Wireguard - changes the default route although not configured

chemical1979 · April 29, 2020 at 9:20 PM

Hello Team,

Thanks for implementing wireguard in the latest release of LibreElec!

I followed the example from here and here

I tried to replace my site-to-site VPN from the addon tinc to wg, but somehow it keeps replacing the default route from eth0 to wg0 even though the AllowedIPs is limited to the remote subnet. If I connmanctl disconnect <vpnname> it properly restores the former default route.

I'm not sure where to look. This is the config file ~/.config/wireguard/wireguard.config:

Code

[provider_wireguard]
Type = WireGuard
Name = WireGuard VPN Tunnel
Host = xy.myfritz.net
Domain = myname
WireGuard.Address = 10.0.0.1/24
WireGuard.ListenPort = 61820
WireGuard.PrivateKey = kNf1...wk0Q=
WireGuard.PublicKey = 1yj3Tam...QWbeHo=
WireGuard.AllowedIPs = 192.168.2.0/24
WireGuard.EndpointPort = 61820
WireGuard.PersistentKeepalive = 25

Display More

I understood from the docs, that wg would only set the default route to the tunnel, if AllowedIPs would be 0.0.0.0/0 - but it isn't.

After connmanctl connect, the route table looks like this (the other side of the wg-end is not yet configured, so don't mind the missing route for the target subnet):

Code

~/.config/wireguard # ip route
default dev wg0 scope link
10.0.0.0/24 dev wg0 scope link  src 10.0.0.1
192.168.110.0/24 dev eth0 scope link  src 192.168.110.15
192.168.110.100 dev eth0 scope link
255.255.255.255 via 192.168.110.100 dev eth0

~/.config/wireguard # wg
interface: wg0
  public key: mIrfDDWUv....mzKH0A=
  private key: (hidden)
  listening port: 61820

peer: 1yj3Tamu....1yQWbeHo=
  endpoint: 84.x.y.z:61820
  allowed ips: 192.168.2.0/24
  transfer: 0 B received, 148 B sent
  persistent keepalive: every 25 seconds

Display More

The output of wg correctly limits to the configured target subnet.

After "connmanctl disconnect <vpnname>" the ip route looks like this:

Code

~/.config/wireguard # ip route
default via 192.168.110.100 dev eth0
192.168.110.0/24 dev eth0 scope link  src 192.168.110.15
192.168.110.100 dev eth0 scope link
255.255.255.255 via 192.168.110.100 dev eth0

I do not understand why it replaced the default route to wg0, the config file does not tell it to do so. Is this maybe a temporary state until the tunnel is established? Because that is not the case at this moment.

Can someone give me a hint where to look?

EDIT: I found there is a file ~/.cache/connman/<vpnname>/settings, which contains this line:

SplitRouting=false

This probably has something to do with it. I can not set it to "true", because it gets overwritten automatically by some other mechanism as soon as I "connmanctl connect <vpnname>". This mechanism probably is hardcoded to forcetunnel (route 0.0.0.0/0) into wireguard, isn't it?

**chewitt** · May 7, 2020 at 5:41 AM Official Post

The issue has been raised a couple of times. I've flagged it to the connman developers. We have to see what they say..

**chewitt** · May 26, 2020 at 9:24 AM Official Post

I've been told the AllowedIP setting is for internal WireGuard logic and WireGuard is not controlling the routing table. However, the WG connection is higher in the list of connman services (as it was created most recently) which means it becomes the primary service and default route. To change this we can change the service order via connmanctl, e.g.

Code

connmanctrl move-after vpn_138_116_14_12_wg_domain_tld ethernet_1cf05e0b93f0_cable
Moved vpn_138_116_14_12_wg_domain_tld after ethernet_1cf05e0b93f0_cable

So syntax is: connmanctl move-after <service_to_move> <service_to_move_it_after>

So for scenarios where you want to connect via WireGuard to access content on a remote server, but otherwise still want/need the Internet connection to be as-normal from the local network, we can add another ExecStart in the connman.service file, e.g.

Code

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/connmanctl connect vpn_138_116_14_12_wg_domain_tld
ExecStart=/usr/bin/connmanctl move-after vpn_138_116_14_12_wg_domain_tld ethernet_1cf05e0b93f0_cable
ExecStop=/usr/bin/connmanctl disconnect vpn_138_116_14_12_wg_domain_tld

NB: I haven't tested this, but it makes sense to me, so please have a play and report back.

NOTE: I have subsequently been told that the move-after changes are persistent, so would only need to be done once.

chemical1979 · May 28, 2020 at 9:00 PM

Thanks for getting back. The move-after has to be executed twice to work for me:

