[UnSolved] Possible BUG : Wireguard routing weirdly

AB5G · Feb 1, 2021, 2:22 AM

@jimp
A clean reinstall after a factory reset solved the issue. I did not have to specify any MTU on the interface. This closes the issue. Thank you for the time and the attention.

AB5G · Feb 5, 2021, 1:06 AM

@jimp I have hit this again. After the clean install and built everything was working fine till I noticed today that some apps that use the WG tunnel do not work - so I started checking and the same issue is back. Can't reach certain IP's - the packets are leaving the WG tunnel but not leaving the WAN interface.
Is there something you suggest or can I provide more logs to see if this is a bug ?

P.S - You were right, it does look like WireGuard cannot find peer to route the packet. As soon as I add the offending IP's in the remote peers allowed IP's - the traffic starts to flow. So that eliminates everything else as the root cause.

peer: qvsssssxxxxxxxxxxxxxxx=
endpoint: 4.xx.xx.xx:58451
allowed ips: 8.8.8.8/32, 192.168.29.0/24, 10.100.100.50/32, 0.0.0.0/0

AB5G · Feb 8, 2021, 2:19 AM

Guys anyone for this ? Should I raise a BUG report ?

jimp · Feb 8, 2021, 7:00 PM

Still not clear it's a bug here, and not a config issue, since nobody else can seem to reproduce it but you.

AB5G · Feb 9, 2021, 2:07 AM

Ok I'll wait on it. I don't have a spare/lab setup to reproduce the bug - but if someone is keen enough to test this here are the steps to trigger this (at least in my setup).

Setup a new wireguard tunnel wg0 to remote destination - In allowed IP's allow - REMOTE_LAN, Wireguard tunnel IP and 0.0.0.0/0. Everything else is default.
Setup a Wireguard Interface [WG] - Policy to allow source WG net to any any proto any
No rules for WIREGUARD group - Leave as is
Gateway set to WAN_DHCP
Create a LAN rule to route a PFSENSE_LAN_IP and set gateway to WG_WGv4 GW (Note: all LAN traffic is not being routed via the tunnel, only selected traffic)
Now trace / ping from the machine (PFSENSE_LAN_IP) to a few websites and see if you can reach. I particularly had issues with 8.8.8.8 , LinkedIn.com and a few others.

arrmo · Feb 10, 2021, 2:08 AM

@ab5g Hi. Not trying to hijack this (at all!), just wondering if this is simlar to what I have been seeing, here.

Entirely possible I'm misunderstanding - if I am, just ignore this post and move on . But if not, perhaps another example?

Thanks!

AB5G · Feb 10, 2021, 3:47 AM

@arrmo Quite possible - different symptoms with a common underlying cause. Will have to wait and see. I asked for help on reddit and until now no one else seems to come across this issue. A few days ago I did try setting up rules under WIREGUARD group to see if that'd make a difference to the lost packets and it did not :(.

arrmo · Feb 10, 2021, 3:54 AM

@ab5g OK, NP - let's see how it goes. As long as that group rule is in place, most traffic gets through (still some odd sites). But with it off, much more trouble. And I have tried adding all sorts of pass rules in LAN and WG (interface), none of them seem to be working. Dang it!

Thanks!

AB5G · Feb 10, 2021, 4:11 AM

@arrmo ping jimp here with your issue details. One more voice will help maybe.

arrmo · Feb 10, 2021, 3:21 PM

@ab5g said in [UnSolved] Possible BUG : Wireguard routing weirdly:

ping jimp here with your issue details

ping? Meaning IM? Thinking the comments above are a ping of sorts, no?

Thanks!

arrmo · Feb 10, 2021, 8:17 PM

@AB5G BTW, are you finding that a pass-all rule on the WireGuard group does help any, or not at all? I find it helps, but it's not a fix-all. Still some issues.

I checked the firewall logs, nothing there noted as blocked, so fun to debug. Any suggestions? Enabled logging on default rules? Or try tcpdump? To try to help resolve this.

Thanks!

AB5G · Feb 11, 2021, 5:12 AM

@arrmo No it doesn't work for me. The packet passes the WG filter, get Natted to the WG Tunnel IP and then gets lost - I don't see it on the WAN.

arrmo · Feb 11, 2021, 5:40 PM

@ab5g Dang it! And you have WireGuard set like this, right?

This is matching to what you recommended to me, so assuming you do - but just in case. Once I do this, and set up Hybrid Outbound NAT, then things are better (not 100%, but a lot better). Using the WG Interface causes me all sorts of grief

Thanks!

arrmo · Feb 12, 2021, 8:50 PM

@AB5G Please let me know if you have any luck. Had to tear down WireGuard, go back to OpenVPN. Just not finding it up / consistent enough. Dang it! I see the (good) potential though

Thanks!

BTW, this isn't perhaps the split routing that OpenVPN uses (on the "client" side), is it? Or are you not redirecting all traffic?

AB5G · Feb 13, 2021, 6:59 AM

Nope no luck and no one else is reporting this issue so I'm holding still.

arrmo · Feb 13, 2021, 11:46 AM

@ab5g Understood, here as well. Just yell if there is anything I can do to help!

arrmo · Feb 23, 2021, 12:45 AM

@ab5g FYI, I'm not seeing any more odd routing issues - now that I am on v2.5.0 (vs. RC I was running before). Are you on 2.5.0, and still seeing issues? If not, perhaps give it a try?

AB5G · Feb 23, 2021, 12:57 AM

@arrmo Yeah still there - I've made my peace with it though. Its only my AppleTv that routes through the VPN, so whenever things don't work - I find out the IP address of what the TV is trying to access and add it to the Wireguard peer. Because its is only a few apps on the TV - its not much hassle to add add the IP blocks once in a while.

arrmo · Feb 23, 2021, 1:01 AM

@ab5g OK, NP - just figured I'd let you know. BTW, are you adding the pass rules to the interface, or the WireGuard (group)? I'm still using the group, never did get the interface working .

Thanks!

AB5G · Feb 23, 2021, 1:01 AM

@arrmo Im using the interface. For now leave it to whatever is working for you. When things calm down around the new release maybe we can revisit this with the devs.