Cake-wg-pbr script problem

Hello!

In the past this script by @Lynx worked fine until I had to reset my Mochabin.

The log in /tmp/cake-wg-pbr.log says this:

root@Mochabin:~# cat /tmp/cake-wg-pbr.log
What is "193.<snip>.<snip>.<snip>/32"?
Usage: ... u32 [ match SELECTOR ... ] [ link HTID ] [ classid CLASSID ]
               [ action ACTION_SPEC ] [ offset OFFSET_SPEC ]
               [ ht HTID ] [ hashkey HASHKEY_SPEC ]
               [ sample SAMPLE ] [skip_hw | skip_sw]
or         u32 divisor DIVISOR
Where: SELECTOR := SAMPLE SAMPLE ...
       SAMPLE := { ip | ip6 | udp | tcp | icmp | u{32|16|8} | mark }
                 SAMPLE_ARGS [ divisor DIVISOR ]
       FILTERID := X:Y:Z
NOTE: CLASSID is parsed at hexadecimal input.

I'm confused about what I'm missing here. Am I missing a dependency?

It should be this line of code:
tc filter add dev $wan_if parent ffff: protocol ip prio 1 u32 match ip src ${wg_endpoint}/32 action pass

Presumably a dependency? I take it you have installed:

  • tc-tiny
  • kmod-ifb
  • kmod-sched-core
  • kmod-sched-cake

Any ideas @dave14305?


All seem to be installed, I'm running it on 23.05.0-RC3

You could try with tc-full and if that works then perhaps there is another missing dependency. Hopefully @dave14305 has an idea or two.

Is there a chance there is more than one endpoint being detected and passed to the tc command? Never used wireguard myself to know if this is feasible.


This is possible because I also use a wgserver.

When I echo this part of the script I see this:

root@Mochabin:~# echo $(wg show | awk '{if($1 == "endpoint:"){split($2,a,":"); print a[1]}}')
10.234.80.100 (local wgserver) 193.x.x.x (mullvad)

The text between the curly braces is just an indication, not output from the echo command.

edit

I think you found the issue :smiley:. Once I replaced the wg_endpoint with the direct Mullvad VPN endpoint it worked like a charm. Now I only need to figure out how I can make it use the correct one, since I can use multiple peers.

If multiple peers are possible, @Lynx probably needs to loop over the valid peer IPs in a for loop or similar to add multiple filter statements.
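
The loop suggested above, sketched as an added example (not part of the original thread or of @Lynx's script). The function names, the `eth0` interface and the sample `wg show` text are assumptions made for illustration; it also goes slightly beyond the thread by de-duplicating endpoints and skipping IPv6 ones, so each value handed to `tc` is a single IPv4 address.

```shell
#!/bin/sh
# Added example, not part of cake-wg-pbr. Function names are hypothetical.

# Constructed sample shaped like `wg show` output; keys and 203.0.113.7 are placeholders.
sample_wg_show() {
cat <<'EOF'
interface: wgserver
peer: CONSTRUCTED_KEY_1
  endpoint: 10.234.80.100:40312
interface: wgclient
peer: CONSTRUCTED_KEY_2
  endpoint: 203.0.113.7:51820
peer: CONSTRUCTED_KEY_3
  endpoint: [2001:db8::1]:51820
peer: CONSTRUCTED_KEY_4
  endpoint: 203.0.113.7:51820
EOF
}

# Read `wg show` text on stdin; print each unique IPv4 endpoint address, one per line.
# IPv6 endpoints split into more than two ":" fields and are skipped, because the
# u32 "match ip src" selector used by the script is IPv4-only.
wg_ipv4_endpoints() {
    awk '$1 == "endpoint:" {
        n = split($2, a, ":")
        if (n != 2) next
        if (a[1] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        if (!seen[a[1]]++) print a[1]
    }'
}

# Read endpoint addresses on stdin and emit one filter per address on $1.
# Dry run by default (prints the commands); pass "apply" as $2 to execute them.
add_endpoint_filters() {
    wan_if=$1
    if [ "${2:-}" = apply ]; then run=""; else run=echo; fi
    while read -r ep; do
        $run tc filter add dev "$wan_if" parent ffff: protocol ip prio 1 \
            u32 match ip src "${ep}/32" action pass
    done
}

# Dry run against the sample. On the router:
#   wg show | wg_ipv4_endpoints | add_endpoint_filters "$wan_if" apply
sample_wg_show | wg_ipv4_endpoints | add_endpoint_filters eth0
```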


Isn't there only ever just one endpoint currently active and wouldn't the hotplug script result in recapturing any endpoint change?

I'm afraid both are active.

The wgserver is kind of configured like a road warrior, so my phone uses a local VPN connection to the Mochabin. Basically, it shows my phone as an endpoint referring to the 10.234.80.100 IP, and then cascades it to Mullvad via the wgclient interface.

So is it the case that we need to loop over endpoints?

Since this setup is more complicated, you might like to consider trying cake-dual-ifb:

It operates using a different mechanism altogether that would deal with this situation I think. Also it means you can properly leverage DSCPs, which is not possible with the wireguard-specific solution.

Slightly more challenging to set up but it's a more powerful solution.


Thank you, I'm going to look into this :+1:
