[SOLVED] Wireguard: What has changed since r56409??

kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 120
Location: DE

PostPosted: Mon Jul 15, 2024 11:48    Post subject: [SOLVED] Wireguard: What has changed since r56409??
Hi all,

very weird issue, and it seems I am the only one. Asus RT-AC88U.

Since r56490 I can't use wireguard any more: no internet, wired and wireless. I just tried r57200 (even from scratch), no internet with wireguard enabled. As soon as I flash r56409 (pulled), all is fine.
Config is as simple as it could be: router (192.168.2.101, cascaded behind gateway 192.168.2.1), connection-type: disabled, IPv4 only, no SFE, no FA, no killswitch, no watchdog, no PBR, no obfuscation. 'Allow Clients WAN Access' is enabled.
Switch config (VLANs) disabled, seems normal when enabled.

Status in WireGuard is normal, e.g.
Code:
  endpoint: 193.32.xxx.xx:51820
  latest handshake: 2 seconds ago
  transfer: 2.40 KiB received, 9.18 KiB sent


Also egc's wireguard-companion script looks normal:
Code:
Jul 15 13:21:07 DD-WRT user.info root: WireGuard no wan_gateway detected, assuming WAP
Jul 15 13:21:07 DD-WRT user.info root: WireGuard no wan_gateway detected, assuming WAP
Jul 15 13:21:07 DD-WRT user.info root: WireGuard number of non failed tunnels in fail set: 0
Jul 15 13:21:07 DD-WRT user.info root: Enable WireGuard interface oet1 on port 51820
Jul 15 13:21:07 DD-WRT user.info root: Establishing WireGuard tunnel with peer endpoint 193.32.xxx.xx:51820
Jul 15 13:21:07 DD-WRT user.info root: WireGuard experimental endpoint routing for oet1 to endpoint 193.32.xxx.xx:51820 is IPv4: [193.32.xxx.xx]
Jul 15 13:21:07 DD-WRT user.info root: WireGuard 10.67.199.119/32 added to oet1
Jul 15 13:21:07 DD-WRT user.info root: WireGuard no wan_gateway detected, assuming WAP
Jul 15 13:21:08 DD-WRT user.info root: WireGuard acquiring /tmp/oet-raip.lock for raip 6240
Jul 15 13:21:08 DD-WRT user.info root: WireGuard /tmp/oet-raip.lock acquired for raip 6240
Jul 15 13:21:08 DD-WRT user.info root: WireGuard waited 1 seconds to set routes for oet
Jul 15 13:21:08 DD-WRT user.info root: WireGuard route 0.0.0.0/1 added via oet1
Jul 15 13:21:08 DD-WRT user.info root: WireGuard route 128.0.0.0/1 added via oet1
Jul 15 13:21:08 DD-WRT user.info root: WireGuard DNS server 10.64.0.1 routed via oet1
Jul 15 13:21:09 DD-WRT user.info root: WireGuard waited 0 sec. for DNSMasq
Jul 15 13:21:09 DD-WRT user.info root: WireGuard released /tmp/oet-raip.lock for 6240
Jul 15 13:21:09 DD-WRT user.info root: WireGuard Killswitch for WAP on br0 only!, oet
Jul 15 13:21:09 DD-WRT user.info root: WireGuard acquiring /tmp/oet-fw.lock for firewall 6418
Jul 15 13:21:09 DD-WRT user.info root: WireGuard /tmp/oet-fw.lock acquired for 6418
Jul 15 13:21:09 DD-WRT user.info root: WireGuard NAT via oet1 for 10.67.199.119 enabled
Jul 15 13:21:09 DD-WRT user.info root: WireGuard IPv4 internet access for 10.67.199.119/32 enabled
Jul 15 13:21:09 DD-WRT user.info root: WireGuard released /tmp/oet-fw.lock for firewall 6418


Now as soon as I disable the tunnel (on r57200), clients have internet. [Sidenote: For some reason there was even no internet with WireGuard disabled on r57200 UNTIL I started from scratch.]

Routing-table:
Code:
Destination LAN NET   Gateway       Table     Scope   Metric   IF                      Source
0.0.0.0/1             -             default   link    0        oet1 - de-ber-wg-006    -
default               192.168.2.1   default   -       0        LAN & WLAN              -
10.64.0.1             -             default   link    0        oet1 - de-ber-wg-006    -
127.0.0.0/8           -             default   link    0        lo                      -
128.0.0.0/1           -             default   link    0        oet1 - de-ber-wg-006    -
192.168.2.0/24        -             default   link    0        LAN & WLAN              192.168.2.101
193.32.xxx.xx         192.168.2.1   default   -       0        LAN & WLAN              -



According to svn nothing has changed regarding wireguard since r56409, so it must be something else.

I have no idea where to start, and why NO ONE ELSE reported this (as far as I can see, several are running even the wireguard-server without issues on newer builds).

Thanks for all ideas and for looking into this!

_________________
3xBuffalo WLI-H4-D1300
1xBuffalo WZR-D1800H
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xAsus RT-AC87U
1xAsus RT-AC88U
1xTP710


Last edited by kooper2013 on Mon Jul 15, 2024 12:46; edited 1 time in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 15513
Location: Texas, USA

PostPosted: Mon Jul 15, 2024 12:25    Post subject:
Are you sure you don't have build numbers confused? 56490 wasn't pulled, 56409 was. I don't see anything glaringly obvious in the sticky or elsewhere:

Sticky: WireGuard guides and documentation

https://svn.dd-wrt.com/search?q=egc

https://svn.dd-wrt.com/search?q=wireguard

I'm not looking through release logs...

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net


Last edited by kernel-panic69 on Mon Jul 15, 2024 14:20; edited 1 time in total
kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 120
Location: DE

PostPosted: Mon Jul 15, 2024 13:01    Post subject:
Hi kp,
you are right, r56409 was pulled (but working for me). Downloaded and archived locally and flashed before it was pulled.
r56490 is the first build not working for me, not pulled.

OP edited.

I know the stickies, and usually egc edits them if something has changed. Nothing there, and nothing directly related to wg on svn. That's why I'm puzzled.

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 15513
Location: Texas, USA

PostPosted: Mon Jul 15, 2024 14:23    Post subject:
Clients have WAN access, yet WAN is disabled as I re-read through the OP. Wireguard on a WAP is not the same as on a default configuration where the WAN is enabled.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13530
Location: Netherlands

PostPosted: Mon Jul 15, 2024 14:47    Post subject:
I think I know what is broken, and I know the perpetrator.
Please post:
Quote:
iptables -vnL -t raw

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 120
Location: DE

PostPosted: Mon Jul 15, 2024 15:20    Post subject:
wg disabled:

Code:
root@DD-WRT:~# iptables -vnL -t raw
Chain PREROUTING (policy ACCEPT 1625 packets, 192K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1625  192K CT         all  --  *      *       0.0.0.0/0            0.0.0.0/0            NOTRACK

Chain OUTPUT (policy ACCEPT 668 packets, 407K bytes)
 pkts bytes target     prot opt in     out     source               destination
root@DD-WRT:~#


wg enabled (after Save and then Apply I even lost the wired connection to the router, had to turn it off):

Code:
root@DD-WRT:~# iptables -vnL -t raw
Chain PREROUTING (policy ACCEPT 736 packets, 87463 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  !oet1  *       0.0.0.0/0            10.67.199.119        ADDRTYPE match src-type !LOCAL
  758 94101 CT         all  --  *      *       0.0.0.0/0            0.0.0.0/0            NOTRACK

Chain OUTPUT (policy ACCEPT 1015 packets, 881K bytes)
 pkts bytes target     prot opt in     out     source               destination
root@DD-WRT:~#


hth.
Thanks once again, @egc!

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13530
Location: Netherlands

PostPosted: Mon Jul 15, 2024 15:37    Post subject:
Our beloved main developer, in his infinite wisdom, has decided to disable connection tracking when the WAN is disabled.
This breaks a lot of things; you are not the first one who has been bitten by this.

Normally connection tracking was only disabled if you chose Router mode, but now also when you disable the WAN.

I asked to revert this situation, but, and I quote/paraphrase: "you are an idiot if you do these kinds of stupid things".

Luckily there is an easy solution:
see paragraph about VAP on a WAP: https://raw.githubusercontent.com/egc112/ddwrt/main/DDWRT%20Virtual%20Access%20Point-8.pdf

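What egc describes can be checked, and undone, from the router's own firewall script. The script below is an added example written for this thread; it is not egc's, not DD-WRT's and not the workaround from the linked PDF, so it may differ from the documented route. It assumes the culprit is the `CT ... NOTRACK` entry visible in both of the OP's raw-table dumps (with conntrack off, the `NAT via oet1` that "Allow Clients WAN Access" depends on cannot work), and that the rule was appended as `-j CT --notrack`, so the matching `-D` removes it. The two sample dumps are embedded (one copied from the thread, one constructed) so the checks run offline; `conntrack_disabled` queries the live kernel instead.

```shell
#!/bin/sh
# Added example, not from this thread, egc's PDF or DD-WRT: detect the raw-table
# NOTRACK rule DD-WRT installs when the WAN is disabled, and remove it so that
# connection tracking (and the NAT WireGuard's WAN access relies on) works again.
#
# Assumptions (mine): the rule is the "CT ... NOTRACK" target in raw PREROUTING
# seen in the OP's dumps, appended as `iptables -t raw -A PREROUTING -j CT --notrack`,
# so the matching -D deletes it. Only busybox ash and awk are needed.

# Sample dump copied from the thread's "wg enabled" output.
SAMPLE_WAN_DISABLED='Chain PREROUTING (policy ACCEPT 736 packets, 87463 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  !oet1  *       0.0.0.0/0            10.67.199.119        ADDRTYPE match src-type !LOCAL
  758 94101 CT         all  --  *      *       0.0.0.0/0            0.0.0.0/0            NOTRACK

Chain OUTPUT (policy ACCEPT 1015 packets, 881K bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed dump of a healthy box (WAN enabled, conntrack on): no NOTRACK rule.
SAMPLE_WAN_ENABLED='Chain PREROUTING (policy ACCEPT 10 packets, 600 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 240 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# raw_notrack_count: read `iptables -vnL -t raw` output on stdin, print how many
# NOTRACK rules sit in PREROUTING, and return 0 only when there is at least one.
raw_notrack_count() {
    awk '
        /^Chain /                                        { chain = $2; next }
        chain == "PREROUTING" && $3 == "CT" && /NOTRACK/ { n++ }
        END { print n + 0; if (n > 0) exit 0; exit 1 }
    '
}

# conntrack_disabled: the same check against the live kernel.
conntrack_disabled() {
    iptables -vnL -t raw | raw_notrack_count >/dev/null
}

# restore_conntrack: delete every copy of the rule. DD-WRT rebuilds the firewall
# on each restart, so run this from the firewall script rather than once by hand.
# Set IPTABLES=echo to dry-run. Returns 0 if at least one rule was removed.
restore_conntrack() {
    removed=0
    while [ "$removed" -lt 8 ]; do
        ${IPTABLES:-iptables} -t raw -D PREROUTING -j CT --notrack 2>/dev/null || break
        removed=$((removed + 1))
    done
    [ "$removed" -gt 0 ]
}

# Entry point for the router: check, fix, re-check, and report via syslog.
main() {
    if conntrack_disabled; then
        restore_conntrack && logger -t wg-conntrack "raw NOTRACK rule removed, conntrack restored"
        conntrack_disabled && logger -t wg-conntrack "NOTRACK rule still present, check iptables -vnL -t raw"
    fi
}

# Touch the live firewall only when executed as a script, not when sourced.
case "${0##*/}" in
    wg-conntrack.sh) main ;;
esac
```

Saved as the firewall script (Administration > Commands > Save Firewall) it re-runs after every firewall restart, which is the point: a one-off `iptables -D` on the console is lost at the next apply. With `IPTABLES=echo` it only prints the command it would run, which is a cheap way to confirm the rule text matches what the router actually has before letting it delete anything.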
kooper2013
DD-WRT User


Joined: 10 Jan 2013
Posts: 120
Location: DE

PostPosted: Mon Jul 15, 2024 21:37    Post subject:
Quote:
I asked to revert this situation, but and I quote/paraphrase "you are an idiot if you do these kind of stupid things"


Well, so this was working, but it was wrong for ~15 years. Right? Or what?

The set of workarounds is ill, stretching over 2 pages. I haven't tried it yet, so this is what I get:

- set the dd-wrt router behind the gateway/primary router into 'gateway' mode (considering that the real gateway/primary router is doing things like DECT station, answering machine, a guest-net, etc.)
- disable the DHCP server, but keep dnsmasq enabled (I WANT dd-wrt to distribute IPs in my home-net, NOT the real gateway/primary router, and I WANT dnsmasq to do the DNS, not the primary router)
- enable the firewall, but not use it, BUT set an extra rule, and/or (depending on the build) MORE rules
- on SOME dd-wrt routers the WAN port cannot be used (on which, and how to find out?)
- probably there will be more hiccups, preventing dd-wrt from JUST WORKING and SERVING

(I do not post what I wanted on the first impulse.)
