Posted: Mon Jul 15, 2024 11:48 Post subject: [SOLVED] Wireguard: What has changed since r56409??
Hi all,
very weird issue, and it seems I am the only one. Asus RT-AC88U.
Since r56490 I can't use wireguard any more: no internet, wired and wireless. I just tried r57200 (even from scratch), no internet with wireguard enabled. As soon as I flash r56409 (pulled), all is fine.
Config is as simple as it could be: router (192.168.2.101, cascaded behind gateway 192.168.2.1), connection-type: disabled, IPv4 only, no SFE, no FA, no killswitch, no watchdog, no PBR, no obfuscation. 'Allow Clients WAN Access' is enabled.
Switch config (VLANs) disabled, seems normal when enabled.
Status in wireguard is normal, eg.
Code:
endpoint: 193.32.xxx.xx:51820
latest handshake: 2 seconds ago
transfer: 2.40 KiB received, 9.18 KiB sent
Also egc's wireguard-companion script looks normal:
Code:
Jul 15 13:21:07 DD-WRT user.info root: WireGuard no wan_gateway detected, assuming WAP
Jul 15 13:21:07 DD-WRT user.info root: WireGuard no wan_gateway detected, assuming WAP
Jul 15 13:21:07 DD-WRT user.info root: WireGuard number of non failed tunnels in fail set: 0
Jul 15 13:21:07 DD-WRT user.info root: Enable WireGuard interface oet1 on port 51820
Jul 15 13:21:07 DD-WRT user.info root: Establishing WireGuard tunnel with peer endpoint 193.32.xxx.xx:51820
Jul 15 13:21:07 DD-WRT user.info root: WireGuard experimental endpoint routing for oet1 to endpoint 193.32.xxx.xx:51820 is IPv4: [193.32.xxx.xx]
Jul 15 13:21:07 DD-WRT user.info root: WireGuard 10.67.199.119/32 added to oet1
Jul 15 13:21:07 DD-WRT user.info root: WireGuard no wan_gateway detected, assuming WAP
Jul 15 13:21:08 DD-WRT user.info root: WireGuard acquiring /tmp/oet-raip.lock for raip 6240
Jul 15 13:21:08 DD-WRT user.info root: WireGuard /tmp/oet-raip.lock acquired for raip 6240
Jul 15 13:21:08 DD-WRT user.info root: WireGuard waited 1 seconds to set routes for oet
Jul 15 13:21:08 DD-WRT user.info root: WireGuard route 0.0.0.0/1 added via oet1
Jul 15 13:21:08 DD-WRT user.info root: WireGuard route 128.0.0.0/1 added via oet1
Jul 15 13:21:08 DD-WRT user.info root: WireGuard DNS server 10.64.0.1 routed via oet1
Jul 15 13:21:09 DD-WRT user.info root: WireGuard waited 0 sec. for DNSMasq
Jul 15 13:21:09 DD-WRT user.info root: WireGuard released /tmp/oet-raip.lock for 6240
Jul 15 13:21:09 DD-WRT user.info root: WireGuard Killswitch for WAP on br0 only!, oet
Jul 15 13:21:09 DD-WRT user.info root: WireGuard acquiring /tmp/oet-fw.lock for firewall 6418
Jul 15 13:21:09 DD-WRT user.info root: WireGuard /tmp/oet-fw.lock acquired for 6418
Jul 15 13:21:09 DD-WRT user.info root: WireGuard NAT via oet1 for 10.67.199.119 enabled
Jul 15 13:21:09 DD-WRT user.info root: WireGuard IPv4 internet access for 10.67.199.119/32 enabled
Jul 15 13:21:09 DD-WRT user.info root: WireGuard released /tmp/oet-fw.lock for firewall 6418
Now as soon as I disable the tunnel (on r57200), clients have internet. [Sidenote: For some reason there was even no internet with wireguard disabled on r57200 UNTIL I started from scratch.]
Routing-table:
Code:
Destination LAN NET  Gateway      Table    Scope  Metric  IF                    Source
0.0.0.0/1                         default  link   0       oet1 - de-ber-wg-006
default              192.168.2.1  default         0       LAN & WLAN
10.64.0.1                         default  link   0       oet1 - de-ber-wg-006
127.0.0.0/8                       default  link   0       lo
128.0.0.0/1                       default  link   0       oet1 - de-ber-wg-006
192.168.2.0/24                    default  link   0       LAN & WLAN            192.168.2.101
193.32.xxx.xx        192.168.2.1  default         0       LAN & WLAN
According to svn nothing has changed regarding wireguard since r56409, so it must be something else.
I have no idea where to start, and why NO ONE ELSE reported this (as far as I can see, several are running even the wireguard-server without issues on newer builds).
Tnx for all ideas and looking into this!
_________________
3xBuffalo WLI-H4-D1300
1xBuffalo WZR-D1800H
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xAsus RT-AC87U
1xAsus RT-AC88U
1xTP710
Last edited by kooper2013 on Mon Jul 15, 2024 12:46; edited 1 time in total
Hi kp,
you are right, r56409 was pulled (but working for me). Downloaded and archived locally and flashed before it was pulled.
r56490 is the first build not working for me, not pulled.
OP edited.
I know the stickies, and usually egc edits them if something has changed. Nothing there, and nothing directly related to wg on svn. That's why I'm puzzled.
Posted: Mon Jul 15, 2024 14:23 Post subject:
Clients have WAN access, yet WAN is disabled as I re-read through the OP. Wireguard on a WAP is not the same as on a default configuration where the WAN is enabled.
Posted: Mon Jul 15, 2024 15:37 Post subject:
Our beloved main developer, in his infinite wisdom, has decided to disable connection tracking when the wan is disabled.
This breaks a lot of things, you are not the first one who is bitten by this.
Normally connection tracking was only disabled if you choose router mode but now also when you disable the wan.
I asked to revert this situation, but and I quote/paraphrase "you are an idiot if you do these kind of stupid things"
Quote:
I asked to revert this situation, but and I quote/paraphrase "you are an idiot if you do these kind of stupid things"
Well, so this was working, but it was wrong for ~15 years. Right? Or what?
The set of workarounds is ill, stretching over 2 pages. I haven't tried it yet, so this is what I get:
- set the dd-wrt router behind the gateway/primary router into 'gateway' mode (considering that the real gateway/primary router is doing things like DECT station, answering machine, a guest-net, etc).
- disable DHCP server, but keep dnsmasq enabled (I WANT dd-wrt to distribute IPs in my home-net, NOT the real gateway/primary router, and I WANT dnsmasq to do the DNS, not the primary router)
- enable firewall, but not use it, BUT set an extra-rule, and/or (depending on the build) MORE rules
- on SOME dd-wrt routers the WAN-port can not be used (on which and how to find out?)
- probably there will be more hiccups, preventing dd-wrt to JUST WORK and SERVE
(I do not post what I wanted on the first impulse.)
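The situation described in this thread (a WAP setup whose tunnel relies on NAT while connection tracking is reported as disabled) can be triaged from the syslog lines quoted in the first post. The following is an added example, not part of the thread, DD-WRT or egc's companion script; the function names are hypothetical and the default conntrack table path is an assumption about the router's kernel.

```shell
#!/bin/sh
# Added triage example; not part of DD-WRT or of egc's companion script.

# Constructed sample: a subset of the syslog lines quoted in the first post.
sample_log() {
cat <<'EOF'
Jul 15 13:21:07 DD-WRT user.info root: WireGuard no wan_gateway detected, assuming WAP
Jul 15 13:21:08 DD-WRT user.info root: WireGuard route 0.0.0.0/1 added via oet1
Jul 15 13:21:08 DD-WRT user.info root: WireGuard route 128.0.0.0/1 added via oet1
Jul 15 13:21:09 DD-WRT user.info root: WireGuard NAT via oet1 for 10.67.199.119 enabled
EOF
}

# Summarise what the log says was set up: WAP mode, both default-route halves, NAT.
wg_log_summary() {
    awk '
        /WireGuard no wan_gateway detected, assuming WAP/ { wap = 1 }
        /WireGuard route 0\.0\.0\.0\/1 added via /        { lo = 1; ifc = $NF }
        /WireGuard route 128\.0\.0\.0\/1 added via /      { hi = 1 }
        /WireGuard NAT via .* enabled/                    { nat = 1 }
        END {
            if (ifc == "") ifc = "-"
            printf "wap=%d default_via_tunnel=%d nat=%d iface=%s\n", wap, (lo && hi), nat, ifc
        }'
}

# $1: file with syslog text. $2: conntrack table file; the default path is an
# assumption about the router's kernel, pass another path if it differs.
wg_verdict() {
    table=${2:-/proc/net/nf_conntrack}
    summary=$(wg_log_summary < "$1")
    case "$summary" in
        "wap=1 default_via_tunnel=1 nat=1 "*) ;;
        *) echo "not-applicable: $summary"; return 0 ;;
    esac
    # NAT (MASQUERADE) only works on tracked connections, so an unreadable or
    # empty table while clients are generating traffic points at conntrack.
    if [ -n "$(head -n 1 "$table" 2>/dev/null)" ]; then
        echo "ok: NAT set up and conntrack has entries"
    else
        echo "suspect: NAT set up but no conntrack entries in $table"
    fi
}

if [ "${1:-}" = demo ]; then
    sample_log > /tmp/wg-sample.log
    wg_verdict /tmp/wg-sample.log
fi
```

Run it with `demo` as the only argument to evaluate the embedded sample, or call `wg_verdict` with a saved syslog file while a LAN client is trying to reach the internet through the tunnel.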