ER-4 router using Wireguard seems to stop working after pc/laptop tries to connect next day. #160
Comments
Have you noticed or restarted the router after the configuration? There is an open ticket, #157, that the configuration is lost after a restart; check that it is still there after the restart.
Good point. I just rechecked. Everything survives a reboot/restart, and it will start working again (for a while).
Interesting. I had my configuration deleted after a reboot. I find the behavior curious considering it is the same router and firmware. In your case, although it keeps the configuration after the reboot, it stops working after a few hours... it could be that I changed the IP; do you have some DDNS service configured? Regards
I found that my ER-X would not remember the endpoint when it was specified as a DNS name, but would remember it when it was specified with an IPv4 address. This was with the 2.0.9 firmware using the add-on WireGuard package, but I understand the built-in WireGuard in v3 is basically the same package; it's just included so you don't have to go out and get it.
Thanks guys. [azagramac] No DDNS setup, and I checked: the public IP has been static for months (cable modem) and everything inside is static. I don't even run a DHCP server :) [boteman] My ER-4 is running the 2.0.9 (fix 7) firmware; no v3 available yet for me. Since I DID use a DNS name for the endpoint, I will give that a try and see if it keeps working with an IPv4 address coded. Good tip! :)
Hello all. I installed WireGuard on my ER-4 a few weeks ago (yes, the firmware is current) and it was working perfectly... that day.
It seems every time I shut off or sleep a device that connects to the address range WireGuard is looking at, it just stops working
the next time I go to use it. Now all my devices have STATIC IPs, so I know that isn't the issue.
I was looking for a detailed UBNT/WireGuard flow diagram (like the standard one) so I could try to see where it is getting stuck. It feels like a firewall issue maybe,
as it works perfectly when I first use it. If I reboot the router it works fine again... for that ONE session.
The only other thing I noticed was that only wg was installed, NOT the wg-quick command. Maybe due to the tiny flash on the ER?
Anyway, I hope someone has seen this before. I'm sure it is something simple I am missing... I just can't see it yet :(
Thank you all for your great work on these open source products.
~Pat (aka ngtw16a from my ancient days on Prodigy)
Here are the config steps I took:
ER-4 WireGuard for EdgeOS v2
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e300-v2-v1.0.20220627-v1.0.20210914.deb
sudo dpkg -i e300-v2-v1.0.20220627-v1.0.20210914.deb
=- create and activate interface -=
configure
set interfaces wireguard wg0 address 192.168.140.2/32
set interfaces wireguard wg0 description VPN
set interfaces wireguard wg0 listen-port 37728
set interfaces wireguard wg0 mtu 1420
=- <peer-public-key> below is a placeholder for the peer's base64 public key, which the post omits -=
set interfaces wireguard wg0 peer <peer-public-key> allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer <peer-public-key> description vpn
set interfaces wireguard wg0 peer <peer-public-key> endpoint vpn:443
set interfaces wireguard wg0 peer <peer-public-key> persistent-keepalive 25
set interfaces wireguard wg0 private-key /config/auth/tz.key
set interfaces wireguard wg0 route-allowed-ips false
commit
sudo wg show          # stats on the link
sudo wg showconf wg0  # shows the config (like a .conf file)
=- create SNAT (last step before leaving router) rule for VPN interface -=
set service nat rule 5020 description 'masquerade for wg0/VPN'
set service nat rule 5020 log disable
set service nat rule 5020 outbound-interface wg0
set service nat rule 5020 protocol all
set service nat rule 5020 type masquerade
commit
=- allow incoming VPN traffic -=
set firewall name WAN_LOCAL rule 15 action accept
set firewall name WAN_LOCAL rule 15 description 'Allow incoming WireGuard'
set firewall name WAN_LOCAL rule 15 destination port 37728
set firewall name WAN_LOCAL rule 15 protocol udp
commit
show firewall
=- create table to reroute traffic to VPN -=
set protocols static table 1 description 'Route out via wg0/VPN'
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface wg0
set protocols static table 1 route 0.0.0.0/0 blackhole distance 255
commit
show protocols
=- create VPN ip group -=
set firewall group address-group LOCAL_VPN description 'Hosts in LOCAL that route out via wg0/VPN'
set firewall group address-group LOCAL_VPN address 192.168.1.32/28
commit
show firewall group
=- apply custom routing table for VPN ips -=
set firewall modify PBR_MODIFY description 'Set routing tables selectively based on source address'
set firewall modify PBR_MODIFY rule 200 action modify
set firewall modify PBR_MODIFY rule 200 description 'Modify all traffic coming from LOCAL_VPN address group'
set firewall modify PBR_MODIFY rule 200 modify table 1
set firewall modify PBR_MODIFY rule 200 source group address-group LOCAL_VPN
commit
=- apply modify rules to all incoming LAN traffic -=
set interfaces ethernet eth1 firewall in modify PBR_MODIFY
commit
save
exit
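The thread above turns on two observable states: the peer's last handshake going stale until a reboot, and the endpoint (given as a DNS name, `vpn:443`) not being kept or re-resolved. The script below is an added example, not code from the wireguard-vyatta-ubnt project or from the poster; it reads `wg show <iface> dump` output, lists peers whose last handshake is older than a threshold, and plans the `wg set ... endpoint` refresh that re-points each stale peer at the name's current address. The sample dump, the peer keys, the address 203.0.113.77 and the function names are constructed for illustration, and the `--apply` path assumes `wg` and glibc `getent` are available on the router.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of wireguard-vyatta-ubnt or EdgeOS).
# 1. flag peers whose latest handshake is older than a threshold or never happened
# 2. plan a `wg set <iface> peer <key> endpoint <ip>:<port>` for each stale peer,
#    re-resolving a DNS-named endpoint; nothing is executed unless --apply is given.

# Constructed sample of `wg show wg0 dump` (NOT captured from a real router).
# Line 1: private-key public-key listen-port fwmark
# Peers:  public-key preshared-key endpoint allowed-ips latest-handshake
#         transfer-rx transfer-tx persistent-keepalive   (latest-handshake 0 = never)
SAMPLE_DUMP='PRIVKEY_REDACTED= LOCALPUB_REDACTED= 37728 off
PEER_FRESH= (none) 203.0.113.10:443 0.0.0.0/0 1700000280 123456 654321 25
PEER_STALE= (none) 203.0.113.10:443 10.0.0.0/8 1699990000 98765 4321 25
PEER_NEVER= (none) (none) 192.168.140.0/24 0 0 0 off'

# stale_peers DUMP NOW THRESHOLD -> public key of each peer whose latest handshake
# is older than THRESHOLD seconds or that never completed one. awk splits on any
# whitespace, so the real tab-separated dump and the sample above both parse.
stale_peers() {
  printf '%s\n' "$1" | awk -v now="$2" -v thr="$3" \
    'NR > 1 && ($5 == 0 || now - $5 > thr) { print $1 }'
}

# listen_port DUMP -> the interface listen port (compare with `listen-port` in config)
listen_port() {
  printf '%s\n' "$1" | awk 'NR == 1 { print $3 }'
}

# peer_endpoint DUMP PUBKEY -> endpoint currently held for that peer, "(none)" if lost
peer_endpoint() {
  printf '%s\n' "$1" | awk -v k="$2" 'NR > 1 && $1 == k { print $3 }'
}

# resolve_host NAME -> first IPv4 address for NAME, empty on failure.
# Assumption: glibc getent is present (EdgeOS is Debian-based).
resolve_host() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# refresh_plan DUMP NOW THRESHOLD IFACE HOST PORT [RESOLVER]
# Prints "<pubkey> <ip>:<port>" for each stale peer. RESOLVER is a shell function
# taking the hostname (defaults to resolve_host); unresolvable hosts are skipped
# with a message on stderr so a stale peer is never pointed at an empty address.
refresh_plan() {
  dump=$1; now=$2; thr=$3; iface=$4; host=$5; port=$6; resolver=${7:-resolve_host}
  for key in $(stale_peers "$dump" "$now" "$thr"); do
    ip=$("$resolver" "$host")
    if [ -z "$ip" ]; then
      echo "skip $iface peer $key: cannot resolve $host" >&2
      continue
    fi
    echo "$key $ip:$port"
  done
}

# Stand-alone demo on the constructed sample: "now" is 1700000300, handshakes
# older than 180 s count as stale, and a fake resolver stands in for DNS.
fake_resolver() { echo 203.0.113.77; }
refresh_plan "$SAMPLE_DUMP" 1700000300 180 wg0 vpn 443 fake_resolver

# Real use (hypothetical), run as root from a scheduled task:
#   sh wg-refresh.sh --apply wg0 vpn 443
# Each planned refresh is applied with wg directly (no eval of generated text).
if [ "${1:-}" = "--apply" ]; then
  live=$(wg show "$2" dump)
  refresh_plan "$live" "$(date +%s)" 180 "$2" "$3" "$4" | while read -r key ep; do
    echo "refreshing $2 peer $key -> $ep"
    wg set "$2" peer "$key" endpoint "$ep"
  done
fi
```

With `persistent-keepalive 25` as in the config above, a live tunnel renews its handshake roughly every two minutes, so a handshake older than three minutes is a real signal rather than idle time. Running the script from EdgeOS's `system task-scheduler` every few minutes, and comparing `listen_port` and `peer_endpoint` against the committed config right after a reboot, separates "the config was lost" (#157) from "the endpoint was never re-resolved" before touching the firewall or PBR rules.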