Wireguard and mwan3 configuration issue

Hi, there. I have a working Wireguard set up, in a sense that my router successfully connects to a Wireguard server and routes everything perfectly from LAN. However traffic initiated within the router on Wireguard interface doesn't go anywhere. So this times out for me:

ping -c1 -I wg0 8.8.8.8

It was not bothering me until I wanted to set up mwan3 for failback. mwan3 uses the above to check if an interface is up and running, so it detects the wg0 interface as down and switches routing away from it.

Is there any firewall setting I need to do to make this work? (between 10.0.0.1 of the server and 10.0.0.2 of the peer). Just pinging 10.0.0.1 works fine without specifying an interface...

Please post the output of:

ip route get 8.8.8.8 from 10.0.0.2

Let's see where this traffic is actually going, first.

(I tested on mine, and found it was using WAN...I know why...but obscure your gateway IP if such is the case with you too.)

I get this:

8.8.8.8 from 10.0.0.2 dev wg0
cache

Did you enable IPv4 forwarding (i.e. make it a router) and masquerading (create the NATed LAN) from 10.0.0.2 on the server?

Enter on server:

sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -s 10.0.0.2 -j MASQUERADE

Yes, I did that on the server already, otherwise the whole tunnel would not be working. I can use the internet from LAN via wg0 with no issues.

One other thing I noticed - I can't ping the peer 10.0.0.2 from the server 10.0.0.1 - I get "destination port unreachable" (not host), but I attribute that to the firewall...

Try instead:

ping -c1 -I 10.0.0.2 8.8.8.8

Oh my...let me know if that ping works...I think you're missing something grand...

EDIT: YES, you do have to ALLOW OUTPUT on wg0 (i.e. its Firewall Zone).

Yes, the ping above works! So why doesn't the interface name work?

I was afraid this is this case...allow me to ask you one question...

Not counting the WAN that wg0 uses, name the other (REAL, not virtual) WAN you plan to failover to?

I hope I understand the question correctly (it's all a bit new to me). Currently the second WAN is just the main WAN based on eth0.2 (in the future it will be a second Wireguard connection, but I haven't set it up yet).

I don't think there's an "issue" with your Wireguard configuration then. In fact, I think it's configured properly!

Simply...because the interface is not real. It has no "gateway" (in the Layer 2 sense). Your WAN physically connects to equipment on the remote-end, your Wireguard interface uses the same WAN.

You mentioned:

Well, I'm not sure if you can configure mwan3 for this....but you must use some sort of script instead to undo the routes, configs, etc. on the LEDE when it doesn't detect something on wg0 (e.g. a ping to 8.8.8.8).

Hmm... I do read some success stories about using mwan3 with Wireguard, so it must be possible, but I wonder how :slight_smile:


I'll be honest, I hope others read; and I hope you have further success using Wireguard.

I will continue to follow this, as I'm interested. I'll admit, I have no knowledge of mwan3, or using it with VPNs (or other tunneled interfaces); and Wireguard is my VPN of choice to use on LEDE.

Perhaps...you wish to edit the title to reflect it's an mwan3 issue more clearly (or say this is solved and make a new thread)?

Oh, well. I suppose there is always the option of hacking mwan3 - I came across the mwan3track sources where it does the ping, and the source IP is already available there for me to use. I'll recompile and see if that works :slight_smile:

OK, so it turned out mwan3track is just a shell script, which I modified to check the interface name and replace it with the IP for pinging. It's obviously hardcoded with the IP and interface name, but it would be nice to solve this more generically (like maybe do a check if it's a virtual interface and get its IP, which I don't think I have the knowledge to write).
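The generic version of that check, as an added example that is not code from the thread or from the mwan3 project: a POSIX shell helper that, given an interface name and the text of `ip -4 addr show dev IFACE`, returns the tunnel's own IPv4 address for point-to-point interfaces such as wg0 (which have no Layer 2 gateway, so `ping -I wg0` has nowhere to go) and the plain interface name for ordinary interfaces like eth0.2. The `ip addr` output below is constructed sample data; the function names and the POINTOPOINT/NOARP/`link/none` heuristic are this example's own assumptions, and `ping_source_for` is the wrapper that would run `ip` on a live router.

```shell
#!/bin/sh
# Added example (not part of mwan3 or the original post).
# Goal: make an interface-liveness ping work on tunnel interfaces by pinging
# from the tunnel address ("ping -I 10.0.0.2") instead of the device name
# ("ping -I wg0"), while leaving physical interfaces untouched.

# Print the first IPv4 address found in "ip -4 addr show" style output.
# Handles both "inet 10.0.0.2/32 ..." and "inet 10.0.0.2 peer 10.0.0.1/32 ...".
first_ipv4_from_addr_output() {
    printf '%s\n' "$1" | sed -n 's|^[[:space:]]*inet \([0-9.]*\)[ /].*|\1|p' | head -n 1
}

# Decide what to pass to "ping -I".
#   $1 = interface name, $2 = output of "ip -4 addr show dev $1".
# Point-to-point / tunnel interfaces (Wireguard shows POINTOPOINT,NOARP and
# "link/none") get their IPv4 address; anything else keeps the interface name.
ping_source_arg() {
    ifname=$1
    addr_output=$2
    case "$addr_output" in
        *POINTOPOINT*|*NOARP*|*"link/none"*)
            addr=$(first_ipv4_from_addr_output "$addr_output")
            if [ -n "$addr" ]; then
                printf '%s\n' "$addr"
                return 0
            fi
            ;;
    esac
    printf '%s\n' "$ifname"
}

# Live wrapper for a router: query the kernel, then fall back to the name.
ping_source_for() {
    ping_source_arg "$1" "$(ip -4 addr show dev "$1" 2>/dev/null)"
}

# Constructed sample output (assumption: typical "ip -4 addr show" formatting).
WG0_ADDR_OUTPUT='5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.2/32 scope global wg0
       valid_lft forever preferred_lft forever'

ETH_ADDR_OUTPUT='3: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0.2
       valid_lft forever preferred_lft forever'

# Demonstration: build the ping command line a tracker script would run.
for pair in "wg0|$WG0_ADDR_OUTPUT" "eth0.2|$ETH_ADDR_OUTPUT"; do
    name=${pair%%|*}
    out=${pair#*|}
    echo "ping -c1 -I $(ping_source_arg "$name" "$out") 8.8.8.8"
done
```

On a router the tracker would call `ping_source_for wg0` instead of hardcoding `10.0.0.2`, so the same script keeps working if the tunnel address changes or a second Wireguard WAN is added later.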

An update. I had it working perfectly with the change in the script, but then, I don't know where exactly, things went wrong and I can no longer connect via Wireguard at all. I was building my builds myself, experimenting with different compilers, and had to reflash my device from scratch a few times... I thought my build is now wrong, so I got the image builder and got everything prebuilt with it, and it's still not working. The only thing that has changed is that the trunk revision is obviously about a week ahead of where I started initially. Can someone confirm that the Wireguard client is working OK for them on their own in today's/yesterday's build?

P.S. A curious thing is that my wg server's IP address gets blacklisted (I can't even ping it through another WAN interface) as soon as I try creating a new interface for it, even if I stop the interface and reboot. Only if I completely delete it and reboot does it start to work again...

What does this mean?

  • How can you ping a VPN interface from the WAN (unless it's a peer of the VPN or on the same LAN)?
  • Could this be because you have ICMP-Echo-Request blocked on the WAN?
  • Did you re-open the firewall?
  • Did you place this wg instance on a new port?
  • Did you use a new, different Private Key?

Just removed the mwan3 packages completely and it's still not working...
In fact I had to remove all wg modules to get the basic WAN working again.
I then reinstalled wg and still nothing; had to remove the wg modules again.

P.S. I did use a different private key for the peer as my configuration was gone after the reflashes; everything else is the same though.

And about pings - that is from LAN. I would have thought that if you are not using the WG interface and another WAN one is active and working (for me that was possible when mwan3 was installed; otherwise I never could use another WAN with WG set up, even if it's not activated), then all the traffic goes through the working WAN and I could reach my server directly. But for some reason, as soon as you specify an IP in the LuCI settings for WG, it's blocked even if WG is not active (i.e. when the wg0 interface is stopped, I can't SSH, for example, to my server to check things from there) - very painful.

The VPN's tunnel IP??? If that's the cause, you must be using an invalid IP (i.e. the WAN IP, the IP of another interface or network on the LEDE, or the IP of your ISP's gateway). The VPN IP should be a private network that only exists between both devices, or a public address assigned from the Server Provider.

  • I'm lost...why are you pinging your second WAN from LAN???
  • Why would the first WAN be online if you failed over to the second WAN?

Did you change the Public Key at the remote end too?

I know it sounds complicated (and may not really be related to the problem of Wireguard having stopped working for me) but here it is. Let's say we have two WAN interfaces: wan_main over the physical WAN port (that on its own is a LAN in my case as I use a separate VDSL modem in front of it) and wg0 over Wireguard. Obviously at the start wg0 doesn't exist, so we just have wan_main. All traffic from LAN/wifi is being routed through wan_main using the appropriate zoning setting of the firewall section of LuCI (I don't use the command line for anything that I do). To set up the remote Wireguard server host (let's say with IP x.y.z.k, a real internet IP) I obviously have to SSH to it, and traffic goes via the LAN->wan_main route for that connection. As soon as I set up wg0 (along with the corresponding firewall zone), which lists the x.y.z.k IP as a peer, my LAN-wan_main routing stops working, and since Wireguard doesn't work for me now I do not have internet access via my router at all. So at this point I install and configure mwan3 with the rules that if wan_main is working then go via it, otherwise try wg0 (which is not working anyway). At this point I get internet access back as routing via wan_main is restored, and I try to SSH (or even ping) to my wg server with IP x.y.z.k and can't. Access to that is not restored until I remove the Wireguard packages via opkg (disabling or deleting the wg0 interface completely doesn't help).

And moreover, I had everything working only a week ago and now it's just stopped...