Wireguard problem; does not start

Hey,

everything worked well with WireGuard; I changed nothing except rebooting my router.
Now wg is supposed to be up, but there is no connection.

Sat Apr 20 10:56:35 2024 daemon.notice netifd: Interface 'wg0' is setting up now
Sat Apr 20 10:56:36 2024 daemon.notice netifd: Interface 'wg0' is now up
Sat Apr 20 10:56:36 2024 daemon.notice netifd: Network device 'wg0' link is up
Sat Apr 20 10:56:36 2024 user.notice firewall: Reloading firewall due to ifup of wg0 (wg0)
Sat Apr 20 10:56:36 2024 user.notice pbr [16015]: Reloading routing for 'wg0/0.0.0.0' [✓]
Sat Apr 20 10:56:37 2024 user.notice pbr: Sending reload signal to pbr due to firewall action: includes
Sat Apr 20 10:56:37 2024 user.notice pbr: Reusing the fw4 nft file.
Sat Apr 20 10:56:38 2024 user.notice pbr [16516]: Reloading routing for 'wg0/10.14.0.2' [✓]
Sat Apr 20 10:57:28 2024 daemon.notice netifd: Network device 'wg0' link is down
Sat Apr 20 10:57:28 2024 daemon.notice netifd: Interface 'wg0' is now down
Sat Apr 20 10:57:29 2024 user.notice pbr [17587]: Reloading routing for 'wg0/0.0.0.0' [✓]
Sat Apr 20 10:57:31 2024 user.notice pbr [18099]: Reloading routing for 'wg0/0.0.0.0' [✓]
Sat Apr 20 10:57:41 2024 daemon.notice netifd: Interface 'wg0' is setting up now
Sat Apr 20 10:57:41 2024 daemon.notice netifd: Interface 'wg0' is now up
Sat Apr 20 10:57:41 2024 daemon.notice netifd: Network device 'wg0' link is up
Sat Apr 20 10:57:41 2024 user.notice firewall: Reloading firewall due to ifup of wg0 (wg0)
Sat Apr 20 10:57:42 2024 user.notice pbr [18575]: Reloading routing for 'wg0/x.xx.xx.x' [✓]
Sat Apr 20 10:57:42 2024 user.notice pbr: Sending reload signal to pbr due to firewall action: includes
Sat Apr 20 10:57:43 2024 user.notice pbr: Reusing the fw4 nft file.
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda4:8ce3:3d07::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option metric '5'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxx'
	list addresses 'xx.xxx.xxx/16'
	option mtu '1390'
	option metric '10'

config wireguard_wg0
	option description 'ca-mon.conf'
	option public_key 'xxxxxxxx'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'ca-mon.prod.surfshark.com'
	option endpoint_port '51820'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

root@OpenWrt:~# 


root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wg0'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

Also, my internet works great, but there is a problem during opkg update:

root@OpenWrt:~# opkg update
Downloading https://downloads.openwrt.org/snapshots/targets/ipq806x/generic/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading https://downloads.openwrt.org/snapshots/targets/ipq806x/generic/packages/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/snapshots/packages/arm_cortex-a15_neon-vfpv4/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading https://downloads.openwrt.org/snapshots/packages/arm_cortex-a15_neon-vfpv4/base/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/snapshots/packages/arm_cortex-a15_neon-vfpv4/luci/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/snapshots/packages/arm_cortex-a15_neon-vfpv4/luci/Packages.gz

Downloading https://downloads.openwrt.org/snapshots/packages/arm_cortex-a15_neon-vfpv4/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/snapshots/packages/arm_cortex-a15_neon-vfpv4/packages/Packages.gz

Downloading https://downloads.openwrt.org/snapshots/packages/arm_cortex-a15_neon-vfpv4/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading https://downloads.openwrt.org/snapshots/packages/arm_cortex-a15_neon-vfpv4/routing/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/snapshots/packages/arm_cortex-a15_neon-vfpv4/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading https://downloads.openwrt.org/snapshots/packages/arm_cortex-a15_neon-vfpv4/telephony/Packages.sig
Signature check passed.
Collected errors:
 * xsystem: wget: Child killed by signal 6.
 * opkg_download: Failed to download https://downloads.openwrt.org/snapshots/packages/arm_cortex-a15_neon-vfpv4/luci/Packages.gz, wget returned -1.
 * xsystem: wget: Child killed by signal 6.
 * opkg_download: Failed to download https://downloads.openwrt.org/snapshots/packages/arm_cortex-a15_neon-vfpv4/packages/Packages.gz, wget returned -1.
root@OpenWrt:~# 


I'm not familiar with PBR (and you didn't show the PBR configuration), but I can answer the second part: You are on a snapshot build, not on a stable OpenWrt release. Using opkg to install packages is only recommended for a short time after the snapshot was built. Afterwards, kernel dependencies start to fail and then other stuff breaks due to updates to the packages and underlying system.

If you can, switch to a stable build.

1 Like

Yep, but I have my own build, so I choose what I want.

Then make a new build with the packages you want :slight_smile:

PBR also has seen a couple of updates so a new build with new PBR might solve your problem.

But it could well be a race condition, e.g. the wg interface is up before dnsmasq and the endpoint cannot be resolved, or some race condition with PBR.

After a reboot, try with:
ifdown wg0 && ifup wg0
and / or
service pbr restart

If this works, you can add it to startup (/etc/rc.local) and precede it with, e.g., sleep 10.

1 Like

I don't think the problem is about pbr.

That is what I do.

sleep 10: how do I do it for wg? Is sleep 10 in a scheduled task?

Sun Apr 21 11:00:18 2024 daemon.notice netifd: Network device 'wg0' link is down
Sun Apr 21 11:00:19 2024 daemon.notice netifd: Interface 'wg0' is now down
Sun Apr 21 11:00:19 2024 daemon.notice netifd: Interface 'wg0' is setting up now
Sun Apr 21 11:00:19 2024 daemon.notice netifd: Interface 'wg0' is now up
Sun Apr 21 11:00:19 2024 daemon.notice netifd: Network device 'wg0' link is up
Sun Apr 21 11:00:19 2024 user.notice firewall: Reloading firewall due to ifup of wg0 (wg0)
Sun Apr 21 11:00:19 2024 user.notice pbr [3910]: Removing routing for 'wan/xx.x.x.xx' [✓]
Sun Apr 21 11:00:20 2024 user.notice pbr [3910]: Removing routing for 'wg0/0.0.0.0' [✓]
Sun Apr 21 11:00:20 2024 user.notice pbr [3910]: service (nft mode) stopped [✓]
Sun Apr 21 11:00:20 2024 daemon.notice procd: /etc/rc.d/S95done: Command failed: ubus call service delete { "name": "pbr" } (Not found)
Sun Apr 21 11:00:20 2024 user.notice pbr [3910]: Using wan interface (on_start): wan
Sun Apr 21 11:00:20 2024 user.notice pbr [3910]: Found wan gateway (on_start): 24.49.243.1
Sun Apr 21 11:00:21 2024 user.notice pbr [3910]: Setting up routing for 'wan/xx.xx.x.x' [✓]
Sun Apr 21 11:00:21 2024 user.info banIP-0.9.5-r1[3692]: start banIP processing (boot)
Sun Apr 21 11:00:21 2024 daemon.info hostapd: phy1-ap0: STA 24:xxxx:xx:6d:25:1b IEEE 802.11: authenticated
Sun Apr 21 11:00:21 2024 kern.info kernel: [   75.600180] ath10k_pci 0001:01:00.0: mac flush vdev 0 drop 0 queues 0x1 ar->paused: 0x0  arvif->paused: 0x0
Sun Apr 21 11:00:21 2024 user.notice pbr [3910]: Setting up routing for 'wg0/0.0.0.0' [✗]
Sun Apr 21 11:00:21 2024 user.info banIP-0.9.5-r1[3692]: initialize banIP nftables namespace
Sun Apr 21 11:00:21 2024 user.info banIP-0.9.5-r1[3692]: start banIP download processes
Sun Apr 21 11:00:21 2024 daemon.info hostapd: phy1-ap0: STA  IEEE 802.11: authenticated
Sun Apr 21 11:00:21 2024 user.notice pbr [3910]: Routing 'pc_jim' via wg0 [✓]
Sun Apr 21 11:00:21 2024 daemon.info hostapd: phy1-ap0: STA  IEEE 802.11: associated (aid 1)
Sun Apr 21 11:00:21 2024 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED  auth_alg=open
Sun Apr 21 11:00:21 2024 daemon.info hostapd: phy1-ap0: STA WPA: pairwise key handshake completed (RSN)
Sun Apr 21 11:00:21 2024 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED 2
Sun Apr 21 11:00:21 2024 user.notice pbr [3910]: Routing 'formuler' via wan [✓]
Sun Apr 21 11:00:21 2024 user.notice pbr [3910]: Installing fw4 nft file [✗]
Sun Apr 21 11:00:22 2024 user.notice pbr [3910]: service monitoring interfaces: wan wg0

When you put the commands in startup (System > Startup > Local Startup, or edit /etc/rc.local), precede the commands with:
sleep 10
to sleep 10 seconds before executing, to make sure everything is running.

1 Like

OK, that is what I did, but wg does not work.

Make sure you do not bring up the WG interface at boot: in Interface > General settings, disable (untick) "Bring up on boot" (option auto '0').

That is all I can think of.

1 Like
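As an added example (not posted by anyone in this thread), here is a small startup helper that replaces the blind sleep 10 with a bounded wait until the peer's endpoint_host resolves, and only then runs the ifup wg0 and service pbr restart commands suggested above. It assumes wg0 has option auto '0' as suggested, that BusyBox nslookup is available, and the file name /etc/wg-start.sh and the logger tag are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: bring wg0 up only once its endpoint
# hostname resolves, instead of a fixed "sleep 10" in /etc/rc.local.
# Assumes wg0 has option auto '0' so netifd does not race dnsmasq at boot.
# Call from /etc/rc.local as:  sh /etc/wg-start.sh wg0   (file name is my choice)

# Print the endpoint_host of the peer section "wireguard_<iface>".
# Reads UCI config text from stdin so it can be tested without a router.
endpoint_host_from_config() {
    awk -v sect="wireguard_$1" '
        $1 == "config" { insect = ($2 == sect) }
        insect && $1 == "option" && $2 == "endpoint_host" { print $3; exit }
    ' | tr -d "'"
}

# Poll DNS up to $2 times, $3 seconds apart; 0 when the name resolves, 1 on timeout.
wait_for_resolve() {
    host=$1; tries=${2:-30}; interval=${3:-2}
    while [ "$tries" -gt 0 ]; do
        nslookup "$host" >/dev/null 2>&1 && return 0
        tries=$((tries - 1))
        sleep "$interval"
    done
    return 1
}

# The thread's recovery commands, run only after the endpoint is resolvable.
start_wg_after_dns() {
    iface=$1
    ep=$(endpoint_host_from_config "$iface" < /etc/config/network)
    if [ -z "$ep" ]; then
        logger -t wg-start "no endpoint_host for $iface"; return 1
    fi
    if wait_for_resolve "$ep"; then
        logger -t wg-start "$ep resolves, starting $iface"
        ifup "$iface" && service pbr restart
    else
        logger -t wg-start "$ep still unresolvable, leaving $iface down"; return 1
    fi
}

# Constructed sample in the shape of the thread's /etc/config/network (not the real file).
SAMPLE_CONFIG="config interface 'wg0'
	option proto 'wireguard'

config wireguard_wg0
	option endpoint_host 'ca-mon.prod.surfshark.com'
	option endpoint_port '51820'"

if [ $# -eq 1 ] && [ -r /etc/config/network ]; then start_wg_after_dns "$1"; fi
```

If the endpoint never resolves within the bound, the script leaves wg0 down and logs why, so `logread | grep wg-start` shows which side of the race failed.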

OK, and bring it up 10 seconds later in rc.local, right? I have the same problem with WireGuard; I think the problem is with the master snapshot.