WG client "Network device 'wgc1' link is down"

I have a problem with the WireGuard client.
I get "link is down" all the time and RX/TX Pkts is 0 (zero); I don't know why, though.
Has anyone seen this before and knows why?

```
Sat Dec  7 20:50:00 2024 cron.err crond[2768]: USER root pid 23671 cmd /usr/share/wginstaller/wg.sh cleanup_wginterfaces
Sat Dec  7 20:50:00 2024 daemon.notice netifd: Network device 'wgc1' link is down
Sat Dec  7 21:00:00 2024 cron.err crond[2768]: USER root pid 30641 cmd /usr/share/wginstaller/wg.sh cleanup_wginterfaces
```


Where did this come from? Did this get installed as part of your WG package installations?

Let's see the output of:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

```
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
cat /usr/share/wginstaller/wg.sh
```
ubus call system board

```
root@DEFCON:~# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "DEFCON",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}
```

cat /etc/config/network

```
root@DEFCON:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda1:cc83:50bb::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config device
        option name 'lan1'
        option macaddr '94:83:c4:a5:ff:7f'

config device
        option name 'lan2'
        option macaddr '94:83:c4:a5:ff:7f'

config device
        option name 'lan3'
        option macaddr '94:83:c4:a5:ff:7f'

config device
        option name 'lan4'
        option macaddr '94:83:c4:a5:ff:7f'

config device
        option name 'lan5'
        option macaddr '94:83:c4:a5:ff:7f'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth1'
        option macaddr '94:83:c4:a5:ff:7d'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'

config interface 'OpenVPN'
        option proto 'none'
        option device 'tun0'
        list dns '46.227.67.134'
        list dns '192.165.9.158'
        list dns '2a07:a880:4601:10f0:cd45::1'
        list dns '2001:67c:750:1:cafe:cd45::1'

config interface 'OpenVPN2'
        option proto 'none'
        option device 'tun1'
        list dns '46.227.67.134'
        list dns '192.165.9.158'
        list dns '2a07:a880:4601:10f0:cd45::1'
        list dns '2001:67c:750:1:cafe:cd45::1'
        option delegate '0'

config interface 'wgc1'
        option proto 'wireguard'
        option private_key ''
        list dns '46.227.67.134'
        list dns '192.165.9.158'
        list dns '2a07:a880:4601:10f0:cd45::1'
        list dns '2001:67c:750:1:cafe:cd45::1'
        list addresses '172.30.72.18/32'
        list addresses 'fd00:0000:1337:cafe:1111:1111:766c:0537/128'
        option mtu '1412'

config wireguard_wgc1
        option description 'sto62.conf'
        option public_key ''
        option endpoint_host 'vpn62.prd.kista.ovpn.com'
        option endpoint_port '9929'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'

config wireguard_wgc1
        option description 'sto23.conf'
        option public_key ''
        option endpoint_host 'vpn23.prd.kista.ovpn.com'
        option endpoint_port '9929'
        option persistent_keepalive '25'
        option disabled '1'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
```

cat /etc/config/firewall

```
root@DEFCON:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option mtu_fix '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'
        list device 'tun1'
        list network 'wan'
        list network 'wan6'
        list network 'OpenVPN'
        list network 'OpenVPN2'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-Guest'
        list proto 'udp'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'

config zone
        option name 'wgc_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'wgc1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wgc_fw'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'
```

cat /usr/share/wginstaller/wg.sh

```
root@DEFCON:~# cat /usr/share/wginstaller/wg.sh
#!/bin/sh

next_port () {
    local port_start=$1
    local port_end=$2

    ports=$(wg show all listen-port | awk '{print $2}')

    for i in $(seq "$port_start" "$port_end"); do
        if ! echo "$ports" | grep -q "$i"; then
            echo "$i"
            return
        fi
    done
}

cleanup_wginterfaces() {
    check_wg_neighbors
}

delete_wg_interface() {
    ip link del dev "$1"
    [ -f "/tmp/run/wgserver/$1.key" ] && rm "/tmp/run/wgserver/$1.key"
    [ -f "/tmp/run/wgserver/$1.pub" ] && rm "/tmp/run/wgserver/$1.pub"
}

check_wg_neighbors() {
    wg_interfaces=$(ip link | grep wg | awk '{print $2}' | sed 's/://')
    for phy in $wg_interfaces; do
        linklocal=$(ip -6 addr list dev "$phy" | grep "scope link" | awk '{print $2}' | sed 's/\/64//') 2>/dev/null
        ips=$(ping ff02::1%"$phy" -w5 -W5 -c10 | awk '/from/{print($4)}' | sed 's/.$//') 2>/dev/null
        delete=1
        for ip in $ips; do
            if [ "$ip" != "$linklocal" ] && [ "$(owipcalc $ip linklocal)" -eq 1 ]; then
                delete=0
                break
            fi
        done
        if [ $delete -eq 1 ]; then
            delete_wg_interface "$phy"
        fi
    done
}

case $1 in
    next_port|cleanup_wginterfaces)
        "$@"
        exit
    ;;
esac
```

It is working until this script executes.
After this my wg-client goes down:

```
Sun Dec  8 16:27:00 2024 user.notice hotplug-call[28821]: WG interface automagically set to wgc1
Sun Dec  8 16:30:00 2024 cron.err crond[2828]: USER root pid 28935 cmd /usr/share/wginstaller/wg.sh cleanup_wginterfaces
```
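
Added example (not part of the thread or of the wg-installer package): the interface selection in `check_wg_neighbors` matches every `ip link` line containing `wg`, so it also picks up the client interface `wgc1`; the posted `wgc1` has no link-local address, so nothing answers the `ff02::1` ping, `delete` stays 1 and the interface is removed. The `ip link` text and the name `wg_51820` are constructed, and the key-file filter assumes the server side writes `<ifname>.key` under `/tmp/run/wgserver` (the directory `delete_wg_interface` cleans up).

```shell
#!/bin/sh
# Constructed `ip link` output; "wg_51820" is a hypothetical server-side
# interface name, "wgc1" is the client interface from the thread.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff
12: wg_51820: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN
    link/none
15: wgc1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1412 qdisc noqueue state UNKNOWN
    link/none'

# Same selection pipeline as check_wg_neighbors in the posted wg.sh,
# reading `ip link` text from stdin instead of running the command.
select_like_wg_sh() {
    grep wg | awk '{print $2}' | sed 's/://'
}

# Narrower selection: keep only interfaces that have a key file in the
# directory given as $1 (default /tmp/run/wgserver).
# Assumption: the server side writes <ifname>.key there for each
# interface it creates, so client interfaces such as wgc1 have none.
select_server_owned() {
    keydir=${1:-/tmp/run/wgserver}
    select_like_wg_sh | while read -r ifname; do
        if [ -f "$keydir/$ifname.key" ]; then
            echo "$ifname"
        fi
    done
}

demo() {
    dir=$(mktemp -d)
    : > "$dir/wg_51820.key"   # pretend the server created this interface
    echo "wg.sh would test: $(printf '%s\n' "$SAMPLE_IP_LINK" | select_like_wg_sh | tr '\n' ' ')"
    echo "server-owned only: $(printf '%s\n' "$SAMPLE_IP_LINK" | select_server_owned "$dir" | tr '\n' ' ')"
    rm -rf "$dir"
}

demo
```

On a router, feed the functions real data with `ip link | select_like_wg_sh` to see which interfaces the cron job would consider for deletion.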

I haven't had time to review your complete config, but you didn't mention where the /usr/share/wginstaller/wg.sh script came from.

And possibly more importantly, why is it being executed from cron?

Did you put it into the cron jobs?

No problem.
The script comes, my guess, from the pbr routing script. I'm using "luci-app-pbr_1.1.7-r65_all.ipk" and "pbr_1.1.7-r65_all.ipk".
I haven't installed it.

Ok... truth be told, I am not really knowledgeable about PBR, so I can't help with this aspect if that is the problem. However, with the number of VPN services you appear to have running, you might want to remove any that aren't used and then test and review the configs along the way.

I seem to have found part of the problem. It turned out that I had installed "wg-installer-server" and it wrote these scripts. It seems wg-client is stable for now.

But I still have the cron job, "Sun Dec 8 18:30:00 2024 cron.err crond[2828]: USER root pid 4112 cmd /usr/share/wginstaller/wg.sh cleanup_wginterfaces"
I don't know where it comes from. Is it possible to delete it from the cron jobs?

I found these links from some threads a year ago

It is not related to PBR, it is the wginstaller script part of wg scripts to install server and client

It should not run as a cron job


I had it installed but have uninstalled it, but the cron job is still there.

It seems that uninstalling the wg installer script did not remove the cron job.

https://github.com/openwrt/packages/blob/master/net/wg-installer/wg-server/config/wgserver.init

/etc/crontabs/root

```
*/10 * * * *	/usr/share/wginstaller/wg.sh cleanup_wginterfaces
```

How do I show or delete cron jobs?

Remove/edit the relevant contents of the same file you showed us?

I have deleted that file and removed the "cron" job, so that is fine now.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
