Wireguard/BGP not installing into route table

Hi all,

After reading an existing/closed thread (BGP prefixes accepted, but not installed into routing table), I am having the same issue, but a reboot is not solving it!

I have a WG0 VPN up and running, with eBGP running across it (quagga/bgpd) and they are all seeing the routes in the BGP table at both ends, as expected - however, the routes will not get installed into the routing table for the clients to use on my OpenWRT box.

I have built the same on a non-OpenWRT box and it appears to work fine - although I am having to insert a parameter which is related, but I don't think would solve this issue. It appears that the "table = off" is not used in the WG version on OpenWRT.

[Interface]
Address = 10.0.0.4/24
ListenPort = 41194
PrivateKey = yD1kvcXeocmUdJp44jsdf32fd33vFVjFOryty3BlU=
Table = off

Shouldn't "routing allowed IPs" have the same effect?

Can you provide "show run" from your vtysh?

GL-AR750# sh run
Building configuration...

Current configuration:
!
bgp config-type cisco
!
service advanced-vty
!
password zebra
!
router bgp 65002
 no synchronization
 bgp router-id 10.0.0.4
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 update-source wg0
 neighbor 10.0.0.1 send-community both
 no auto-summary
!
 address-family ipv6
 exit-address-family
 exit
!
access-list vty permit 127.0.0.0/8
access-list vty deny any
!
line vty
 access-class vty
!
end

GL-AR750# sh ip bgp 
BGP table version is 0, local router ID is 10.0.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      10.0.0.1                 0              0 65000 ?
*> 192.168.0.0/25   10.0.0.1                 0              0 65000 ?
*> 192.168.0.128/25 10.0.0.1                 0              0 65000 i

Displayed  3 out of 3 total prefixes
GL-AR750# 

So, BGP is configured correctly, the prefixes are being learned and in the RIB, however, as seen below, never get into the FIB/kernel routing tables:

root@GL-AR750:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         128.0.0.0       U     0      0        0 wg0
0.0.0.0         10.4.10.1       0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 wg0
10.4.10.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
18.133.174.29   10.4.10.1       255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       0.0.0.0         128.0.0.0       U     0      0        0 wg0
192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
root@GL-AR750:~# 

Here is the /etc/config/wireguard:

root@GL-AR750:/etc/config# cat wireguard

config proxy
	option main_server 'vLink02'
	option enable '1'
	option host '18.133.174.29'

config peers 'wg_peer_3676'
	option name 'vLink02'
	option address '10.0.0.4/24'
	option listen_port '41194'
	option private_key 'yD1kvcXeocmUdJSTUFFFVjFONWEvBlU='
	option end_point '18.133.x.y:41194'
	option public_key 'x1fYq7fb5GSTUFF+Dt4EFk='
	option allowed_ips '0.0.0.0/0,::/0'
	option persistent_keepalive '25'
	option preshared_key '4G/teuwxsSTUFFQwbU6fmQcK2nLM1bT4='
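
One way to check the RIB-versus-FIB mismatch described above, as an added example that is not part of the original thread: it parses `show ip bgp` and `route -n` text, reports which BGP prefixes have an exact kernel route, and names the kernel route that would carry traffic to each prefix by longest match. The sample tables are constructed to resemble the output shown in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input, shaped like the vtysh and `route -n` output above.
BGP_TABLE = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.0.0/24      10.0.0.1                 0              0 65000 ?
*> 192.168.0.0/25   10.0.0.1                 0              0 65000 ?
   192.168.0.128/25 10.0.0.1                 0              0 65000 i
"""
KERNEL_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         128.0.0.0       U     0      0        0 wg0
0.0.0.0         10.4.10.1       0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 wg0
128.0.0.0       0.0.0.0         128.0.0.0       U     0      0        0 wg0
"""

def parse_bgp(text):
    """Map prefix -> status flags from `show ip bgp` rows (rows without /len are skipped)."""
    rows = re.findall(r"^(.{3})(\d+\.\d+\.\d+\.\d+/\d+)\s", text, re.M)
    return {ipaddress.ip_network(p): flags.strip() for flags, p in rows}

def parse_kernel(text):
    """Return [(network, iface)] from `route -n` rows."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[0][0].isdigit():
            plen = bin(int(ipaddress.IPv4Address(f[2]))).count("1")  # netmask -> /len
            routes.append((ipaddress.ip_network(f"{f[0]}/{plen}"), f[7]))
    return routes

def audit(bgp_text, kernel_text):
    """Per BGP prefix: best in the RIB? exact route in the FIB? longest-match kernel route?"""
    kernel = parse_kernel(kernel_text)
    report = {}
    for net, flags in parse_bgp(bgp_text).items():
        covering = [(k, dev) for k, dev in kernel if net.subnet_of(k)]
        k, dev = max(covering, key=lambda r: r[0].prefixlen, default=(None, None))
        report[str(net)] = {"best": ">" in flags, "in_fib": k == net,
                            "carried_by": f"{k} dev {dev}" if k else None}
    return report

if __name__ == "__main__":
    print(audit(BGP_TABLE, KERNEL_TABLE))
```

An `in_fib` hit only means an exact-match kernel route exists; for 10.0.0.0/24 in the sample that is the connected route on wg0, not a BGP-installed one. The `carried_by` field shows that the two /1 routes on wg0 already cover the 192.168.0.x prefixes whether or not BGP installs them.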

Adding a little more. It was suggested to install/run ZEBRA as well as QUAGGA/BGPD and now seeing a little more and expected - i.e. BGP routes in the BGP table but now not showing "*>" and not installing into the main table.

I am thinking this is a quagga issue and nothing to do with WIREGUARD!

GL-AR750# sh ip bgp
BGP table version is 0, local router ID is 10.0.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
   10.0.0.0/24      10.0.0.1                 0              0 65000 ?
   192.168.0.0/25   10.0.0.1                 0              0 65000 ?
   192.168.0.128/25 10.0.0.1                 0              0 65000 i

Displayed  3 out of 3 total prefixes
GL-AR750# 

Partially solved!

router bgp 65002
 no synchronization
 bgp router-id 10.0.0.4
 redistribute connected
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 disable-connected-check
 neighbor 10.0.0.1 update-source wg0
 neighbor 10.0.0.1 next-hop-self
 neighbor 10.0.0.1 send-community both
 no auto-summary
!

Notice that "neighbor 10.0.0.1 disable-connected-check" is a new line.
Once this was committed, the BGP prefixes appeared in the kernel table!

Now, trying to figure out how to get Wireguard to send traffic down the tunnel but ONLY to the routes learned via the BGP!

If it helps, I can share my config on Wireguard and BGP.

Thanks for the offer. I realised I was trying to use the gi.net modified openwrt and quagga. In the end, I ended up going for a clean openwrt build on the ar750 and using FRR.

Now, everything works as I expect. It appears that the gi.net build wasn't the same and acted oddly.

Thanks.
