Wireguard fails on latest Turris Omnia (18.06rc2) openwrt

The Turris Omnia uses the same CPU and chipset as WRT32x, and other devices. Wireguard fails on the turris omnia but works fine on WRT32x and others. There is no error message but no connection is formed.
Someone speculated that the DSA is wrong on the Turris Omnia.

Have you found out anything in the meantime?
Looks like it it is still not working...

I have tried to compile 18.06.0 without DSA to see if that could really be the cause.
But I was not fully successful. I think the switch device worked, but there were errors:

[   49.394909] mvneta f1030000.ethernet eth1: bad rx status 0cc10000 (crc error), size=67
[   50.384251] mvneta f1030000.ethernet eth1: bad rx status 0cc10000 (crc error), size=67
[   50.497724] mvneta f1030000.ethernet eth1: bad rx status 0cc10000 (crc error), size=67
[   51.386945] mvneta f1030000.ethernet eth1: bad rx status 0cc10000 (crc error), size=67
[   51.394885] mvneta f1030000.ethernet eth1: bad rx status 0cc10000 (crc error), size=66
[   52.384157] mvneta f1030000.ethernet eth1: bad rx status 0cc10000 (crc error), size=67

Maybe someone can tell what's wrong? Here are my changes:

As of today, Wireguard still fails on the development version of OpenWRT for the Turris Omnia.

I had the same problem. I am bringing down and then up the interface as a workaround and it connects.

ifdown wg0 && ifup wg0

Edit: I am on kernel
Linux OpenWrt 4.14.78 #0 SMP Fri Oct 26 15:23:38 2018 armv7l GNU/Linux

Doesn’t work for me.
I’m on same kernel as you are, with today’s dev update.
I have a wireguard config that works fine on other openwrt devices.
On Turris Omnia OpenWRT, no matter what I try I get 0 packets sent and received.
If there is a protocol problem, I usually get 0 packets received, but nonzero sent, so that’s confusing, in that the wg interface doesn’t appear to be even trying to send packets.
What ports are you using? If use the normal wan port (closest to the on/off switch), the router routes, but the WAN light doesn’t flash (as it does on other OpenWRT devices).
If I use the other wan port (second from on/off) the WAN port flashes, but the WAN is unreachable and wg0 say “Network Device is Unreachable”.
Either way, wg0 never connects.
I don’t understand how yours is working and mine isn’t.
Is anyone else having the same problem?

  • By any chance, do you lack an Atheros WiFi card in your devices?
  • Can you provide the results of cat /proc/sys/kernel/random/entropy_avail

Perhaps the interface doesn't come up due to low entropy. Enabled Atheros WiFi cards can provide entropy from radio noise, so most users don't notice as long as their wireless is enabled.

The suspicion I have is that the wireguard version supplied by Turris isn't compatible with the version in openwrt. Wireguard is a moving target, not quite yet in the kernel, so version interoperability isn't guaranteed.

The wireguard list https://lists.zx2c4.com/mailman/listinfo/wireguard might be the place to ask.

I may well have misunderstood the situation completely so apologies if that's the case.

Thank you, a lack of entropy was indeed the problem.

I Installed haveged and the wireguard interface came right up.

A note to the wireguard developers: maybe the wireguard interface could log some sort of error when the interface can't start due to a lack of entropy?

Thanks for the fix.

1 Like

I noticed the problem in a device with WiFi disabled, I did not experience the issue in an identical device when its WiFi card was enabled (even when unassociated and unconnected). My device posses a RNG, so I installed rngd to solve the problem myself. Otherwise, I don't attempt setup of VPNs on a device - unless the it has an Atheros WiFi or an RNG.

Entropy issues are common in embedded devices. Glad you got it working!

(BTW, the Wireguard devs are reachable directly via email at: team AT wireguard.com)

I do not want to hijack the topic but I am experiencing a strange issue on Turris Omnia and wireguard. I have setup wireguard and ping works fine as well as ssh but I can't reach luci (I tried also masquerading). Also when I connect trough ssh and I try to issue htop or e.g. cat /etc/config/firewall the connection hangs. I would appreciate any guidance on how to resolve this. I am on OpenWrt SNAPSHOT, r8381-4056be5 but I have experinced the problem also on Turris OS.

Next time, you should consider creating a new topic, then.

  • Did you check entropy, if so can you post the results?
  • :point_right: If entropy is low, have you attempted installation of haveged??? :point_left:

@farmwald, BTW, https://omnia.turris.cz/en/ states:

Apart from that, Turris Omnia also has SIM card slot, RTC with battery backup, crypto chip for secure random number generation, dimmable RGB LEDs and more.

Are you sure there's not a device at /dev/hwrng

Do you see random data if you enter:

cat /dev/hwrng

If so, you can install rngd and edit /etc/config/system:

config rngd
option enabled '1'
option device '/dev/hwrng'

Thank you for your reply. I installed haveged (entropy was 670) but the problem persists.

root@Turris:~# sysctl kernel.random.entropy_avail
kernel.random.entropy_avail = 1868
root@Turris:~# cat /dev/hwrng
cat: read error: No such device

  • This is still somewhat low, are you running multiple WG interfaces and peers???
  • Do you have Software or Hardware NAT offloading enabled?
  • Do your firewall rules permit access to this port over the WG interface?

I disabled the second peer and now:

sysctl kernel.random.entropy_avail
kernel.random.entropy_avail = 2104

No I did not have hardware nat, now I enabled it. The problem still persists

Hm, just masquerading, but I do connect via ssh from both wireguard ends to each other.

ok, it seems that I have pinpointed the issue. It happens only on qmi-wan interface with wireguard. Direct ssh works fine. I will try to change from qmi-wan to 3g protocol and see what happens.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.