OSPF with WireGuard Route Inactive in VyOS 1.3

Hi All

I have tested OSPF with WireGuard in VyOS 1.2-rolling-201912180217, and it worked fine.
But when I upgrade to VyOS 1.3-rolling (every version after 1.3),
all OSPF routes are shown as inactive in the route table.

If anyone could help me, thanks a lot!
Bug might be in FRR or VyOS
I’m not sure about that

config shown as below,
and some OSPF status shown as below

vyos@R1:~$ show configuration
interfaces {
    ethernet eth0 {
        address dhcp
    }
    ethernet eth1 {
        address 172.31.101.1/24
    }
    loopback lo {
        address 10.0.0.1/32
    }
    wireguard wg01 {
        address 10.0.0.1/32
        description to-R2
        ip {
            ospf {
                authentication {
                    md5 {
                        key-id 1 {
                            md5-key ****************
                        }
                    }
                }
                dead-interval 10
                hello-interval 5
                network point-to-point
                priority 2
                retransmit-interval 5
                transmit-delay 1
            }
        }
        peer R2 {
            allowed-ips 10.0.0.0/8
            allowed-ips 224.0.0.0/8
            allowed-ips 172.31.0.0/16
            endpoint 172.31.0.186:10000
            persistent-keepalive 15
            pubkey ****************
        }
        port 10000
    }
    wireguard wg02 {
        address 10.0.0.1/32
        description to-R3
        ip {
            ospf {
                authentication {
                    md5 {
                        key-id 1 {
                            md5-key ****************
                        }
                    }
                }
                bfd
                dead-interval 10
                hello-interval 5
                network point-to-point
                priority 10
                retransmit-interval 5
                transmit-delay 1
            }
        }
        peer R3 {
            allowed-ips 10.0.0.0/8
            allowed-ips 224.0.0.0/8
            allowed-ips 172.31.0.0/16
            endpoint 172.31.0.183:10000
            persistent-keepalive 15
            pubkey ****************
        }
        port 10001
    }
}
protocols {
    ospf {
        area 0 {
            authentication md5
            network 10.0.0.1/32
        }
        parameters {
            abr-type cisco
            router-id 10.0.0.1
        }
        redistribute {
            connected {
                metric-type 2
            }
        }
    }
    static {
        interface-route 10.0.0.2/32 {
            next-hop-interface wg01 {
            }
        }
        interface-route 10.0.0.3/32 {
            next-hop-interface wg02 {
            }
        }
    }
}
service {
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name R1
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}

vyos@R1:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued route, r - rejected route

S>* 0.0.0.0/0 [210/0] via 172.31.0.1, eth0, 00:24:51
O   10.0.0.1/32 [110/0] is directly connected, lo, 00:24:45
C * 10.0.0.1/32 is directly connected, wg01, 00:24:49
C * 10.0.0.1/32 is directly connected, wg02, 00:24:49
C>* 10.0.0.1/32 is directly connected, lo, 00:24:54
O   10.0.0.2/32 [110/10] via 10.0.0.2, wg01 inactive, 00:24:42
S>* 10.0.0.2/32 [1/0] is directly connected, wg01, 00:24:49
O   10.0.0.3/32 [110/10] via 10.0.0.3, wg02 inactive, 00:24:42
S>* 10.0.0.3/32 [1/0] is directly connected, wg02, 00:24:48
O   10.0.0.4/32 [110/20] via 10.0.0.2, wg01 inactive, 00:24:42
                         via 10.0.0.3, wg02 inactive, 00:24:42
O   172.31.0.0/24 [110/20] via 10.0.0.2, wg01 inactive, 00:24:41
                           via 10.0.0.3, wg02 inactive, 00:24:41
C>* 172.31.0.0/24 is directly connected, eth0, 00:24:52
C>* 172.31.101.0/24 is directly connected, eth1, 00:24:54
O   172.31.102.0/24 [110/20] via 10.0.0.2, wg01 inactive, 00:24:41
O   172.31.103.0/24 [110/20] via 10.0.0.3, wg02 inactive, 00:24:41
O   172.31.104.0/24 [110/20] via 10.0.0.2, wg01 inactive, 00:24:41
                             via 10.0.0.3, wg02 inactive, 00:24:41

vyos@R1:~$ show ip ospf database

       OSPF Router with ID (10.0.0.1)

                Router Link States (Area 0.0.0.0)

Link ID         ADV Router      Age  Seq#       CkSum  Link count
10.0.0.1        10.0.0.1        1547 0x80000006 0x1fb9 3
10.0.0.2        10.0.0.2        1552 0x800003e6 0x5a97 3
10.0.0.3        10.0.0.3        1548 0x80000008 0x1bb5 3
10.0.0.4        10.0.0.4        1633 0x800003c1 0x8c84 3

                AS External Link States

Link ID         ADV Router      Age  Seq#       CkSum  Route
172.31.0.0      10.0.0.1        1550 0x80000001 0x11d6 E2 172.31.0.0/24 [0x0]
172.31.0.0      10.0.0.2        1655 0x800002f4 0x1dd3 E2 172.31.0.0/24 [0x0]
172.31.0.0      10.0.0.3        1649 0x80000001 0x05e0 E2 172.31.0.0/24 [0x0]
172.31.0.0      10.0.0.4        1638 0x800002f4 0x11dd E2 172.31.0.0/24 [0x0]
172.31.101.0    10.0.0.1        1550 0x80000001 0xb5cc E2 172.31.101.0/24 [0x0]
172.31.102.0    10.0.0.2        1655 0x800002f4 0xb6d3 E2 172.31.102.0/24 [0x0]
172.31.103.0    10.0.0.3        1649 0x80000001 0x93ea E2 172.31.103.0/24 [0x0]
172.31.104.0    10.0.0.4        1638 0x800002f4 0x94f1 E2 172.31.104.0/24 [0x0]

vyos@R1:~$ show ip ospf interface
lo is up
  ifindex 1, MTU 65536 bytes, BW 0 Mbit <UP,LOOPBACK,RUNNING>
  Internet Address 10.0.0.1/32, Broadcast 10.0.0.1, Area 0.0.0.0
  MTU mismatch detection: enabled
  Router ID 10.0.0.1, Network Type LOOPBACK, Cost: 10
  Transmit Delay is 1 sec, State Loopback, Priority 1
  No backup designated router on this network
  Multicast group memberships: <None>
  Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
    Hello due in inactive
  Neighbor Count is 0, Adjacent neighbor count is 0
wg01 is up
  ifindex 5, MTU 1420 bytes, BW 0 Mbit <UP,POINTOPOINT,RUNNING,NOARP>
  This interface is UNNUMBERED, Area 0.0.0.0
  MTU mismatch detection: enabled
  Router ID 10.0.0.1, Network Type POINTOPOINT, Cost: 10
  Transmit Delay is 1 sec, State Point-To-Point, Priority 2
  No backup designated router on this network
  Multicast group memberships: OSPFAllRouters
  Timer intervals configured, Hello 5s, Dead 10s, Wait 10s, Retransmit 5
    Hello due in 4.456s
  Neighbor Count is 1, Adjacent neighbor count is 1
wg02 is up
  ifindex 4, MTU 1420 bytes, BW 0 Mbit <UP,POINTOPOINT,RUNNING,NOARP>
  This interface is UNNUMBERED, Area 0.0.0.0
  MTU mismatch detection: enabled
  Router ID 10.0.0.1, Network Type POINTOPOINT, Cost: 10
  Transmit Delay is 1 sec, State Point-To-Point, Priority 10
  No backup designated router on this network
  Multicast group memberships: OSPFAllRouters
  Timer intervals configured, Hello 5s, Dead 10s, Wait 10s, Retransmit 5
    Hello due in 4.456s
  Neighbor Count is 1, Adjacent neighbor count is 1
  BFD: Detect Multiplier: 3, Min Rx interval: 300, Min Tx interval: 300

vyos@R1:~$ show ip ospf neighbor

Neighbor ID     Pri State           Dead Time Address         Interface                        RXmtL RqstL DBsmL
10.0.0.2          1 Full/DROther       9.944s 10.0.0.2        wg01:10.0.0.1                        0     0     0
10.0.0.3          1 Full/DROther       7.592s 10.0.0.3        wg02:10.0.0.1                        0     0     0

vyos@R1:~$ show ip ospf route
============ OSPF network routing table ============
N    10.0.0.1/32           [0] area: 0.0.0.0
                           directly attached to lo
N    10.0.0.2/32           [10] area: 0.0.0.0
                           via 10.0.0.2, wg01
N    10.0.0.3/32           [10] area: 0.0.0.0
                           via 10.0.0.3, wg02
N    10.0.0.4/32           [20] area: 0.0.0.0
                           via 10.0.0.2, wg01
                           via 10.0.0.3, wg02

============ OSPF router routing table =============
R    10.0.0.2              [10] area: 0.0.0.0, ASBR
                           via 10.0.0.2, wg01
R    10.0.0.3              [10] area: 0.0.0.0, ASBR
                           via 10.0.0.3, wg02
R    10.0.0.4              [20] area: 0.0.0.0, ASBR
                           via 10.0.0.2, wg01
                           via 10.0.0.3, wg02

============ OSPF external routing table ===========
N E2 172.31.0.0/24         [10/20] tag: 0
                           via 10.0.0.2, wg01
                           via 10.0.0.3, wg02
N E2 172.31.102.0/24       [10/20] tag: 0
                           via 10.0.0.2, wg01
N E2 172.31.103.0/24       [10/20] tag: 0
                           via 10.0.0.3, wg02
N E2 172.31.104.0/24       [20/20] tag: 0
                           via 10.0.0.2, wg01
                           via 10.0.0.3, wg02

vyos@R1:~$

Hello @tjjh89017,

I haven’t figured out yet why this happens, but I can confirm this in my lab.

Your config but with only 2 Routers, all worked if both are on version: 1.2.3

vyos@R1# run show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route

O   10.0.0.1/32 [110/0] is directly connected, lo, 00:10:08
C * 10.0.0.1/32 is directly connected, wg01, 00:10:09
C>* 10.0.0.1/32 is directly connected, lo, 00:10:10
O   10.0.0.2/32 [110/10] via 10.0.0.2, wg01 onlink, 00:06:46
S>* 10.0.0.2/32 [1/0] is directly connected, wg01, 00:10:09
O>* 172.31.103.0/24 [110/20] via 10.0.0.2, wg01 onlink, 00:00:07
O   192.168.0.0/24 [110/20] via 10.0.0.2, wg01 onlink, 00:06:45
C>* 192.168.0.0/24 is directly connected, eth0, 00:10:07

After updating R2 to 1.3-rolling-202001140217, R1 installed the routes correctly.
After updating R1 to 1.3-rolling-202001140217, R1 doesn’t activate the routes.

vyos@R1:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued route, r - rejected route

O   10.0.0.1/32 [110/0] is directly connected, lo, 00:24:54
C * 10.0.0.1/32 is directly connected, wg01, 00:24:55
C>* 10.0.0.1/32 is directly connected, lo, 00:24:58
O   10.0.0.2/32 [110/10] via 10.0.0.2, wg01 inactive, 00:04:49
S>* 10.0.0.2/32 [1/0] is directly connected, wg01, 00:24:55
O   172.31.103.0/24 [110/20] via 10.0.0.2, wg01 inactive, 00:04:48
O   192.168.0.0/24 [110/20] via 10.0.0.2, wg01 inactive, 00:04:48
C>* 192.168.0.0/24 is directly connected, eth0, 00:24:57

frr running config 1.2.3:

vyos@R1:~$ vtysh -c "show runnin"
Building configuration...

Current configuration:
!
frr version 7.0.1-20190820-04-g047efd6
frr defaults traditional
hostname R1
log syslog informational
service integrated-vtysh-config
!
ip route 10.0.0.2/32 wg01
!
interface wg01
 description wg01
 ip ospf authentication
 ip ospf authentication-key test
 ip ospf dead-interval 10
 ip ospf hello-interval 5
 ip ospf priority 2
!
router ospf
 ospf router-id 10.0.0.1
 redistribute connected
 network 10.0.0.1/32 area 0
 area 0 authentication message-digest
!
line vty
!
end

frr running config 1.3-rolling-202001140217:

vyos@R1:~$ vtysh -c "show runnin"
Building configuration...

Current configuration:
!
frr version 7.3-dev-20191226-00-gd7cce42cc
frr defaults traditional
hostname R1
service integrated-vtysh-config
!
ip route 10.0.0.2/32 wg01
!
interface wg01
 ip ospf authentication
 ip ospf authentication-key test
 ip ospf dead-interval 10
 ip ospf hello-interval 5
 ip ospf priority 2
!
router ospf
 ospf router-id 10.0.0.1
 redistribute connected
 network 10.0.0.1/32 area 0
 area 0 authentication message-digest
!
line vty
!
end

@rob Thanks for confirming.
I will use Ubuntu with FRR to test (if the bug is in FRR, I will get the same issue in Ubuntu).

If you figure out the bug, please update me.
Thanks for the help.

Hi @rob

1.3-rolling uses FRR at commit d7cce42cc78cfbe25e3cc19a612b1caee3c26809.
So I tested FRR stable 7.2 in Ubuntu 18.04 (FRR official build); it works fine.
Tested FRR d7cce42cc in Ubuntu 18.04; it fails.
Tested FRR branch dev/7.3, which is 4112bfee9f6abf8832d1f8cf9a7e4df9b29ef764, in Ubuntu 18.04; it works.

I think FRR in VyOS needs to be upgraded to a new version.

Thanks

Hey @tjjh89017,

I created a task to update FRR; you can track it here:

https://phabricator.vyos.net/T1969

@rob
Great thanks!

Hey, would you please test again with the latest rolling? The FRR package was rebuilt yesterday.

Thank you

Unfortunately,
I used vyos-1.3-rolling-202001200217-amd64.iso,
but OSPF is still dead.
Same status.

Thanks

Hi @rob

I have tested VyOS 1.3-rolling-202002130217 (FRR version 7.4-dev-20200118-04-g9e1ecdbaa-0); it failed.

I tested Ubuntu with FRR master branch (60092db3fdead2a72e9368aaaa1e789c741c7ce8) and dev/7.3 (df80bf16869314ec9455fb7e4db63dcf1fdba2c2). It worked.

I tested Ubuntu with FRR 9e1ecdbaa. It failed.

There is a commit 9c0cbabb42de562e32b33e72e11f4570e73a7857 (or 54bea4e5379e6b4e9fd7db52d5e5a3780aae349c, because of a different branch with rebase).
This commit fixed this issue.

Please update to the branch that contains this commit.
Thanks a lot

commit 9c0cbabb42de562e32b33e72e11f4570e73a7857
Author: Donald Sharp <sharpd@cumulusnetworks.com>
Date:   Mon Jan 20 16:53:34 2020 -0500

    zebra: Re-add onlink flag due to loss in earlier commit

    commit: 0eb97b860dc94329cf9add9f8f3d3a2c7f539568

    Removed this chunk of code in zebra:
    -       if (ifp)
    -               if (connected_is_unnumbered(ifp))
    -                       SET_FLAG(nexthop->flags, NEXTHOP_FLAG_ONLINK);

    Effectively if we had a NEXTHOP_TYPE_IPV4_IFINDEX we would
    auto set the onlink flag.  This commit dropped it for some reason.

    Add it back in an intelligent manner.

    Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>

I tested vyos-1.3-rolling-202002200217-amd64.iso
It works now.
Thanks for help!
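An added example, not part of any post in this thread and not VyOS or FRR code: a post-upgrade check that parses `show ip route` text and reports OSPF prefixes whose next hops are all marked `inactive`, noting whether another route still covers the prefix in the FIB. The function names are hypothetical, and the sample is assembled from route lines shown above.

```python
import re

# Constructed sample: route lines copied from the outputs in this thread
# (the final "onlink" line comes from the working 1.2.3 router).
SAMPLE = """\
O   10.0.0.1/32 [110/0] is directly connected, lo, 00:24:45
C>* 10.0.0.1/32 is directly connected, lo, 00:24:54
O   10.0.0.2/32 [110/10] via 10.0.0.2, wg01 inactive, 00:24:42
S>* 10.0.0.2/32 [1/0] is directly connected, wg01, 00:24:49
O   10.0.0.4/32 [110/20] via 10.0.0.2, wg01 inactive, 00:24:42
                         via 10.0.0.3, wg02 inactive, 00:24:42
O   172.31.102.0/24 [110/20] via 10.0.0.2, wg01 inactive, 00:24:41
O>* 172.31.103.0/24 [110/20] via 10.0.0.2, wg01 onlink, 00:00:07
"""

ROUTE = re.compile(r"^(?P<code>[A-Za-z])(?P<flags>[ >*qr]{0,3})\s*(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s")
NEXTHOP = re.compile(r"via (?P<gw>[\d.]+), (?P<ifname>[^\s,]+)(?P<state> inactive| onlink)?,")

def parse_routes(text):
    """Parse route lines; continuation lines add next hops to the previous route."""
    routes = []
    for line in text.splitlines():
        m = ROUTE.match(line)
        if m:
            routes.append({"code": m["code"], "prefix": m["prefix"],
                           "selected": ">" in m["flags"], "fib": "*" in m["flags"],
                           "nexthops": []})
        if routes:
            for nh in NEXTHOP.finditer(line):
                routes[-1]["nexthops"].append((nh["gw"], nh["ifname"], (nh["state"] or "").strip()))
    return routes

def inactive_ospf(routes):
    """Map each OSPF prefix whose next hops are all 'inactive' to its details."""
    in_fib = {r["prefix"] for r in routes if r["fib"]}
    report = {}
    for r in routes:
        if r["code"] != "O" or not r["nexthops"]:
            continue  # skip non-OSPF and directly connected entries
        if all(state == "inactive" for _, _, state in r["nexthops"]):
            report[r["prefix"]] = {"nexthops": [(gw, ifn) for gw, ifn, _ in r["nexthops"]],
                                   "covered_by_other_route": r["prefix"] in in_fib}
    return report

if __name__ == "__main__":
    for prefix, info in inactive_ospf(parse_routes(SAMPLE)).items():
        print(prefix, info)
```

Prefixes reported with `covered_by_other_route` false are the ones that actually lost reachability; in the sample, 10.0.0.2/32 stays reachable only because of the static interface route.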
