
ER-4 router using Wireguard seems to stop working after pc/laptop tries to connect next day. #160

Closed
ngtw16a opened this issue Jan 25, 2025 · 14 comments

Comments


ngtw16a commented Jan 25, 2025

Hello all. I installed WireGuard on my ER-4 a few weeks ago (yes, firmware is current) and it was working perfectly....that day.
It seems every time I shut off or sleep a device that connects to the address range WireGuard is looking at...it just stops working
the next time I go to use it. Now all my devices are STATIC IPs...so I know that isn't the issue.

I was looking for a detailed ubnt/wireguard flow diagram (like the standard one) ...so I could try and see where it is getting stuck. It feels like a firewall issue maybe,
as it works perfectly when I first use it. If I reboot the router it works fine again....for that ONE session.


The only other thing I noticed was only wg was installed NOT the wg-quick cmd. Maybe due to the tiny flash on the ER?
Anyway--hope someone has seen this before. I'm sure it is something simple I am missing...I just can't see it yet :(
Thank you all for your great work on these open source products.

~Pat (aka ngtw16a from my ancient days on Prodigy)

Here are my config steps taken:

ER-4 Wireguard for EdgeOS V2

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e300-v2-v1.0.20220627-v1.0.20210914.deb

sudo dpkg -i e300-v2-v1.0.20220627-v1.0.20210914.deb

=- create and activate interface -=

configure
set interfaces wireguard wg0 address 192.168.140.2/32
set interfaces wireguard wg0 description VPN
set interfaces wireguard wg0 listen-port 37728
set interfaces wireguard wg0 mtu 1420
set interfaces wireguard wg0 peer <peer-public-key> allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer <peer-public-key> description vpn
set interfaces wireguard wg0 peer <peer-public-key> endpoint vpn:443
set interfaces wireguard wg0 peer <peer-public-key> persistent-keepalive 25
set interfaces wireguard wg0 private-key /config/auth/tz.key
set interfaces wireguard wg0 route-allowed-ips false
commit

sudo wg show --> stats on link
sudo wg showconf wg0 --> shows config setup (like .conf files)

=- create SNAT (last step before leaving router) rule for VPN interface -=

set service nat rule 5020 description 'masquerade for wg0/VPN'
set service nat rule 5020 log disable
set service nat rule 5020 outbound-interface wg0
set service nat rule 5020 protocol all
set service nat rule 5020 type masquerade
commit

=- allow incoming VPN traffic -=

set firewall name WAN_LOCAL rule 15 action accept
set firewall name WAN_LOCAL rule 15 description 'Allow incoming WireGuard'
set firewall name WAN_LOCAL rule 15 destination port 37728
set firewall name WAN_LOCAL rule 15 protocol udp
commit

show firewall

=- create table to reroute traffic to VPN -=
set protocols static table 1 description 'Route out via wg0/VPN'
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface wg0
set protocols static table 1 route 0.0.0.0/0 blackhole distance 255
commit

show protocols

=- create VPN ip group -=
set firewall group address-group LOCAL_VPN description 'Hosts in LOCAL that route out via wg0/VPN'
set firewall group address-group LOCAL_VPN address 192.168.1.32/28
commit

show firewall group

=- apply custom routing table for VPN ips -=
set firewall modify PBR_MODIFY description 'Set routing tables selectively based on source address'
set firewall modify PBR_MODIFY rule 200 action modify
set firewall modify PBR_MODIFY rule 200 description 'Modify all traffic coming from LOCAL_VPN address group'
set firewall modify PBR_MODIFY rule 200 modify table 1
set firewall modify PBR_MODIFY rule 200 source group address-group LOCAL_VPN
commit

=- apply modify rules to all incoming LAN traffic -=
set interfaces ethernet eth1 firewall in modify PBR_MODIFY
commit
save
exit

@azagramac

Have you noticed or restarted the router after the configuration?

There is an open ticket, #157, reporting that after a restart the configuration is lost; check that it is still there after the restart.


ngtw16a commented Jan 28, 2025

Good point. I just rechecked. Everything survives a reboot/restart and it will start working again (for awhile).
show configuration shows everything intact. At least we can rule that out.

@azagramac

Interesting.

I had my configuration deleted after a reboot. I find the behavior curious considering the same router and firmware.

In your case, although it keeps the configuration after the reboot, it stops working after a few hours... it could be that I changed the IP. Do you have some DDNS service configured?

Regards


boteman commented Jan 29, 2025

I found that my ER-X would not remember the endpoint when it was specified as a DNS name, but would remember it when it was specified with an ipv4 address. This was with the 2.0.9 firmware using the add-on Wireguard package, but I understand the built-in Wireguard in v3 is basically the same package, it's just included so you don't have to go out and get it.


ngtw16a commented Jan 29, 2025

Thanks guys. [azagramac] No DDNS setup, and I checked: the public IP has been static for months (cable modem) and everything inside is static. I don't even run a DHCP server :)

[boteman] My ER-4 is running on the 2.0.9 (fix 7) firmware...no V3 available yet for me. Since I DID use a DNS name for the endpoint, I will give that a try...and see if it keeps working with an IPv4 address coded. Good tip! :)


ngtw16a commented Feb 4, 2025

[boteman] Thank you so much. 3 days and several PC sleep cycles and so far everything is working just fine.
So I'm good till my VPN switches out a server and the IP changes :) I'll have to write a script to auto-check it.
Thanks again.

Now I just need to get the DNS set correctly for VPN. Wish we could set DNS per interface. I think maybe a firewall redirect rule??

Thanks again all. I'll close this in a few days once I'm 100% sure we are good.


boteman commented Feb 4, 2025 via email


ngtw16a commented Feb 4, 2025

Well--it did it again....but...I think it's (mostly) the Win10 PCs. If I have a browser OPEN and put the PC into sleep--when it comes out
it will NOT connect...even tried resetting the stack, etc...even a warm boot does NOT fix it...only a shutdown and cold start fixes it.
Several times I put it into sleep but did NOT have a browser open and it came back up ok.... so at first I was going to say it's a PC issue---but it's both...because it didn't start doing this UNTIL I installed WireGuard on the ER-4. Very, very odd--I'll have to run some Ethereal snoop tests both inside and outside of the VPN subnet and see what the heck could be different. Maybe some sort of a wakeup packet or something?? The journey continues :)


boteman commented Feb 5, 2025

Drill down into Device Manager and disable any power saving checkbox on the network interface.


ngtw16a commented Feb 6, 2025

Yup--I did some searches and found that as well. Seems to be working ok now...will give it more time.
The engineer in me wants to know WHY it worked fine for years in power-down, but not after installing the wireguard..
something doesn't set/clear? Maybe a packet is in flight when it powers down? Who knows...but for now...it works
and that is good enough (until I have time to figure out WHY). You are a wise man Mr. Bote man!


ngtw16a commented Feb 9, 2025

that seems to have fixed it. Now I ran into another issue. I can no longer access my cable modem at 192.168.100.1
because of my table 1....which is invoked from ALL traffic coming FROM a subnet that wants VPN. I need to split tunnel and tell it NOT to send traffic to VPN for my modem even if it came from a 'VPN subnet source ip'.

current table:
set protocols static table 1 description 'Route out via wg0/VPN'
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface wg0
set protocols static table 1 route 0.0.0.0/0 blackhole distance 255

would this be correct?

set protocols static table 1 description 'Route out via wg0/VPN'
set protocols static table 1 interface-route 192.168.100.1/32 next-hop-interface eth0
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface wg0
set protocols static table 1 route 0.0.0.0/0 blackhole distance 255

eth0 is WAN--where the cable modem is

Not sure if I have to add another 'route' command also??

I want all traffic to go to wg0 EXCEPT the 100.1 that should go to eth0.

Any thoughts anyone??? I still haven't mastered this EdgeOS lingo.


ngtw16a commented Feb 9, 2025

I GOT IT!!
Existing wireguard firewall modify and table

set protocols static table 1 description 'Route out via wg0/TrustZoneVPN'
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface wg0
set protocols static table 1 route 0.0.0.0/0 blackhole distance 255 <---what does this do?? drop traffic if wg0 is down????

set firewall modify PBR_MODIFY rule 200 action modify
set firewall modify PBR_MODIFY rule 200 description 'Modify all traffic coming from LOCAL_VPN address group'
set firewall modify PBR_MODIFY rule 200 modify table 1
set firewall modify PBR_MODIFY rule 200 source group address-group LOCAL_VPN

and LOCAL_VPN is 192.168.1.32/28

Tried to modify the table...but I don't know if you can have multiple interface-routes pointing to different interfaces??
So I tried to modify the 'modify' logic instead.

I added the following:

set firewall group address-group LOCAL_TRAFFIC description 'Hosts in LOCAL that route out via ETH0 outside the lan subnet'
set firewall group address-group LOCAL_TRAFFIC address 192.168.100.1

set firewall modify PBR_MODIFY rule 100 action modify
set firewall modify PBR_MODIFY rule 100 description 'split local traffic outside of VPN'
set firewall modify PBR_MODIFY rule 100 modify table main
set firewall modify PBR_MODIFY rule 100 destination group address-group LOCAL_TRAFFIC

so even though my ip is 192.168.1.42 it uses the rule 100 when I try to talk to the modem.

would be so much easier if we could change the IP of the cable modem to something in 192.168.1.X but...it works.

Not sure if this is the best way to do this...but it works...scary that I'm starting to understand this now :)

Thanks again. Anyone think of a better/different way to handle this??
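
As an added illustration (not code from this thread or from EdgeOS), here is a small Python model of the policy-based routing that the original table/modify config and the rule-100 split above set up: modify rules are matched first-hit in ascending rule number, then the destination is looked up in the chosen table. It also answers the distance-255 blackhole question: the 0.0.0.0/0 interface-route via wg0 is withdrawn while wg0 is down, so the blackhole becomes the only match and LOCAL_VPN traffic is dropped instead of falling through to the main table and leaving unencrypted via eth0. The prefixes and interface names are the thread's; the set of "up" interfaces and the sample addresses are constructed test input.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the thread's EdgeOS PBR setup; not EdgeOS or WireGuard code.
LOCAL_VPN = ipaddress.ip_network("192.168.1.32/28")        # hosts that should use wg0
LOCAL_TRAFFIC = ipaddress.ip_network("192.168.100.1/32")   # cable modem, must bypass wg0

# firewall modify PBR_MODIFY as (rule number, match, table). Lower numbers are checked
# first and the first matching rule decides the table, so rule 100 wins over rule 200.
PBR_MODIFY = [
    (100, lambda src, dst: dst in LOCAL_TRAFFIC, "main"),
    (200, lambda src, dst: src in LOCAL_VPN, "table1"),
]

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    nexthop: str          # interface name or "blackhole"
    distance: int = 1     # EdgeOS administrative distance; lower is preferred

# protocols static table 1 from the thread, plus the main table (default via eth0/WAN).
TABLES = {
    "main": [Route(ipaddress.ip_network("0.0.0.0/0"), "eth0")],
    "table1": [Route(ipaddress.ip_network("0.0.0.0/0"), "wg0"),
               Route(ipaddress.ip_network("0.0.0.0/0"), "blackhole", 255)],
}

def select_table(src: str, dst: str) -> str:
    """Apply PBR_MODIFY to a packet; unmatched traffic uses the main table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _num, match, table in sorted(PBR_MODIFY, key=lambda r: r[0]):
        if match(s, d):
            return table
    return "main"

def lookup(table: str, dst: str, up: frozenset) -> str:
    """Longest prefix first, then lowest distance. A route via a down interface is
    withdrawn, which is why the distance-255 blackhole only wins once wg0 is gone."""
    d = ipaddress.ip_address(dst)
    live = [r for r in TABLES[table]
            if d in r.prefix and (r.nexthop == "blackhole" or r.nexthop in up)]
    if not live:
        return "unroutable"
    return max(live, key=lambda r: (r.prefix.prefixlen, -r.distance)).nexthop

def egress(src: str, dst: str, up=frozenset({"eth0", "wg0"})) -> str:
    """Where a packet leaves the router: an interface name, 'blackhole' or 'unroutable'."""
    return lookup(select_table(src, dst), dst, frozenset(up))
```

Call `egress("192.168.1.42", "192.168.100.1")` to see the modem reached via eth0, and pass `up={"eth0"}` to see what happens to a LOCAL_VPN host's Internet traffic when wg0 is down.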


boteman commented Feb 11, 2025

Just beware that using the label "LOCAL" might confuse you later after working with EdgeRouter stuff more. By convention the label "LOCAL" refers to the router itself, whereas "LAN" refers to traffic passing from one subnet to another via the router. You might refer back to this configuration 6 months from now and wonder about that, so plan it out accordingly.


ngtw16a commented Feb 13, 2025

Great point! I'll rename before I finish documenting everything. Thanks again. Everything seems to be stable.
Couldn't get the DNS split to work (I think they call it horizon split or something)...i.e. I want different DNS for the WireGuard
interface. I'll just manually handle it at the client level. Thanks again to everyone!! :)

@ngtw16a ngtw16a closed this as completed Feb 13, 2025