Page MenuHomePhabricator

Wireguard interfaces gone after reboot
Closed, ResolvedPublicBUG

Description

I‘ve three Wireguard interfaces setup on my test router and the configuration of the specific interfaces get dropped after reboot.
The configuration is still present in the „/config/config.boot“ file but not in „show configuration“.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0-rc4
Why the issue appeared?
Will be filled on close
MrXermon created this task.Sun, Oct 28, 4:56 AM
syncer triaged this task as Normal priority.
syncer assigned this task to hagbard.
hagbard changed the task status from Open to In progress.Sun, Oct 28, 4:40 PM

Hi @MrXermon ,
can you please share your configuration? At least the set interface wireguard ... ones would be interesting, so I can test it.

Hi @hagbard,

this is the configuration which i need to set again after each reboot (and i remove the ip address from the interface and set it again as ip + peer address as there is no configuration option at the moment). I removed some unimportant information.

set interfaces wireguard wg0 address 'fe80::ccf8:96/64'
set interfaces wireguard wg0 address '172.20.178.96/32'
set interfaces wireguard wg0 peer dn42-uk-lon1 allowed-ips 'fe80::/64'
set interfaces wireguard wg0 peer dn42-uk-lon1 allowed-ips '172.20.170.194/32'
set interfaces wireguard wg0 peer dn42-uk-lon1 allowed-ips '::/0'
set interfaces wireguard wg0 peer dn42-uk-lon1 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer dn42-uk-lon1 endpoint 'removed'
set interfaces wireguard wg0 peer dn42-uk-lon1 pubkey 'removed'
set interfaces wireguard wg0 port 'removed'
set interfaces wireguard wg1 address 'fe80::ccf8:96/64'
set interfaces wireguard wg1 address '172.20.178.96/32'
set interfaces wireguard wg1 peer dn42-fr01 allowed-ips 'fe80::/64'
set interfaces wireguard wg1 peer dn42-fr01 allowed-ips '172.22.169.1/32'
set interfaces wireguard wg1 peer dn42-fr01 allowed-ips '::/0'
set interfaces wireguard wg1 peer dn42-fr01 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg1 peer dn42-fr01 endpoint 'removed'
set interfaces wireguard wg1 peer dn42-fr01 pubkey 'removed'
set interfaces wireguard wg1 port 'removed'
set interfaces wireguard wg2 address 'fe80::ccf8:96/64'
set interfaces wireguard wg2 address '172.20.178.96/32'
set interfaces wireguard wg2 peer dn42-gw allowed-ips 'fe80::/64'
set interfaces wireguard wg2 peer dn42-gw allowed-ips '172.20.175.195/32'
set interfaces wireguard wg2 peer dn42-gw allowed-ips '::/0'
set interfaces wireguard wg2 peer dn42-gw allowed-ips '0.0.0.0/0'
set interfaces wireguard wg2 peer dn42-gw endpoint 'removed'
set interfaces wireguard wg2 peer dn42-gw pubkey 'removed'
set interfaces wireguard wg2 port 'removed'

sudo ip a d 172.20.178.96/32 dev wg0
sudo ip a a 172.20.178.96/32 peer 172.20.170.194/32 dev wg0
sudo ip a d 172.20.178.96/32 dev wg1
sudo ip a a 172.20.178.96/32 peer 172.22.169.1/32 dev wg1
sudo ip a d 172.20.178.96/32 dev wg2
sudo ip a a 172.20.178.96/32 peer 172.20.175.195/32 dev wg2

If you need logfiles or any further information fromthe system, feel free to get to me again.

I've tested your setup and can't find any issue with the interfaces in -rc4. However your routes won't survive a reboot, please use 'set protocols static interface-route <destination-net> next-hop-interface wg0'.
If that doesn't solve your issue, please check 'show interfaces' and check if the wg interfaces is setup after reboot there.
Also please provide the output of the following:
'grep wireguard /var/log/messages'

MrXermon added a comment.EditedMon, Oct 29, 5:03 PM

That's intresting. I rebooted the system a few seconds ago and the tunnels dom't become active.

