tusc / wireguard-kmod

WireGuard for UDM series routers
https://www.wireguard.com/

UDM-P crashes when starting VPN #52

Closed clarkewing closed 2 years ago

clarkewing commented 2 years ago

Hello!

I have been using Wireguard-kmod along with peacey's split-vpn package for a few months without issue. Recently, we decided that we now want to route all our traffic through the VPN, the UDM-P being configured as a Wireguard client.

As such, I removed the startup script for split-vpn and began to set everything up directly with this package. However, now when I try to run wg-quick up hoppy (hoppy being the configured interface name), the SSH connection is dropped and the UDM-P automatically reboots.

I believe my config is set up properly as it's essentially a carbon copy of the one I had with the split-vpn package with the PreUp and PostUp hooks removed.

Any idea what could be causing the crash and subsequent restart?

Thanks!

peacey commented 2 years ago

Hi @clarkewing,

Are you sure the UDMP is rebooting or is the SSH connection just dropping? Once you log back in, is the uptime reset?

Which version of the UDM are you using? If it is really crashing, can you show us the output of cat /sys/fs/pstore/console-ramoops-0 after the UDM restarts from the crash? That should contain any kernel errors.

Finally, if you're using the built-in WireGuard module on 1.11, can you switch to the external module by modifying setup_wireguard.sh and setting LOAD_BUILTIN=0 at the top? The external module is a newer version. Then when you run the script, check the output of dmesg to see the correct version loaded (1.0.20211208).

clarkewing commented 2 years ago

Hey @peacey,

Thanks for these troubleshooting steps. I’m out of the office, but I’ll try them out when I’m back in next week.

clarkewing commented 2 years ago

Hi @peacey,

I can't seem to get the UDM-Pro to crash anymore (I guess that's a good thing!).

I went ahead and set LOAD_BUILTIN=0 nonetheless as that got me around issues I was experiencing having ::/0 in my AllowedIPs.

Now however, while the UDM-Pro doesn't crash, when I run wg-quick up hoppy (hoppy being the name of my interface), I'm unable to connect to the internet. All pings time out.

When I run wg, I get the following output:

interface: hoppy
  public key: (redacted)
  private key: (hidden)
  listening port: 48258
  fwmark: 0xca6c

peer: (redacted)
  endpoint: (redacted):51820
  allowed ips: 0.0.0.0/1, 128.0.0.0/1, ::/0
  latest handshake: 59 seconds ago
  transfer: 92 B received, 4.02 GiB sent
  persistent keepalive: every 55 seconds

Of particular note is that, while the received data stays stable at 92 B, the sent data continues to climb every time I run wg.

Any idea what could be causing this?

clarkewing commented 2 years ago

Closing this because it seems my issues were due to improper credentials.

peacey commented 2 years ago

Glad everything worked out, @clarkewing.

Just FYI, the built-in modules do not contain the iptables raw modules, which are needed to support ::/0 in AllowedIPs. You can, however, use ::/1,8000::/1 instead, which covers the catch-all subnet ::/0 and does not require the iptables raw modules to work.

We do include the iptables raw modules with this package, and selecting the external module does load them, which is why ::/0 worked with the external module option.
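The workaround above (two /1 halves instead of a /0 catch-all, as the IPv4 half of the wg output in this thread already does) can be applied mechanically. This is an added example, not part of wireguard-kmod or split-vpn; the sample config, its placeholder keys and the endpoint hostname are constructed.

```python
import ipaddress

# Constructed sample client config; keys and endpoint are placeholders.
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = <redacted>
Address = 10.0.0.2/32

[Peer]
PublicKey = <redacted>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 55
"""

def to_networks(entries):
    """Parse a list of AllowedIPs strings into ip_network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]

def split_catch_all(entries):
    """Replace every /0 entry with its two /1 halves, keep the rest as-is.

    A /0 makes wg-quick take its default-route path (fwmark plus iptables
    rules in the raw table), which fails where the raw modules are missing,
    as this thread describes. Two /1 routes cover the same address space
    without entering that path.
    """
    out = []
    for net in to_networks(entries):
        if net.prefixlen == 0:
            out.extend(str(half) for half in net.subnets(prefixlen_diff=1))
        else:
            out.append(str(net))
    return out

def same_coverage(a, b):
    """True if two AllowedIPs lists cover exactly the same address space."""
    def collapsed(entries):
        nets = to_networks(entries)
        result = set()
        for version in (4, 6):  # collapse_addresses needs one family at a time
            result.update(ipaddress.collapse_addresses(
                [n for n in nets if n.version == version]))
        return result
    return collapsed(a) == collapsed(b)

def rewrite_config(text):
    """Return the config text with every AllowedIPs line rewritten."""
    lines = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "allowedips":
            line = f"{key.rstrip()} = {', '.join(split_catch_all(value.split(',')))}"
        lines.append(line)
    return "\n".join(lines) + "\n"
```

`same_coverage` lets you confirm the rewritten list still routes everything the original did before you bring the interface up.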