Enabling Wireguard for a 10.x.x.x network only breaks all internet access

Hi All!

Awesome project! I've successfully set up LibreElec on a Raspberry Pi 4 with wireguard to route 10.x.x.x. traffic only: WireGuard.AllowedIPs = 10.x.x.x/24

It works perfectly, wireguard is elegant and amazing and I love it. Except, it breaks normal internet access:

ping Google:

ping: sendto: Required key not available

Accessing livestream via plugin

URLError: <urlopen error [Errno 113] No route to host>

-->End of Python script error report<--

2020-04-13 22:43:02.776 T:2546455408 ERROR: GetDirectory - Error getting plugin://plugin.video.livestream

Error Contents: <urlopen error [Errno 113] No route to host>

Disabling wireguard fixes everything immediately.

connmanctl disconnect my_10_x_x_x_domain
If I understand how this works, connman should perform a simple online check using EnableOnlineCheck, which is enabled by default, curling the URL below at startup

http://ipv4.connman.net/online/status.html

curl fails too, so I'm puzzled why connman seems to be preferring Wireguard to eth0.

Any help appreciated!

Thanks chewitt!

http://ix.io/2i1A

It looks like a route is created on wg0 for 0.0.0.0

Apr 14 17:52:01 TVC connmand[468]
: wg0 {add} route 10.2.2.0 gw 0.0.0.0 scope 253 <LINK>
Apr 14 17:52:01 TVC connmand[468]: rp_filter set to 2 (loose mode routing), old value was 2
Apr 14 17:52:01 TVC connmand[468]: Setting domainname to tvc
Apr 14 17:52:01 TVC connmand[468]: ipconfig state 4 ipconfig method 1
Apr 14 17:52:01 TVC connmand[468]: eth0 {add} route 88.31.205.51 gw 192.168.1.1 scope 0 <UNIVERSE>
Apr 14 17:52:01 TVC connmand[468]: eth0 {del} route 0.0.0.0 gw 192.168.1.1 scope 0 <UNIVERSE>
Apr 14 17:52:01 TVC connmand[468]: wg0 {del} route ff00:: gw :: scope 0 <UNIVERSE>
Apr 14 17:52:01 TVC connmand[468]: wg0 {add} route 0.0.0.0 gw 0.0.0.0 scope 253 <LINK>
Apr 14 17:52:01 TVC kodi.sh[539]: Removed /storage/.config/system.d/wireguard.service.
Apr 14 17:52:01 TVC systemd[1]: Reloading.
Apr 14 17:52:02 TVC systemd[1]: connman.service: Current command vanished from the unit file, execution of the command list won't be resumed.
Apr 14 17:52:02 TVC kodi.sh[539]: Failed to enable unit: Unit file /storage/.config/system.d/wireguard.service does not exist.
Apr 14 17:52:02 TVC kodi.sh[539]: Failed to start wireguard.service: Unit wireguard.service not found.

So the wireguard config is being interpreted as if AllowedIPs = 0.0.0.0/0 it seems?

[provider_wireguard]

Type = WireGuard

Name = WireGuardTVC

Host = 192.168.1.45

Domain = zzz

WireGuard.Address = 10.2.2.10/24

WireGuard.PrivateKey = xxxx

WireGuard.PublicKey = yyyy

WireGuard.AllowedIPs = 10.2.2.0/24

WireGuard.EndpointPort = 443

WireGuard.PersistentKeepalive = 25

With Wireguard Enabled:

# route

Kernel IP routing table

Destination Gateway Genmask Flags Metric Ref Use Iface

default * 0.0.0.0 U 0 0 0 wg0

10.2.2.0 * 255.255.255.0 U 0 0 0 wg0

88.31.205.51 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0

192.168.1.0 * 255.255.255.0 U 0 0 0 eth0

192.168.1.0 * 255.255.255.0 U 0 0 0 wlan0

192.168.1.1 * 255.255.255.255 UH 0 0 0 wlan0

192.168.1.1 * 255.255.255.255 UH 0 0 0 eth0

# ifconfig

eth0 Link encap:Ethernet HWaddr DC:A6:32:0C:7F:CB

inet addr:192.168.1.44 Bcast:192.168.1.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:1693 errors:0 dropped:0 overruns:0 frame:0

TX packets:1443 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:349318 (341.1 KiB) TX bytes:142329 (138.9 KiB)

