Wireguard on 1.4 not working

Hi,

I have been using Vyos 1.3 rolling release up until this point and wireguard has been working well. Since the website isn’t offering 1.3 anymore, I decided to try 1.4 but with the same config… Wireguard is not working. Wireguard is the basis of the use of Vyos in this case.

So, here is the relevant config:

wireguard wg01 {
    address 10.11.19.1/32
    peer wg.valka.is {
        address <endpointIP>
        allowed-ips 10.11.0.0/24
        persistent-keepalive 25
        port 443
        pubkey ****************
    }
}
nat {
    source {
        rule 50 {
            outbound-interface eth0
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 10.11.0.0/24 {
            interface wg01 {
            }
        }
    }
}
$ show interfaces wireguard 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
wg01             10.11.19.1/32                     u/u  
$ show interfaces wireguard detail 
wg01: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.11.19.1/32 scope global wg01
       valid_lft forever preferred_lft forever
    inet6 fe80::f588:4ff:fe11:5044/64 scope link 
       valid_lft forever preferred_lft forever

    RX:    bytes  packets  errors  dropped  overrun       mcast
              92        1       0        0        0           0
    TX:    bytes  packets  errors  dropped  carrier  collisions
         1403656     9490       0      485        0           0
$ sudo wg
interface: wg01
  public key: 95xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx2C/q2o=
  private key: (hidden)
  listening port: 48404

peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx6EQ=
  endpoint: <endpointIP>:443
  allowed ips: 10.11.0.0/24
  latest handshake: 16 hours, 39 minutes, 30 seconds ago
  transfer: 92 B received, 1.34 MiB sent
  persistent keepalive: every 25 seconds

Like you can see, the handshake has not been renewed for over 16 hours… that’s when the OS was last restarted. For some reason the initial handshake gets established and then nothing. No traffic gets passed through the tunnel.
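The `wg` output above is the diagnostic: a handshake that is hours old while the TX counter keeps growing and RX stays at 92 bytes means the far side never answered after boot. The following script is an added example, not code from this thread or from VyOS; it parses the human-readable `sudo wg` output (the sample below is constructed from the post, with keys redacted and an assumed endpoint) and flags peers whose latest handshake is older than WireGuard's 180-second session limit, which with a 25-second keepalive a live peer never exceeds.

```python
import re

# Constructed sample modelled on the `sudo wg` output in the post (keys redacted, endpoint assumed).
SAMPLE_WG_OUTPUT = """\
interface: wg01
  public key: 95xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx2C/q2o=
  private key: (hidden)
  listening port: 48404

peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx6EQ=
  endpoint: 198.51.100.1:443
  allowed ips: 10.11.0.0/24
  latest handshake: 16 hours, 39 minutes, 30 seconds ago
  transfer: 92 B received, 1.34 MiB sent
  persistent keepalive: every 25 seconds
"""

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
UNIT_BYTES = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}


def age_seconds(text):
    """'16 hours, 39 minutes, 30 seconds ago' -> 59970."""
    return sum(int(n) * UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+) (second|minute|hour|day)s?", text))


def parse_wg(output):
    """Parse human-readable `wg` output into one dict per peer."""
    peers, cur = [], None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("peer: "):
            cur = {"peer": line[6:], "handshake_age": None, "rx": 0, "tx": 0}
            peers.append(cur)
        elif cur and line.startswith("latest handshake: "):
            cur["handshake_age"] = age_seconds(line)
        elif cur and line.startswith("transfer: "):
            m = re.match(r"transfer: ([\d.]+) (\w+) received, ([\d.]+) (\w+) sent", line)
            cur["rx"] = int(float(m.group(1)) * UNIT_BYTES[m.group(2)])
            cur["tx"] = int(float(m.group(3)) * UNIT_BYTES[m.group(4)])
    return peers


def stale_peers(peers, max_age=180):
    """Peers with no handshake newer than max_age seconds (default: WireGuard's
    REJECT_AFTER_TIME). With a 25 s keepalive a responsive peer rehandshakes
    about every 2 minutes, so an older handshake means the far side is silent.
    A peer that never handshook (no 'latest handshake' line) is reported too."""
    return [p for p in peers if p["handshake_age"] is None or p["handshake_age"] > max_age]


if __name__ == "__main__":
    for p in stale_peers(parse_wg(SAMPLE_WG_OUTPUT)):
        print(f"{p['peer']}: handshake {p['handshake_age']} s ago, "
              f"rx {p['rx']} B / tx {p['tx']} B (one-way traffic)")
```

On a router this would read `subprocess.run(["wg"], capture_output=True, text=True).stdout` instead of the constructed sample.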

Which IP address are you trying to ping from the client?
I can’t confirm the bug. VyOS 1.4-rolling-202102060218
Server-side:

set interfaces dummy dum0 address '10.11.0.111/24'
set interfaces wireguard wg01 address '10.11.19.254/24'
set interfaces wireguard wg01 description 'RoadWarrior'
set interfaces wireguard wg01 peer PEER allowed-ips '10.11.19.1/32'
set interfaces wireguard wg01 peer PEER persistent-keepalive '25'
set interfaces wireguard wg01 peer PEER pubkey 'Bx0='
set interfaces wireguard wg01 port '443'

Client-side:

set interfaces wireguard wg01 address '10.11.19.1/32'
set interfaces wireguard wg01 description 'Server-wg.valka.is-198.51.100.1'
set interfaces wireguard wg01 peer wg.valka.is address '198.51.100.1'
set interfaces wireguard wg01 peer wg.valka.is allowed-ips '10.11.0.0/24'
set interfaces wireguard wg01 peer wg.valka.is persistent-keepalive '25'
set interfaces wireguard wg01 peer wg.valka.is port '443'
set interfaces wireguard wg01 peer wg.valka.is pubkey 'uQ0='
set nat source rule 50 outbound-interface 'eth1'
set nat source rule 50 translation address 'masquerade'
set protocols static route 10.11.0.0/24 interface wg01

Dump on client side:

vyos@r4-roll:~$ sudo tcpdump -nnti wg01
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg01, link-type RAW (Raw IP), capture size 262144 bytes
IP 10.11.19.1 > 10.11.0.111: ICMP echo request, id 11252, seq 1, length 64
IP 10.11.0.111 > 10.11.19.1: ICMP echo reply, id 11252, seq 1, length 64

Thanks for looking into this. I’m pinging 10.11.0.1. The two clients are not in the same subnet.

Server: 10.11.0.1/24
Client 10.11.19.1/32

Wireguard doesn’t require clients to be on the same subnet… same behavior as ppp connections.

I added a 1.3 image to the installation and booted from it… Didn’t get it to work. Took the same image and installed from scratch, and then it started working. I have made myself a checklist, and maybe some configuration got lost when I applied it to 1.4 without my noticing, I don’t know. But routes and keys were fine. Could be order of operation in 1.4, but I don’t know how to debug.

Try to re-generate wireguard keys.
And dump the traffic.

sudo tcpdump -nnti eth0 port 443

Do you see any packets to the wg server? Do you have access to the server side?

It only worked for a very short while (few seconds) on 1.3 and then stopped working. The local network seems to be doing something unexpected. I tried the same setup in a different location using 1.4 and it worked fine. This issue is invalid. Sorry for wasting your time.

No problems.
Let us know if you find anything else :upside_down_face: