search

WireGuard / wireguard-vyatta-ubnt

WireGuard for Ubiquiti Devices
https://www.wireguard.com/
GNU General Public License v3.0
1.45k stars 68 forks source link

Strange routes when using more than one wg interface #145

Open WojtekWaga opened 1 year ago

WojtekWaga commented 1 year ago

Package version

1.0.20220627-1

Firmware version

2.0.9-hotfix.6

Device

EdgeRouter Lite / PoE - e100

Issue description

When configuring more than one wgX interface I'm getting odd routes in the routing table:

image

Configuration and log output

interfaces {
     ethernet eth0 {
         description WAN
         duplex auto
         mtu 1500
         speed auto
         vif 35 {
             description FTTH
             pppoe 0 {
                 default-route auto
                 firewall {
                     local {
                         name WAN_LOCAL
                     }
                 }
                 mtu 1492
                 name-server auto
                 password xxxxxx
                 user-id xxxxxx
             }
         }
     }
     ethernet eth1 {
         address dhcp
         description "WAN 2"
         disable
         duplex auto
         firewall {
             in {
                 name WAN_IN
             }
             local {
             }
         }
         speed auto
     }
     ethernet eth2 {
         description Local
         duplex auto
         firewall {
             in {
                 modify balance
             }
         }
         speed auto
         vif 101 {
             address 192.168.xxxxxx/24
             description LAN
             mtu 1500
         }
         vif 102 {
             address 192.168.xxxxxx/24
             description CAM
             firewall {
                 in {
                     name CAM
                 }
             }
             mtu 1500
         }
         vif 104 {
             address 192.168.xxxxxx/24
             description Automatyka
         }
         vif 105 {
             address 192.168.xxxxxx/24
             description Drukarka
             mtu 1500
         }
         vif 106 {
             address 192.168.xxxxxx/24
             description IoT
             firewall {
                 in {
                     name IoT
                 }
             }
             mtu 1500
         }
         vif 200 {
             address 192.168.xxxxxx/24
             description GST
             firewall {
                 in {
                     name GST
                 }
             }
             mtu 1500
         }
     }
     loopback lo {
     }
     wireguard wg0 {
         address 192.168.xxxxxx/24
         firewall {
             in {
                 name vpn
             }
         }
         listen-port 32768
         mtu 1420
         peer xxxxxx {
             allowed-ips 192.168.xxxxxx/24
         }
         private-key /config/auth/wg.key
         route-allowed-ips true
     }
     wireguard wg1 {
         address 10.0.0.110/24
         firewall {
             in {
                 name Marcin
             }
         }
         listen-port 32769
         mtu 1420
         peer xxxxxx {
             allowed-ips 10.0.0.0/24
             endpoint xxxxxx
         }
         private-key /config/auth/wg.key
         route-allowed-ips true
     }
 }
chri2 commented 9 months ago

Just stumbled over this or something very similar:

wireguard 1.0.20220627-1

Version:      v2.0.9-hotfix.7
Build ID:     5622762
Build on:     06/15/23 11:31
Copyright:    2012-2020 Ubiquiti Networks, Inc.
HW model:     EdgeRouter 4

I found a suspicious route for 0.0.0.0/24. After deleting that route i found that it reappeared after setting one of the wireguard interfaces down:

root@wand:~# ip li li | grep wg
29: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
30: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
root@wand:~# ip ro li | grep wg
0.0.0.0/24 dev wg1 proto kernel scope link 
10.10.0.0/24 dev wg1 proto kernel scope link src 10.10.0.3 
192.168.179.0/24 dev wg0 proto kernel scope link src 192.168.179.254 
root@wand:~# ip ro del 0.0.0.0/24
root@wand:~# ip ro li | grep wg
10.10.0.0/24 dev wg1 proto kernel scope link src 10.10.0.3 
192.168.179.0/24 dev wg0 proto kernel scope link src 192.168.179.254 
root@wand:~# ip li set wg1 down
root@wand:~# ip ro li | grep wg
0.0.0.0/24 dev wg0 proto kernel scope link 
192.168.179.0/24 dev wg0 proto kernel scope link src 192.168.179.254

Also re-enabling the interface does let the suspicious route re-appear.

graelo commented 7 months ago

I have the same issue with the e300-v2 (ER-6P).