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING MTU:65536 Metric:1

RX packets:672 errors:0 dropped:0 overruns:0 frame:0

TX packets:672 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:73851 (72.1 KiB) TX bytes:73851 (72.1 KiB)

wg0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

inet addr:10.2.2.10 P-t-P:10.2.2.10 Mask:255.255.255.0

UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1

RX packets:70 errors:0 dropped:0 overruns:0 frame:0

TX packets:99 errors:600 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:37372 (36.4 KiB) TX bytes:12740 (12.4 KiB)

wlan0 Link encap:Ethernet HWaddr DC:A6:32:0C:7F:CD

inet addr:192.168.1.41 Bcast:192.168.1.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:224 errors:0 dropped:0 overruns:0 frame:0

TX packets:56 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:20428 (19.9 KiB) TX bytes:16667 (16.2 KiB)

With Wireguard Disabled:

# route

Kernel IP routing table

Destination Gateway Genmask Flags Metric Ref Use Iface

default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0

88.31.205.51 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0

192.168.1.0 * 255.255.255.0 U 0 0 0 eth0

192.168.1.0 * 255.255.255.0 U 0 0 0 wlan0

192.168.1.1 * 255.255.255.255 UH 0 0 0 wlan0

192.168.1.1 * 255.255.255.255 UH 0 0 0 eth0

# ifconfig

eth0 Link encap:Ethernet HWaddr DC:A6:32:0C:7F:CB

inet addr:192.168.1.44 Bcast:192.168.1.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:2223 errors:0 dropped:0 overruns:0 frame:0

TX packets:1616 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:445482 (435.0 KiB) TX bytes:164836 (160.9 KiB)

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING MTU:65536 Metric:1

RX packets:824 errors:0 dropped:0 overruns:0 frame:0

TX packets:824 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:86398 (84.3 KiB) TX bytes:86398 (84.3 KiB)

wlan0 Link encap:Ethernet HWaddr DC:A6:32:0C:7F:CD

inet addr:192.168.1.41 Bcast:192.168.1.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:524 errors:0 dropped:0 overruns:0 frame:0

TX packets:69 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:64925 (63.4 KiB) TX bytes:17662 (17.2 KiB)

Did some research and decided to try blacklisting eth0 in /etc/connman/main.conf as a test after reading an unrelated stackexchange post. debian - How to prevent an unwanted default gateway to be added during reboot - Unix & Linux Stack Exchange

Added: NetworkInterfaceBlacklist = vmnet,vboxnet,virbr,ifb,docker,veth,zt,ve-,vb-.eth0

This did not resolve the issue, and as one might expect, broke the wired connection. Interestingly ssh did not work over wifi -- not sure if that is by design, a known issue, or might be related somehow. Had to eject the SD card and manually edit the conf file to get networking back up.

Thanks again!

More digging:

1. With wireguard up, I am able to ssh in on 192.168.1.xx:

INFO: Accepted publickey for root from 192.168.1.xx port 55512 ssh2: RSA SHA256...

2. At that time, syncthing cannot perform DNS queries out to a local pihole on the wifi connection - 192.168.1.40

INFO: Couldn't fetch release information: Get https://upgrades.syncthing.net/meta.json: dial tcp: lookup upgrades.syncthing.net on 192.168.1.40:53: read udp 192.168.1.50:37xxx->192.168.1.4x:53: i/o timeout

3. If I disable wifi, curl meta.json still fails with "no route to host" rather than "i/o timeout'

4. Configuring wireguard to route all packets works, but isn't ideal

Found a workaround:

ip route replace default via 192.168.1.1 dev eth0

default via 192.168.1.1 dev eth0

10.2.2.0/24 dev wg0 scope link src 10.2.2.10

88.31.205.51 via 192.168.1.1 dev eth0

192.168.1.0/24 dev eth0 scope link src 192.168.1.44

192.168.1.1 dev eth0 scope link

Pinging google.com works

Pinging wireguard IPs also works

Everything is great!

Except, in less than a minute, it gets overwritten automatically

default dev wg0 scope link

10.2.2.0/24 dev wg0 scope link src 10.2.2.10

88.31.205.51 via 192.168.1.1 dev eth0

192.168.1.0/24 dev eth0 scope link src 192.168.1.44

192.168.1.1 dev eth0 scope link

How can I prevent that? Tried blacklisting wg0 in connman_main.conf, no luck. I guess I need to blacklist eth0, but in a way that doesn't break networking entirely. I'm stuck!