WireGuard: wg-quick error for some configs
Running wg-quick up <config> for configs containing the following keys causes errors:
- DNS = …: the wg-quick script tries to call resolvconf, which is available neither on the base system nor on Entware. The system’s DNS seems to be managed by systemd, so we would need to have resolvectl installed and symlink resolvconf to resolvectl for this to work.
- AllowedIPs = …/0: using a wildcard in the AllowedIPs field causes the script to try using some tricks relying on policy-based routing to make all packets go through the WireGuard interface. I’m not sure why this is needed. In any case, the ip command bundled in BusyBox does not seem to be able to configure policy-based routing, which is what causes the error we’re seeing.
To fix these issues, we could:
- Patch the wg-quick script to inform users that the said keys are not supported.
- Patch wg-quick to use a workaround for honoring those keys.
- Provide the missing utilities in some Toltec package.
The ip-full package from Entware provides a full-featured ip command supporting policy-based routing. The following command, issued by wg-quick, fails, though (which suggests that the kernel does not support it).
[#] ip -4 rule add not fwmark 51820 table 51820
RTNETLINK answers: Operation not supported
Continuing the investigation around wildcards in the AllowedIPs field: before it was changed to rely on policy-based routing, the script used to create two /1 routes and invoke a utility called tungate to enforce the routing of packets through these routes. Note that this is IPv4 only, but the comments say it should be easy to adapt to IPv6.
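A pre-flight check for the two keys this thread identifies as failing under wg-quick on the device, added here as an example; it is not part of wg-quick or of Toltec. The `wg_preflight` function and the sample config (with placeholder keys and a made-up endpoint) are constructed for illustration.

```shell
#!/bin/sh
# wg_preflight: scan a wg-quick config and report the keys known to fail
# here (DNS = ..., and any AllowedIPs prefix with a /0 mask) before running
# "wg-quick up". Hypothetical helper, not wg-quick's own code.
wg_preflight() {
    cfg="$1"
    # Drop comments, then walk "Key = Value" lines one at a time
    sed 's/#.*//' "$cfg" | while IFS= read -r line; do
        key=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*=.*//')
        val=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        case "$key" in
            DNS)
                echo "unsupported: DNS = $val (wg-quick would call resolvconf)"
                ;;
            AllowedIPs)
                # AllowedIPs may list several comma-separated prefixes
                old_ifs=$IFS; IFS=','
                for prefix in $val; do
                    prefix=$(printf '%s' "$prefix" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
                    case "$prefix" in
                        */0) echo "unsupported: AllowedIPs contains $prefix (needs policy-based routing)" ;;
                    esac
                done
                IFS=$old_ifs
                ;;
        esac
    done
}

# Constructed sample config exercising both problem keys (placeholder values)
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.0.0.2/32
DNS = 10.0.0.1   # resolvconf missing on the device

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0
EOF

wg_preflight "$SAMPLE_CFG"
```

Run against a real config before `wg-quick up` to see which keys need to be removed or worked around on the device.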