Incorrect route created by WireGuard on if-up

Since a recent update of a peer to 23.05.0 and a subsequent patch update (yesterday), WireGuard has started mangling the creation of a route to a peer network when the interface is brought up.

I suspect the issue is related to the update to netifd 2023-11-07-516ab774-1 » 2023-11-10-35facc83-1

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd15:efe1:81fa::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.10.1/24'

config device
	option name 'eth0.2'
	option macaddr '28:ee:52:62:e3:b4'

config interface 'wan'
	option device 'eth0.2'
	option proto 'pppoe'
	option ipv6 'auto'
	option username 'VVV'
	option password 'WWW'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'wg11'
	option proto 'wireguard'
	list addresses '192.168.10.211'
	option listen_port '51810'
	option private_key 'XXX'

config wireguard_wg11
	option description 'Peer Router'
	option route_allowed_ips '1'
	option endpoint_host '5.6.7.8'
	option persistent_keepalive '30'
	option public_key 'YYY'
	option preshared_key 'ZZZ'
	option endpoint_port '51810'
	list allowed_ips '192.168.11.0/24'
	list allowed_ips '192.168.10.211'

When the interface is brought up, the routing table is as follows:

default via 1.2.3.4 dev pppoe-wan 
0.168.11.0/24 dev wg11 scope link
1.2.3.4 dev pppoe-wan scope link  src 4.3.2.1 
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1 
192.168.10.211 dev wg11 scope link 
5.6.7.8 via 1.2.3.4 dev pppoe-wan 

To restore connectivity to the remote network, I manually create the correct route to 192.168.11.0/24 to replace the route to 0.168.11.0/24 which was created when the interface came up:

ip route add 192.168.11.0/24 via 192.168.10.211

Has anyone else encountered this / thoughts ?

Thanks in advance.

Not seen any similar issues in my setup, but my netifd version is slightly older (2023-09-19-7a58b995-2)

This shouldn't be an address from an existing subnet.

This is unnecessary (and doesn't do anything). The peer isn't sending to or receiving from that address.


Configuring your own IP as an allowed_ip is wrong. Take that out. Allowed_ips are IPs that exist on the other side of the tunnel. Packets with a source IP matching an allowed IP will be allowed in, and packets with a destination IP matching an allowed IP will be routed out.

In a point-to-point situation, technically the tunnel itself does not need to hold an IP at all, though setting up a basic /24 that doesn't overlap anything else in the system is useful for troubleshooting. It should be defined as /24 in the config interface (proto wireguard) section, as that will install a route to other peers.


You updated 1 day too early :)
For me it was solved with 23.05.2


Thanks for the feedback.

When initially configuring the WireGuard peers, I misunderstood the 'recommended' label in the IP Addresses field in the General Settings tab.

Removing the local subnet IP address did not resolve the issue, but does simplify the configuration.

Per my reply to krazeh, thanks for the feedback !

It is not only the following which is wrong and should be removed:

But also the WG interface list address is wrong:

WireGuard is a routed solution, and there need to be three different subnets: the server, the client and WireGuard all need to have different subnets (theoretically the WG interface does not need an address, but for all practical purposes you should add one).

Furthermore, it is advised not only to set the IP address but also to specify the subnet with /24, e.g. `list addresses '192.168.222.1/24'`.
This will automatically create a default route via the WG interface for the WG subnet.

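The two configuration points raised in the replies above (an allowed_ip that is the interface's own address, and an interface address given without a prefix length) and the original poster's mangled route can all be caught mechanically. The following is an added example, not code from the original thread or from OpenWrt/netifd: it parses the subset of UCI syntax used in the posted /etc/config/network, derives the routes netifd should install for a proto 'wireguard' interface (allowed_ips when route_allowed_ips is '1', plus the interface's own subnet when the address carries a prefix), flags the configuration mistakes, and diffs the expected routes against `ip route` output. The config and routing table embedded below are constructed from the thread; the function names and finding texts are this example's own.

```python
"""Check WireGuard peer settings in an OpenWrt /etc/config/network and compare
the routes netifd should install with what `ip route` actually shows."""
import ipaddress
import re

# Constructed sample: the original poster's config, reduced to the relevant sections.
SAMPLE_CONFIG = """
config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    list ipaddr '192.168.10.1/24'

config interface 'wg11'
    option proto 'wireguard'
    list addresses '192.168.10.211'
    option listen_port '51810'

config wireguard_wg11
    option description 'Peer Router'
    option route_allowed_ips '1'
    option endpoint_host '5.6.7.8'
    list allowed_ips '192.168.11.0/24'
    list allowed_ips '192.168.10.211'
"""

# Constructed sample: the routing table the original poster observed after if-up.
SAMPLE_ROUTES = """
default via 1.2.3.4 dev pppoe-wan
0.168.11.0/24 dev wg11 scope link
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1
192.168.10.211 dev wg11 scope link
"""


def parse_uci(text):
    """Parse the UCI subset used here into [(section_type, section_name, {key: [values]})]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\S+)(?:\s+'?([^']*)'?)?$", line)
        if m:
            sections.append((m.group(1), m.group(2) or "", {}))
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'", line)
        if m and sections:
            sections[-1][2].setdefault(m.group(2), []).append(m.group(3))
    return sections


def check_wireguard(sections):
    """Return (findings, expected_routes) for every proto 'wireguard' interface."""
    local_nets = []  # subnets on non-WireGuard interfaces, e.g. br-lan
    wg_ifaces = {}
    for stype, name, opts in sections:
        if stype != "interface":
            continue
        if opts.get("proto", [""])[0] == "wireguard":
            wg_ifaces[name] = opts
        else:
            for a in opts.get("ipaddr", []):
                if "/" in a:
                    local_nets.append(ipaddress.ip_network(a, strict=False))
    findings, expected = [], set()
    for name, opts in wg_ifaces.items():
        own_addrs = set()
        for a in opts.get("addresses", []):
            iface = ipaddress.ip_interface(a)
            own_addrs.add(iface.ip)
            if "/" not in a:
                findings.append(f"{name}: address {a} has no prefix length, so no subnet route is installed")
            elif iface.network.prefixlen < iface.network.max_prefixlen:
                expected.add(str(iface.network))  # subnet route netifd installs for the WG address
            for lnet in local_nets:
                if iface.ip in lnet:
                    findings.append(f"{name}: address {a} lies inside local subnet {lnet}")
        for stype, _, popts in sections:
            if stype != f"wireguard_{name}":
                continue
            for a in popts.get("allowed_ips", []):
                net = ipaddress.ip_network(a, strict=False)
                if net.num_addresses == 1 and net.network_address in own_addrs:
                    findings.append(f"{name}: allowed_ip {a} is the interface's own address; remove it")
                for lnet in local_nets:
                    if net.overlaps(lnet):
                        findings.append(f"{name}: allowed_ip {a} overlaps local subnet {lnet}")
                if popts.get("route_allowed_ips", ["0"])[0] == "1":
                    expected.add(str(net))  # route_allowed_ips '1' routes each allowed_ip via the tunnel
    return findings, expected


def compare_routes(expected, ip_route_output, dev):
    """Return (expected routes missing on dev, routes present on dev that were not expected)."""
    installed = set()
    for line in ip_route_output.splitlines():
        parts = line.split()
        if "dev" in parts and parts[0] != "default" and parts[parts.index("dev") + 1] == dev:
            installed.add(str(ipaddress.ip_network(parts[0], strict=False)))
    return sorted(expected - installed), sorted(installed - expected)


if __name__ == "__main__":
    findings, expected = check_wireguard(parse_uci(SAMPLE_CONFIG))
    for f in findings:
        print("config:", f)
    missing, unexpected = compare_routes(expected, SAMPLE_ROUTES, "wg11")
    print("missing on wg11:", missing)      # the 192.168.11.0/24 route netifd should have added
    print("unexpected on wg11:", unexpected)  # the mangled 0.168.11.0/24 route
```

On a router this would be run as `python3 wgcheck.py` with SAMPLE_CONFIG replaced by the contents of /etc/config/network and SAMPLE_ROUTES by the output of `ip route`; the route comparison is a useful post-upgrade check because a wrong prefix, as in the thread, silently drops the remote subnet instead of producing an error.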
