WireGuard crash


#1

I've got a crash with wireguard that causes the router to reboot.

This happens when I try to ping a non-existent IP address, e.g. 10.13.37.11, inside the tunnel subnet.

/var/log/lastlog is empty


#2
ubus call system board

#3
root@UGH-R7800:~# ubus call system board
{
        "kernel": "4.14.63",
        "hostname": "UGH-R7800",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear Nighthawk X4S R7800",
        "board_name": "netgear,r7800",
        "release": {
                "distribution": "OpenWrt",
                "version": "18.06.1",
                "revision": "r7258-5eb055306f",
                "target": "ipq806x\/generic",
                "description": "OpenWrt 18.06.1 r7258-5eb055306f"
        }
}

#4

https://openwrt.org/toh/netgear/r7800
Your device should support OpenWrt 18.06.2, try to upgrade the firmware.


#5

I noticed my outdated shit right after posting as my stick is running .2, will upgrade and test again.

Weird thing is, it had been working fine without reboots for over 75 days up until yesterday, when I added a client and had "Route allowed IPs" unchecked.


#6

/var/log/lastlog contains the logins into the device. I am not sure if it is used, though.
What you need to read the logs is logread.

Other than that, post the configuration in /etc/config/network


#7
# /etc/config/network as posted: base interfaces, switch VLANs and four
# separate /24 segments (lan, hotspot, IoT, guest).
# NOTE(review): this file only defines addressing and VLAN membership. Whether
# the segments and the VPN are actually isolated from each other is decided by
# /etc/config/firewall, which is not part of this post.

# Loopback interface with the standard 127.0.0.1/8 address.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 unique local address prefix for this router.
config globals 'globals'
        option ula_prefix 'fd7f:744d:246f::/48'

# Main LAN: bridge over eth1.2 (VID 2), router at 10.0.1.1/24.
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.0.1.1'
        # The router lists its own LAN address as the DNS server.
        option dns '10.0.1.1'
        option ifname 'eth1.2'
        # delegate 0 turns off downstream IPv6 prefix delegation here.
        option delegate '0'
        # Spanning tree enabled on the bridge.
        option stp '1'

# Uplink: DHCP client on eth0.1 (VID 1).
config interface 'wan'
        option proto 'dhcp'
        option delegate '0'
        # Set the broadcast flag in DHCP requests.
        option broadcast '1'
        # peerdns 0 ignores the DNS servers offered by the upstream DHCP
        # server; the two resolvers on the next line are used instead.
        option peerdns '0'
        option dns '8.8.8.8 8.8.4.4'
        option ifname 'eth0.1'
        # Apply address and routes regardless of link state.
        option force_link '1'

# Switch with VLAN support enabled; reset 1 clears the switch on (re)load.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# In the switch_vlan sections below, vlan is the switch table index and vid is
# the 802.1Q tag; a trailing t on a port number marks that port as tagged.
# Table entry 1 carries VID 2 (the lan segment, eth1.2).
# presumably port 6 is the CPU port behind eth1 - TODO confirm for this board
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 6t'
        option vid '2'

# Hotspot segment: bridge over eth1.3 (VID 3), router at 10.0.4.1/24.
config interface 'hotspot'
        option type 'bridge'
        # Underscore-prefixed keys; presumably leftovers written by the web UI
        # - TODO confirm they are not needed.
        option _orig_ifname 'hotspot0 hotspot1'
        option _orig_bridge 'true'
        option proto 'static'
        option netmask '255.255.255.0'
        option ifname 'eth1.3'
        option stp '1'
        option ipaddr '10.0.4.1'
        option dns '10.0.4.1'
        option delegate '0'

# VID 3 exists only on tagged port 6, so no physical switch port is a member.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '6t'

# VID 4 (the IoT segment): untagged on port 4, tagged on port 6.
config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '4'
        option ports '4 6t'

