OpenWrt/LEDE Project

  • Status Unconfirmed
  • Percent Complete 0%
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
Attached to Project: OpenWrt/LEDE Project
Opened by Erdem U. Altinyurt - 06.02.2019

FS#2104 - wireguard: adds endpoint host to routing list. ( without need )

Environment: ramips, OpenWrt 18.06.[1-2], MediaTek MT7621, Xiaomi Mi Router 3G

Description:
I tried to set up the router as a WG client for a while, but it doesn't work on my setup.
After some research, I realized that the luci-wireguard application somehow adds a static route.
Also, after terminating the wireguard connection, that static routing record is not removed. After removing the unneeded endpoint record from the routing table (51.x.x.x in my setup) by hand, Wireguard starts working properly.

root@MainRouter:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0.2
10.0.2.0        *               255.255.255.0   U     0      0        0 wg0
51.x.x.x        MainRouter.lan  255.255.255.255 UGH   0      0        0 br-lan
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0.2

PS: MainRouter.lan is name of the router. (192.168.1.1)

Erdem U. Altinyurt commented on 06.02.2019 14:26

The issue arises from the proto_add_host_dependency routine.
Deactivating it makes it work again.

--- wireguard.sh.org	2019-02-06 17:19:22.000000000 +0300
+++ wireguard.sh	2019-02-06 17:22:18.000000000 +0300
@@ -180,7 +180,7 @@
     sed -E 's/\[?([0-9.:a-f]+)\]?:([0-9]+)/\1 \2/' | \
     while IFS=$'\t ' read -r key address port; do
     [ -n "${port}" ] || continue
-    proto_add_host_dependency "${config}" "${address}"
+    #proto_add_host_dependency "${config}" "${address}"
   done
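
Review bot: The proto_add_host_dependency call at the changed line is commented out unconditionally, so the loop now skips it for every peer endpoint that has a port, not only for the endpoint that misbehaves in this report. If the call is wrong only for some endpoints, guard it with a condition instead of disabling it, and delete the line rather than leaving it commented out so the script does not carry dead code.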
Admin
Jo-Philipp Wich commented on 06.02.2019 14:32

Do you have multiple default routes on your system? Did you set a `gateway` option on lan by any chance? If so, remove it.

Erdem U. Altinyurt commented on 07.02.2019 00:22

Multiple default routes? What does it mean? As you can see in my routing table, there is only one default route, which is 192.168.2.1 on the wan (eth0.2) port of the router.

Also, I don't know how I can set a "gateway" option on lan. LAN IP 192.168.1.1 is a gateway for our local LAN, as it needs to be. 192.168.2.1 is the modem.

Anyway, I don't understand what the "proto_add_host_dependency" routine does, why it is necessary, and why it isn't removed at termination of the connection.

Thanks.

Bluse-Blue commented on 20.02.2019 00:44

Hi Erdem,

For a similar issue on my side, I hacked this patch to solve the issue of Wireguard calling proto_add_host_dependency just in such cases where the address is a remote IP with a routing table entry. Can you apply this patch to check whether it fixes the problem on your side, so it might be a relevant issue to fix in general?


commit 9530b0803ffe1dfa57f714d961cdfc3932e71825
Author: Thomas Huehn <thomas@net.t-labs.tu-berlin.de>
Date:   Sun Feb 18 21:59:21 2018 +0100

    wireguard: add distinction for remote and local endpoint ip

    This patch fixes a bug when someone tries to set up a Wireguard tunnel
    to an endpoint where its ip belongs to a local subnet, e.g. in a Freifunk
    olsr mesh. The call of proto_add_host_dependency() is just needed in cases
    where the endpoint is reachable via a default gateway but not in such cases
    where the endpoint is part of a local subnet.

    Signed-off-by: Thomas Huehn <thomas@net.t-labs.tu-berlin.de>

diff --git a/package/network/services/wireguard/files/wireguard.sh b/package/network/services/wireguard/files/wireguard.sh
index 96fa7215ffc8..fbde0fdb2c5e 100644
--- a/package/network/services/wireguard/files/wireguard.sh
+++ b/package/network/services/wireguard/files/wireguard.sh
@@ -16,6 +16,10 @@ fi
   init_proto "$@"
 }

+is_remote_ip() {
+     ip route get $1 | grep "via $(ip route | grep -m1 default | cut -d" " -f3)"
+}
+

 proto_wireguard_init_config() {
   proto_config_add_string "private_key"
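
Review bot: The grep pattern in the added is_remote_ip is built from the first IPv4 default gateway only, and several details make the test unreliable. `$1` is unquoted; the matching line is written to stdout on every call (use `grep -q`); the gateway is matched as an unanchored regex, so `via 192.168.2.1` also matches `via 192.168.2.10`; and when no default route exists the `cut` output is empty, the pattern becomes `via ` and any routed destination matches. `ip route` without `-6` also lists IPv4 routes only, while the endpoint regex in the next hunk accepts `:` in addresses, so IPv6 endpoints are never treated as remote. Consider testing for any `via` hop in the output of `ip route get "$1"` rather than for the default gateway string.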
@@ -180,7 +184,10 @@ proto_wireguard_setup() {
     sed -E 's/\[?([0-9.:a-f]+)\]?:([0-9]+)/\1 \2/' | \
     while IFS=$'\t ' read -r key address port; do
     [ -n "${port}" ] || continue
-    proto_add_host_dependency "${config}" "${address}"
+    is_remote_ip ${address} && {
+      logger -t Wireguard "no local route to endpoint - call proto_add_host_dependency()"
+      proto_add_host_dependency "${config}" "${address}"
+    }
   done

   proto_send_update "${config}"
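
Review bot: In the `is_remote_ip ${address} && { ... }` guard, any non-zero result skips the dependency silently, including the case where `ip route get` itself fails because no route to the endpoint exists yet when the interface is set up; only the positive branch is logged. Quote `"${address}"`, and consider logging the skipped branch as well or falling back to proto_add_host_dependency when the lookup fails. The logger line also fires for each endpoint on every setup, which is noisy for a message that is always on.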


Greetings Thomas
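
An added example, not part of this thread or of the OpenWrt code base: one way to tell an on-link endpoint from one reached through a gateway by parsing a line of `ip route get` output. It goes beyond the patch above by keying on any `via` hop instead of the first default gateway and by covering IPv6; the helper names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify one line of `ip route get <addr>` output.
# classify_route and needs_host_route are hypothetical helper names.

# Prints "gateway <gw> <dev>", "onlink <dev>" or "local".
# Fails (status 1) on empty input or an unreachable/blackhole style answer.
# The body is a subshell, so `exit` and `set -f` stay inside the function.
classify_route() (
    set -f                      # no globbing while word-splitting
    set -- $1                   # split the line into fields on purpose
    [ $# -gt 0 ] || exit 1
    kind=""; gw=""; dev=""
    case "$1" in
        local) kind=local ;;
        unreachable|prohibit|blackhole|throw) exit 1 ;;
    esac
    while [ $# -gt 0 ]; do
        case "$1" in
            via) [ $# -ge 2 ] || exit 1; gw=$2; shift ;;
            dev) [ $# -ge 2 ] || exit 1; dev=$2; shift ;;
        esac
        shift
    done
    [ -n "$dev" ] || exit 1
    if [ "$kind" = local ]; then echo "local"
    elif [ -n "$gw" ]; then echo "gateway $gw $dev"
    else echo "onlink $dev"
    fi
)

# True only when the endpoint is reached through a next hop.
needs_host_route() {
    case "$(classify_route "$1")" in
        "gateway "*) return 0 ;;
    esac
    return 1
}

# Constructed sample lines (documentation address ranges), not captured output.
for line in \
    "203.0.113.10 via 192.168.2.1 dev eth0.2 src 192.168.2.100 uid 0" \
    "192.168.1.50 dev br-lan src 192.168.1.1 uid 0" \
    "2001:db8::1 from :: via fe80::1 dev eth0.2 src 2001:db8:1::2 metric 1024 pref medium"
do
    printf '%-8s %s\n' "$(classify_route "$line" | cut -d' ' -f1)" "$line"
done
```

On a router the argument would be the output of `ip route get "$address"`; a failed lookup yields an empty string, which the function reports as an error instead of as "not remote".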
