Emerging Member
Posts: 47
Registered: ‎03-26-2014
Kudos: 5

Re: Release: WireGuard for EdgeRouter

I'm sure I'm missing something easy.  

Router A - ER4 directly on the internet. 

 

wireguard wg0 {
address 10.0.0.94/24
listen-port 51820
mtu 1420
peer <B public> {

allowed-ips 0.0.0.0/0

endpoint xx.xx.9.83:51820
persistent-keepalive 25
}
private-key <A private>
route-allowed-ips false
}

 

Router B: ER-X behind NAT.

wireguard wg0 {
address 10.0.0.4/24
listen-port 51820
mtu 1420
peer <A public> {
allowed-ips 0.0.0.0/0
endpoint xxx.xx.188.249:51820
persistent-keepalive 25
}
private-key <B private>
route-allowed-ips false
}

 

 

A receives packets from B:

I receive packets from the other side:

ubnt@ubnt:~$ show interfaces ethernet eth0 capture | grep 51820
23:34:02.200618 IP xx.xx.90.83.39424 > xx.xx.188.249.51820: UDP, length 148
23:34:07.322219 IP xx.xx.90.83.39424 > xx.xx.188.249.51820: UDP, length 148

 

but sudo wg never shows any received bytes:

peer: <B public>
endpoint:xx.xx.90.83:51820
allowed ips: 0.0.0.0/0
transfer: 0 B received, 148 B sent
persistent keepalive: every 25 seconds

 

Anything obvious that I'm missing?  Any logs I can check?

 

Thanks,

Kevin

 

Emerging Member
Posts: 47
Registered: ‎03-26-2014
Kudos: 5

Re: Release: WireGuard for EdgeRouter

I'm sure I'm missing something simple.  Router A has its own public IP and is an ER4.  Router B is an ER-X behind NAT.

 

Router A:

wireguard wg0 {
address 10.0.0.94/24
listen-port 51820
mtu 1420
peer <A>  {
allowed-ips 0.0.0.0/0

endpoint x.x.90.83:51820
persistent-keepalive 25
}
private-key <B> =
route-allowed-ips false
}

 

Router B:

wireguard wg0 {
address 10.0.0.4/24
listen-port 51820
mtu 1420
peer <A public>= {
allowed-ips 0.0.0.0/0
endpoint x.x.188.249:51820
persistent-keepalive 25
}
private-key <B private>=
route-allowed-ips false
}

 

A can see B's requests, and sends out its own:

 

show interfaces ethernet eth0 capture | grep 51820
23:54:45.338198 IP B.B.90.83.39424 > A.A.188.249.51820: UDP, length 148
23:54:50.458167 IP B.B.90.83.39424 > A.A.188.249.51820: UDP, length 148
23:54:55.572942 IP B.B.90.83.39424 > A.A.188.249.51820: UDP, length 148
23:54:57.124408 IP A.A.188.249.51820 > B.B.83.51820: UDP, length 148
23:55:00.691139 IP B.B.90.83.39424 > A.A.188.249.51820: UDP, length 148

 

 

But sudo wg shows no received:

sudo wg
interface: wg0
public key: <a public>=
private key: (hidden)
listening port: 51820

peer: <B public>
endpoint: B.B.90.83:51820
allowed ips: 0.0.0.0/0
transfer: 0 B received, 15.03 KiB sent
persistent keepalive: every 25 seconds

 

Any ideas what I may be missing?

 

Thanks,

Kevin

 

Emerging Member
Posts: 47
Registered: ‎03-26-2014
Kudos: 5

Re: Release: WireGuard for EdgeRouter

Never mind, I just needed a firewall rule allowing 51820 in WAN_LOCAL.

 

Thanks, wireguard's working great!
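The captures in the two posts above show the failure mode exactly: every datagram in both directions is 148 bytes, which is the size of a WireGuard handshake initiation, and no 92-byte handshake response ever appears, so `sudo wg` reports 0 B received even though tcpdump on eth0 sees the packets. The script below is an added example (mine, not part of the EdgeRouter package or the posts above) that classifies capture lines by WireGuard message size and reports that pattern; the sample lines are constructed to mirror the thread's output, using RFC 5737 documentation addresses in place of the redacted ones.

```python
"""Classify the UDP datagrams of a tcpdump/EdgeOS `capture` by WireGuard
message size and spot a handshake that never completes.

Added example for this thread, not code from the EdgeRouter package.  Sizes
are fixed by the WireGuard protocol: handshake initiation 148 bytes, handshake
response 92, cookie reply 64; transport data is a 16-byte header plus a
payload padded to 16 bytes plus a 16-byte tag, i.e. a multiple of 16 and at
least 32 (a bare keepalive).
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

# Constructed samples modelled on the capture lines in the thread (RFC 5737
# documentation addresses; not real traffic).  Router A is 203.0.113.249:51820,
# router B sits behind NAT and shows up as 198.51.100.83:39424.
STUCK_CAPTURE = """\
23:54:45.338198 IP 198.51.100.83.39424 > 203.0.113.249.51820: UDP, length 148
23:54:50.458167 IP 198.51.100.83.39424 > 203.0.113.249.51820: UDP, length 148
23:54:57.124408 IP 203.0.113.249.51820 > 198.51.100.83.51820: UDP, length 148
23:55:00.691139 IP 198.51.100.83.39424 > 203.0.113.249.51820: UDP, length 148
"""

HEALTHY_CAPTURE = """\
12:00:00.000000 IP 198.51.100.83.39424 > 203.0.113.249.51820: UDP, length 148
12:00:00.030000 IP 203.0.113.249.51820 > 198.51.100.83.39424: UDP, length 92
12:00:00.060000 IP 198.51.100.83.39424 > 203.0.113.249.51820: UDP, length 32
12:00:00.090000 IP 203.0.113.249.51820 > 198.51.100.83.39424: UDP, length 128
"""


def classify(length):
    """Map a UDP payload length to the only WireGuard message type it can be."""
    if length == 148:
        return "handshake-initiation"
    if length == 92:
        return "handshake-response"
    if length == 64:
        return "cookie-reply"
    if length >= 32 and length % 16 == 0:
        return "transport-data"
    return "not-wireguard"


def parse(capture):
    """Turn capture lines into (src, dst, type) records; skip non-UDP lines."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append({
                "src": (m["src"], int(m["sport"])),
                "dst": (m["dst"], int(m["dport"])),
                "type": classify(int(m["len"])),
            })
    return pkts


def diagnose(capture, local_ip, listen_port):
    """Look at the capture from the point of view of local_ip:listen_port."""
    here = (local_ip, listen_port)
    pkts = parse(capture)
    inbound = [p for p in pkts if p["dst"] == here]
    outbound = [p for p in pkts if p["src"] == here]
    in_types = Counter(p["type"] for p in inbound)
    out_types = Counter(p["type"] for p in outbound)
    findings = []

    # Initiations arrive on the wire but we never send a response: the kernel
    # module never saw them (this is what `wg` reporting 0 B received means).
    if in_types["handshake-initiation"] and not out_types["handshake-response"]:
        findings.append(
            "peer initiations reach this host but no response is sent: the "
            "datagrams are not reaching the WireGuard socket (check WAN_LOCAL "
            "for udp/%d)" % listen_port)

    # A peer behind NAT shows up from a translated source port.  Had any packet
    # been accepted, WireGuard would have roamed the endpoint to that port;
    # still sending to the configured port is a second sign nothing got in.
    seen_from = {p["src"] for p in inbound}
    for p in outbound:
        same_ip = [s for s in seen_from if s[0] == p["dst"][0]]
        if same_ip and p["dst"] not in seen_from:
            findings.append(
                "sending to %s:%d although the peer's packets come from port %d: "
                "endpoint never updated from a received packet"
                % (p["dst"][0], p["dst"][1], same_ip[0][1]))
            break

    verdict = "ok" if not findings else "handshake-never-completes"
    return {"inbound": dict(in_types), "outbound": dict(out_types),
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, cap in (("stuck", STUCK_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        r = diagnose(cap, "203.0.113.249", 51820)
        print(name, r["verdict"], *r["findings"], sep="\n  ")
```

Run it against a real `show interfaces ethernet eth0 capture | grep 51820` paste with your own WAN address and listen port. The second finding is worth knowing on its own: once a single datagram from a NAT'd peer is accepted, WireGuard updates that peer's endpoint to the source port it saw (39424 here), so `sudo wg` still showing the configured port after minutes of inbound packets means nothing was ever accepted.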

 

New Member
Posts: 13
Registered: ‎03-08-2014
Kudos: 2
Solutions: 1

Re: Release: WireGuard for EdgeRouter

Is there a way to get a little bit more debug output on what is going on in cases where things don't work as expected?

 

I would love something like the following messages somewhere

 

  • got wireguard UDP packets from IP [ADDRESS] but no peer found
  • got wireguard UDP packets from IP [ADDRESS] for peer [PEER] but IP [ANOTHER ADDRESS] is not an allowed-ip
  • can't reach peer [PEER], no answer
  • can't reach peer [PEER], wrong answer
  • can't reach peer [PEER], ...

That would be a great first step to help debug issues that can show up when something is not working as it should be.

It would be even greater if there were a debug level that showed what happens with the packets:

  • got wireguard UDP packets from IP [ADDRESS] for peer [PEER], NAT translated the IP to [XYZ] and sent the packet out interface [eth0]

The reason for wanting this information is that we are deploying wireguard on edge routers between more and more sites and it works great; however, when it doesn't, it is extremely hard to debug where the problem is: it could be configuration mistakes, routing issues, NAT issues, ...

New Member
Posts: 7
Registered: ‎04-08-2016

Re: Release: WireGuard for EdgeRouter

I can't seem to be able to add multiple peers to a wg0 interface for some reason, it seems like a shortcoming of the config parser.

Works fine when each peer has its own interface but I would rather avoid it.

New Member
Posts: 18
Registered: ‎12-17-2017
Kudos: 1

Re: Release: WireGuard for EdgeRouter


@TheLT wrote:

I can't seem to be able to add multiple peers to a wg0 interface for some reason, it seems like a shortcoming of the config parser.

Works fine when each peer has its own interface but I would rather avoid it.


Multiple peers per interface can be configured. What exactly is the issue you are running into?

New Member
Posts: 7
Registered: ‎04-08-2016

Re: Release: WireGuard for EdgeRouter

I've narrowed it down to the latest wireguard package 20180420. It doesn't autoload the wireguard.ko module automatically for some reason. I've rolled back to 20180413 and everything is fine. Thanks!
Emerging Member
Posts: 49
Registered: ‎03-11-2016
Kudos: 15

Re: Release: WireGuard for EdgeRouter

I'm trying to setup WG on my ER-X for use from a mobile phone.

 

On the ER-X I have eth0 attached to WAN, the other ports are on switch with address 192.168.1.1/24

 

    wireguard wg0 {
        address 192.168.9.1/24
        description WireGuard
        firewall {
            out {
            }
        }
        listen-port 54321
        mtu 1500
        peer <public-key_MobileP> {
            description MobileP
        }
        private-key <private-key_router>
        route-allowed-ips true
    }

on the Android mobile app I configured this:

 

Private Key <private-key_mobileP>
Public Key <private-key_mobileP>
Addresses: 192.168.9.2/24
Listen Port: 54321
DNS servers 8.8.8.8
MTU 1500

Peer

Public Key <public-key_router>
Allowed IPs: 192.168.0.0/16
Endpoint: <DDNS-name_router>:54321

since this isn't working I'm obviously overlooking something. Most examples online are about point to point setups or connecting to a VPN provider.

 

The phone isn't rooted so I've not got easy access to logs of why it is failing

 

The ER-X has firmware v1.10.1 and wireguard loaded:

wireguard: WireGuard 0.0.20180420 loaded. See www.wireguard.com for information.
wireguard: Copyright (C) 2015-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

 

Any help appreciated

New Member
Posts: 18
Registered: ‎12-17-2017
Kudos: 1

Re: Release: WireGuard for EdgeRouter

The Wireguard Android app currently requires a custom kernel with Wireguard support compiled in. A version using a user space Wireguard implementation is under development.

Emerging Member
Posts: 49
Registered: ‎03-11-2016
Kudos: 15

Re: Release: WireGuard for EdgeRouter

[ Edited ]

Are you sure? Because the app page says it supports userland (unless the text reflects what the app will do some day)

 

it's version 0.4.2 (via F-Droid)

 

Where did you find the actual status on the app?

 

EDIT: I found https://git.zx2c4.com/wireguard-go/about/ so indeed that will be the reason :/

New Member
Posts: 18
Registered: ‎12-17-2017
Kudos: 1

Re: Release: WireGuard for EdgeRouter

You're right they did activate the user space fallback. I hadn't checked the app for a few weeks and there had not been an announcement to the WireGuard mailing list regarding the change.

 

Have you added a rule to WAN_LOCAL to allow the WireGuard listen-port in on udp?

Emerging Member
Posts: 49
Registered: ‎03-11-2016
Kudos: 15

Re: Release: WireGuard for EdgeRouter

I assume so

 

    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "SSH to router from WAN"
            destination {
                port <avoid kiddies>
            }
            log disable
            protocol tcp
            state {
                established enable
                invalid disable
                new enable
                related disable
            }
        }
        rule 30 {
            action accept
            description Wireguard
            destination {
                port 54321
            }
            log disable
            protocol udp
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }

I also see the stats mention

37913904ACCEPTWireguard

 

but that could be anything

New Member
Posts: 18
Registered: ‎12-17-2017
Kudos: 1

Re: Release: WireGuard for EdgeRouter

 

    wireguard wg0 {
        address 192.168.9.1/24
        description WireGuard
        firewall {
            out {
            }
        }
        listen-port 54321
        mtu 1500
        peer <public-key_MobileP> {
            description MobileP
        }
        private-key <private-key_router>
        route-allowed-ips true
    }

Just noticed you don't have an allowed-ip assigned to the peer.

Emerging Member
Posts: 49
Registered: ‎03-11-2016
Kudos: 15

Re: Release: WireGuard for EdgeRouter

Right, I had completely forgotten about having tried to supply that and failing with a weird error.

 

I put 192.168.9.2 as allowed IP and then I get the error that it conflicts with an existing route

New Member
Posts: 18
Registered: ‎12-17-2017
Kudos: 1

Re: Release: WireGuard for EdgeRouter


@peturdainn wrote:

right, I had all forgotten about having tried to supply that and failed with a weird error.

 

I put 192.168.9.2 as allowed IP and then I get the error that it conflicts with an existing route


When you add 192.168.9.2 to allowed-ips, either do so as the host address 192.168.9.2/32 or set route-allowed-ips to false.

When route-allowed-ips is set to true, routes are created for any allowed-ips assigned to peers on that interface. If the routes would conflict with other existing routes then the commit will fail. If you have the allowed-ips set to 192.168.9.2/24 then the route would conflict with the route for the interface, since it has an address in the same network. Setting the allowed-ip to 192.168.9.2/32 would cause a more specific route to be created that will not conflict with the existing route, and setting route-allowed-ips to false will turn off the creation of the route, which in your case is not needed since the allowed-ip is within the network of the address assigned to the interface.
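To make the commit rule in the reply above concrete, here is an added example (my code, not the EdgeRouter package's) that models it with Python's ipaddress module: the interface address contributes a connected route, each allowed-ips prefix contributes a route via wg0 when route-allowed-ips is true, and an identical prefix already in the table fails the commit while a more specific one does not. That last rule is taken from the explanation in this thread and is an assumption about how the package behaves, not something verified against its source.

```python
"""Model of the commit check described in the reply above: with
route-allowed-ips true, EdgeOS installs a route via wg0 for every allowed-ips
prefix of every peer, and a route that is already present makes the commit
fail.  Added example, not the EdgeRouter package's own code; the rule
"an identical prefix conflicts, a more specific one does not" is taken from
the explanation in this thread and is an assumption about the package.
"""
import ipaddress


class CommitError(Exception):
    """Raised where `commit` would refuse the configuration."""


def plan_routes(iface_addr, peers, route_allowed_ips, existing=None):
    """Return {network: origin} for the routes wg0 would contribute.

    iface_addr  -- the `address` of the wireguard interface, e.g. 192.168.9.1/24
    peers       -- {peer_name: [allowed-ips, ...]}
    existing    -- routes already in the table that do not come from wg0
    """
    routes = {ipaddress.ip_network(k): v for k, v in (existing or {}).items()}
    iface = ipaddress.ip_interface(iface_addr)
    if iface.network in routes:
        raise CommitError(f"address {iface_addr} conflicts with existing "
                          f"{routes[iface.network]} route")
    routes[iface.network] = "connected wg0"
    if not route_allowed_ips:
        return routes
    for name, allowed in peers.items():
        for prefix in allowed:
            # allowed-ips is a prefix: 192.168.9.2/24 means 192.168.9.0/24
            net = ipaddress.ip_network(prefix, strict=False)
            if net in routes:
                raise CommitError(
                    f"peer {name}: allowed-ips {prefix} would add route {net}, "
                    f"which conflicts with the existing {routes[net]} route")
            routes[net] = f"peer {name} via wg0"
    return routes


def check(iface_addr, peers, route_allowed_ips, existing=None):
    """Commit-style summary: ('ok', routes) or ('error', message)."""
    try:
        return "ok", plan_routes(iface_addr, peers, route_allowed_ips, existing)
    except CommitError as e:
        return "error", str(e)


if __name__ == "__main__":
    # constructed LAN route from the ER-X in this thread (switch ports on 192.168.1.1/24)
    LAN = {"192.168.1.0/24": "connected switch0"}
    # the three variants discussed for the phone peer
    for allowed, flag in (("192.168.9.2/24", True),
                          ("192.168.9.2/32", True),
                          ("192.168.9.2/24", False)):
        print(allowed, flag, check("192.168.9.1/24", {"MobileP": [allowed]}, flag, LAN))
```

The first variant fails the way the poster saw it, the second adds a /32 route alongside the connected /24, and the third adds nothing beyond the connected route, which is all that is needed when the peer's address lives inside the interface's own network.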

Emerging Member
Posts: 49
Registered: ‎03-11-2016
Kudos: 15

Re: Release: WireGuard for EdgeRouter

Sadly that didn't work...

 

I can do

 

route-allowed-ips = false

 

but adding 192.168.9.2/32 to allowed-ips gives an error, regardless of route-allowed-ips 

 

On the routing tab I see these two wg0 related entries:

Yes		0.0.0.0/24		wg0	connected	Yes
Yes		192.168.9.0/24		wg0	connected	Yes

Is that ok/expected?

New Member
Posts: 23
Registered: ‎03-31-2008
Kudos: 1

Re: Release: WireGuard for EdgeRouter

I had the same problem with release "wireguard-e1000-0.0.20180420-1.deb" - any change to allowed-ips gave an error that it conflicts with an existing route.

I noticed that there was a new release "wireguard-e1000-0.0.20180420-2.deb". This lets me add entries to allowed-ips without an error, but now nothing is added to the routing table. When I add static routes it seems to work ok.

I check and "route-allowed-ips" is set to "true".

It looks like the fix for "-1" broke something else?

 

Mike Farmwald
Emerging Member
Posts: 49
Registered: ‎03-11-2016
Kudos: 15

Re: Release: WireGuard for EdgeRouter

[ Edited ]

wooot

 

First tests seem to look good!

wireguard-e1000-0.0.20180420-2.deb  fixes my problem

 

Thanks a lot

New Member
Posts: 9
Registered: ‎03-24-2017
Kudos: 1

Re: Release: WireGuard for EdgeRouter

I am very close to getting wireguard set up but have hit a wall.  I think that I am missing something pretty basic.

 

My setup is remote office -->  main office.  ER Lite on both sides running 1.10.3 with current wireguard installed

 

Main office has a static ip and LAN is 10.0.1.1/24 behind it (edge router is 10.0.1.1)

Remote office has a dynamic ip with a ddns and LAN is 192.168.60.1/24 behind it (edge router is 192.168.60.1)

 

I am in the remote office.  No one at the main office needs to see or connect to my remote LAN.  Ideally the only remote office LAN traffic routed through wg0 is traffic I need to go to 10.0.1.1/24

 

the config on the remote office ER LIte is:

 

wireguard wg0 {
        address 10.0.0.8/24
        description wg-peer
        listen-port 51820
        mtu 1420
        peer [main-office-publickey] {
            allowed-ips 10.0.0.1/32
            description office-wg-server
            endpoint 63.[X].[X].[X]:51820
            persistent-keepalive 25
        }
        private-key /config/auth/wg/privatekey
        route-allowed-ips false
}

The config on the main office ER Lite is:

 

 

    wireguard wg0 {
        address 10.0.0.1/24
        description wg-server
        listen-port 51820
        mtu 1420
        peer [remote-office-publickey] {
            allowed-ips 10.0.0.8/32
            description edge-client
            endpoint [dyn.domain.name]:51820
            persistent-keepalive 25
        }
        private-key /config/auth/wg/privatekey
        route-allowed-ips false
    }

On both routers I have:

 

 

        rule 30 {
            action accept
            description "Allow wireguard"
            destination {
                port 51820
            }
            log disable
            protocol udp
        }

 

 

So,  

 

---- on main office ER Lite ---

$ sudo wg
interface: wg0
  public key: [main-office-publickey]
  private key: (hidden)
  listening port: 51820

 

peer: [remote-office-publickey]
  endpoint: [resolved.dyn.domain.name]:51820
  allowed ips: 10.0.0.8/32
  transfer: 20.09 KiB received, 36.18 KiB sent
  persistent keepalive: every 25 seconds

 

--- on the remote office ER Lite ---

$ sudo wg

interface: wg0

  public key: [remote-office-publickey]

  private key: (hidden)

  listening port: 51820

 

peer[main-office-publickey]

  endpoint: 63.[X].[X].[X]:51820

  allowed ips: 10.0.0.1/32

  transfer: 41.36 KiB received, 23.47 KiB sent

  persistent keepalive: every 25 seconds

 

No handshake information is given.

 

I can ping from remote office ER Lite to the main office ER Lite.

 

$ ping 10.0.0.1

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.

64 bytes from 10.0.0.1: icmp_req=1 ttl=64 time=27.8 ms

64 bytes from 10.0.0.1: icmp_req=2 ttl=64 time=26.3 ms

 

However, from remote office ER Lite no ping response to any machines on main office LAN (10.0.1.1/24)

Also no ping response from remote office LAN machine 192.168.60.5 to main office LAN (10.0.1.1/24)

 

I have tried different iterations of the config like route-allowed-ips true and allowed-ips of 0.0.0.0/0 with no luck. 

 

Is this is a routing issue?  If so what is the next step?  What I am missing? TIA

 

New Member
Posts: 33
Registered: ‎11-18-2016
Kudos: 11
Solutions: 1

Re: Release: WireGuard for EdgeRouter

[ Edited ]

From your description it looks like wireguard is connecting fine.

 

As far as I can see, all you need to do is update your config to include the remote side subnets in the allowed-ips statement, or include 0.0.0.0/0, but I think with 0.0.0.0/0 you'd have to insert static routes for the remote networks into the routing table yourself on each router.

 

I've highlighted the changes to your config that should make it work.

 

remote office ER LIte:

 

wireguard wg0 {
        address 10.0.0.8/24
        description wg-peer
        listen-port 51820
        mtu 1420
        peer [main-office-publickey] {
            allowed-ips 10.0.0.1/32
            allowed-ips 10.0.1.0/24
            description office-wg-server
            endpoint 63.[X].[X].[X]:51820
            persistent-keepalive 25
        }
        private-key /config/auth/wg/privatekey
        route-allowed-ips true
}

 

main office ER Lite:

 

    wireguard wg0 {
        address 10.0.0.1/24
        description wg-server
        listen-port 51820
        mtu 1420
        peer [remote-office-publickey] {
            allowed-ips 10.0.0.8/32
            allowed-ips 192.168.60.0/24
            description edge-client
            endpoint [dyn.domain.name]:51820
            persistent-keepalive 25
        }
        private-key /config/auth/wg/privatekey
        route-allowed-ips true
    }

 

 

 

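Every allowed-ips problem in this thread (the phone peer with no allowed-ips, the remote office that can ping 10.0.0.1 but nothing on 10.0.1.0/24, the "0.0.0.0/0 needs static routes" remark) comes down to two lookups that happen one after the other: the kernel routing table has to send the packet to wg0 at all, and then WireGuard's cryptokey routing has to find a peer whose allowed-ips contains the destination, or the packet is silently dropped. On the way back, a decrypted packet is dropped unless its source address belongs to the peer it arrived from. The following is an added example (my code, not WireGuard's or the EdgeRouter package's) that models both steps; the remote-office tables are constructed from the scenario in the last post, not copied from either router.

```python
"""Cryptokey routing, the rule behind every allowed-ips question in this
thread, plus the kernel routing step that has to happen first.  An outbound
packet is encrypted for the peer whose allowed-ips contains the destination
(longest prefix wins) and dropped when none does; a decrypted inbound packet is
dropped unless its source falls in the sending peer's allowed-ips.  Added
example, not WireGuard's or the EdgeRouter package's code; the remote-office
tables below are constructed from the scenario in the last post.
"""
import ipaddress


def _lpm(entries, addr):
    """Longest-prefix match over [(network, value)]; None when nothing matches."""
    a = ipaddress.ip_address(addr)
    best = None
    for net, value in entries:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return None if best is None else best[1]


class CryptokeyTable:
    """Per-interface allowed-ips table.  A prefix belongs to one peer at a time:
    giving it to another peer takes it away from the first, as `wg` does.
    add_peer appends prefixes; it does not replace the peer's existing ones."""

    def __init__(self):
        self.entries = []

    def add_peer(self, peer, allowed_ips):
        for prefix in allowed_ips:
            net = ipaddress.ip_network(prefix, strict=False)
            self.entries = [(n, p) for n, p in self.entries if n != net]
            self.entries.append((net, peer))

    def peer_for(self, dst):
        return _lpm(self.entries, dst)

    def accepts_inbound(self, peer, src):
        # the source must map back to the peer the packet was decrypted from
        return self.peer_for(src) == peer


def send(kernel_routes, table, dst):
    """Trace an outbound packet: kernel route first, then cryptokey routing."""
    iface = _lpm(kernel_routes, dst)
    if iface != "wg0":
        return f"not tunnelled: kernel routes {dst} via {iface}"
    peer = table.peer_for(dst)
    if peer is None:
        return f"dropped by wg0: no peer has {dst} in allowed-ips"
    return f"encrypted for {peer}"


def routes(mapping):
    """Build a kernel routing table from {prefix: interface}."""
    return [(ipaddress.ip_network(k), v) for k, v in mapping.items()]


if __name__ == "__main__":
    # remote office as first posted: only the far tunnel address is allowed,
    # route-allowed-ips false and no static route for the main office LAN
    t = CryptokeyTable()
    t.add_peer("main-office", ["10.0.0.1/32"])
    kr = routes({"0.0.0.0/0": "eth0", "192.168.60.0/24": "switch0",
                 "10.0.0.0/24": "wg0"})
    print(send(kr, t, "10.0.0.1"))   # encrypted for main-office
    print(send(kr, t, "10.0.1.5"))   # not tunnelled: kernel routes ... via eth0
    # a route for the far LAN alone is not enough: cryptokey routing drops it
    kr = routes({"0.0.0.0/0": "eth0", "192.168.60.0/24": "switch0",
                 "10.0.0.0/24": "wg0", "10.0.1.0/24": "wg0"})
    print(send(kr, t, "10.0.1.5"))   # dropped by wg0: no peer has ...
    # the fix from the reply: put the far LAN in allowed-ips as well
    t.add_peer("main-office", ["10.0.1.0/24"])
    print(send(kr, t, "10.0.1.5"))   # encrypted for main-office
    print(t.accepts_inbound("main-office", "10.0.1.5"))  # True
```

The "not tunnelled" case is the one route-allowed-ips true (or a static route) fixes; the "dropped by wg0" case is the one only allowed-ips fixes, and it is invisible to tcpdump on eth0 because nothing is ever sent. The same table explains why 0.0.0.0/0 in allowed-ips is a catch-all that still needs routes, and why the phone peer with no allowed-ips at all could never exchange a packet.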