
FS#2104 - wireguard: adds endpoint host to routing list. ( without need ) #7134

Closed
openwrt-bot opened this issue Feb 6, 2019 · 8 comments

@openwrt-bot

EUA:

Environment: ramips, OpenWrt 18.06.[1-2], MediaTek MT7621, Xiaomi Mi Router 3G

Description:
I tried to set up the router as a WG client for a while, but it doesn't work on my setup.
After research, I realized that the luci-wireguard application adds a static route somehow.
Also, after terminating the wireguard connection, that static routing record is not removed.
After removing the unneeded endpoint record (51.x.x.x in my setup) from the routing table by hand, Wireguard starts working properly.

root@MainRouter:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.2.1 0.0.0.0 UG 0 0 0 eth0.2
10.0.2.0 * 255.255.255.0 U 0 0 0 wg0
51.x.x.x MainRouter.lan 255.255.255.255 UGH 0 0 0 br-lan
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.2.0 * 255.255.255.0 U 0 0 0 eth0.2

PS: MainRouter.lan is name of the router. (192.168.1.1)

@openwrt-bot

EUA:

The issue arises from the proto_add_host_dependency routine.
Deactivating it makes it work again.

--- wireguard.sh.org 2019-02-06 17:19:22.000000000 +0300
+++ wireguard.sh 2019-02-06 17:22:18.000000000 +0300
@@ -180,7 +180,7 @@
sed -E 's/[?([0-9.:a-f]+)]?:([0-9]+)/\1 \2/' |
while IFS=$'\t ' read -r key address port; do
[ -n "${port}" ] || continue

  • proto_add_host_dependency "${config}" "${address}"
  • #proto_add_host_dependency "${config}" "${address}"
    done
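Review bot: commenting out proto_add_host_dependency drops the host-route dependency for every WireGuard interface, not only for setups like this one where the endpoint is already reachable through br-lan; as jow- explains further down, a full-tunnel configuration that redirects the default route relies on exactly that host route, so this change would route the tunnel's own encrypted packets into wg0 in that case. Rather than removing the line, gate the call on a per-interface option or on whether the endpoint sits on a directly connected subnet, and keep this edit as a local diagnostic only.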

@openwrt-bot

jow-:

Do you have multiple default routes on your system? Did you set a gateway option on lan by any chance? If so, remove it.

@openwrt-bot

EUA:

Multiple default routes? What does that mean? As you can see in my routing table, there is only one default route, which is 192.168.2.1 on the wan (eth0.2) port of the router.

Also, I don't know how I could set a "gateway" option on lan. Lan IP 192.168.1.1 is the gateway for our local LAN, as it needs to be. 192.168.2.1 is the modem.

Anyway, I don't understand what the "proto_add_host_dependency" routine does, why it is necessary, and why it isn't removed on termination of the connection.

Thanks.

@openwrt-bot

Bluse:

Hi Erdem,

For a similar issue on my side I hacked this patch to solve the issue of Wireguard calling proto_add_host_dependency just in such cases where the address is a remote IP with a routing table entry. Can you apply this patch to check whether it fixes the problem on your side, so it might be a relevant issue to fix in general?

commit 9530b0803ffe1dfa57f714d961cdfc3932e71825
Author: Thomas Huehn <thomas@net.t-labs.tu-berlin.de>
Date: Sun Feb 18 21:59:21 2018 +0100

wireguard: add distinction for remote and local endpoint ip

This patch fixes a bug when someone tries to set up a Wireguard tunnel
to an endpoint where its ip belongs to a local subnet, e.g. in a Freifunk
olsr mesh. The call of proto_add_host_dependency() is just needed in cases
where the endpoint is reachable via a default gateway but not in such cases
where the endpoint is part of a local subnet.

Signed-off-by: Thomas Huehn <thomas@net.t-labs.tu-berlin.de>

diff --git a/package/network/services/wireguard/files/wireguard.sh b/package/network/services/wireguard/files/wireguard.sh
index 96fa7215ffc8..fbde0fdb2c5e 100644
--- a/package/network/services/wireguard/files/wireguard.sh
+++ b/package/network/services/wireguard/files/wireguard.sh
@@ -16,6 +16,10 @@ fi
init_proto "$@"
}

+is_remote_ip() {

  • ip route get $1 | grep "via $(ip route | grep -m1 default | cut -d" " -f3)"
    

+}
+

proto_wireguard_init_config() {
proto_config_add_string "private_key"
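Review bot: is_remote_ip classifies an endpoint as remote only when the output of `ip route get` contains a `via` equal to the third word of the first `default` line of `ip route`. That misclassifies endpoints behind a point-to-point uplink (a `default dev pppoe-wan` route has no `via` and the cut yields `dev`), endpoints reached through a non-default static route (a different gateway, so no match), and the case where no default route exists yet (the cut yields an empty string and the grep degenerates to matching any `via`); in all of these the host dependency is silently skipped or wrongly added. Quote the argument (`ip route get "$1"`), use `grep -q` so the matched route line does not leak to stdout, and consider deciding "local" by whether the endpoint falls inside an on-link (`scope link`) prefix rather than by comparing gateway text.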
@@ -180,7 +184,10 @@ proto_wireguard_setup() {
sed -E 's/[?([0-9.:a-f]+)]?:([0-9]+)/\1 \2/' |
while IFS=$'\t ' read -r key address port; do
[ -n "${port}" ] || continue

  • proto_add_host_dependency "${config}" "${address}"
  • is_remote_ip ${address} && {
  •  logger -t Wireguard "no local route to endpoint - call proto_add_host_dependency()"
    
  •  proto_add_host_dependency "${config}" "${address}"
    
  • }
    done

proto_send_update "${config}"
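Review bot: `is_remote_ip ${address}` should quote the argument as `"${address}"`, matching the quoted proto_add_host_dependency call it wraps. The skipped branch is also silent: when is_remote_ip returns non-zero nothing is logged, so an endpoint that was misclassified as local and later loses its route is hard to diagnose; log that branch too. Finally, the dependency is still installed unconditionally whenever the endpoint is remote, leaving no opt-out for setups that manage routing themselves (multiple uplinks, policy routing); a per-interface option would cover both this case and the original report.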

Greetings Thomas

@openwrt-bot

hatramatra:

I must chip in that the use of proto_add_host_dependency makes very little sense here. What is the use case for it, please? What problem is it trying to solve? The only scenario I can think of where it would make even remotely any sense is if remote allowed-ips contain 0.0.0.0/0, or simply any less specific route for the remote endpoint. But isn't it then better to solve it with fwmark and lookups in a dedicated routing table?

Because then there are all those use cases where the path to the remote endpoint changes (primary/secondary wan links) and one absolutely wants the wireguard tunnel to re-route the encrypted packets via the new uplink. In my case, there is a floating static route pointing to the backup connectivity and a primary line with bgp routing. I had to get rid of the proto_add_host_dependency line from the wireguard.sh script altogether for the wireguard interface to even be created under such a setup.

/Martin

@openwrt-bot

tve:

Ditto here. I want to second hatramatra's comment. I use wireguard on a Gl.Inet router and the proto_add_host_dependency locks in the route. Problem is it locks to an ethernet route, which comes up first, but I actually want the tunnel to go via a cellular route, which takes time to come up. The preferred default route is via the cellular and a second higher-metric default route goes via ethernet.
What is the proto_add_host_dependency trying to achieve?

@openwrt-bot

jow-:

The proto_add_host_dependency call ensures that a host route towards the remote endpoint IP is installed. Without such a route, the tunnel would collapse eventually when the default route is redirected through the tunnel.

This is intended to cover the default use case of a VPN where all traffic is tunneled. If you do not require such a host route, or if you manage the routing manually, set option nohostroute 1 in the interface section.
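The two technical points in this thread, Thomas's local-versus-remote endpoint test from the patch above and jow-'s explanation of why the host route exists, as one added shell example. This is not OpenWrt's wireguard.sh and not the posted patch; it runs offline on a constructed routing table modelled on the one in the report, and every address in it (including the 51.0.0.2 endpoint) is made up. It decides "remote" by longest-prefix match against on-link routes instead of grepping for "via", so a "default dev pppoe-wan" uplink is handled correctly, and it then shows the endpoint resolving to wg0 once the default route moves into the tunnel unless a /32 host route pins it to the real uplink.

```shell
#!/bin/sh
# Added example for this thread; not OpenWrt's wireguard.sh and not the patch
# posted above. Everything runs against a constructed IPv4 routing table in
# "ip route" format, so it works offline. Two points are modelled:
#   1. needs_host_route: the local-vs-remote endpoint distinction, decided by
#      longest-prefix match against on-link ("scope link") routes rather than
#      by grepping for "via", so a point-to-point uplink such as
#      "default dev pppoe-wan" still counts as remote;
#   2. route_dev after the default route moves into wg0: without a pinned
#      /32 host route the endpoint itself resolves to wg0, which is the
#      collapse proto_add_host_dependency exists to prevent.

# Constructed table modelled on the one in the report; all addresses hypothetical.
ROUTES='default via 192.168.2.1 dev eth0.2
10.0.2.0/24 dev wg0 proto kernel scope link src 10.0.2.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth0.2 proto kernel scope link src 192.168.2.10'
# Same table with a PPP uplink (no "via" on the default route).
ROUTES_PPP=$(printf '%s\n' "$ROUTES" | sed 's/^default .*/default dev pppoe-wan/')
# Same table after a full tunnel redirected the default route into wg0 ...
ROUTES_TUNNELED=$(printf '%s\n' "$ROUTES" | sed 's/^default .*/default dev wg0/')
# ... and with the host route that proto_add_host_dependency keeps installed.
ROUTES_PINNED="51.0.0.2 via 192.168.2.1 dev eth0.2
$ROUTES_TUNNELED"

# ip4_to_int DOTTED: print the address as an unsigned 32-bit integer.
ip4_to_int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# in_prefix ADDR CIDR: succeed when ADDR lies inside CIDR (a bare address is /32).
in_prefix() {
    p_net=${2%/*}; p_len=${2#*/}
    [ "$p_len" = "$2" ] && p_len=32
    if [ "$p_len" -eq 0 ]; then p_mask=0
    else p_mask=$(( (4294967295 << (32 - p_len)) & 4294967295 )); fi
    [ $(( $(ip4_to_int "$1") & p_mask )) -eq $(( $(ip4_to_int "$p_net") & p_mask )) ]
}

# best_route ADDR TABLE: print the longest-prefix matching line (empty if none).
best_route() {
    addr=$1
    match=$(printf '%s\n' "$2" | while read -r dst rest; do
        [ -n "$dst" ] || continue
        cidr=$dst; [ "$dst" = default ] && cidr=0.0.0.0/0
        case "$cidr" in *:*) continue ;; esac        # IPv4 only
        in_prefix "$addr" "$cidr" || continue
        plen=${cidr#*/}; [ "$plen" = "$cidr" ] && plen=32
        echo "$plen $dst $rest"                       # prefix length first, for sort
    done | sort -n | tail -n 1)
    printf '%s\n' "${match#* }"
}

# route_dev ADDR TABLE: the interface the kernel would send ADDR out of.
route_dev() {
    r=$(best_route "$1" "$2"); r=${r#*dev }; printf '%s\n' "${r%% *}"
}

# needs_host_route ADDR TABLE: succeed unless ADDR is on a directly connected
# subnet. With no matching route at all it also succeeds (the safe default).
needs_host_route() {
    case "$(best_route "$1" "$2")" in *"scope link"*) return 1 ;; *) return 0 ;; esac
}

# Demonstration on the constructed tables.
for ep in 51.0.0.2 192.168.1.50; do
    if needs_host_route "$ep" "$ROUTES"; then
        echo "$ep: remote via $(route_dev "$ep" "$ROUTES"), host route needed"
    else
        echo "$ep: on-link via $(route_dev "$ep" "$ROUTES"), no host route needed"
    fi
done
echo "PPP uplink, remote endpoint needs host route: $(needs_host_route 51.0.0.2 "$ROUTES_PPP" && echo yes || echo no)"
echo "tunnel up, no host route:   endpoint leaves via $(route_dev 51.0.0.2 "$ROUTES_TUNNELED")"
echo "tunnel up, host route kept: endpoint leaves via $(route_dev 51.0.0.2 "$ROUTES_PINNED")"
```

The on-link test is the piece a "grep via" check cannot do: both a LAN neighbour and a host behind a PPP default route show up from `ip route get` as `dev X src Y` with no `via`, so only the presence of a connected (`scope link`) prefix covering the endpoint separates the two. The last two lines show the collapse jow- describes: with `default dev wg0` and nothing more specific, the endpoint is looked up through the tunnel it is supposed to carry.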

@openwrt-bot

jow-:

The nohostroute option has been introduced with https://git.openwrt.org/28920330f86d628a287f00f2596f4aaead8e2e19
