Is WireGuard broken on Armbian?


Recommended Posts

Hi,

 

I run a wireguard server in my home. I have a Mac and a couple of iOS devices that can successfully connect to the server, my internet traffic is routed via the home wireguard server and I can access devices in my home network using an address like 192.168.178.200. No problem.

 

Now I want to connect my cubitruck running Armbian Ubuntu 18.04 to my home network. I created a similar configuration as for all of the other devices, wireguard connects after I say `wg-quick up $configname`, with `ip a` I can see a new interface with an IP that corresponds to my configuration, there is a route set (Dst 10.9.0.0 -> Iface $configuration_wg0) BUT

 

  • when I try to ping the IP of the WG server (in my case 10.9.0.1): no response
  • when I try to ping a device in the home network (192.168.178.*): no response
  • when I try to access the Internet: nope.

 

Interestingly, on server side, when I say `wg show`, I notice that there is no sign that the client is/was connected.

 

Here's my client conf:

[Interface]

PrivateKey = xx

Address = 10.9.0.7/24

DNS = 1.1.1.1,1.0.0.1

[Peer]

PublicKey = yy

AllowedIPs = 0.0.0.0/0, ::/0

Endpoint = foo.bar.baz:10815

PersistentKeepalive = 25

 

And here the server.conf:
 

[Interface]

Address = 10.9.0.1/24

ListenPort = 10815

PrivateKey = aa

SaveConfig = false

# iphone

[Peer]

PublicKey = bb

AllowedIPs = 10.9.0.4/32

# ipad

[Peer]

PublicKey = cc

AllowedIPs = 10.9.0.5/32

# macpro

[Peer]

PublicKey = dd

AllowedIPs = 10.9.0.6/32

# backuptruck

[Peer]

PublicKey = ee

AllowedIPs = 10.9.0.7/32

I am actually pretty confident, that the configuration is correct. So I tested what happens when I run the same configuration on a Ubuntu notebook and here the configuration works.

 

So my conclusion is that there might be something broken/incompatible/ with wireguard on Armbian.

Link to post
Share on other sites
Donate and support the project!

6 minutes ago, drscheme said:

So my conclusion is that there might be something broken/incompatible/ with wireguard on Armbian.


I might give you some hints if you show me logs and WG module version. But you can just try to switch to nightly repository (current kernel). That includes up to date driver.

Link to post
Share on other sites

Hello!

 

I'm investigating a similar issue and found this thread. I'm trying to run wireguard on my banana pi pro. 

I have the following setup (as simple as possible for debugging the problem, left in the keys on purpose):

Quote

#Banana pi running armbian on 192.168.0.11

[Interface]
Address = 10.200.200.1/24
SaveConfig = true
ListenPort = 51822
PrivateKey = qAQNv75Hbfa6Spoe6lx0Y71h509ftMmqcnWhf2EDY2U=

[Peer]
PublicKey = Z2fGG/610nuIg58X0MGBXTwGR9bgqdvjQsUvfqrPhic=
AllowedIPs = 10.200.200.2/32
#Endpoint = 192.168.0.101:51822
 

#My notebook running Ununtu on 192.168.0.101

[Interface]
Address = 10.200.200.2/24
PrivateKey = YJOifAYRt0WojFAFvideTCVSr5OE4PtQCxMri0s4mHY=
ListenPort = 51822

[Peer]
PublicKey = tAotXUDO1HLLjDN1Ovq3R16DG/JgmNN71YvfBrPYFFQ=
Endpoint = 192.168.0.11:15822
AllowedIPs = 10.200.200.0/24
 

 

 

I found that bpi is having problem accepting connections, I can see the packets received in tcpdump but there is no wg handshake.

If I uncomment the Endpoint line in BPI config wireguard can establish connection with my desktop, even if I remove the endpoint address from my notebooks configuration.

 

The situation is same with 4.19.62-sunxi #5.92,  5.4.28-sunxi #20.02.7 and 5.5.13-sunxi #trunk.088.

 

Quotemodinfo wireguard
filename:       /lib/modules/5.5.13-sunxi/kernel/drivers/net/wireguard/wireguard.ko
alias:          net-pf-16-proto-16-family-wireguard
alias:          rtnl-link-wireguard
version:        1.0.0
author:         Jason A. Donenfeld <Jason@zx2c4.com>
description:    WireGuard secure network tunnel
license:        GPL v2
srcversion:     00F219E9700C1A81A851666
depends:        libcurve25519,libblake2s,udp_tunnel,libchacha20poly1305,curve25519-neon,ip6_udp_tunnel
intree:         Y
name:           wireguard
vermagic:       5.5.13-sunxi SMP mod_unload ARMv7 thumb2 p2v8 

 

I didn't find any related error message in the logs.

 

Please let me know if you have some idea debugging this issue.

 

Thanks,
Peter

 

Link to post
Share on other sites
3 hours ago, Peter P said:

I didn't find any related error message in the logs.

 

Please let me know if you have some idea debugging this issue.

 

Below Linux kernel 5.5.y is a legacy out of the tree version, this: https://git.zx2c4.com/wireguard-linux-compat Starting from 5.6.y WG is a part of the mainline kernel. Reports those errors / problems directly to WG authors and when they fix this, apt update and upgrade will solve it ...

Link to post
Share on other sites

root@w2:~# apt update
Hit:1 http://deb.debian.org/debian buster InRelease
Hit:2 http://security.debian.org buster/updates InRelease
Hit:3 http://deb.debian.org/debian buster-updates InRelease
Hit:4 http://deb.debian.org/debian buster-backports InRelease
Hit:5 https://apt.armbian.com buster InRelease
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
root@w2:~# apt install wireguard
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 wireguard : Depends: wireguard-tools (>= 1.0.20200513-1~bpo10+1) but 1.0.20200319-1~bpo10+1 is to be installed
E: Unable to correct problems, you have held broken packages.
root@w2:~# uname -a
Linux w2 5.4.43-sunxi64 #20.05.2 SMP Tue Jun 2 17:20:17 CEST 2020 aarch64 GNU/Linux

 

Link to post
Share on other sites

We host wireguard-tools package since they are not a part of a standard Debian. They have been updated now ... but you don't need this package because Wireguard is build into the kernel. Debian "apt install wireguard" is written badly:

root@odroidc4:/home/igorp# apt install wireguard
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  dkms linux-image-4.19.0-9-rt-arm64 linux-image-rt-arm64 wireguard-dkms
Suggested packages:
  python3-apport menu linux-doc-4.19 debian-kernel-handbook
Recommended packages:
  fakeroot linux-headers-686-pae | linux-headers-amd64 | linux-headers-generic | linux-headers firmware-linux-free apparmor
The following NEW packages will be installed:
  dkms linux-image-4.19.0-9-rt-arm64 linux-image-rt-arm64 wireguard wireguard-dkms
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 40.9 MB of archives.
After this operation, 228 MB of additional disk space will be used.
Do you want to continue? [Y/n] n
Abort.

On Armbian you only need to configure Wireguard. You don't need any of those packages and 228MB of waste.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...