WireGuard / wireguard-vyatta-ubnt

WireGuard for Ubiquiti Devices
https://www.wireguard.com/
GNU General Public License v3.0

Unable to configure Wireguard on EdgeOS 2.0.9-hotfix6 #144

Open prettyyellowdog opened 1 year ago

prettyyellowdog commented 1 year ago

Package version

1.0.22020627

Firmware version

2.0.9-hotfix6

Device

EdgeRouter 4 / 6P / 12 - e300

Issue description

Wireguard interface appears in "show interfaces". Attempting to configure results in:

ubnt@router# commit
[ interfaces wireguard wg0 ]
Unable to access interface: Not supported

Downgrading to 2.0.9-hotfix4 resolves the issue.

Configuration and log output

No response

vladpetric commented 1 year ago

Same issue

xcolwell commented 1 year ago

+1 Seeing the same

MrChrisWeinert commented 1 year ago

Same package version, same firmware version but on EdgeRouter-X (e50). There is no Wireguard interface (wg0) shown when I run "show interfaces"

boteman commented 1 year ago

Identical Wireguard and hotfix6 on my ER-X (e50) router, shows wg interfaces just fine. I'm still fighting off distractions to my time to finish configuring my tunnels on both ends, but it looks OK to me. Trimmed config follows:

me@bc-er-x:~$ show version
Version:      v2.0.9-hotfix.6
Build ID:     5574651
Build on:     12/30/22 10:15
Copyright:    2012-2020 Ubiquiti Networks, Inc.
HW model:     EdgeRouter X SFP 6-Port
Uptime:       19:26:37 up 19 days,  4:11,  1 user,  load average: 1.15, 1.06, 1.01

me@bc-er-x:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         75.Comcrap                        u/u  WAN public
eth1         -                                 u/D  trunk
eth2         -                                 u/D
eth3         -                                 u/D
eth4         192.168.4.1/24                    u/D  backdoor
eth5         -                                 u/u  fiber
lo           127.0.0.1/8                       u/u
             ::1/128
switch0      192.168.1.1/24                    u/u  Local
switch0.2    192.168.2.1/24                    u/u  Entertainment
switch0.3    192.168.3.1/24                    u/u  Guest
switch0.65   192.168.65.1/24                   u/u  LAN
wg1          10.1.37.1/30                      u/u  tunnel 1
wg2          10.1.37.5/30                      u/u  tunnel 2

me@bc-er-x:~$ show configuration
...
interfaces {
    ethernet eth0 {
        address dhcp
        description "WAN public"
    }
    ethernet eth1 {
        description trunk
    }
    ethernet eth2 {
    }
    ethernet eth3 {
    }
    ethernet eth4 {
        address 192.168.4.1/24
        description backdoor
    }
    ethernet eth5 {
        description fiber
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        vif 2 {
        }
        vif 3 {
        }
        vif 65 {
        }
    }
    wireguard wg1 {
        address 10.1.37.1/30
        description 'tunnel 1'
        mtu 1420
        peer key {
            allowed-ips 10.1.37.0/30
            persistent-keepalive 25
        }
        private-key ****************
    }
    wireguard wg2 {
        address 10.1.37.5/30
        description 'tunnel 2'
        mtu 1420
        peer key {
            allowed-ips 10.1.37.4/30
            persistent-keepalive 25
        }
        private-key ****************
    }
}

dc361 commented 1 year ago

@prettyyellowdog - You did re-install wireguard after the update, didn't you? If you saw the error message before the re-install, you may want to go into configuration mode, then issue the command "load config.boot", then "compare" (to display what hasn't been committed yet), then "commit" and, if there are no errors, "save".

If you are still seeing an error from the CLI, try "sudo modinfo wireguard" to make sure the wireguard kernel module is loaded.

Not that it helps, but my ER4's wireguard is working fine. I have the latest version of the package in the firstboot directory, which means that it is installed automatically when you update the firmware, before the configuration is loaded, so I don't get any error messages.

In my case running on my EdgeRouter 4 with firmware v2.0.9-hotfix.6

/config/data/firstboot/install-packages/e300-v2-v1.0.20220627-v1.0.20210914.deb
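The recovery sequence described in the comment above (check the kernel module, reinstall the package, reload config.boot, compare, commit, save) as one non-interactive script, followed by a check that every wg interface came back u/u. This is an added example, not code from the wireguard-vyatta-ubnt project or from dc361. It assumes an EdgeOS box with the script-template helpers and vyatta-op-cmd-wrapper present, sudo available, and the .deb path passed on the command line; the script name and the default path in the usage line are hypothetical, and the "show interfaces" sample embedded for testing is constructed to match the column layout captured earlier in the thread.

```shell
#!/bin/vbash
# Added example (not project code): automate the post-upgrade recovery steps
# from dc361's comment and verify that the wg interfaces are up afterwards.
# Assumptions: EdgeOS script-template helpers, vyatta-op-cmd-wrapper, sudo.

# Is the wireguard module loadable on the running kernel? modinfo fails when
# the installed package was built for a different firmware kernel.
wg_module_present() {
    sudo modinfo wireguard >/dev/null 2>&1
}

# Constructed sample of "show interfaces" output (same column layout as the
# capture earlier in this thread), used to exercise the parsers below.
SAMPLE_SHOW_INTERFACES='Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         203.0.113.2/24                    u/u  WAN public
wg1          10.1.37.1/30                      u/u  tunnel 1
wg2          10.1.37.5/30                      u/D  tunnel 2'

# Print "name state" for each wg interface. The S/L column is always field 3
# because an unaddressed interface still shows "-" in the address column.
wg_ifaces_from_show() {
    printf '%s\n' "$1" | awk '$1 ~ /^wg[0-9]+$/ { print $1, $3 }'
}

# Succeeds only when at least one wg interface exists and all report u/u.
all_wg_up() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^wg[0-9]+$/ { n++; if ($3 != "u/u") bad = 1 }
        END { exit (n == 0 || bad) }'
}

# Re-apply the boot configuration, mirroring what is typed at the CLI:
# configure; load config.boot; compare; commit; save
reapply_config() {
    source /opt/vyatta/etc/functions/script-template
    configure
    load /config/config.boot
    compare
    commit || { echo "commit failed; fix the errors shown above" >&2; return 1; }
    save
}

main() {
    deb="$1"
    if ! wg_module_present; then
        echo "wireguard module not loadable on kernel $(uname -r); installing $deb" >&2
        sudo dpkg -i "$deb"
        wg_module_present || { echo "still not loadable: wrong package for this firmware" >&2; return 1; }
    fi
    reapply_config || return 1
    out=$(/opt/vyatta/bin/vyatta-op-cmd-wrapper show interfaces)
    wg_ifaces_from_show "$out"
    all_wg_up "$out" || { echo "some wg interface is not u/u" >&2; return 1; }
}

# Router-side steps run only on request, so the helpers can be sourced and
# checked elsewhere. Hypothetical usage:
#   ./wg-postupgrade.sh --apply /config/data/firstboot/install-packages/<pkg>.deb
if [ "${1:-}" = "--apply" ]; then
    main "${2:?usage: $0 --apply /path/to/wireguard.deb}"
fi
```

The module check runs first because a commit error on a wireguard interface is only worth debugging once `modinfo wireguard` succeeds for the kernel that is actually booted; if the reinstall does not fix that, the package does not match the firmware and no amount of reloading config.boot will help.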

farmwald commented 1 year ago

I have the same issues on an e1000 with hotfix6. It was working fine until I upgraded to hotfix6. Tried downgrading to hotfix4, but still can't get it to work. I will try downgrading wireguard. My config file tries to load wg0 and wg1, but only wg1 is working. How do I see error messages from loading the config? /var/log/messages doesn't refer to wireguard or wg0. I really need my wg0 back, as I can't get to my remote sites.

farmwald commented 1 year ago

I got wg0 working again by moving to old edge router firmware, old wireguard deb, and an old config file. I haven't tracked it down, but the old config file seems to be important to get it to work for me.

vladpetric commented 1 year ago

Could it be that the wg0 interface needs to be added manually to the config?

boteman commented 1 year ago

It is generally a good idea to reset to factory defaults after upgrading the firmware of any device, then reload the saved configuration. This eliminates the possibility that a config setting got corrupted during the firmware upgrade or if the upgraded firmware relies on a new parameter or one which had its name changed.

At least it provides a known starting point and eliminates this as possibility if you reset it, then you can look elsewhere for the problem.

vladpetric commented 1 year ago

Fine but in my case I only installed the packages way after the upgrade.

saeraphas commented 1 year ago

> @prettyyellowdog - You did re-install wireguard after the update, didn't you? If you saw the error message before the re-install, you may want to go into configuration mode, then issue the command "load config.boot", then "compare" (to display what hasn't been committed yet), then "commit" and, if there are no errors, "save".
>
> If you are still seeing an error from the CLI, try "sudo modinfo wireguard" to make sure the wireguard kernel module is loaded.
>
> Not that it helps, but my ER4's wireguard is working fine. I have the latest version of the package in the firstboot directory, which means that it is installed automatically when you update the firmware, before the configuration is loaded, so I don't get any error messages.
>
> In my case running on my EdgeRouter 4 with firmware v2.0.9-hotfix.6
>
> /config/data/firstboot/install-packages/e300-v2-v1.0.20220627-v1.0.20210914.deb

These steps from @dc361 fixed this issue on 1x EdgeRouter Pro and 6x EdgeRouter X for me.

pixelspark commented 1 year ago

For what it's worth - after the hotfix-6 update (on an e300 / ER-12P) my wg0 came up but ping failed:

ping: sendmsg: Destination address required
From 10.42.42.11 icmp_seq=10 Destination Host Unreachable

The issue was that for some reason the endpoint address for the peer went missing. Added it back in and worked fine again 👍🏻

boteman commented 1 year ago

I found that when I used a DNS name in the endpoint definition it would disappear later. When I used a numeric IP address it stuck.

I think they discovered that it's trying to resolve the DNS name before the network interface is fully up at boot time, so it fails and just gives up. No idea why it would remove it from the config, that makes no sense.

pixelspark commented 1 year ago

> I found that when I used a DNS name in the endpoint definition it would disappear later. When I used a numeric IP address it stuck.
>
> I think they discovered that it's trying to resolve the DNS name before the network interface is fully up at boot time, so it fails and just gives up. No idea why it would remove it from the config, that makes no sense.

That makes sense, my configuration contained a hostname as well (I actually assumed it would also periodically update that somehow, which is not the case, not even on e.g. Debian with wg-quick).

dulitz commented 1 year ago

It can't periodically update the endpoint by re-resolving the endpoint hostname, because the specified endpoint is only used to bring the tunnel up. Once the tunnel is up, according to the wireguard spec, it will return packets to the most recent address/port from which a valid packet was received. There's no room in that to re-use the pre-specified endpoint until/unless the wireguard interface goes down. If you want it to retry the pre-specified endpoint you'd need to bounce the interface, at which time it ought to re-resolve it.

This is unrelated to anything regarding the procedure EdgeOS is using to bring up the interface initially. If EdgeOS is trying to bring it up too soon and then not retrying later that would be less than ideal, and in theory fixable.

skyliner21 commented 2 months ago

> It can't periodically update the endpoint by re-resolving the endpoint hostname, because the specified endpoint is only used to bring the tunnel up.

Maybe we could add a cron or other daemon to check if the endpoint has changed and bounce the interface
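A periodic job of the kind skyliner21 suggests, covering the hostname-endpoint problem boteman and pixelspark describe: it re-resolves the peer's hostname and, when the answer has changed and the tunnel is no longer handshaking, pushes the new address into the running interface with `wg set ... endpoint` rather than bouncing the interface. This is an added example, not code from the wireguard-vyatta-ubnt project or any commenter. It assumes `wg` is on PATH (on EdgeOS it may need sudo), IPv4 endpoints only, and that the interface name, peer public key, hostname and port are passed as arguments; the 135-second staleness window is the one used by WireGuard's own reresolve-dns helper (REJECT_AFTER_TIME of 180 s minus slack), and the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not project code): cron job that re-resolves a peer endpoint
# hostname and updates the live interface with `wg set`, no bounce needed.
# Assumptions: `wg` on PATH, IPv4 endpoints, four positional arguments.

# Resolve a hostname to its first IPv4 address. A literal IPv4 address passes
# through unchanged so the same job works for numeric endpoints. Prints nothing
# when resolution fails.
resolve_host() {
    host="$1"
    case "$host" in
        *[!0-9.]*) ;;                           # letters or ':' -> treat as hostname
        *) printf '%s\n' "$host"; return 0 ;;   # already a dotted-quad literal
    esac
    if command -v getent >/dev/null 2>&1; then
        getent ahostsv4 "$host" 2>/dev/null | awk 'NR == 1 { print $1 }'
    else
        # busybox nslookup: first "Address" line after the server block
        nslookup "$host" 2>/dev/null | awk 'NR > 2 && /^Address/ { print $NF; exit }'
    fi
}

# A handshake is stale when there has never been one (0) or the last one is
# older than 135 s, i.e. the peer is not answering at the current endpoint.
handshake_stale() {
    last="$1"; now="$2"
    [ "${last:-0}" -eq 0 ] || [ $((now - last)) -gt 135 ]
}

# Decide whether the kernel's endpoint must be replaced: only when DNS
# answered and the answer differs from what `wg show <if> endpoints` reports.
# Returns 0 for "update", 1 for "keep".
endpoint_needs_update() {
    current="$1"; resolved="$2"; port="$3"
    [ -n "$resolved" ] || return 1              # DNS failed: keep the working address
    [ "$current" != "$resolved:$port" ]
}

# Glue for cron. Hypothetical usage:
#   wg-reresolve.sh wg0 <peer-public-key> vpn.example.net 51820
reresolve_endpoint() {
    iface="$1"; peer="$2"; host="$3"; port="$4"
    last=$(wg show "$iface" latest-handshakes | awk -v p="$peer" '$1 == p { print $2 }')
    handshake_stale "${last:-0}" "$(date +%s)" || return 0   # tunnel healthy: leave it alone
    current=$(wg show "$iface" endpoints | awk -v p="$peer" '$1 == p { print $2 }')
    resolved=$(resolve_host "$host")
    if endpoint_needs_update "$current" "$resolved" "$port"; then
        wg set "$iface" peer "$peer" endpoint "$resolved:$port"
        logger -t wg-reresolve "$iface: endpoint for $peer -> $resolved:$port (was ${current:-none})"
    fi
}

if [ $# -eq 4 ]; then
    reresolve_endpoint "$@"
fi
```

The staleness check matters more than it looks: WireGuard roams, so a peer that is handshaking may legitimately sit at an address that differs from its DNS record, and overwriting that working endpoint on every run would break a healthy tunnel. Only when handshakes have stopped is the DNS answer trusted over the kernel's current value. Because `wg set` changes only the endpoint, the session keys and the EdgeOS configuration are untouched; run the job every minute or so from cron as root.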