admin@rt-1:~$ grep wireguard /var/log/messages
Oct 29 17:52:23 rt-1 sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh -c /usr/libexec/vyos/conf_mode/wireguard.py
Oct 29 17:52:24 rt-1 /wireguard.py: loading wirguard kmod
Oct 29 17:52:24 rt-1 sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/modprobe wireguard
Oct 29 17:52:24 rt-1 kernel: [   39.016114] wireguard: no symbol version for module_layout
Oct 29 17:52:24 rt-1 kernel: [   39.016117] wireguard: loading out-of-tree module taints kernel.
Oct 29 17:52:24 rt-1 kernel: [   39.017681] wireguard: WireGuard 0.0.20181007 loaded. See www.wireguard.com for information.
Oct 29 17:52:24 rt-1 kernel: [   39.017682] wireguard: Copyright (C) 2015-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
Oct 29 17:52:24 rt-1 /wireguard.py: ip a a dev wg2 fe80::ccf8:96/64
Oct 29 17:52:24 rt-1 /wireguard.py: ip a a dev wg2 172.20.178.96/32
Oct 29 17:52:24 rt-1 /wireguard.py: sudo wg set wg2 listen-port <removed> private-key /config/auth/wireguard/private.key peer OxX4oGg6XCefMLKqC3T9wmQfwvvkVg1O9PRx5quLrXA= preshared-key /dev/null allowed-ips fe80::/64,172.20.175.195/32,::/0,0.0.0.0/0 endpoint <removed> persistent-keepalive 0
Oct 29 17:52:24 rt-1 sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/wg set wg2 listen-port <removed> private-key /config/auth/wireguard/private.key peer OxX4oGg6XCefMLKqC3T9wmQfwvvkVg1O9PRx5quLrXA= preshared-key /dev/null allowed-ips fe80::/64,172.20.175.195/32,::/0,0.0.0.0/0 endpoint <removed> persistent-keepalive 0
Oct 29 17:52:24 rt-1 /wireguard.py: ip a a dev wg1 fe80::ccf8:96/64
Oct 29 17:52:24 rt-1 /wireguard.py: ip a a dev wg1 172.20.178.96/32
Oct 29 17:52:24 rt-1 /wireguard.py: sudo wg set wg1 listen-port <removed> private-key /config/auth/wireguard/private.key peer XbKVL63O8+L5XrDz080DbKnAJb90e1VkDUdI4NPpW1Q= preshared-key /dev/null allowed-ips fe80::/64,172.22.169.1/32,::/0,0.0.0.0/0 endpoint <removed> persistent-keepalive 0
Oct 29 17:52:24 rt-1 sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/wg set wg1 listen-port <removed> private-key /config/auth/wireguard/private.key peer XbKVL63O8+L5XrDz080DbKnAJb90e1VkDUdI4NPpW1Q= preshared-key /dev/null allowed-ips fe80::/64,172.22.169.1/32,::/0,0.0.0.0/0 endpoint <removed> persistent-keepalive 0
Oct 29 17:52:24 rt-1 /wireguard.py: ip a a dev wg0 fe80::ccf8:96/64
Oct 29 17:52:24 rt-1 /wireguard.py: ip a a dev wg0 172.20.178.96/32
Oct 29 17:52:24 rt-1 /wireguard.py: sudo wg set wg0 listen-port <removed> private-key /config/auth/wireguard/private.key peer otrJdMkh2Bfoq1P8ytcXPlLegXrsK7E/p93WbV6Y9AY= preshared-key /dev/null allowed-ips fe80::/64,172.20.170.194/32,::/0,0.0.0.0/0 endpoint <removed> persistent-keepalive 0
Oct 29 17:52:24 rt-1 sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/wg set wg0 listen-port <removed> private-key /config/auth/wireguard/private.key peer otrJdMkh2Bfoq1P8ytcXPlLegXrsK7E/p93WbV6Y9AY= preshared-key /dev/null allowed-ips fe80::/64,172.20.170.194/32,::/0,0.0.0.0/0 endpoint <removed> persistent-keepalive 0
Oct 29 17:52:24 rt-1 sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh -c /usr/libexec/vyos/conf_mode/wireguard.py
Oct 29 17:52:25 rt-1 sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh -c /usr/libexec/vyos/conf_mode/wireguard.py


admin@rt-1:~$ sudo wg
interface: wg2
  listening port: 32932

interface: wg1
  listening port: 36842

interface: wg0
  listening port: 42400

The wireguard command shows wrong listening ports, peers and ip addresses are missing.

Maybe that happens because i updated the system from rc-1 -> rc-2 -> rc-3 -> rc-4. I'll try rebasing the system next. Maybe that solves the problem.

I rebased the router with the rc-4 image. After importing the configuration and rebooting the router a similar error occurs. The boot screen shows the error message "vyos-config[1708]: Configuration error". Looking into the configuration using 'show configuration' only shows the configuration of the wg2 interface but 'cat /config/config.boot' shows all three interfaces with correct configurations. The wireguard tool shows threee interfaces similar to the output before without any configuration.

I integrated the interface-routes to my configuration so i don't need the ip commands anymore.

Can i send you anymore logfiles?

Since I don't know your listen ports I can't verify, if the ports you've set are correct or not. What I see in the logs, looks all ok, please keep in mind that your tunnel shows onl;y active if at least one packet passed the wg interface, otherwise you won't see anything.
So as far as i see from the above your wg interfaces are being created (you can bind multiple different peers to one interface by the way) and active.

The following doesn't make much sense:

set interfaces wireguard wg0 peer dn42-uk-lon1 allowed-ips 'fe80::/64'
set interfaces wireguard wg0 peer dn42-uk-lon1 allowed-ips '172.20.170.194/32' <---
set interfaces wireguard wg0 peer dn42-uk-lon1 allowed-ips '::/0' <---
set interfaces wireguard wg0 peer dn42-uk-lon1 allowed-ips '0.0.0.0/0' <---

So, you define that any ipv4 and any ipv6 address can pass, why do you list specific ones as well?

Can you please make the following output available:

show interfaces (I just wanna see if the wg interfaces are listed after the reboot here)
show ip route ( I want to check if you route anything to the wg interfaces)

Feel free to open a pm in slack.vyos.io if you feel uncomfortable to share those information here.

MrXermon added a comment.EditedMon, Oct 29, 6:00 PM

Listing the specific ip addresses was my legacy configuration. I removed it in the current configuration. I played a little with the interface routes and the seem to work properly on the technical side of things as i am able to ping the opposit device. But somehow the routing daemon lists routes to the peers as 'inactive' which makes the configuration unusable for me.

I'll contact you via slack, maybe we can have a look at the system together.

So far so good. Traffic works when using endpoint IPs a instead of the name, still looking into that, but in general no problem with wireguard found.

DNS issue, not wireguard related. Using the endpoint IPs is working correctly.

hagbard closed this task as Resolved.Mon, Oct 29, 8:49 PM