# IoT segment: bridge over eth1.4 (VID 4), router at 10.0.2.1/24.
config interface 'IoT'
        option type 'bridge'
        option proto 'static'
        option ifname 'eth1.4'
        option netmask '255.255.255.0'
        option ipaddr '10.0.2.1'
        option dns '10.0.2.1'
        option stp '1'
        option delegate '0'

# Guest segment: router at 10.0.3.1/24. No ifname is declared in this section,
# so the bridge has no wired member here.
# presumably wireless interfaces attach to it via /etc/config/wireless (not
# shown) - TODO confirm
config interface 'guest'
        option type 'bridge'
        option proto 'static'
        option ipaddr '10.0.3.1'
        option netmask '255.255.255.0'
        option dns '10.0.3.1'
        option delegate '0'
        option stp '1'

# Table entry 5 carries VID 1 (the wan side, eth0.1): port 5 untagged, port 0
# tagged.
# presumably port 0 is the CPU port behind eth0 - TODO confirm for this board
config switch_vlan
        option device 'switch0'
        option vlan '5'
        option ports '0t 5'
        option vid '1'

# WireGuard interface of the router: listens on UDP port 1337 and holds the
# tunnel address 10.13.37.1/24. The address 10.13.37.11 pinged in the first
# post lies inside this /24 but is not in the allowed_ips of any peer below.
config interface 'VPN'
        option proto 'wireguard'
        option listen_port '1337'
        list addresses '10.13.37.1/24'
        # Shown as the placeholder xxx, presumably redacted by the poster. The
        # real private key must stay out of public posts: anyone holding it can
        # impersonate this endpoint to its peers.
        option private_key 'xxx'
        option delegate '0'
        # Later replies in the thread suggest removing force_link; the poster
        # reports that this stopped the reboot on interface restart but not
        # the reboot on ping.
        option force_link '1'

# Peers of the VPN interface (section type wireguard_ plus the interface name).
# Each peer is limited to a single /32 tunnel address through allowed_ips, so
# WireGuard only accepts traffic from that source address for the peer.
# persistent_keepalive 0 leaves keepalives disabled; route_allowed_ips 1
# installs a route for every allowed_ips entry.
config wireguard_VPN
        option public_key 'xxx'
        option persistent_keepalive '0'
        option route_allowed_ips '1'
        list allowed_ips '10.13.37.30/32'

config wireguard_VPN
        option public_key 'xxx'
        option persistent_keepalive '0'
        option route_allowed_ips '1'
        list allowed_ips '10.13.37.20/32'

# NOTE(review): the public_key line in the section below is missing its closing
# quote as posted, presumably a slip while redacting the key. An unbalanced
# quote is expected to make the UCI parser reject the file, so confirm that the
# file on the router is balanced.
config wireguard_VPN
        option public_key 'xxx
        option persistent_keepalive '0'
        option route_allowed_ips '1'
        list allowed_ips '10.13.37.10/32'

#8

This is how I make it reboot from my phone. logread shows nothing of value at that time, only that a minute later it brings the interfaces back up.

I upgraded to .2 today.


#9

From interface VPN remove

option force_link '1'

From peers remove
option route_allowed_ips '1'
and make keepalive 25.
Restart network or reboot and let us know how it went.


#10

Keepalive is only for clients behind NAT; this device isn't behind a NAT.

Disabling the force link checkbox solved the reboot that happened when pressing restart on the interface panel.

Route allowed IPs is enabled by default, but I guess it only makes sense on clients accessing my local networks.

Anyway, I tried your proposed settings and pinged the non-existent host: the R7800 still reboots!


#11

Alright, keep it off then.

In your case it doesn't matter. The router already has the 10.13.37.1/24 in wireguard interface. If you had another subnet behind some peer it would make sense.

  1. Do you have the same behavior if you ping the non existing IP from the router?
  2. Can you let the logs run (logread -f) and try again to see if anything gets logged before reboot?
  3. Post the output of: ip -a addr; ip -4 ro; ip -4 ru; ip neigh show | grep 10.13.37.11

I wasn't able to reproduce your issue.