WireGuard / wireguard-vyatta-ubnt

WireGuard for Ubiquiti Devices
https://www.wireguard.com/
GNU General Public License v3.0

Config fails at reboot #99

Open SwimGeek opened 2 years ago

SwimGeek commented 2 years ago

Hi. My WireGuard config on an ER-X works until I reboot the device.

When it reboots the allowed-ips sections fall away. I think it's because the endpoint is not yet up and then RTNETLINK errors are generated because it can't add the routes.

If I only set the endpoint, remove the rest of the config, then reboot it, and then add the allowed-ips section manually, all is happy.

Could it be a timing thing? Maybe it needs to check the endpoint is up before adding routes?

Please try to reproduce this problem.

I'm using: EdgeRouter X 5-Port with OS: v2.0.9-hotfix.2 and WireGuard: e50-v2-v1.0.20210606-v1.0.20210424.deb

Here is my config (with small modifications for privacy)

show interfaces wireguard

```
wireguard wg0 {
    address 10.10.10.2/24
    address 200f:0:0:0::2/64
    mtu 1420
    peer YKDkblahblahblahblahblahblahblahblahHo= {
        allowed-ips 10.10.10.1/32
        allowed-ips ::0/0
        endpoint vpn.myserver.com:51820
        persistent-keepalive 30
    }
    private-key /config/auth/wg.key
    route-allowed-ips true
}
```

Thanks!

dulitz commented 2 years ago

There is not remotely enough information here to try to replicate anything.

To answer your question, no the endpoint does not need to be up before adding routes.

Before anyone can help, you'll need to answer these questions:

SwimGeek commented 2 years ago

I think the problem is related to IPv6...

...

show interfaces wireguard

```
wireguard wg0 {
    address 10.10.10.2/24
    mtu 1420
    peer YKDblahblahblahblahblahblahblahblahblahblah= {
        allowed-ips 10.10.10.1/32
        endpoint vpn.atomic.ac:51820
        persistent-keepalive 25
    }
    private-key /config/auth/wg.key
    route-allowed-ips true
}
```
...

If I boot with the above IPv4 config all is happy

...
```
set interfaces wireguard wg0 address 2c0f:0:0:0::2/64
set interfaces wireguard wg0 peer YKDblahblahblahblahblahblahblahblahblahblah= allowed-ips ::/0
```
...

If I add the above two config lines the v6 VPN works, but if I save this config and reboot, wireguard seems to fail to start

If the startup config contains "address 2c0f:0:0:0::2/64" OR "allowed-ips ::/0" the endpoint fails to start up.

...

show interfaces wireguard

```
wireguard wg0 {
    address 10.10.10.2/24
    address 2c0f:0:0:0::2/64
    mtu 1420
    peer YKDblahblahblahblahblahblahblahblahblahblah= {
        allowed-ips 10.10.10.1/32
        allowed-ips ::/0
        endpoint vpn.atomic.ac:51820
        persistent-keepalive 25
    }
    private-key /config/auth/wg.key
    route-allowed-ips true
}
```

dulitz commented 2 years ago

I'm particularly suspicious that you are getting RTNETLINK errors even if there is no IPv6 allowed-ips entry, just with the 2c0f::2/64 address.

Looking at ip addr can you double check you don't have any other interfaces in 2c0f::/64?

What happens if you give wg0 a known unique IPv6 address like fd11:3bba:1234::2 and don't include any allowed-ips?

I also have questions about your first followup to this issue.

> allowed-ips sections fall away = the lines in the config related to allowed-ips go away after reboot - they are not active in the running config anymore

I am still unclear. show interfaces wireguard wg0 prints exactly what you included above, except the IPv4 and IPv6 allowed-ips lines are both missing? And what does sudo wg show wg0 say in that case? Does that output show allowed_ips?

> "set interfaces wireguard wg0 route-allowed-ips false" - that seems to do nothing as far as I can tell. route-allowed-ips is still true / active in running config.

Then something is very broken in your installation and you should get it fixed, including reinstalling from factory reset if need be. Lots of us are running with route-allowed-ips false (I am, for example) and that is how we all set it. Remember you need to commit in order for any changes to take effect in the running config.

When you say it is "true / active in the running config" you are not being clear. Are you saying you ran

set interfaces wireguard wg0 route-allowed-ips false
show interfaces wireguard wg0 route-allowed-ips

and it printed route-allowed-ips true? Because that's a level of broken I've never seen. Do a full factory reset and reinstall.

Are you saying you ran those commands, and committed, but your routing tables still had routes for interface wg0? I wouldn't be surprised because wireguard is a post-release patch to the Vyatta config system and it may not cover this corner case. But that is not the same as saying it is true/active in the running config. To test that you would:

  1. Start with your IPv4-only config, commit, and save. After you reboot, your routing table (show ip route) should be the same regardless of whether route-allowed-ips is true or false, because you've specified 10.10.10.2/24 as your local address for wg0 and 10.10.10.1 is within that subnet.
  2. set route-allowed-ips false and commit. Then add your IPv6 address and the allowed-ip ::/0 and commit. Now your routing table should not have a route for ::/0 to wg0.
  3. set route-allowed-ips true and commit. Now your routing table should have a route for ::/0 to wg0.

SwimGeek commented 2 years ago

Hi, about the last part of your message - the 1, 2, 3 part. This is pretty much what I did.

It boots into v4 only config, and then everything works as expected. I keep route-allowed-ips as true - because I want the ::/0 route to be added.

I then give the wg0 interface a v6 IP and add allowed-ip ::/0 and commit.

At this point everything works as I would like it to. I just can't do a 'save' and 'reboot'.

...

Maybe it wants the v4 endpoint to be up before adding the v6 config?

SwimGeek commented 2 years ago

This solves my problem. Boot with v4 config, add v6 config later. I can now reboot my router and everything works as expected.

...

```
cat /config/scripts/post-config.d/boot.sh
```

```
#!/bin/vbash
# post-config.d script: runs after the boot config has been applied and adds
# the IPv6 lines that fail when they are present in the boot config itself
source /opt/vyatta/etc/functions/script-template
configure
set interfaces wireguard wg0 address 2c0f:0:0:0::2/64
set interfaces wireguard wg0 peer YKDblahblahblahblahblahblahblahblahblahblah= allowed-ips ::/0
commit
exit
```

...

vchrizz commented 1 year ago

Could it be that the router has no internet connection when the wireguard peer(s) get connected? Try to use a specific IP as endpoint instead of a DNS name. See also #95 (and maybe #124).
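
An added example, not from this issue and not part of the wireguard-vyatta-ubnt project: a post-config.d script that combines SwimGeek's boot.sh workaround with vchrizz's suggestion. Instead of adding the IPv6 lines immediately after boot, it waits until the endpoint hostname resolves and only then opens a config session and adds the IPv6 address and the ::/0 allowed-ips. The endpoint name, the peer key and the addresses are placeholders, and the premise that name resolution is what is missing at boot is the thread's hypothesis, not a confirmed cause. The helper functions are plain POSIX shell so they can be tried off the router; the config session is only opened when /opt/vyatta/etc/functions/script-template exists, i.e. on EdgeOS.

```shell
#!/bin/vbash
# Added example, not the project's or the issue's own code. Install as
# /config/scripts/post-config.d/wg0-ipv6.sh and make it executable. It waits
# for the WireGuard endpoint name to resolve, then adds the IPv6 address and
# the ::/0 allowed-ips that failed when present in the boot config.
# Placeholders (assumptions): ENDPOINT, WG_V6_ADDR and PEER_KEY.

ENDPOINT="vpn.myserver.com:51820"   # placeholder endpoint, host:port
WG_IF="wg0"
WG_V6_ADDR="2c0f:0:0:0::2/64"       # placeholder IPv6 address for wg0
PEER_KEY="YKD...="                  # placeholder: the peer's public key
MAX_TRIES=30                        # 30 tries x 5 s = up to 2.5 min after boot
SLEEP_SECS=5
TAG="wg0-ipv6"                      # syslog tag for logger

# Extract the host part of "host:port" or "[v6-literal]:port".
endpoint_host() {
    case "$1" in
        \[*\]:*) local h="${1#\[}"; printf '%s\n' "${h%%\]*}" ;;
        *)       printf '%s\n' "${1%:*}" ;;
    esac
}

# Return 0 once the name resolves through the libc resolver (/etc/hosts and
# the DNS servers in /etc/resolv.conf), 1 after $2 failed attempts $3 s apart.
wait_for_endpoint() {
    local host="$1" tries="${2:-$MAX_TRIES}" pause="${3:-$SLEEP_SECS}" i=0
    while [ "$i" -lt "$tries" ]; do
        if getent hosts "$host" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep "$pause"
    done
    return 1
}

# Open a Vyatta config session and add the IPv6 part of the wg0 config:
# the same two set commands as the boot.sh posted in this thread.
apply_ipv6_config() {
    . /opt/vyatta/etc/functions/script-template
    configure
    set interfaces wireguard "$WG_IF" address "$WG_V6_ADDR"
    set interfaces wireguard "$WG_IF" peer "$PEER_KEY" allowed-ips ::/0
    commit
    exit
}

main() {
    local host
    host="$(endpoint_host "$ENDPOINT")"
    if wait_for_endpoint "$host"; then
        logger -t "$TAG" "endpoint $host resolves, adding IPv6 config to $WG_IF"
        apply_ipv6_config
    else
        logger -t "$TAG" "endpoint $host did not resolve after $MAX_TRIES tries, IPv6 config not added"
        return 1
    fi
}

# Only open a config session on EdgeOS; elsewhere the helpers can be exercised
# on their own.
if [ -e /opt/vyatta/etc/functions/script-template ]; then
    main
fi
```

The IPv4 part of the config stays in the boot config exactly as in the workaround above; the script only adds the two IPv6 lines once the name resolves, and logger writes to syslog so `show log` tells you whether, and after how long, that happened. If the endpoint never resolves within the retry window the IPv6 lines are simply not added, which is the same state the router boots into today.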