[SOLVED] Wireguard issue again!

Since this topic I upgraded to 19.02 on Turris Omnia and again I can't reach LuCI through WireGuard (though I can reach any server from Turris through WireGuard).

I would appreciate some guidance to resolve this.

Here is the physical setup
wg server ---| --- lan1 router -----internet ---- qmi 4g ----- Turris omnia
client ---------|

Setup is provided below along with tcpdump files from one trial to connect from client to luci on turris.

root@Turris:~# ip r
default via 212.152.xx.xxx dev wwan0 proto static src 212.152.xx.xxx 
10.0.0.0/24 via 10.0.10.253 dev br-lan proto static 
10.0.10.0/24 dev br-lan proto kernel scope link src 10.0.10.1 
10.200.200.0/24 dev wg0 proto static scope link 
154.xx.xx.xxx via 212.152.xx.xxx dev wwan0 proto static 
192.168.10.0/24 dev wg0 proto static scope link 
212.152.xx.xxx/27 dev wwan0 proto kernel scope link src 212.152.xx.xxx 

root@Turris:~# sysctl kernel.random.entropy_avail
kernel.random.entropy_avail = 2617


root@Turris:~# cat /etc/config/network 

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '10.0.10.1'
	option netmask '255.255.255.0'
	option dns '1.1.1.1 8.8.8.8'
	option ifname 'lan0 lan1 lan2 lan3'
	option ip6assign '64'

config interface 'wan4'
	option proto 'dhcp'
	option ifname 'lan4'
	option delegate '0'
	option metric '20'
	option auto '0'

config route
	option interface 'lan'
	option target '10.0.0.0'
	option netmask '255.255.255.0'
	option gateway '10.0.10.253'
	option metric '0'

config interface 'Lte'
	option proto 'qmi'
	option device '/dev/cdc-wdm0'
	option apn 'apn'
	option auth 'none'
	option plmn '12345'
	option delay '15'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'private'
	option listen_port '8490'
	list addresses '10.200.200.4'

config wireguard_wg0
	option endpoint_host 'endhost.mynetname.net'
	option endpoint_port '8389'
	option persistent_keepalive '25'
	option public_key 'public'
	option description 'MyServer'
	list allowed_ips '10.200.200.0/24'
	list allowed_ips '192.168.10.0/24'
	option route_allowed_ips '1'




root@Turris:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'
	option input 'REJECT'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'REJECT'
	option log '1'
	option log_limit '10/minute'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option network 'Lte wan4'
	option mtu_fix '1'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '8589'
	option dest_ip '10.0.10.1'
	option dest_port '22'
	option name 'ssh'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '8490'
	option name 'Allow-Wireguard-Inbound'
	option family 'ipv4'

config forwarding
	option dest 'wan'
	option src 'lan'

config zone
	option output 'ACCEPT'
	option name 'wireguard'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option network 'wg0'
	option family 'ipv4'



ping from server

# ping -c3 10.200.200.4
PING 10.200.200.4 (10.200.200.4) 56(84) bytes of data.
64 bytes from 10.200.200.4: icmp_seq=1 ttl=64 time=33.5 ms
64 bytes from 10.200.200.4: icmp_seq=2 ttl=64 time=377 ms
64 bytes from 10.200.200.4: icmp_seq=3 ttl=64 time=589 ms

--- 10.200.200.4 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 33.512/333.398/589.384/229.047 ms

# ping -c3 10.0.10.1
PING 10.0.10.1 (10.0.10.1) 56(84) bytes of data.
64 bytes from 10.0.10.1: icmp_seq=1 ttl=64 time=33.8 ms
64 bytes from 10.0.10.1: icmp_seq=2 ttl=64 time=244 ms
64 bytes from 10.0.10.1: icmp_seq=3 ttl=64 time=198 ms

--- 10.0.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 33.836/159.127/244.594/90.533 ms


ping from client

ping -c3 10.0.10.1
PING 10.0.10.1 (10.0.10.1) 56(84) bytes of data.
64 bytes from 10.0.10.1: icmp_seq=1 ttl=63 time=1033 ms
From 192.168.10.1: icmp_seq=2 Redirect Host(New nexthop: 192.168.10.7)
64 bytes from 10.0.10.1: icmp_seq=2 ttl=63 time=73.0 ms
From 192.168.10.1: icmp_seq=3 Redirect Host(New nexthop: 192.168.10.7)
64 bytes from 10.0.10.1: icmp_seq=3 ttl=63 time=401 ms

--- 10.0.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2016ms
rtt min/avg/max/mdev = 73.080/502.627/1033.186/398.417 ms, pipe 2


ping from Turris to the client

root@Turris:~# ping -c3 192.168.10.4
PING 192.168.10.4 (192.168.10.4): 56 data bytes
64 bytes from 192.168.10.4: seq=0 ttl=63 time=35.645 ms
64 bytes from 192.168.10.4: seq=1 ttl=63 time=111.121 ms
64 bytes from 192.168.10.4: seq=2 ttl=63 time=134.377 ms

--- 192.168.10.4 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 35.645/93.714/134.377 ms

ping from Turris to the server

root@Turris:~# ping -c3 192.168.10.7
PING 192.168.10.7 (192.168.10.7): 56 data bytes
64 bytes from 192.168.10.7: seq=0 ttl=64 time=34.833 ms
64 bytes from 192.168.10.7: seq=1 ttl=64 time=74.915 ms
64 bytes from 192.168.10.7: seq=2 ttl=64 time=76.639 ms

--- 192.168.10.7 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 34.833/62.129/76.639 ms


traceroute from server

# traceroute 10.200.200.4
traceroute to 10.200.200.4 (10.200.200.4), 30 hops max, 60 byte packets
 1  10.200.200.4 (10.200.200.4)  283.855 ms  283.469 ms  288.485 ms
# traceroute 10.0.10.1
traceroute to 10.0.10.1 (10.0.10.1), 30 hops max, 60 byte packets
 1  10.0.10.1 (10.0.10.1)  1042.750 ms  1042.653 ms  1042.219 ms

traceroute from client

$ traceroute 10.0.10.1
traceroute to 10.0.10.1 (10.0.10.1), 30 hops max, 60 byte packets
 1  _gateway (192.168.10.1)  58.595 ms  58.576 ms  58.697 ms
 2  192.168.10.7 (192.168.10.7)  59.707 ms  59.706 ms  59.698 ms
 3  10.0.10.1 (10.0.10.1)  427.265 ms  427.296 ms  427.291 ms


traceroute from Turris
root@Turris:~# traceroute 192.168.10.7
traceroute to 192.168.10.7 (192.168.10.7), 30 hops max, 38 byte packets
 1  192.168.10.7 (192.168.10.7)  43.661 ms  31.023 ms  131.471 ms
root@Turris:~# traceroute 192.168.10.4
traceroute to 192.168.10.4 (192.168.10.4), 30 hops max, 38 byte packets
 1  cubie.lan (10.200.200.1)  42.728 ms  33.797 ms  38.265 ms
 2  192.168.10.4 (192.168.10.4)  38.947 ms  106.744 ms  33.349 ms

tcpdump files: https://drive.google.com/file/d/1o1ttZN1eQIbV56qPArgvlUFxULGdiCVa/view?usp=sharing

Communication between client and Turris is fine.
Turris is giving the client an HTTP 403 error (turris_tcpdump line 13).

Thank you, but I am not sure this is the issue I am facing.
I get the same HTTP 403 error on another OpenWrt installation (18.06.0 on ESPRESSObin), but LuCI still loads fine through the WireGuard tunnel.

To me it seems that communication starts and then stops. In my browser, the first line "LuCI - Lua Configuration Interface" is loaded and then it just waits, nothing else.
If I connect through wg with ssh, it works OK until I ask for something that needs more data flow (e.g. htop or logread), and then the connection hangs.

Interestingly, I can connect from my Android phone when I connect to my wg server and through that to the Turris Omnia, and LuCI loads fine.

Any other idea?

Pages loading partially sounds like an MSS issue. Have you tried enabling MSS clamping on the wireguard firewall zone?

Yes, I just did, but nothing changes. Still can't access LuCI from the WireGuard tunnel.

Your pings are very inconsistent in terms of RTT.
Have you tried pinging with a larger size, or downloading something big through the tunnel, to rule out MTU?

I have applied the mtu_fix option earlier today.

config zone
	option output 'ACCEPT'
	option name 'wireguard'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option network 'wg0'
	option family 'ipv4'
	option mtu_fix '1'

I just tested uploading and downloading from both sides.
I tried up to 50 MB and achieved transfers of up to 2 MiB/s uploading to the Omnia, but downloading from the Omnia stalls.
I also tried from the wg server and the download also stalls.
What should I do now?

edit:
13: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/none
root@Turris:~# ip l show br-lan
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000

OK, I changed the wg0 interface MTU to 1380 and the connection works.
Thank you all.
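Added example, not code from this thread or from OpenWrt/Turris: the wg0 MTU that finally worked above can be derived instead of guessed. The script binary-searches the largest DF packet a path carries, subtracts WireGuard's encapsulation overhead to get the tunnel MTU, and gives the MSS that mtu_fix would clamp to. The probe function is a constructed stand-in for a DF-bit ping, and the 1440-byte carrier MTU is an assumption (it happens to yield the 1380 found in the thread).

```python
"""Derive a WireGuard tunnel MTU and TCP MSS clamp from a measured path MTU.

Added example for this thread, not the project's code. probe_path_mtu() takes
a hypothetical can_send(size) callback; on a real router that would be a
DF-bit ping such as `ping -M do -s $((size-28)) <peer>` (size = total IP bytes).
"""
from typing import Callable

# Overhead WireGuard adds per packet with an IPv4 outer header:
# 20 (IPv4) + 8 (UDP) + 4 (type) + 4 (receiver index) + 8 (counter) + 16 (tag)
WG_IPV4_OVERHEAD = 60
# Same with an IPv6 outer header (40 bytes instead of 20); 1500 - 80 = 1420,
# which is WireGuard's conservative default interface MTU.
WG_IPV6_OVERHEAD = 80
TCP_IPV4_HEADERS = 40  # 20 IPv4 + 20 TCP; MSS = MTU - 40


def wireguard_mtu(path_mtu: int, outer_ipv6: bool = False) -> int:
    """Largest inner packet that fits one outer datagram without fragmentation."""
    return path_mtu - (WG_IPV6_OVERHEAD if outer_ipv6 else WG_IPV4_OVERHEAD)


def mss_clamp(tunnel_mtu: int) -> int:
    """TCP MSS that mtu_fix would write into SYNs crossing a tunnel of this MTU."""
    return tunnel_mtu - TCP_IPV4_HEADERS


def probe_path_mtu(can_send: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest DF packet size (total IP bytes) that reaches the peer."""
    if not can_send(lo):
        raise RuntimeError("minimum size fails: link down or ICMP blocked")
    if can_send(hi):
        return hi
    while hi - lo > 1:          # invariant: lo passes, hi fails
        mid = (lo + hi) // 2
        if can_send(mid):
            lo = mid
        else:
            hi = mid
    return lo


def simulated_link(real_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a 4G path whose MTU is below the 1500 the router assumes."""
    return lambda size: size <= real_mtu


if __name__ == "__main__":
    pmtu = probe_path_mtu(simulated_link(1440))   # constructed carrier MTU
    tunnel = wireguard_mtu(pmtu)
    print(f"path MTU {pmtu}, wg0 MTU {tunnel}, MSS clamp {mss_clamp(tunnel)}")
```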
