[Solved] Should I report a WireGuard problem as a 'bug'?

BT HomeHub 5 OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152)

Loaded kmod-wireguard, wireguard-tools and luci-proto-wireguard.

Everything appears fine until it comes to the 'Allowed IPS' in the 'Peer' Section.

Via LuCI, having one entry e.g. '192.168.1.2/32' seems to cause no issue.
Using the '+' to add another e.g. '192.168.2.0/24' and on pressing 'apply and save', the whole system hangs - LuCI stops responsing, the open ssh terminal connection stops responding and the only way to recover is to do a hard reset of the router back to original setup !

Editing the /etc/config/network instead of using LuCI and adding the second entry that way, causes exactly the same when the interface is reloaded.

As the only way I have been able to recover is to do a reset, I am reluctant to try again as I have had to go through setting everything up again (although I have now created the basic recovery to allow getting back to basics much easier.

I am new to OpenWrt, so it may be the mistake is mine, but if it is, it can only be that the entry I am making via LuCI or /etc/config/network is incorrect as that is all I am doing when this total freeze happens.

Is it a bug do you think ? Thank you for any comments/assistance. Habs.

I don't experience the issue you describe using Wireguard on any device.

Are you sure thay you're not making a second route to a network that already exists?

Thank you for taking time to reply.

Do you mean making a duplicate to a route in the linux routing table on the openwrt router ?

As far as I understood, the 'allowed-ips' config of WireGuard is just about specifying the ip's that are allowed down the tunnel. Regarding the flag (in LuCI) of 'add routing' in the peer section, could it be (if I am duplicating something in the linux routing) that is trying to add a route to what is already there ?

In any case, openwrt router goes into meltdown instead of gracefully (perhaps) declining the action !

I'll try further and have a go with the 'add routing' un-ticked and or try completely different ip networks that I know are not present in 'allowed-ips'.

I'm just nervous as all I can do is do a complete reset if the same problem occurs.

I'm asking do you have two networks that are numbered identically. Your tunnel should be numbered differently.

Very simply...do these IPs exist on any other interfaces?

No.

The tunnel address(es) are different - in fact all of them are different and I did that just in case.

I will revisit just to make sure nothing is lurking about.

I've just upgraded some router software, so maybe that will help (I doubt it - live in hope - or maybe it will go away like most technical glitches).

:slight_smile:

This could be stupidity on my part, or maybe I did not understand the config of WireGuard too well.

I was using a network range in the 'allowed-ips' for a peer that was also the same as a setting for another interface on the router (nothing to do with the WG interface). That's the only thing I could see that would be a possible conflict.

My view was that I expected the peer to be making requests to addresses on that network (at some point when I'd got it working) and therefore that address range needed to be in the 'allowed-ips'. This is seemingly not correct.

Perhaps that is the problem as it seems to have no further issue as reported if I do not do this - although I am not going back to try it as I can not face another reset and reinstall just now.

I am trying to get to grips too with firewall settings and what needs to be opened for WG to work etc. I will start a different thread if I do not get anywhere.

Thank you for the comments and questions, it has drawn my attention to a few things I am getting wrong!

Please provide a copy of /etc/config/network for both devices.

This is correct, you also need to make a route; but this depends on what you want to route over the tunnel; and that no IP conflicts exist.

It's only a conflict if that's also the IP of the interface (not talking about the allolwed-ips yet).

  • Why don't you describe all networks involved; and what you're [fully] trying to accomplish?

i am not sure how or if one marks topics as 'solved', but in any case this one is.

It was a case of my error and not carefully ensuring addresses and routes I had entered made sense...possibly my first foray into Wireguard too hasn't helped. Any way..all working now.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.