Enabling Wireguard for a 10.x.x.x network only breaks all internet access

  • Hi All!

    Awesome project! I've successfully set up LibreElec on a Raspberry Pi 4 with wireguard to route 10.x.x.x traffic only: WireGuard.AllowedIPs = 10.x.x.x/24

    It works perfectly, wireguard is elegant and amazing and I love it. Except, it breaks normal internet access:

    ping Google:

    ping: sendto: Required key not available

    Accessing livestream via plugin:

    URLError: <urlopen error [Errno 113] No route to host>
    -->End of Python script error report<--
    2020-04-13 22:43:02.776 T:2546455408 ERROR: GetDirectory - Error getting plugin://plugin.video.livestream
    Error Contents: <urlopen error [Errno 113] No route to host>

    Disabling wireguard fixes everything immediately.

    connmanctl disconnect my_10_x_x_x_domain

    If I understand how this works, connman should perform a simple online check using EnableOnlineCheck, which is enabled by default, curling the URL below at startup:

    http://ipv4.connman.net/online/status.html

    curl fails too, so I'm puzzled why connman seems to be preferring Wireguard to eth0.

    Any help appreciated!

  • Thanks chewitt!

    http://ix.io/2i1A

    It looks like a route is created on wg0 for 0.0.0.0

    So the wireguard config is being interpreted as if AllowedIPs = 0.0.0.0/0 it seems?

    [provider_wireguard]
    Type = WireGuard
    Name = WireGuardTVC
    Host = 192.168.1.45
    Domain = zzz
    WireGuard.Address = 10.2.2.10/24
    WireGuard.PrivateKey = xxxx
    WireGuard.PublicKey = yyyy
    WireGuard.AllowedIPs = 10.2.2.0/24
    WireGuard.EndpointPort = 443
    WireGuard.PersistentKeepalive = 25

  • With Wireguard Enabled:

    # route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         *               0.0.0.0         U     0      0        0 wg0
    10.2.2.0        *               255.255.255.0   U     0      0        0 wg0
    88.31.205.51    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
    192.168.1.0     *               255.255.255.0   U     0      0        0 wlan0
    192.168.1.1     *               255.255.255.255 UH    0      0        0 wlan0
    192.168.1.1     *               255.255.255.255 UH    0      0        0 eth0

    # ifconfig
    eth0      Link encap:Ethernet  HWaddr DC:A6:32:0C:7F:CB
              inet addr:192.168.1.44  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1693 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1443 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:349318 (341.1 KiB)  TX bytes:142329 (138.9 KiB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:672 errors:0 dropped:0 overruns:0 frame:0
              TX packets:672 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:73851 (72.1 KiB)  TX bytes:73851 (72.1 KiB)

    wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.2.2.10  P-t-P:10.2.2.10  Mask:255.255.255.0
              UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
              RX packets:70 errors:0 dropped:0 overruns:0 frame:0
              TX packets:99 errors:600 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:37372 (36.4 KiB)  TX bytes:12740 (12.4 KiB)

    wlan0     Link encap:Ethernet  HWaddr DC:A6:32:0C:7F:CD
              inet addr:192.168.1.41  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:224 errors:0 dropped:0 overruns:0 frame:0
              TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:20428 (19.9 KiB)  TX bytes:16667 (16.2 KiB)

    With Wireguard Disabled:

    # route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
    88.31.205.51    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
    192.168.1.0     *               255.255.255.0   U     0      0        0 wlan0
    192.168.1.1     *               255.255.255.255 UH    0      0        0 wlan0
    192.168.1.1     *               255.255.255.255 UH    0      0        0 eth0

    # ifconfig
    eth0      Link encap:Ethernet  HWaddr DC:A6:32:0C:7F:CB
              inet addr:192.168.1.44  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2223 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1616 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:445482 (435.0 KiB)  TX bytes:164836 (160.9 KiB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:824 errors:0 dropped:0 overruns:0 frame:0
              TX packets:824 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:86398 (84.3 KiB)  TX bytes:86398 (84.3 KiB)

    wlan0     Link encap:Ethernet  HWaddr DC:A6:32:0C:7F:CD
              inet addr:192.168.1.41  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:524 errors:0 dropped:0 overruns:0 frame:0
              TX packets:69 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:64925 (63.4 KiB)  TX bytes:17662 (17.2 KiB)

    Did some research and decided to try blacklisting eth0 in /etc/connman/main.conf as a test after reading an unrelated stackexchange post: "debian - How to prevent an unwanted default gateway to be added during reboot - Unix & Linux Stack Exchange".

    Added: NetworkInterfaceBlacklist = vmnet,vboxnet,virbr,ifb,docker,veth,zt,ve-,vb-.eth0

    This did not resolve the issue, and as one might expect, broke the wired connection. Interestingly ssh did not work over wifi -- not sure if that is by design, a known issue, or might be related somehow. Had to eject the SD card and manually edit the conf file to get networking back up.

    Thanks again!

  • More digging:

    1. With wireguard up, I am able to ssh in on 192.168.1.xx:

    INFO: Accepted publickey for root from 192.168.1.xx port 55512 ssh2: RSA SHA256...

    2. At that time, syncthing cannot perform DNS queries out to a local pihole on the wifi connection - 192.168.1.40

    INFO: Couldn't fetch release information: Get https://upgrades.syncthing.net/meta.json: dial tcp: lookup upgrades.syncthing.net on 192.168.1.40:53: read udp 192.168.1.50:37xxx->192.168.1.4x:53: i/o timeout

    3. If I disable wifi, curl meta.json still fails with "no route to host" rather than "i/o timeout"

    4. Configuring wireguard to route all packets works, but isn't ideal

    Edited once, last by mseu (April 21, 2020 at 9:04 PM).

  • Found a workaround:

    ip route replace default via 192.168.1.1 dev eth0

    default via 192.168.1.1 dev eth0
    10.2.2.0/24 dev wg0 scope link src 10.2.2.10
    88.31.205.51 via 192.168.1.1 dev eth0
    192.168.1.0/24 dev eth0 scope link src 192.168.1.44
    192.168.1.1 dev eth0 scope link

    Pinging google.com works

    Pinging wireguard IPs also works

    Everything is great!

    Except, in less than a minute, it gets overwritten automatically :(

    default dev wg0 scope link
    10.2.2.0/24 dev wg0 scope link src 10.2.2.10
    88.31.205.51 via 192.168.1.1 dev eth0
    192.168.1.0/24 dev eth0 scope link src 192.168.1.44
    192.168.1.1 dev eth0 scope link

    How can I prevent that? Tried blacklisting wg0 in connman_main.conf, no luck. I guess I need to blacklist eth0, but in a way that doesn't break networking entirely. I'm stuck!

    Edited once, last by mseu (April 26, 2020 at 7:45 PM).
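A check for the condition this thread describes, added here as an example and not posted by anyone in the thread: it reads WireGuard.AllowedIPs from the connman provider config and the interface behind the default route from `ip route`, and reports when the tunnel interface owns the default route although no 0.0.0.0/0 was ever listed in AllowedIPs. The config and route samples are constructed from the values quoted above (keys omitted); the interface name wg0 is the one the thread shows.

```shell
#!/bin/sh
# Added example, not from the thread: detect the split-tunnel/default-route
# mismatch. Sample data is constructed from the thread; on a real box feed it
# the provider file and live `ip route` output instead.

# Constructed copy of the thread's connman provider config (keys omitted).
PROVIDER_CFG='[provider_wireguard]
Type = WireGuard
Name = WireGuardTVC
Host = 192.168.1.45
WireGuard.Address = 10.2.2.10/24
WireGuard.AllowedIPs = 10.2.2.0/24'

# Constructed `ip route` output: the broken state reported in the thread.
ROUTES_BROKEN='default dev wg0 scope link
10.2.2.0/24 dev wg0 scope link src 10.2.2.10
192.168.1.0/24 dev eth0 scope link src 192.168.1.44'

# Constructed `ip route` output after "ip route replace default via 192.168.1.1 dev eth0".
ROUTES_FIXED='default via 192.168.1.1 dev eth0
10.2.2.0/24 dev wg0 scope link src 10.2.2.10
192.168.1.0/24 dev eth0 scope link src 192.168.1.44'

# allowed_ips CFG: print the WireGuard.AllowedIPs value with whitespace removed.
allowed_ips() {
    printf '%s\n' "$1" | awk -F= '/^WireGuard\.AllowedIPs/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# default_dev ROUTES: print the interface carrying the default route (empty if none).
default_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# check_split_tunnel CFG ROUTES [WG_IF]: succeed when the routing table agrees with
# the config; fail when WG_IF (default wg0) owns the default route even though
# AllowedIPs does not contain 0.0.0.0/0, i.e. no full tunnel was requested.
check_split_tunnel() {
    ips=$(allowed_ips "$1")
    dev=$(default_dev "$2")
    case ",$ips," in
        *,0.0.0.0/0,*) return 0 ;;   # full-tunnel config: default via the tunnel is intended
    esac
    [ "$dev" != "${3:-wg0}" ]
}

if ! check_split_tunnel "$PROVIDER_CFG" "$ROUTES_BROKEN"; then
    echo "default route captured by wg0 although AllowedIPs=$(allowed_ips "$PROVIDER_CFG")"
fi
check_split_tunnel "$PROVIDER_CFG" "$ROUTES_FIXED" && echo "routing table consistent with AllowedIPs"
```

Run it periodically (or from a connman-triggered hook) to catch the moment connman re-installs the wg0 default route after the manual `ip route replace`.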