WireGuard / wireguard-vyatta-ubnt

WireGuard for Ubiquiti Devices
https://www.wireguard.com/
GNU General Public License v3.0

route-allowed-ips in startup config #98

Closed SwimGeek closed 2 years ago

SwimGeek commented 2 years ago

Hi

It seems that after I disable 'route-allowed-ips true' and do a commit and save, the feature is still enabled in startup config file: /config/config.boot

For my use, it seems that I need route-allowed-ips to be off, else I get an RTNETLINK error when trying to add allowed-ips configs. So currently when I reboot my ER-X things break pretty badly.

I'm using: EdgeRouter X 5-Port with OS: v2.0.9-hotfix.2 and Wireguard: e50-v2-v1.0.20210606-v1.0.20210424.deb

SwimGeek commented 2 years ago

After manually editing the config.boot file things also did not work. If I boot the ER-X with only the endpoint defined, and then add the allowed-ips after boot - things work. So basically the VPN config can't survive a reboot.

dulitz commented 2 years ago

Was just looking at this: https://github.com/Lochnair/vyatta-wireguard/issues/6 .

One thing stood out to me: your wording in the sentence "after I disable route-allowed-ips true." I would have expected you to say, "after I set route-allowed-ips false."

What does show interfaces wireguard wg0 route-allowed-ips print?

dulitz commented 2 years ago

If it prints "false" and you still think the allowed IPs are being routed, maybe instrument /opt/wireguard/update-routes.sh to see if routes are being attempted to be added there?

SwimGeek commented 2 years ago

My latest theory is that 'route-allowed-ips' is not the problem - even though it gets enabled by default.

I suspect what happens after a reboot is that the endpoint/tunnel is not connected when it attempts to add the routes defined by the allowed-ips config. Maybe it needs to wait a few seconds before it adds the routes.

SwimGeek commented 2 years ago

To disable 'route-allowed-ips' I used:

delete interfaces wireguard wg0 route-allowed-ips true

which seems to remove it from the running config

SwimGeek commented 2 years ago

At the moment it shows:

show interfaces wireguard wg0 route-allowed-ips

route-allowed-ips true

dulitz commented 2 years ago

Yeah, deleting true is not how to set false.

set interfaces wireguard wg0 route-allowed-ips false

Not sure this will solve your problem but start there.

SwimGeek commented 2 years ago

I suspect my initial guess about route-allowed-ips was wrong.

I'll open another ticket / issue.
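
Added example, not part of the thread above or the project's own code: a check of which route-allowed-ips value a saved config will apply to each WireGuard interface at boot, distinguishing an explicit `false` from a deleted node. It assumes the usual Vyatta brace layout of config.boot and, following what the thread reports after `delete`, treats an absent node as `true`; `WG_ROUTE_DEFAULT`, the function names and the sample config are hypothetical.

```shell
# Constructed sample in config.boot layout (keys and addresses are placeholders).
sample_config() {
cat <<'EOF'
interfaces {
    wireguard wg0 {
        address 10.10.0.1/24
        peer PLACEHOLDER_PUBKEY_A {
            allowed-ips 10.10.0.2/32
        }
        route-allowed-ips false
    }
    wireguard wg1 {
        address 10.20.0.1/24
        peer PLACEHOLDER_PUBKEY_B {
            allowed-ips 10.20.0.0/24
        }
    }
}
EOF
}

# Usage: route_allowed_ips_report < /config/config.boot
# Prints "<ifname> <value> <explicit|default>" for each wireguard interface.
# Assumption: an absent node falls back to WG_ROUTE_DEFAULT (true if unset).
route_allowed_ips_report() {
    awk -v dflt="${WG_ROUTE_DEFAULT:-true}" '
        # Start of a wireguard interface block: remember its name, depth 1.
        in_wg == 0 && $1 == "wireguard" && $NF == "{" {
            in_wg = 1; name = $2; depth = 1; value = ""; next
        }
        in_wg {
            if ($NF == "{") { depth++; next }      # nested block such as peer
            if ($1 == "}") {
                depth--
                if (depth == 0) {                  # interface block closed
                    if (value == "") print name, dflt, "default"
                    else print name, value, "explicit"
                    in_wg = 0
                }
                next
            }
            # Only a node directly under the interface counts.
            if (depth == 1 && $1 == "route-allowed-ips") value = $2
        }
    '
}

sample_config | route_allowed_ips_report
```

An interface reported as `true default` is one where the node was deleted rather than set to false, which is the state the `show` output in the thread reflects.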