Development discussion of WireGuard
* lineageos 17.1 after autostart on boot tunnel not functioning
       [not found] <mailman.0.1601114111.20018.wireguard@lists.zx2c4.com>
@ 2020-09-26 10:40 ` Chris
  2020-10-01 14:42   ` Chris
  2021-07-14  5:49   ` Android: more than one tunnel Chris
  2020-10-01 15:24 ` lineageos 17.1 no incoming Chris
  2020-10-05 13:51 ` wg-quick up (on linux) fails in case of several default routes Chris
  2 siblings, 2 replies; 15+ messages in thread
From: Chris @ 2020-09-26 10:40 UTC (permalink / raw)
  To: wireguard

I'm running the f-droid repo of the wireguard client on lineageos 17.1.
When set to autostart on boot, it does run.
The wireguard process is running and the tun0 interface is up with its setup ip 
address.

However the tunnel is not working. I can't ping the server.
After manually disabling and re-enabling the client everything is fine.
BR
Chris



* Re: lineageos 17.1 after autostart on boot tunnel not functioning
  2020-09-26 10:40 ` lineageos 17.1 after autostart on boot tunnel not functioning Chris
@ 2020-10-01 14:42   ` Chris
  2021-07-14  5:49   ` Android: more than one tunnel Chris
  1 sibling, 0 replies; 15+ messages in thread
From: Chris @ 2020-10-01 14:42 UTC (permalink / raw)
  To: wireguard

In answer to my own contribution and to further clarify the problem:
The server address was given as a DNS Name rather than an ip number.
Replacing it with the ip number, it works.
This probably means that wireguard tries to contact the server before DNS is 
functioning.
And this does not change!!
I never had this problem with openvpn.
Chris


On 26/09/2020 12:40, Chris wrote:
> I'm running the f-droid repo of the wireguard client on lineageos 17.1.
> When set to autostart on boot, it does run.
> The wireguard process is running and the tun0 interface is up with its setup 
> ip address.
>
> However the tunnel is not working. I can't ping the server.
> After manually disabling and re-enabling the client everything is fine.
> BR
> Chris
>



* lineageos 17.1 no incoming
       [not found] <mailman.0.1601114111.20018.wireguard@lists.zx2c4.com>
  2020-09-26 10:40 ` lineageos 17.1 after autostart on boot tunnel not functioning Chris
@ 2020-10-01 15:24 ` Chris
  2020-10-05 13:51 ` wg-quick up (on linux) fails in case of several default routes Chris
  2 siblings, 0 replies; 15+ messages in thread
From: Chris @ 2020-10-01 15:24 UTC (permalink / raw)
  To: wireguard

I'm running the f-droid repo of the wireguard client on lineageos 17.1
After the tunnel is up:
I can ping the wireguard client, and I can initiate an outgoing connection 
through the tunnel.

However, a process binding on all interfaces will not see any incoming traffic 
on tun0.
The same process works fine with incoming traffic on wlan0.

Sending the TCP SYN from the wireguard server through the tunnel, never receives 
an ACK.

Openvpn does not show this behaviour.

As the tun0 interface successfully reacts to pings, I guess it may be an 
iptables problem.
I.e. the traffic on tun0 is differently firewalled than the traffic on wlan0.

Chris




* wg-quick up (on linux) fails in case of several default routes
       [not found] <mailman.0.1601114111.20018.wireguard@lists.zx2c4.com>
  2020-09-26 10:40 ` lineageos 17.1 after autostart on boot tunnel not functioning Chris
  2020-10-01 15:24 ` lineageos 17.1 no incoming Chris
@ 2020-10-05 13:51 ` Chris
  2020-10-06 12:20   ` Jason A. Donenfeld
  2 siblings, 1 reply; 15+ messages in thread
From: Chris @ 2020-10-05 13:51 UTC (permalink / raw)
  To: wireguard

In case there is more than one default route (with different metrics):

wg-quick tries to set the route to the wg server through the default gateway.
However, in case there is more than one default route it
fails setting the route to server correctly.

Instead it should run through the list of default gateways and set routes to the
wg server through ALL default gateways with a metric of the corresponding 
default route.
Chris

P.S.: Shall one report bugs here or rather at gitlab or both?






* Re: wg-quick up (on linux) fails in case of several default routes
  2020-10-05 13:51 ` wg-quick up (on linux) fails in case of several default routes Chris
@ 2020-10-06 12:20   ` Jason A. Donenfeld
  2020-10-06 13:33     ` Chris
  0 siblings, 1 reply; 15+ messages in thread
From: Jason A. Donenfeld @ 2020-10-06 12:20 UTC (permalink / raw)
  To: Chris; +Cc: WireGuard mailing list

On Mon, Oct 5, 2020 at 3:51 PM Chris <wireguard@spam-free.eu> wrote:
> wg-quick tries to set the route to the wg server through the default gateway.

On Linux? It shouldn't be iterating default gateways at all, but
rather using suppress_prefix. Can you provide more technical
information about what you're seeing and maybe a patch to fix the
issue?

Jason


* Re: wg-quick up (on linux) fails in case of several default routes
  2020-10-06 12:20   ` Jason A. Donenfeld
@ 2020-10-06 13:33     ` Chris
  2020-10-06 13:47       ` Jason A. Donenfeld
  0 siblings, 1 reply; 15+ messages in thread
From: Chris @ 2020-10-06 13:33 UTC (permalink / raw)
  To: wireguard

Hello Jason,

setup is
two default routes with different metrics (the second being the failover in 
case the lower metric connection goes down).
For good reasons wg-quick will set up an individual route to the wg server (for 
the possibility of changing the default route afterwards).
However wg-quick fails:

******log follows***********
wg-quick up wg_client
[#] ip link add wg_client type wireguard
[#] wg setconf wg_client /dev/fd/63
[#] ip -4 address add 10.0.129.200/24 dev wg_client
[#] ip link set mtu 1420 up dev wg_client
[#] GATEW=$(ip route list 0.0.0.0/0|sed -n 's/.* via \(.*\) dev.*/\1/p');route add s1.spam-free.eu gw $GATEW
SIOCADDRT: No such device
[#] ip link delete dev wg_client
******log  end  ***********

The point is, that GATEW is NOT a single address but rather a list of ip 
addresses and the command setting the route fails.

Instead one should always run through ALL default gateways and set individual 
routes to the server through ALL the default gateways with the same metric as 
the respective default route.
This will then also work in case the failover route is in operation.

Of course, tearing down the client should delete ALL individual routes to the 
server.
Hope this clarifies it a bit.

Cheers,
Chris

On 06/10/2020 14:20, Jason A. Donenfeld wrote:
> On Mon, Oct 5, 2020 at 3:51 PM Chris <wireguard@spam-free.eu> wrote:
>> wg-quick tries to set the route to the wg server through the default gateway.
> On Linux? It shouldn't be iterating default gateways at all, but
> rather using suppress_prefix. Can you provide more technical
> information about what you're seeing and maybe a patch to fix the
> issue?
>
> Jason




* Re: wg-quick up (on linux) fails in case of several default routes
  2020-10-06 13:33     ` Chris
@ 2020-10-06 13:47       ` Jason A. Donenfeld
  2020-10-06 13:54         ` Chris
  0 siblings, 1 reply; 15+ messages in thread
From: Jason A. Donenfeld @ 2020-10-06 13:47 UTC (permalink / raw)
  To: Chris; +Cc: wireguard

On 10/6/20, Chris <wireguard@spam-free.eu> wrote:
> Hello Jason,
>
> setup is
> two default routes with different metrics (the second being the failover in
> case the lower metric connection goes down).
> For good reasons wg-quick will set up an individual route to the wg server
> (for the possibility of changing the default route afterwards).
> However wg-quick fails:
>
> ******log follows***********
> wg-quick up wg_client
> [#] ip link add wg_client type wireguard
> [#] wg setconf wg_client /dev/fd/63
> [#] ip -4 address add 10.0.129.200/24 dev wg_client
> [#] ip link set mtu 1420 up dev wg_client
> [#] GATEW=$(ip route list 0.0.0.0/0|sed -n 's/.* via \(.*\) dev.*/\1/p');route add s1.spam-free.eu gw $GATEW
> SIOCADDRT: No such device

Where did you get your wg-quick? I would never name a variable 'GATEW'
or print out an expression like that to the console. IOW, I don't
recognize what's happening here because this doesn't seem to be code
I've shipped.


> [#] ip link delete dev wg_client
> ******log  end  ***********
>
> The point is, that GATEW is NOT a single address but rather a list of ip
> addresses and the command setting the route fails.
>
> Instead one should always run through ALL default gateways and set
> individual routes to the server through ALL the default gateways with the
> same metric as the respective default route.
> This will then also work in case the failover route is in operation.
>
> Of course, tearing down the client should delete ALL individual routes to
> the server.
> Hope this clarifies it a bit.
>
> Cheers,
> Chris
>
> On 06/10/2020 14:20, Jason A. Donenfeld wrote:
>> On Mon, Oct 5, 2020 at 3:51 PM Chris <wireguard@spam-free.eu> wrote:
>>> wg-quick tries to set the route to the wg server through the default
>>> gateway.
>> On Linux? It shouldn't be iterating default gateways at all, but
>> rather using suppress_prefix. Can you provide more technical
>> information about what you're seeing and maybe a patch to fix the
>> issue?
>>
>> Jason
>


* Re: wg-quick up (on linux) fails in case of several default routes
  2020-10-06 13:47       ` Jason A. Donenfeld
@ 2020-10-06 13:54         ` Chris
  2020-10-06 13:58           ` Jason A. Donenfeld
  0 siblings, 1 reply; 15+ messages in thread
From: Chris @ 2020-10-06 13:54 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: wireguard

Oh, this is veeery surprising, I did not expect that:
It is the standard recent ubuntu repo:

*************************
dpkg -S `which wg-quick`
wireguard-tools: /usr/bin/wg-quick

apt-cache policy wireguard-tools
wireguard-tools:
   Installed: 1.0.20200513-1~20.04.2
   Candidate: 1.0.20200513-1~20.04.2
   Version table:
  *** 1.0.20200513-1~20.04.2 500
         500 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages
         100 /var/lib/dpkg/status
      1.0.20200319-1ubuntu1 500
         500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
**************************


On 06/10/2020 15:47, Jason A. Donenfeld wrote:
> On 10/6/20, Chris <wireguard@spam-free.eu> wrote:
>> Hello Jason,
>>
>> setup is
>> two default routes with different metrics (the second being the failover in
>> case the lower metric connection goes down).
>> For good reasons wg-quick will set up an individual route to the wg server
>> (for the possibility of changing the default route afterwards).
>> However wg-quick fails:
>>
>> ******log follows***********
>> wg-quick up wg_client
>> [#] ip link add wg_client type wireguard
>> [#] wg setconf wg_client /dev/fd/63
>> [#] ip -4 address add 10.0.129.200/24 dev wg_client
>> [#] ip link set mtu 1420 up dev wg_client
>> [#] GATEW=$(ip route list 0.0.0.0/0|sed -n 's/.* via \(.*\) dev.*/\1/p');route add s1.spam-free.eu gw $GATEW
>> SIOCADDRT: No such device
> Where did you get your wg-quick? I would never name a variable 'GATEW'
> or print out an expression like that to the console. IOW, I don't
> recognize what's happening here because this doesn't seem to be code
> I've shipped.
>
>
>> [#] ip link delete dev wg_client
>> ******log  end  ***********
>>
>> The point is, that GATEW is NOT a single address but rather a list of ip
>> addresses and the command setting the route fails.
>>
>> Instead one should always run through ALL default gateways and set
>> individual routes to the server through ALL the default gateways with the
>> same metric as the respective default route.
>> This will then also work in case the failover route is in operation.
>>
>> Of course, tearing down the client should delete ALL individual routes to
>> the server.
>> Hope this clarifies it a bit.
>>
>> Cheers,
>> Chris
>>
>> On 06/10/2020 14:20, Jason A. Donenfeld wrote:
>>> On Mon, Oct 5, 2020 at 3:51 PM Chris <wireguard@spam-free.eu> wrote:
>>>> wg-quick tries to set the route to the wg server through the default
>>>> gateway.
>>> On Linux? It shouldn't be iterating default gateways at all, but
>>> rather using suppress_prefix. Can you provide more technical
>>> information about what you're seeing and maybe a patch to fix the
>>> issue?
>>>
>>> Jason



* Re: wg-quick up (on linux) fails in case of several default routes
  2020-10-06 13:54         ` Chris
@ 2020-10-06 13:58           ` Jason A. Donenfeld
  2020-10-06 17:51             ` Chris
  0 siblings, 1 reply; 15+ messages in thread
From: Jason A. Donenfeld @ 2020-10-06 13:58 UTC (permalink / raw)
  To: Chris; +Cc: wireguard

Sounds like you put something silly into PostUp, then? Check your config file.


* Re: wg-quick up (on linux) fails in case of several default routes
  2020-10-06 13:58           ` Jason A. Donenfeld
@ 2020-10-06 17:51             ` Chris
  0 siblings, 0 replies; 15+ messages in thread
From: Chris @ 2020-10-06 17:51 UTC (permalink / raw)
  To: wireguard

You're right, it was a stupid config file.
Sorry for any inconveniences.


On 06/10/2020 15:58, Jason A. Donenfeld wrote:
> Sounds like you put something silly into PostUp, then? Check your config file.



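Added example, not part of any message in this thread: the command in the log came from a PostUp line in the poster's own config, and this sketch shows what that line produces with two default routes and how the per-gateway routes proposed earlier in the thread could be generated instead. The sample route listing, the endpoint 203.0.113.10, the name vpn.example.net and all function names are constructed for illustration; commands are printed, not executed.

```shell
#!/bin/sh
# Constructed sample of `ip route list 0.0.0.0/0` on a host with a primary and
# a failover uplink (RFC 5737 documentation addresses, not from the thread).
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0 proto dhcp metric 100
default via 198.51.100.1 dev wlan0 proto dhcp metric 600'

# Same sed expression as in the logged line: it prints one gateway per default
# route, so two default routes yield two lines rather than one address.
naive_gateways() {
    printf '%s\n' "$1" | sed -n 's/.* via \(.*\) dev.*/\1/p'
}

# Rebuild the command the logged line ends up running. $gatew is left unquoted
# on purpose, as in the log, so the shell splits it into two separate words.
# $1 = server name, $2 = route listing
naive_command() {
    gatew=$(naive_gateways "$2")
    echo route add "$1" gw $gatew
}

# Per-gateway alternative: one host route per default route, keeping that
# route's own device and metric. Assumes an IPv4 endpoint that has already
# been resolved to an address. $1 = endpoint IP, $2 = route listing
plan_host_routes() {
    printf '%s\n' "$2" | awk -v ep="$1" '
        $1 == "default" {
            gw = dev = metric = ""
            for (i = 2; i < NF; i++) {
                if ($i == "via")    gw = $(i + 1)
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1)
            }
            if (gw == "") next        # on-link default route: no gateway to use
            cmd = "ip route add " ep "/32 via " gw " dev " dev
            if (metric != "") cmd = cmd " metric " metric
            print cmd
        }'
}

# Matching teardown: delete every host route that plan_host_routes would add.
plan_teardown() {
    plan_host_routes "$1" "$2" | sed 's/^ip route add /ip route del /'
}

echo "naive: $(naive_command vpn.example.net "$SAMPLE_ROUTES")"
echo "up:"
plan_host_routes 203.0.113.10 "$SAMPLE_ROUTES"
echo "down:"
plan_teardown 203.0.113.10 "$SAMPLE_ROUTES"
```

The naive command carries a second address after the gateway, which is why it only fails once a second default route exists.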

* Android: more than one tunnel
  2020-09-26 10:40 ` lineageos 17.1 after autostart on boot tunnel not functioning Chris
  2020-10-01 14:42   ` Chris
@ 2021-07-14  5:49   ` Chris
  2021-07-14  9:06     ` Simon McNair
  2021-07-14 22:09     ` Eric Light
  1 sibling, 2 replies; 15+ messages in thread
From: Chris @ 2021-07-14  5:49 UTC (permalink / raw)
  To: wireguard

I have two distinct tunnels defined on Android.
However, I can only toggle between the two. I cannot have both activated at the 
same time.
I need both connections.
Am I missing anything?
Why not several tunnels with several wg servers???
Why is this being prevented?

BR
Chris



* Re: Android: more than one tunnel
  2021-07-14  5:49   ` Android: more than one tunnel Chris
@ 2021-07-14  9:06     ` Simon McNair
  2021-07-14 22:09     ` Eric Light
  1 sibling, 0 replies; 15+ messages in thread
From: Simon McNair @ 2021-07-14  9:06 UTC (permalink / raw)
  To: Chris; +Cc: wireguard

I think this is a limitation of android, not wireguard.


https://developer.android.com/guide/topics/connectivity/vpn

"
There’s only one active service per user or profile. Starting a new 
service, automatically stops an existing service"

Sent again due to being formatted as HTML rather than text and/or 
forgetting to cc the list.

Simon


On Wed, 14 Jul 2021, 06:54 Chris, <wireguard@spam-free.eu> wrote:

    I have two distinct tunnels defined on Android.
    However, I can only toggle between the two. I cannot have both
    activated at the
    same time.
    I need both connections.
    Am I missing anything?
    Why not several tunnels with several wg servers???
    Why is this being prevented?

    BR
    Chris



* Re: Android: more than one tunnel
  2021-07-14  5:49   ` Android: more than one tunnel Chris
  2021-07-14  9:06     ` Simon McNair
@ 2021-07-14 22:09     ` Eric Light
  2021-07-14 23:55       ` iiiiiiiiiiii
  2021-07-15  6:25       ` Chris
  1 sibling, 2 replies; 15+ messages in thread
From: Eric Light @ 2021-07-14 22:09 UTC (permalink / raw)
  To: wireguard

Hi Chris!

I don't have any experience with the Android implementation specifically... but most likely, your two tunnels have overlapping AllowedIPs ranges.  When this happens, bringing up the second interface will override the routing created by the first interface.

Most commonly, this happens when someone configures both interfaces with AllowedIPs = 0.0.0.0/0.  To fix this problem, make sure there's no overlap of AllowedIPs in your tunnel definitions.

I hope this helps  :)

(my apologies if the problem is something Android-specific that I don't know about)

E

--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es

On Wed, 14 Jul 2021, at 17:49, Chris wrote:
> I have two distinct tunnels defined on Android.
> However, I can only toggle between the two. I cannot have both activated at the 
> same time.
> I need both connections.
> Am I missing anything?
> Why not several tunnels with several wg servers???
> Why is this being prevented?
> 
> BR
> Chris
> 
> 

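Added example, not part of the thread: a check for the overlap condition described in the message above, run over pairs of tunnel definitions. The three configs are constructed, the function names are hypothetical, and only IPv4 AllowedIPs entries are compared.

```shell
#!/bin/sh
# Constructed tunnel definitions (not taken from the thread).
TUNNEL_A='[Peer]
AllowedIPs = 10.10.0.0/16, 192.168.50.0/24'
TUNNEL_B='[Peer]
AllowedIPs = 0.0.0.0/0'
TUNNEL_C='[Peer]
AllowedIPs = 172.16.0.0/12, fd00::/8'

# Print the IPv4 AllowedIPs entries of a config, one CIDR per line.
allowed_ips() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*AllowedIPs[ \t]*=/ {
            n = split($2, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", parts[i])
                # skip empty items and IPv6 entries (anything with a colon)
                if (parts[i] != "" && parts[i] !~ /:/) print parts[i]
            }
        }'
}

# Print "first last" for an IPv4 CIDR as two integers; a bare address is /32.
cidr_range() {
    case $1 in
        */*) addr=${1%/*}; len=${1#*/} ;;
        *)   addr=$1; len=32 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    ip=$(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
    size=$(( 1 << (32 - $len) ))
    first=$(( $ip / $size * $size ))      # clear the host bits
    echo "$first $(( $first + $size - 1 ))"
}

# Print every pair of CIDRs, one from each config, whose ranges intersect.
# $1 = first config text, $2 = second config text
overlapping_pairs() {
    for ca in $(allowed_ips "$1"); do
        ra=$(cidr_range "$ca"); a_lo=${ra% *}; a_hi=${ra#* }
        for cb in $(allowed_ips "$2"); do
            rb=$(cidr_range "$cb"); b_lo=${rb% *}; b_hi=${rb#* }
            if [ "$a_lo" -le "$b_hi" ] && [ "$b_lo" -le "$a_hi" ]; then
                echo "$ca overlaps $cb"
            fi
        done
    done
}

echo "A vs B:"; overlapping_pairs "$TUNNEL_A" "$TUNNEL_B"
echo "A vs C:"; overlapping_pairs "$TUNNEL_A" "$TUNNEL_C"
```

An empty result only rules out this one cause; it says nothing about platform limits on concurrent tunnels.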

* Re: Android: more than one tunnel
  2021-07-14 22:09     ` Eric Light
@ 2021-07-14 23:55       ` iiiiiiiiiiii
  2021-07-15  6:25       ` Chris
  1 sibling, 0 replies; 15+ messages in thread
From: iiiiiiiiiiii @ 2021-07-14 23:55 UTC (permalink / raw)
  To: wireguard

I have experienced the same issue without overlapping AllowedIPs
subnets, so I believe it is Android-specific.

On 21/07/15 10:09AM, Eric Light wrote:
> Hi Chris!
> 
> I don't have any experience with the Android implementation specifically... but most likely, your two tunnels have overlapping AllowedIPs ranges.  When this happens, bringing up the second interface will override the routing created by the first interface.
> 
> Most commonly, this happens when someone configures both interfaces with AllowedIPs = 0.0.0.0/0.  To fix this problem, make sure there's no overlap of AllowedIPs in your tunnel definitions.
> 
> I hope this helps  :)
> 
> (my apologies if the problem is something Android-specific that I don't know about)
> 
> E
> 
> --------------------------------------------
> Q: Why is this email five sentences or less?
> A: http://five.sentenc.es
> 
> On Wed, 14 Jul 2021, at 17:49, Chris wrote:
> > I have two distinct tunnels defined on Android.
> > However, I can only toggle between the two. I cannot have both activated at the 
> > same time.
> > I need both connections.
> > Am I missing anything?
> > Why not several tunnels with several wg servers???
> > Why is this being prevented?
> > 
> > BR
> > Chris
> > 
> > 


* Re: Android: more than one tunnel
  2021-07-14 22:09     ` Eric Light
  2021-07-14 23:55       ` iiiiiiiiiiii
@ 2021-07-15  6:25       ` Chris
  1 sibling, 0 replies; 15+ messages in thread
From: Chris @ 2021-07-15  6:25 UTC (permalink / raw)
  To: wireguard

Hi Eric,

thanks for your thoughts.
However, this is not the case. I have the same setup on many machines and 
different OSes.
Apart from that: you can still have many tunnels running with overlapping 
routeing ranges.
What will happen within the routeing tables for the routeing decision is a 
different question.

On Android switching on one tunnel just switches off the other.

I fear, Simon's reply is correct:
"
...
There’s only one active service per user or profile. Starting a new service, 
automatically stops an existing service.
...
"
So, unfortunately, that would be an unavoidable limitation of Android.

Chris

On 15/07/2021 00:09, Eric Light wrote:
> Hi Chris!
>
> I don't have any experience with the Android implementation specifically... 
> but most likely, your two tunnels have overlapping AllowedIPs ranges. When 
> this happens, bringing up the second interface will override the routing 
> created by the first interface.
>
> Most commonly, this happens when someone configures both interfaces with 
> AllowedIPs = 0.0.0.0/0. To fix this problem, make sure there's no overlap of 
> AllowedIPs in your tunnel definitions.
>
> I hope this helps :)
>
> (my apologies if the problem is something Android-specific that I don't know 
> about)
>
> E
>
> --------------------------------------------
> Q: Why is this email five sentences or less?
> A: http://five.sentenc.es
>
> On Wed, 14 Jul 2021, at 17:49, Chris wrote:
>> I have two distinct tunnels defined on Android.
>> However, I can only toggle between the two. I cannot have both activated at the
>> same time.
>> I need both connections.
>> Am I missing anything?
>> Why not several tunnels with several wg servers???
>> Why is this being prevented?
>>
>> BR
>> Chris
>>
>>



