WireGuard doesn't come up at boot
-
@dem Next time you boot, try sending traffic across the tunnel via a ping. If one side is behind a NAT, then the tunnel has to be initiated from behind that NAT out to the remote peer. Without that kick-start, the remote peer fundamentally can't punch through the NAT.
-
@vbman213 I have WireGuard assigned to an interface with the gateway monitoring IPs set to the remote side of the tunnel, so there's lots of pinging going on.
-
This issue might be caused by the Interface Description having been left empty. Now that it is no longer empty the connection is coming up properly at boot.
However, trying to modify the Description causes a panic.
Now on 2.5.0.a.20210126.2350.
-
@dem said in WireGuard doesn't come up at boot:
This issue might be caused by the Interface Description having been left empty. Now that it is no longer empty the connection is coming up properly at boot.
An empty description wouldn't be related to that.
However, trying to modify the Description causes a panic.
Now on 2.5.0.a.20210126.2350.
Do you have the textdump from the panic? Or at least the backtrace?
-
WireGuard failed to come up again on my last boot. Perhaps there's a race somewhere.
-
What exactly do you mean by "failed to come up"?
Is the wg0 interface not present? Is it present but not configured? Is it configured but not passing traffic?
Or are you only basing it on the gateway status and nothing else?
-
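As an added illustration of the distinction jimp draws above (interface present, configured, handshaking, or merely failing a gateway ping), the following script is not from this thread, pfSense, or the WireGuard project. It classifies each peer from the `wg show <if> latest-handshakes` output format (peer public key, a tab, a Unix timestamp; 0 means no handshake has ever completed), using a constructed sample with placeholder keys. A handshake older than 180 seconds means the peer is not completing handshakes (WireGuard rejects a session after that long without a rekey), and a timestamp ahead of local time flags clock skew, which matters because the handshake initiation carries a TAI64N timestamp that the responder requires to increase.

```shell
#!/bin/sh
# Added example: classify WireGuard peers from "wg show <if> latest-handshakes"
# output. The sample input below is constructed; the peer keys are placeholders.

# WireGuard re-handshakes about every 2 minutes while traffic flows and
# discards a session after 180 s (REJECT_AFTER_TIME), so an older handshake
# means the peer is not completing handshakes.
STALE_AFTER=180

# tunnel_status <handshake_ts> <now_ts>
# Prints one of: never, fresh, stale, future
tunnel_status() {
    ts=$1
    now=$2
    if [ "$ts" -eq 0 ]; then
        echo never      # interface exists but no handshake has ever completed
    elif [ "$ts" -gt "$now" ]; then
        echo future     # timestamp ahead of our clock: clock skew or jump
    elif [ $((now - ts)) -gt "$STALE_AFTER" ]; then
        echo stale
    else
        echo fresh
    fi
}

# report <now_ts>: reads latest-handshakes lines on stdin and prints
# "<pubkey> <status> <age-in-seconds>" per peer ("-" when no handshake).
report() {
    now=$1
    while IFS="$(printf '\t')" read -r pub ts; do
        [ -z "$pub" ] && continue
        st=$(tunnel_status "$ts" "$now")
        if [ "$ts" -eq 0 ]; then age=-; else age=$((now - ts)); fi
        echo "$pub $st $age"
    done
}

# Constructed sample: peer A handshaked 30 s before "now", peer B never did.
SAMPLE="$(printf 'PEER_PUBKEY_PLACEHOLDER_A=\t%s\nPEER_PUBKEY_PLACEHOLDER_B=\t0\n' 1700000000)"

# On a live host with the wg(8) tool this would be:
#   wg show wg0 latest-handshakes | report "$(date +%s)"
main() {
    echo "$SAMPLE" | report 1700000030
}
main
```

A "never" result with the interface visible in ifconfig points at the kick-start problem described earlier in the thread (no initiation from behind the NAT), while a "future" result points at the clock rather than the tunnel configuration.
-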
@jimp I mean gateway pings to the other side of the tunnel fail and the other side does not see a WireGuard handshake.
I can see wg0 from ifconfig when in this state. At one point I tried ifconfig wg0 down and then back up but that didn't help.
And after this last boot it started working after a few minutes. I don't see any log messages associated with it starting to work except for the alarms clearing about 5.5 minutes after the boot completed.
-
What about traffic that isn't ping? Or a LAN-to-LAN ping?
What does the entry in the state table for the ping look like?
I suspect something fishy like the ping starts before the WireGuard interface is configured so it's exiting the wrong interface. And since you are trying the same ping source/dest that monitoring is trying, it's failing the same way.
-
@jimp I've got a client I'm policy routing through the WireGuard interface and when the interface isn't working running "curl icanhazip.com" on the client returns the actual external address. When WireGuard comes up properly it returns the external address of the server on the other side.
I'll see what else I can find. Or we can blame VirtualBox.
-
OK don't blame VirtualBox, blame me.
I think the issue was that I didn't have "Hardware Clock in UTC Time" set in VirtualBox, so the system clock was jumping when NTP kicked in, which disrupted something, perhaps crypto-related.
Sorry for my error.