How should I configure this command line in Luci or /etc/config/network?
ip addr add 172.21.95.1/32 peer 172.20.53.97/32 dev kioubit
Note the "peer 172.20.53.96" part.
This isn't syntax to configure a Wireguard interface.
And your peer's IP wouldn't be in the same subnet as the tunnel IP scheme. And one peer usually has a subnet larger than /32.
The peer's outside the tunnel IP is endpoint_host, which also almost always requires specifying the endpoint_port. The peer's inside the tunnel IP must be entered as an allowed_ip. These are configured on the Peers tab in Luci or in a config wireguard_<ifname> section in /etc/config/network.
I'm a beginner with Wireguard. I can only get it to work if I run the command line.
Remote Tunnel IP: 172.20.53.97 & IPv6: fe80::ade0
My subnet: 172.21.95.0/27, so I pinned the first IP to wireguard. Perhaps wrong?
In allowed IPs for the wireguard peer I have 0.0.0.0/0
config interface 'kioubit'
	option proto 'wireguard'
	option private_key '.....'
	option listen_port '43869'
	option defaultroute '0'
	option delegate '0'
	list addresses 'fe80::ade1/64'
	list addresses 'fdce:fc25:21::1/48'

config wireguard_kioubit
	option description 'Kioubit'
	option public_key '....'
	option endpoint_host 'de2.g-load.eu'
	option endpoint_port '21036'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
Then after the interface is up and I run
ip addr add 172.21.95.1/32 peer 172.20.53.97/32 dev kioubit
Everything starts to work and BGP routes everything for DN42 network.
What does this mean?
Did you forget to tell us something important?
DN42 is a decentralized peer-to-peer network which I am testing now to get some more knowledge. Uses BGP among others. https://dn42.eu/Home
But that aside, if I kill FRR and only focus on the Wireguard part: the info I got about the Wireguard peer is above. The only way I can contact the remote tunnel IP is to add it with ip addr add as peer.
But that is lost when rebooting.
If you set a peer, especially with /32, then Linux gives a shit about subnet because it sees a host route, and as long as this route is directly reachable everything is fine.
Yes, [FYI] we now know the Wireguard peer is a BGP endpoint the OP intends to route other traffic through.
Try removing list addresses 'fdce:fc25:21::1/48'
and add list addresses '172.21.95.1/32'
also disable route_allowed_ips
It did not change anything.
Can't you add an extra route? Be it with UCI/Luci or as a static route within frr?
As a general debug process:
Ensure you can ping the external address.
Setup the tunnel and confirm that each peer is reachable.
Establish bgp and ensure it's connected.
Then add import and export rules and filters if needed.
And yes, with wireguard you have to disable route_allowed_ips and set ::/0 as well as 0.0.0.0/0 as allowed IPs. Or at least RFC1918 and ULA space...
Thank you all for your patience and support on this. I could not get it to work with routes, but only by setting peer on the interface.
DN42 Wireguard guide also has this
# choose the first ip from your subnet and the second one from the peer
$ ip addr add 172.xx.xx.xx/32 peer 172.xx.xx.xx/32 dev <interface_name>
For now I hacked a small hotplug script to fix it. Indeed very ugly, and it will probably give me some headaches later on when I have forgotten that it is there.
# cat /etc/hotplug.d/iface/50-kioubit
[ ifup = "$ACTION" ] && [ "$INTERFACE" = "kioubit" ] && {
	# fix peer
	ip addr add 172.21.95.1/32 peer 172.20.53.97/32 dev kioubit
}
Could perhaps improve it to take IPs and interface from a custom UCI config option to make it more generic.
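A generic version of that hotplug hook, written here as an added example (it is not the poster's script and not a standard OpenWrt feature): it reads the two tunnel addresses from custom UCI options on the interface section, validates them as IPv4 addresses with an optional prefix length so that a stray or malformed UCI value can never add extra words to the ip(8) command, and only then applies the peer address. The option names peer_local and peer_remote, the hotplug file name, and the UCI/IP variables (which exist so the functions can be exercised on a machine without uci or ip) are all assumptions of this example.

```shell
#!/bin/sh
# Hypothetical /etc/hotplug.d/iface/50-wg-peer (example, not from the thread).
# Expects, per interface, two custom UCI options in /etc/config/network, e.g.:
#
#   config interface 'kioubit'
#       ...
#       option peer_local  '172.21.95.1/32'    # our side of the tunnel
#       option peer_remote '172.20.53.97/32'   # the peer's side
#
# and runs:  ip addr add <peer_local> peer <peer_remote> dev <interface>
# Hotplug sources this file with ACTION and INTERFACE set by netifd.

UCI="${UCI:-uci}"   # overridable so the logic can be tested without uci(1)
IP="${IP:-ip}"      # overridable so the logic can be tested without ip(8)

# valid_ipv4 A.B.C.D[/N]: returns 0 only for a dotted quad with an optional
# prefix length 0..32. Everything else (empty, junk, shell metacharacters)
# is rejected so that a bad UCI value cannot reach the ip command.
valid_ipv4() {
    addr=${1%%/*}
    if [ "$addr" != "$1" ]; then
        plen=${1#*/}
        case $plen in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$plen" -le 32 ] || return 1
    fi
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# peer_args IFACE: prints the ip(8) argument list for IFACE, or returns 1
# (printing nothing) when either option is missing or fails validation.
peer_args() {
    iface=$1
    lcl=$($UCI -q get "network.$iface.peer_local" 2>/dev/null)
    rmt=$($UCI -q get "network.$iface.peer_remote" 2>/dev/null)
    valid_ipv4 "$lcl" || return 1
    valid_ipv4 "$rmt" || return 1
    printf 'addr add %s peer %s dev %s\n' "$lcl" "$rmt" "$iface"
}

# apply_peer IFACE: builds and runs the ip command; no-op if peer_args fails.
apply_peer() {
    args=$(peer_args "$1") || return 1
    # Word splitting is intentional: every word was validated above.
    $IP $args
}

# Hotplug entry point: act only when an interface comes up. Interfaces without
# the two options are silently ignored, so one file serves every tunnel.
if [ "$ACTION" = ifup ] && [ -n "$INTERFACE" ]; then
    apply_peer "$INTERFACE"
fi
```

Because netifd re-runs the hook on every ifup, the address is restored after a reboot or interface restart without a per-interface file; if the address is already present, ip(8) just reports that it exists.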
https://docs.frrouting.org/en/latest/static.html
ip route ${peer_addr} ${interface}
Did that not work?
@Joachim btw, is there a reason why you don't just peer via an ipv6 address and use multi protocol extensions to enable ipv4-via-ipv6 transport?
I don't see that frr is capable of setting a static v4 route with the "onlink" flag, but for v6 it's possible.
Edit: uff, onlink can only be set for routes with a gateway address. But v6 peering with link-local addresses on a tunnel interface is anyway an easier solution. Or you could use bird2.