks!

New Member
Posts: 22
Registered: ‎05-20-2016
Kudos: 1

Re: Release: WireGuard for EdgeRouter

I want to see this beautiful VPN funded by a company (hint for Ubiquiti)

I want to see this VPN officially embedded into EdgeOS (and why not, VyOS)

Who's with me?

New Member
Posts: 34
Registered: ‎12-21-2016
Kudos: 8
Solutions: 1

Re: Release: WireGuard for EdgeRouter

While it would be great for users, Ubiquiti is not an innovative company. They're just a low-cost networking hardware provider, and along with that come the caveats of low cost. EdgeOS barely has basic IP features that VyOS has had for many years. Their small development team can't even keep up with taking code from upstream. Sorry to burst your bubble.
New Member
Posts: 31
Registered: ‎05-25-2017
Kudos: 2

Re: Release: WireGuard for EdgeRouter

@Lochnair: Thanks again for updating the packages! Seems to be running smooth again... :-)

New Member
Posts: 7
Registered: ‎04-08-2016

Re: Release: WireGuard for EdgeRouter

Working fine on ER-X with the latest update...

New Member
Posts: 2
Registered: ‎02-13-2018

Re: Release: WireGuard for EdgeRouter

Hi there, I'm brand new to VPNs and suck at networking in general (sysadmin). Do you guys have a Discord channel or Gitter room where I can get some help setting this up tonight?
