Wireguard config not applied on reboot

I have 5 wireguard interfaces and 4 of them come up fine, but one which is configured exactly the same as the rest (other than the specific tunnel configurations) is not being configured properly on restart of the router. It shows up under the wg command as having a random port, but that is it, and the "show interfaces" command in operational mode shows this same config, but looking at the config file with "show configuration" shows the proper config details.

Deleting and re-setting an attribute of the interface and then committing it seems to resolve the problem. This sounds like a bug, but I'm not sure where in the system it'd be?

Hi @TrueTechy,

Can you please clarify? I tested the config below and everything works just as it is supposed to.

set interfaces wireguard wg01 address '10.100.100.1/29'
set interfaces wireguard wg01 peer test allowed-ips '10.1.1.1/32'
set interfaces wireguard wg01 peer test pubkey '1uhXKCo4vq4ZHBcD/Iq9ZM4cDTmpMSrWt7DFnUksbB4='
set interfaces wireguard wg02 address '10.101.100.1/29'
set interfaces wireguard wg02 peer test allowed-ips '10.1.1.2/32'
set interfaces wireguard wg02 peer test pubkey '1uhXKCo4vq4ZHBcD/Iq9ZM4cDTmpMSrWt7DFnUksbB4='
set interfaces wireguard wg03 address '10.102.100.1/29'
set interfaces wireguard wg03 peer test allowed-ips '10.1.1.3/32'
set interfaces wireguard wg03 peer test pubkey '1uhXKCo4vq4ZHBcD/Iq9ZM4cDTmpMSrWt7DFnUksbB4='
set interfaces wireguard wg04 address '10.103.100.1/29'
set interfaces wireguard wg04 peer test allowed-ips '10.1.1.4/32'
set interfaces wireguard wg04 peer test pubkey '1uhXKCo4vq4ZHBcD/Iq9ZM4cDTmpMSrWt7DFnUksbB4='
set interfaces wireguard wg05 address '10.104.100.1/29'
set interfaces wireguard wg05 peer test allowed-ips '10.1.1.4/32'
set interfaces wireguard wg05 peer test pubkey '1uhXKCo4vq4ZHBcD/Iq9ZM4cDTmpMSrWt7DFnUksbB4='

Hi @TrueTechy,

Can you please tell me how to reproduce your issue?

Hi @hagbard

I've used this config, and when I restart the router wg04 does not come up properly. It will come up with no problem if I set and unset the port and commit. This is the config I'm using:

set interfaces wireguard wg01 address 'fe80::1/128'
set interfaces wireguard wg01 address '172.20.142.33'
set interfaces wireguard wg01 peer graffen allowed-ips '::/0'
set interfaces wireguard wg01 peer graffen allowed-ips '0.0.0.0/0'
set interfaces wireguard wg01 peer graffen endpoint 'XXX:22673'
set interfaces wireguard wg01 peer graffen pubkey 'otrJdMkh2Bfoq1P8ytcXPlLegXrsK7E/p93WbV6Y9AY='
set interfaces wireguard wg01 port '22673'
set interfaces wireguard wg02 address '172.20.142.33'
set interfaces wireguard wg02 description 'Burble Uk-Lon1'
set interfaces wireguard wg02 peer burble allowed-ips '0.0.0.0/0'
set interfaces wireguard wg02 peer burble endpoint 'XXXX:31743'
set interfaces wireguard wg02 peer burble pubkey '5MjdQE30lC0QaFkowJqbpXORcc7fcyA2FkZwugiqjGE='
set interfaces wireguard wg02 port '31743'
set interfaces wireguard wg03 address '172.20.142.33/32'
set interfaces wireguard wg03 address 'fe80::42:4/128'
set interfaces wireguard wg03 description 'Zhaofeng - lil1'
set interfaces wireguard wg03 peer lil1 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg03 peer lil1 allowed-ips '::/0'
set interfaces wireguard wg03 peer lil1 endpoint 'XXXX:22673'
set interfaces wireguard wg03 peer lil1 pubkey 'ECLk/X4ciNHnTcXxn2sO5OLnYu6NiyrTexzlfDd+QBo='
set interfaces wireguard wg03 port '22674'
set interfaces wireguard wg04 address '172.20.142.33/32'
set interfaces wireguard wg04 address 'fe80::42:5/128'
set interfaces wireguard wg04 description 'Ags131 - fr01'
set interfaces wireguard wg04 peer fr01 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg04 peer fr01 allowed-ips '::/0'
set interfaces wireguard wg04 peer fr01 endpoint 'URL:22673'
set interfaces wireguard wg04 peer fr01 pubkey 'XbKVL63O8+L5XrDz080DbKnAJb90e1VkDUdI4NPpW1Q='
set interfaces wireguard wg04 port '20131'
set interfaces wireguard wg100 address '192.168.0.250'
set interfaces wireguard wg100 description 'Mi Max 2'
set interfaces wireguard wg100 peer phone allowed-ips '0.0.0.0/0'
set interfaces wireguard wg100 peer phone persistent-keepalive '10'
set interfaces wireguard wg100 peer phone pubkey 'bbAdc06rlNk/5QbjcR1/lke+aYO2KCAZ4/gHqi4TmR0='
set interfaces wireguard wg100 port '58520'

So in copying that in, I remembered that the problem peer is using a URL instead of an IP for the endpoint like the rest. Maybe this is the root of the issue?

A URL? You can use DNS-resolvable names, but a URL?
Also make sure that your DNS is already resolving on VyOS when loading it.

The rest of your config looks ok.

Yes, sorry, that's what I mean, a DNS name which does resolve to an IP. When using the workaround to get the tunnel to come up, running "sudo wg show wg04" shows the resolved IP and the tunnel works from then on, till it reboots. Is it maybe unable to resolve the IP at the point when the config is loaded?

That's what I suspect. Do a 'grep wireguard /var/log/messages'; the executed commands will be logged there.

The log does show the command being executed with the DNS name in the command:

COMMAND=/usr/bin/wg set wg04 listen-port 20131 private-key /config/auth/wireguard/private.key peer XbKVL63O8+L5XrDz080DbKnAJb90e1VkDUdI4NPpW1Q= preshared-key /dev/null allowed-ips 0.0.0.0/0,::/0 endpoint NAME:22673 persistent-keepalive 0

Ok, so that's because the name can't be resolved during boot. As a test, can you please set the endpoint up in /etc/hosts? (ip hostname fqdn)
Then reboot and see if the issue persists. I will meanwhile see if I can change anything on the VyOS side.

This works, the interface comes up no problem on reboot.
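A boot-time dependency check for the failure mode worked out in this thread, written here as an added example (it is not code from the thread or from VyOS): it reads "set interfaces wireguard ... endpoint" lines together with an /etc/hosts file and lists the peers whose endpoint is a hostname that only DNS can resolve, which is exactly the case the /etc/hosts workaround covers. The config lines and hosts entries are constructed samples; addresses and names are placeholders.

```python
import ipaddress
import re
# Constructed sample in the thread's "set interfaces wireguard" style; the
# hostnames and addresses are placeholders, not the thread's real peers.
SAMPLE_CONFIG = """\
set interfaces wireguard wg01 peer graffen endpoint '203.0.113.10:22673'
set interfaces wireguard wg03 peer lil1 endpoint '[2001:db8::1]:22673'
set interfaces wireguard wg04 peer fr01 endpoint 'dn42-fr01.example.net:22673'
"""
# Constructed /etc/hosts without the "ip hostname fqdn" workaround entry.
SAMPLE_HOSTS = "127.0.0.1 localhost\n"

ENDPOINT_RE = re.compile(r"^set interfaces wireguard (\S+) peer (\S+) endpoint (\S+)$")

def split_endpoint(endpoint):
    """Split 'host:port' or '[v6-literal]:port' into (host, port)."""
    if endpoint.startswith("["):
        host, _, port = endpoint[1:].partition("]:")
    else:
        host, _, port = endpoint.rpartition(":")
    return host, int(port)

def is_ip_literal(host):
    # An address literal is something wg can apply with no resolver at all.
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def hosts_names(hosts_text):
    """Every name pinned in an /etc/hosts-style file (comments ignored)."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            names.update(fields[1:])
    return names

def endpoints_needing_dns(config_text, hosts_text):
    """(iface, peer, host) for every endpoint that only DNS can resolve at boot."""
    pinned = hosts_names(hosts_text)
    found = []
    for line in config_text.splitlines():
        m = ENDPOINT_RE.match(line.strip())
        if m:
            iface, peer, raw = m.groups()
            # Forum pastes carry curly quotes, so strip both straight and curly ones.
            host, _port = split_endpoint(raw.strip("'\"\u2018\u2019"))
            if not is_ip_literal(host) and host not in pinned:
                found.append((iface, peer, host))
    return found
```

Run it against the output of "show configuration commands" and the router's /etc/hosts; any peer it lists will only come up at boot if the resolver is already working when wireguard.py runs.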

Ok, so that is the same as I have tested. I'll see if I can find something out.

I tested the prio when it's started; it appears to be just fine. I have eth0 configured via DHCP, which also provides the DNS, and no issues when I reboot.

My eth0 address is configured statically and I have 2 DNS servers configured manually (one which won’t have the address in it, maybe the problem lies here?)

I used just a public website as the endpoint now (endpoint www.heise.de:80), just to check if the interface comes up, and it does. So I suppose you have DNS issues. I checked in what stage wg is configured; DNS is already working:

Dec 4 20:40:25 T1065 FNORD: Server:#011#011159.249.47.66
Dec 4 20:40:25 T1065 FNORD: Address:#011159.249.47.66#53
Dec 4 20:40:25 T1065 FNORD:
Dec 4 20:40:25 T1065 FNORD: Non-authoritative answer:
Dec 4 20:40:25 T1065 FNORD: Name:#011www.heise.de
Dec 4 20:40:25 T1065 FNORD: Address: 193.99.144.85
Dec 4 20:40:25 T1065 FNORD:
Dec 4 20:40:25 T1065 sudo: pam_unix(sudo:session): session closed for user root
Dec 4 20:40:25 T1065 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh -c /usr/libexec/vyos/conf_mode/wireguard.py
Dec 4 20:40:25 T1065 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 4 20:40:25 T1065 /wireguard.py: loading wirguard kmod
Dec 4 20:40:25 T1065 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/modprobe wireguard
Dec 4 20:40:25 T1065 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 4 20:40:25 T1065 sudo: pam_unix(sudo:session): session closed for user root
Dec 4 20:40:25 T1065 kernel: [ 17.535638] wireguard: loading out-of-tree module taints kernel.
Dec 4 20:40:25 T1065 kernel: [ 17.537226] wireguard: WireGuard 0.0.20181018 loaded. See www.wireguard.com for information.
Dec 4 20:40:25 T1065 kernel: [ 17.537227] wireguard: Copyright (C) 2015-2018 Jason A. Donenfeld Jason@zx2c4.com. All Rights Reserved.
Dec 4 20:40:25 T1065 /wireguard.py: enable interface wg01
Dec 4 20:40:25 T1065 /wireguard.py: ip a a dev wg01 10.2.1.1/24
Dec 4 20:40:25 T1065 systemd-sysctl[2106]: Overwriting earlier assignment of net/core/rmem_max in file ‘/etc/sysctl.d/99-sysctl.conf’.
Dec 4 20:40:25 T1065 /wireguard.py: sudo wg set wg01 listen-port 0 private-key /config/auth/wireguard/private.key peer K48cBHsTdz8Vj1mwnSX1D9+bz1seqHPqfyivQN2V32E= preshared-key /dev/null allowed-ips 0.0.0.0/0,::/0 endpoint test:12345 persistent-keepalive 0
Dec 4 20:40:25 T1065 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/wg set wg01 listen-port 0 private-key /config/auth/wireguard/private.key peer K48cBHsTdz8Vj1mwnSX1D9+bz1seqHPqfyivQN2V32E= preshared-key /dev/null allowed-ips 0.0.0.0/0,::/0 endpoint test:12345 persistent-keepalive 0

So I thought it was an issue with the first name server being configured not being a part of the public internet (part of the DN42 network), and so of course it doesn't have the public DNS name. I would've thought it'd have checked both the specified name servers (the other being Google's 8.8.8.8), but reordering them so that Google's comes first hasn't solved the issue. So I tried removing the other, still no luck.

Using dig once the router has started shows it resolving the domain just fine. No idea why the script that applies the config isn't getting the IP.

Can you sniff behind VyOS? So you can check if it fires off the DNS query.

Yes, it's sending out the query and both A and AAAA records are returned:

Dec  4 22:14:06 dnsmasq[2803]: 39641 192.168.0.250/41463 query[A] dn42-fr01.ags131.space from 192.168.0.250
Dec  4 22:14:06 dnsmasq[2803]: 39641 192.168.0.250/41463 cached dn42-fr01.ags131.space is 163.172.176.3
Dec  4 22:14:06 dnsmasq[2803]: 39642 192.168.0.250/41463 query[AAAA] dn42-fr01.ags131.space from 192.168.0.250
Dec  4 22:14:06 dnsmasq[2803]: 39642 192.168.0.250/41463 cached dn42-fr01.ags131.space is 2001:bc8:4400:2c00::4:d01

That is strange. The tests I've done aren't real wg endpoints, just hosts which are publicly resolvable, and the wg interface comes up just fine. What version of VyOS are you currently running?

This router is running VyOS 1.2.0-rolling+201812010337.