Static route problem

Hmmm, not so straightforward.

The uci syntax for routes is

network.@route[1].interface='Proton123'
network.@route[1].interface.disabled='1'

So I'd have to add variables for the routes too (unless there's a way to target the network.@route[1].interface.disabled parameter via the network.@route[1].interface='*name*' parameter).

Is there a way to do that with uci?

I just do it like this.

Create multiple WG interfaces. In this example I have two interfaces, one to Proton and one to Mullvad; both are made with option ip4table '100', but only one interface is active at a time. At this moment it is Proton which is active:

config interface 'wg_proton_nl'
	option proto 'wireguard'
	option private_key 'UJmovc='
	list dns '10.2.0.1'
	list addresses '10.2.0.2/24'
	option ip4table '100'

config wireguard_wg_proton_nl
	option description 'wg_proton_nl-NL-FREE-1.conf'
	option public_key 'vH2i8RY1qc6='
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option persistent_keepalive '25'
	option endpoint_host '217.23.3.76'
	option endpoint_port '51820'
	option route_allowed_ips '1'

config interface 'wg_mullv_se'
	option proto 'wireguard'
	option private_key 'iLFBBBe='
	list addresses 'fc00:bbbb:bbbb:bb01::6:4edd/64'
	list addresses '10.69.78.222/24'
	list dns '2a07:e340::3'
	list dns '194.242.2.3'
	option ip4table '100'
	option disabled '1'       # disabled at this time

config wireguard_wg_mullv_se
	option description 'mullvad-se-got-wg-004.conf'
	option public_key 'veGD6/='
	option persistent_keepalive '25'
	option endpoint_host '185.213.154.69'
	option endpoint_port '51820'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'

With Proton active I have this table 100 with default route via Proton:
ip route show table 100

root@DL-WRX36:~# ip ro show table 100
default dev wg_proton_nl proto static scope link
10.2.0.0/24 dev wg_proton_nl proto static scope link
root@DL-WRX36:~#

When I disable the Proton interface and enable the Mullvad interface I have this table 100:

root@DL-WRX36:~# ip ro show table 100
default dev wg_mullv_se proto static scope link
10.69.78.0/24 dev wg_mullv_se proto static scope link

So by simply disabling and enabling a tunnel I make a different table 100.

This enabling and disabling is exactly what my script does: you start with one tunnel enabled and the rest disabled; if the active tunnel does not work any more, the next tunnel is enabled.

The only thing left is to add a rule to use this table 100; in my setup the guest interface is using the tunnel:

config rule
	option in 'guest'
	option lookup '100'

When using the watchdog script, the only thing I changed was to add the names of the interfaces:

WG1="wg_mullv_se"
WG2="wg_proton_nl"

I started the script with:
/usr/share/wireguard-watchdog.sh 10 8.8.8.8 &

My guest interface showed I am connected to Mullvad's endpoint.

I simulate a problem with Mullvad by blocking the endpoint address:

nft insert rule inet fw4 output ip daddr 185.213.154.69  counter reject

And about 20 seconds later the switch to Proton was made.

The log also showed that:

root@DL-WRX36:~# logread -e watchdog
Mon Feb 10 13:53:50 2025 user.notice wireguard-watchdog.sh[22695]: WireGuard watchdog: /usr/share/wireguard-watchdog.sh is started, waiting for services
Mon Feb 10 13:55:50 2025 user.notice wireguard-watchdog.sh[22695]: WireGuard watchdog: Available tunnels: wg_mullv_se; wg_proton_nl;
Mon Feb 10 13:55:50 2025 user.notice wireguard-watchdog.sh[22695]: WireGuard watchdog: tunnel wg_mullv_se is enabled
Mon Feb 10 13:55:50 2025 user.notice wireguard-watchdog.sh[22695]: WireGuard watchdog: started, pinging every 10 seconds to 8.8.8.8 on tunnel wg_mullv_se with endpoint 185.213.154.69
Mon Feb 10 13:59:27 2025 user.notice wireguard-watchdog.sh[22695]: WireGuard watchdog: tunnel wg_mullv_se is DOWN, starting next tunnel
Mon Feb 10 13:59:48 2025 user.notice wireguard-watchdog.sh[22695]: WireGuard watchdog: tunnel wg_proton_nl is enabled
Mon Feb 10 13:59:48 2025 user.notice wireguard-watchdog.sh[22695]: WireGuard watchdog: started, pinging every 10 seconds to 8.8.8.8 on tunnel wg_proton_nl with endpoint 217.23.3.76
root@DL-WRX36:~#

Maybe it does not suit your use case, but it is a simple way of fail-over with PBR.
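The failover step this post describes (every tunnel shares table 100, exactly one has disabled='0', and the watchdog flips that flag to the next tunnel), as an added example that is not the thread's wireguard-watchdog.sh: the tunnel names are the post's WG1/WG2, the route output is constructed from the post's `ip ro show table 100`, and the uci/netifd commands are printed rather than executed so it runs off the router.

```shell
#!/bin/sh
# Added example, not the thread's wireguard-watchdog.sh. Models the failover
# step: all tunnels share ip4table 100, exactly one has disabled='0', and
# failover flips the flag from the dead tunnel to the next one in the list.
TUNNELS="wg_mullv_se wg_proton_nl"   # same order as WG1/WG2 in the post

# Constructed sample of `ip route show table 100` while Proton is active.
SAMPLE_TABLE_100='default dev wg_proton_nl proto static scope link
10.2.0.0/24 dev wg_proton_nl proto static scope link'

# Which interface owns the default route in table 100? Reads route output
# from stdin; prints nothing when no tunnel is up (no default route).
active_tunnel() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Tunnel after $1 in TUNNELS, wrapping to the first; an unknown or empty
# name also yields the first, so a "nothing is up" state recovers too.
next_tunnel() {
    cur="$1"; first=""; found=0
    for t in $TUNNELS; do
        if [ -z "$first" ]; then first="$t"; fi
        if [ "$found" = 1 ]; then echo "$t"; return 0; fi
        if [ "$t" = "$cur" ]; then found=1; fi
    done
    echo "$first"
}

# uci transaction that retires $1 and activates $2. Printed, not run, so the
# plan can be reviewed (or logged) before piping it into sh on the router.
failover_commands() {
    printf "uci set network.%s.disabled='1'\n" "$1"
    printf "uci set network.%s.disabled='0'\n" "$2"
    printf 'uci commit network\n/etc/init.d/network reload\n'
}

# Given the tunnel the watchdog just saw fail, emit the commands that move
# table 100 to the next tunnel. Returns 1 if the name is not configured.
plan_failover() {
    case " $TUNNELS " in *" $1 "*) ;; *) return 1 ;; esac
    failover_commands "$1" "$(next_tunnel "$1")"
}

# Stand-alone demo against the constructed sample.
active=$(printf '%s\n' "$SAMPLE_TABLE_100" | active_tunnel)
echo "active tunnel in table 100: ${active:-none}"
plan_failover "$active"
```

Because both interfaces carry `option ip4table '100'`, the only state that changes on failover is the two `disabled` flags; the table 100 default route follows whichever tunnel netifd brings up.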


So if I don't manually create Static IPv4 Routes in Network > Routing and let the interface do that when it comes up by using option table 100, I won't have to worry about enabling/disabling the Static IPv4 Routes?

Testing so far showed that, if I have created Static IPv4 Routes in Network > Routing, I have to manually toggle them if I change VPN interface.

Next time I get the network to myself, I will try what you've suggested instead.

Just out of curiosity, what's the difference between table and ip4table? I see you're using IPv6, is it related to that?

Exactly

In my example I only used IPv4 as not to complicate things (it is already complicated as is).
If you also use IPv6 you have to do the same for IPv6, so also make option ip6table '100' and an ip -6 rule. Of course your VPN provider has to support this and you also have to set it up correctly (e.g. enable NAT66 on the VPN zone and use ::/1, 8000::/1 as Allowed IPs).
