I had Wireguard/Wireshark working on an older router (Netgear R6300) with a slightly earlier version of DD-WRT (don't remember what version). Upgraded the router and used a new DD-WRT version and I can't get it to work anymore.
The Wireguard tunnel settings page shows that Wireguard is handshaking.
-----------
endpoint: 104.129.56.132:1194
latest handshake: 5 seconds ago
transfer: 304 B received, 304 B sent
------------
But all traffic still gets routed directly to my ISP instead of going through the tunnel. To the best of my recollection, on the earlier router a route to oet1 was set up, but I don't see one anymore; instead the VPN endpoint address (104.129.56.4:1194) seems to be routed to vlan2, which is my WAN:
I changed the IP to /24 and rebooted the router. That added a route for oet1 to the routing table. So that may be progress, but unfortunately ipleak.net still shows my IP address as that of my ISP, not a VPN. I waited a few minutes in case it took a while for the VPN to set up, but ipleak.net still shows my ISP. The config page for DD-WRT tunnels shows that the VPN is still handshaking.
Thank you for looking at this.
Here are outputs you requested:
=============
root@Netgear R9000:~# wg
interface: oet1
public key: KF6+rIhIzscOC9fozD7f8Zk6nPwebNCML0hzECcUiFc=
private key: (hidden)
listening port: 51820
peer: 89DUtbYYyXcAktaB2cnCVA/YiZQEddYHuOz2K0vBAn4=
preshared key: (hidden)
endpoint: 104.129.56.132:1194
allowed ips: 0.0.0.0/1, 128.0.0.0/1
latest handshake: 19 seconds ago
transfer: 696 B received, 552 B sent
persistent keepalive: every 25 seconds
root@Netgear R9000:~# ip route show
default via 71.236.228.1 dev vlan2
71.236.228.0/22 dev vlan2 scope link src 71.236.228.176
100.104.252.0/24 dev oet1 scope link src 100.104.252.39
104.129.56.132 via 71.236.228.1 dev vlan2
127.0.0.0/8 dev lo scope link
192.1.1.0/24 dev br0 scope link src 192.1.1.250
-------------
root@Netgear R9000:~# grep -E -i 'oet|wireguard' /var/log/messages
Dec 31 16:00:24 Netgear R9000 user.info root: WireGuard number of non failed tunnels in fail set: 0
Dec 31 16:00:24 Netgear R9000 user.info root: Enable WireGuard interface oet1 on port 51820
Dec 31 16:00:24 Netgear R9000 user.info root: Establishing WireGuard tunnel with peer endpoint sea-290-wg.whiskergalaxy.com:1194
Dec 31 16:00:29 Netgear R9000 user.info root: WireGuard setting route for oet1 to endpoint sea-290-wg.whiskergalaxy.com:1194 via 0.0.0.0 dev vlan2
Dec 31 16:00:29 Netgear R9000 user.info root: WireGuard 100.104.252.39/24 added to oet1
Dec 31 16:00:29 Netgear R9000 user.info root: WireGuard set /tmp/oet.lock
Dec 31 16:00:31 Netgear R9000 user.info root: WireGuard number of non failed tunnels in fail set: 0
Dec 31 16:00:31 Netgear R9000 user.warn root: WireGuard: Could not delete endpoint route from oet1 peer0 to from sea-290-wg.whiskergalaxy.com
Dec 31 16:00:32 Netgear R9000 user.info root: Flush delete PBR interface oet1, table : 21
Dec 31 16:00:32 Netgear R9000 user.info root: Enable WireGuard interface oet1 on port 51820
Dec 31 16:00:32 Netgear R9000 user.info root: Establishing WireGuard tunnel with peer endpoint sea-290-wg.whiskergalaxy.com:1194
Dec 31 16:00:32 Netgear R9000 user.info root: WireGuard setting route for oet1 to endpoint sea-290-wg.whiskergalaxy.com:1194 via 71.236.228.1 dev vlan2
Dec 31 16:00:32 Netgear R9000 user.info root: WireGuard 100.104.252.39/24 added to oet1
Dec 31 16:00:32 Netgear R9000 user.info root: WireGuard set /tmp/oet.lock
Aug 6 01:43:18 Netgear R9000 user.info root: WireGuard waited 5 seconds to set routes for oet
Aug 6 01:43:18 Netgear R9000 user.info root: WireGuard route 0.0.0.0/1 added via oet1
Aug 6 01:43:18 Netgear R9000 user.info root: WireGuard route 128.0.0.0/1 added via oet1
Aug 6 01:43:18 Netgear R9000 user.info root: WireGuard DNS server 10.255.255.2 routed via oet1
Aug 6 01:43:19 Netgear R9000 user.info root: WireGuard number of non failed tunnels in fail set: 0
Aug 6 01:43:19 Netgear R9000 user.info root: WireGuard: Deleted endpoint route to 104.129.56.68 from sea-290-wg.whiskergalaxy.com
Aug 6 01:43:19 Netgear R9000 user.info root: Flush delete PBR interface oet1, table : 21
Aug 6 01:43:19 Netgear R9000 user.info root: Enable WireGuard interface oet1 on port 51820
Aug 6 01:43:19 Netgear R9000 user.info root: Establishing WireGuard tunnel with peer endpoint sea-290-wg.whiskergalaxy.com:1194
Aug 6 01:43:19 Netgear R9000 user.info root: WireGuard setting route for oet1 to endpoint sea-290-wg.whiskergalaxy.com:1194 via 71.236.228.1 dev vlan2
Aug 6 01:43:19 Netgear R9000 user.info root: WireGuard 100.104.252.39/24 added to oet1
Aug 6 01:43:19 Netgear R9000 user.info root: WireGuard set /tmp/oet.lock
root@Netgear R9000:~#
If I manually add those routes, then ipleak.net shows that my IP is now the IP of the VPN host as desired! And it appears that I can still access the internet as always.
Routing table looks like this now:
root@Netgear R9000:~# ip route show
0.0.0.0/1 dev oet1 scope link
default via 71.236.228.1 dev vlan2
71.236.228.0/22 dev vlan2 scope link src 71.236.228.176
100.104.252.0/24 dev oet1 scope link src 100.104.252.39
104.129.56.68 via 71.236.228.1 dev vlan2
127.0.0.0/8 dev lo scope link
128.0.0.0/1 dev oet1 scope link
192.1.1.0/24 dev br0 scope link src 192.1.1.250
root@Netgear R9000:~#
I am not using any scripts to set routes, nor have I been manually adding any. I've been relying on the DD-WRT Wireguard tunnel to set them as needed. Pretty sure that worked on my older router with a slightly older DD-WRT, because the VPN worked without manually setting any routes.
Is this possibly a DD-WRT bug in a recent DD-WRT release?
I don't know how to automatically add routes at startup. I could research that. But I don't think I want those routes added all the time because I don't want to run with the VPN active all the time.
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Sat Aug 06, 2022 13:24 Post subject:
As I do not have your router in hand it is always difficult to troubleshoot, but it could be that the script stalls on your DNS server.
This is the end of your log:
Quote:
Aug 6 01:43:18 Netgear R9000 user.info root: WireGuard route 0.0.0.0/1 added via oet1
Aug 6 01:43:18 Netgear R9000 user.info root: WireGuard route 128.0.0.0/1 added via oet1
Aug 6 01:43:18 Netgear R9000 user.info root: WireGuard DNS server 10.255.255.2 routed via oet1
Aug 6 01:43:19 Netgear R9000 user.info root: WireGuard number of non failed tunnels in fail set: 0
Aug 6 01:43:19 Netgear R9000 user.info root: WireGuard: Deleted endpoint route to 104.129.56.68 from sea-290-wg.whiskergalaxy.com
Aug 6 01:43:19 Netgear R9000 user.info root: Flush delete PBR interface oet1, table : 21
Aug 6 01:43:19 Netgear R9000 user.info root: Enable WireGuard interface oet1 on port 51820
Aug 6 01:43:19 Netgear R9000 user.info root: Establishing WireGuard tunnel with peer endpoint sea-290-wg.whiskergalaxy.com:1194
Aug 6 01:43:19 Netgear R9000 user.info root: WireGuard setting route for oet1 to endpoint sea-290-wg.whiskergalaxy.com:1194 via 71.236.228.1 dev vlan2
Aug 6 01:43:19 Netgear R9000 user.info root: WireGuard 100.104.252.39/24 added to oet1
Aug 6 01:43:19 Netgear R9000 user.info root: WireGuard set /tmp/oet.lock
Unfortunately, when the router starts, a lot of services start and restart multiple times; that is not something under my control.
WireGuard is usually started three times.
This is from the second time it starts:
Quote:
Aug 6 01:43:18 Netgear R9000 user.info root: WireGuard waited 5 seconds to set routes for oet
Aug 6 01:43:18 Netgear R9000 user.info root: WireGuard route 0.0.0.0/1 added via oet1
Aug 6 01:43:18 Netgear R9000 user.info root: WireGuard route 128.0.0.0/1 added via oet1
Aug 6 01:43:18 Netgear R9000 user.info root: WireGuard DNS server 10.255.255.2 routed via oet1
But then it stops possibly while trying to set DNS.
Normally it would look like this:
Quote:
Aug 6 15:18:03 R7800-2 user.info root: WireGuard set /tmp/oet.lock
Aug 6 15:18:03 R7800-2 user.info root: WireGuard waited 1 seconds to set routes for oet
Aug 6 15:18:03 R7800-2 user.info root: WireGuard route 0.0.0.0/1 added via oet1
Aug 6 15:18:03 R7800-2 user.info root: WireGuard route 128.0.0.0/1 added via oet1
Aug 6 15:18:03 R7800-2 user.info root: WireGuard DNS server 9.9.9.9 routed via oet1
Aug 6 15:18:04 R7800-2 user.info root: WireGuard waited 0 sec. for DNSMasq
Aug 6 15:18:04 R7800-2 user.info root: WireGuard released /tmp/oet.lock
Note the last two lines, the first indicating that the DNS server is used (in my case 9.9.9.9) for DNSMasq and the last line releasing the lock on the script.
Those lines are missing, which could indicate that the script hangs, and therefore the third iteration of the script, which sets the routes, is not executed, because your log stops at:
Quote:
Aug 6 01:43:19 Netgear R9000 user.info root: WireGuard set /tmp/oet.lock
which is when the script is trying to acquire a lock but cannot.
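The two checks discussed in this thread, whether the start script ever released /tmp/oet.lock and whether the 0.0.0.0/1 and 128.0.0.0/1 half-routes actually point at oet1, written up as an added example (not code from DD-WRT or from either poster). The log and routing-table samples are constructed to mirror the output above; on a router you would feed it /var/log/messages and `ip route show` instead.

```shell
#!/bin/sh
# Constructed sample: a start-script run that stops right after taking the
# lock, with no matching "released" line (the hang suspected in the thread).
SAMPLE_LOG_HUNG='Aug 6 01:43:18 R9000 user.info root: WireGuard route 0.0.0.0/1 added via oet1
Aug 6 01:43:18 R9000 user.info root: WireGuard DNS server 10.255.255.2 routed via oet1
Aug 6 01:43:19 R9000 user.info root: WireGuard set /tmp/oet.lock'

# Constructed sample: the same run completing and releasing the lock.
SAMPLE_LOG_OK="$SAMPLE_LOG_HUNG
Aug 6 01:43:20 R9000 user.info root: WireGuard waited 0 sec. for DNSMasq
Aug 6 01:43:20 R9000 user.info root: WireGuard released /tmp/oet.lock"

# Constructed sample: only the endpoint host route exists, so LAN traffic
# still leaves via vlan2 (the symptom reported above).
SAMPLE_ROUTES_BROKEN='default via 71.236.228.1 dev vlan2
100.104.252.0/24 dev oet1 scope link src 100.104.252.39
104.129.56.68 via 71.236.228.1 dev vlan2'

# Constructed sample: the table after the two half-routes were added.
SAMPLE_ROUTES_OK="$SAMPLE_ROUTES_BROKEN
0.0.0.0/1 dev oet1 scope link
128.0.0.0/1 dev oet1 scope link"

# oet_lock_state: read syslog text on stdin and print "held", "released"
# or "none" according to the LAST lock event seen for /tmp/oet.lock.
oet_lock_state() {
  awk '/WireGuard set \/tmp\/oet\.lock/      { s = "held" }
       /WireGuard released \/tmp\/oet\.lock/ { s = "released" }
       END { print (s == "" ? "none" : s) }'
}

# wg_half_routes_ok IFACE: read `ip route show` output on stdin; exit 0 only
# if both 0.0.0.0/1 and 128.0.0.0/1 are routed out of IFACE. Together these
# two prefixes cover every address, so they override the default route.
wg_half_routes_ok() {
  awk -v dev="$1" '
    { d = ""; for (i = 1; i < NF; i++) if ($i == "dev") d = $(i + 1) }
    d == dev && $1 == "0.0.0.0/1"   { lo = 1 }
    d == dev && $1 == "128.0.0.0/1" { hi = 1 }
    END { exit !(lo && hi) }'
}

# Live use on the router (the samples above are used by the self-test):
#   oet_lock_state < /var/log/messages
#   ip route show | wg_half_routes_ok oet1 && echo "tunnel routes present"
```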
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Sat Aug 06, 2022 14:18 Post subject:
WireGuard waits until NTP is updated, so that is not the problem; the "waited 5 seconds" line is how long it took before NTP was working.
Code:
Dec 31 16:00:32 Netgear R9000 user.info root: WireGuard set /tmp/oet.lock
Aug 6 01:43:18 Netgear R9000 user.info root: WireGuard waited 5 seconds to set routes for oet