dieoma Posted August 18, 2020

Hi there, I hope you can help me, as I saw there are a few Wireguard users here as well. I did set up Armbian 20.05.4 Buster on my Cubietruck and configured Wireguard. After a few mistakes the connection from outside (iOS client) is stable but very slow. I went down the obvious roads and found that the MTU setting on the client side could be an issue, and that some PostUp command parameters can improve performance. But for some reason my Wireguard doesn't want to accept anything with PostUp, SaveConfig etc. in my wg0.conf file: parsing error. But without that being solved I assume I can't work on the performance improvement.

Here are a few lines showing the relevant config files and the error:

    root@cubietruck:/etc/wireguard# cat wg0.conf
    [Interface]
    ListenPort=40404
    PrivateKey=blablablaServerKey
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    [Peer]
    PublicKey=blablabla Public Key
    AllowedIPs=192.168.42.100,fd00:42::100

    root@cubietruck:/etc/wireguard# cat clients/omasiphone.conf
    [Interface]
    PrivateKey=blablablaclientkey
    Address=192.168.42.100/24,fd00:42::100/64
    DNS=1.1.1.1,2606:4700:4700::1111
    MTU = 1412
    PostUp = ip route add SERVER_PUBLIC_IP/32 via 192.168.1.200 dev eth0; iptables -A FORWARD -i wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    PostDown = ip route del SERVER_PUBLIC_IP/32 via 192.168.1.200 dev eth0; iptables -D FORWARD -i wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    [Peer]
    PublicKey=blablablaclientkey
    Endpoint=ganzgeheim.myfritz.net:40404
    AllowedIPs=0.0.0.0/0,::/0

    root@cubietruck:/etc/wireguard# wg setconf wg0 /etc/wireguard/wg0.conf
    Line unrecognized: `PostUp=iptables-AFORWARD-iwg0-jACCEPT;iptables-tnat-APOSTROUTING-oeth0-jMASQUERADE;iptables-AFORWARD-ieth0-mstate--stateRELATED,ESTABLISHED-jACCEPT'
    Configuration parsing error

Can you help me here a bit?

Igor Posted August 18, 2020

12 minutes ago, dieoma said:
> I did set up Armbian 20.05.4 Buster on my Cubietruck

This tells me that you probably run kernel 5.4.y ... and this means the kernel module might be a bit old. That would explain why some features don't work, but performance-wise I have no experience. Below kernel 5.5.y there is a legacy version of Wireguard which is probably not maintained.

https://github.com/armbian/build/blob/master/lib/compilation-prepare.sh#L149-L176

There will be an update to 5.7.y soon. If you want to try it today, you need to build an image from sources: https://github.com/armbian/build

dieoma Posted August 18, 2020 (Author)

Your assumption is correct:

    root@cubietruck:/etc/wireguard# modinfo wireguard
    filename: /lib/modules/5.4.45-sunxi/kernel/net/wireguard/wireguard.ko
    intree: Y
    alias: net-pf-16-proto-16-family-wireguard
    alias: rtnl-link-wireguard
    version: 1.0.20200611
    author: Jason A. Donenfeld <Jason@zx2c4.com>
    description: WireGuard secure network tunnel
    license: GPL v2
    srcversion: D32255D92FDC92F22646179
    depends: udp_tunnel,ip6_udp_tunnel
    intree: Y
    name: wireguard
    vermagic: 5.4.45-sunxi SMP mod_unload ARMv7 thumb2 p2v8

When you say 5.7.y soon - do you know of any timeframe?

Igor Posted August 18, 2020

38 minutes ago, dieoma said:
> When you say 5.7.y soon - do you know of any timeframe?

This week.

lampra Posted August 18, 2020

In my case,

    root@cubietruck:~# uname -a
    Linux cubietruck 5.4.45-sunxi #20.05.3 SMP Wed Jun 10 12:09:20 CEST 2020 armv7l GNU/Linux

    root@cubietruck:~# modinfo wireguard
    filename: /lib/modules/5.4.45-sunxi/kernel/net/wireguard/wireguard.ko
    intree: Y
    alias: net-pf-16-proto-16-family-wireguard
    alias: rtnl-link-wireguard
    version: 1.0.20200520
    author: Jason A. Donenfeld <Jason@zx2c4.com>
    description: WireGuard secure network tunnel
    license: GPL v2
    srcversion: A6D35023900FD470258A30E
    depends: udp_tunnel,ip6_udp_tunnel
    intree: Y
    name: wireguard
    vermagic: 5.4.45-sunxi SMP mod_unload ARMv7 thumb2 p2v8

the following setup works fine:

    [Interface]
    Address = 10.200.200.1/24
    ListenPort = 5385
    PrivateKey = blablablaServerkey
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

    [Peer]
    PublicKey = blablablaPeerkey
    AllowedIPs = 10.200.200.11/32
    AllowedIPs = 10.0.0.0/24
    PersistentKeepalive = 24

dieoma Posted August 19, 2020 (Author)

Strange - your config fails again with a parsing error on my system, but we are running the same kernel version. What is the output of

    markus@cubietruck:~$ sudo dpkg -l|grep wireguard
    ii wireguard-tools 1.0.20200513-1~bpo10+1 armhf fast, modern, secure kernel VPN tunnel (userland utilities)

lampra Posted August 20, 2020

    root@cubietruck:~# sudo dpkg -l|grep wireguard
    ii wireguard 1.0.20200319-1 all fast, modern, secure kernel VPN tunnel (metapackage)
    ii wireguard-dkms 1.0.20200401-1 all fast, modern, secure kernel VPN tunnel (DKMS version)
    ii wireguard-tools 1.0.20200513-1~bpo10+1 armhf fast, modern, secure kernel VPN tunnel (userland utilities)

edit:

    root@cubietruck:~# apt list --installed|grep wireguard

    WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

    wireguard-dkms/now 1.0.20200401-1 all [installed,local]
    wireguard-tools/buster,now 1.0.20200513-1~bpo10+1 armhf [installed]
    wireguard/now 1.0.20200319-1 all [installed,local]

legogris Posted August 24, 2020

Never seen this before. Either way, on your PostUp/PostDown hooks: if the connection routes properly without them, it shouldn't make any difference for performance with or without. It's just for setting up routing.

It looks like the spaces are stripped out. Did you copy/paste it? A sanity check can be to retype it manually to make sure it's not some weird Unicode space characters that just look like normal spaces. Or try quoting the entire PostUp/PostDowns (even if it shouldn't be necessary).

You should remove them from the client config (you can't do iptables on iOS).

You can try adding KeepAlive = 25 or similar to ensure the tunnel stays up.

MTU can make a difference depending on your network. Maybe check this also: https://keremerkan.net/posts/wireguard-mtu-fixes/

The Arch Wiki page on Wireguard is also a recommended read.
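
An added example, not part of any post above and not WireGuard project code: `wg setconf` reads only the keys documented in wg(8), while PostUp, PostDown, Address, DNS, MTU, Table and SaveConfig are interpreted by the wg-quick(8) wrapper, so a file containing them is brought up with `wg-quick up wg0` or filtered first with `wg-quick strip wg0`. The Python sketch below sorts the keys of a config the same way; the function name `split_config` and the sample values are constructed for illustration.

```python
# Added example, not code from the thread or from the WireGuard project.
# Keys wg(8) itself accepts (setconf/addconf/syncconf), per section.
WG_KEYS = {
    "interface": {"privatekey", "listenport", "fwmark"},
    "peer": {"publickey", "presharedkey", "allowedips", "endpoint",
             "persistentkeepalive"},
}
# Extra [Interface] keys handled by the wg-quick wrapper only.
WG_QUICK_ONLY = {"address", "dns", "mtu", "table", "preup", "postup",
                 "predown", "postdown", "saveconfig"}

def split_config(text):
    """Return (stripped, quick_only, unknown); the last two hold (line, key)."""
    kept, quick_only, unknown = [], [], []
    section = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            kept.append(line)
            continue
        key, sep, value = line.partition("=")
        key, low = key.strip(), key.strip().lower()
        if sep and low in WG_KEYS.get(section, set()):
            kept.append(f"{key} = {value.strip()}")   # safe for `wg setconf`
        elif section == "interface" and low in WG_QUICK_ONLY:
            quick_only.append((no, key))              # needs `wg-quick up`
        else:
            unknown.append((no, key))                 # documented by neither
    return "\n".join(kept) + "\n", quick_only, unknown

# Constructed sample modelled on the first post's server config. KeepAlive
# is included as an undocumented key; wg(8) spells it PersistentKeepalive.
SAMPLE = """\
[Interface]
ListenPort = 40404
PrivateKey = PLACEHOLDER_SERVER_KEY
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT

[Peer]
PublicKey = PLACEHOLDER_PEER_KEY
AllowedIPs = 192.168.42.100,fd00:42::100
KeepAlive = 25
"""
if __name__ == "__main__":
    print(*split_config(SAMPLE), sep="\n")
```

Because wg-quick runs PostUp/PostDown strings through a root shell when the interface comes up or goes down, the `quick_only` list is also the set of lines to review before importing a config from someone else.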