Code

openelec-roland:~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 wg0
10.0.0.0        *               255.255.255.0   U     0      0        0 wg0
192.168.110.0   *               255.255.255.0   U     0      0        0 eth0
192.168.110.100 *               255.255.255.255 UH    0      0        0 eth0
255.255.255.255 fritzbox.privat 255.255.255.255 UGH   0      0        0 eth0
openelec-roland:~ # connmanctl move-after vpn_X_klaus ethernet_b827eb10c45a_cable
Moved vpn_X_klaus after ethernet_b827eb10c45a_cable
openelec-roland:~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 wg0
10.0.0.0        *               255.255.255.0   U     0      0        0 wg0
192.168.110.0   *               255.255.255.0   U     0      0        0 eth0
192.168.110.100 *               255.255.255.255 UH    0      0        0 eth0
255.255.255.255 fritzbox.privat 255.255.255.255 UGH   0      0        0 eth0
openelec-roland:~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 wg0
10.0.0.0        *               255.255.255.0   U     0      0        0 wg0
192.168.110.0   *               255.255.255.0   U     0      0        0 eth0
192.168.110.100 *               255.255.255.255 UH    0      0        0 eth0
255.255.255.255 fritzbox.privat 255.255.255.255 UGH   0      0        0 eth0
openelec-roland:~ # connmanctl move-after vpn_X_klaus ethernet_b827eb10c45a_cable
Moved vpn_X_klaus after ethernet_b827eb10c45a_cable
openelec-roland:~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         fritzbox.privat 0.0.0.0         UG    0      0        0 eth0
10.0.0.0        *               255.255.255.0   U     0      0        0 wg0
192.168.110.0   *               255.255.255.0   U     0      0        0 eth0
192.168.110.100 *               255.255.255.255 UH    0      0        0 eth0
255.255.255.255 fritzbox.privat 255.255.255.255 UGH   0      0        0 eth0

Display More

As you can see, the second move-after actually changed the Interface of the default route. So I adopted the service-file:

Code

openelec-roland:~ # cat .config/system.d/wireguard.service
[Unit]
Description=WireGuard VPN Service
After=network-online.target nss-lookup.target connman-vpn.service
Wants=network-online.target nss-lookup.target connman-vpn.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/connmanctl connect vpn_X_klaus
ExecStart=/usr/bin/connmanctl move-after vpn_X_klaus ethernet_b827eb10c45a_cable
ExecStart=/usr/bin/connmanctl move-after vpn_X_klaus ethernet_b827eb10c45a_cable
ExecStop=/usr/bin/connmanctl disconnect vpn_X_klaus

[Install]
WantedBy=multi-user.target

Display More

This way, it works. But I'm not sure why.

Anyway, the service does not come up during boot. How can I troubleshoot this? systemctl status wireguard shows some weird errors (the wrong timestamps seem to be the case as this service gets started before the time was fixed - maybe this is also the problem here, it gets started too early?):

Code

â wireguard.service - WireGuard VPN Service
   Loaded: loaded (/storage/.config/system.d/wireguard.service; enabled; vendor preset: disabled)
   Active: active (exited) since Thu 2019-04-11 16:28:40 UTC; 1 years 1 months ago
  Process: 360 ExecStart=/usr/bin/connmanctl connect vpn_X_klaus (code=exited, status=0/SUCCESS)
  Process: 388 ExecStart=/usr/bin/connmanctl move-after vpn_X_klaus ethernet_b827eb10c45a_cable (code=exited, status=0/SUCCESS)
  Process: 392 ExecStart=/usr/bin/connmanctl move-after vpn_Xt_klaus ethernet_b827eb10c45a_cable (code=exited, status=0/SUCCESS)
 Main PID: 392 (code=exited, status=0/SUCCESS)

Apr 11 16:28:40 openelec-roland systemd[1]: Starting WireGuard VPN Service...
Apr 11 16:28:40 openelec-roland connmanctl[360]: Error /net/connman/service/vpn_X_klaus: Method "Connect" with signature "" on interface "net.connman.Service" doesn't exist
Apr 11 16:28:40 openelec-roland connmanctl[388]: Error /net/connman/service/vpn_X_klaus: Invalid service
Apr 11 16:28:40 openelec-roland connmanctl[392]: Error /net/connman/service/vpn_X_klaus: Invalid service
Apr 11 16:28:40 openelec-roland systemd[1]: Started WireGuard VPN Service.

Display More

If I login with root and "systemctl stop wireguard" and "systemctl start wireguard" it seems to work.

Any ideas?

**chewitt** · May 30, 2020 at 7:49 AM Official Post

From what I've read WireGuard requires monotonic time, i.e. time can change but must always move forwards, so it shouldn't be affected by the time-jump seen when NTP kicks in (unlike TLS certs which are invalid until current time is greater than cert start dateTime) as time starts from libc compile time (some date in April?) but I'm not an expert in these things. I suspect the timing/sequencing for WireGuard in the .service file could be improved as I'm a novice with systemd things.

chemical1979 · May 31, 2020 at 11:07 AM

Thanks, I managed to work around with that issue by just sleeping for 5 seconds before starting with wireguard stuff upon boot. This works for me. I also tried with some other dependencies (connman.service, bluetooth.service), but that did not help. I guess I could restore the defaults there ...

Code

[Unit]
Description=WireGuard VPN Service
After=network-online.target nss-lookup.target connman.service connman-vpn.service bluetooth.service
Wants=network-online.target nss-lookup.target connman.service connman-vpn.service bluetooth.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/sleep 5
ExecStart=/usr/bin/connmanctl connect vpn_X_klaus
ExecStart=/usr/bin/connmanctl move-after vpn_X_klaus ethernet_b827eb10c45a_cable
ExecStart=/usr/bin/connmanctl move-after vpn_X_klaus ethernet_b827eb10c45a_cable
ExecStart=/usr/sbin/route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.0.2
ExecStop=/usr/bin/connmanctl disconnect vpn_X_klaus

[Install]
WantedBy=multi-user.target

Display More

I am still wondering why this move-after has to be executed twice (for me). On the other side of the LibreElec this also not helps in every case, he sometimes need to stop / start wireguard.service several times until it works.

**chewitt** · June 1, 2020 at 11:25 AM Official Post

Having done a bit more reading I have a suspicion we need to start using systemd to handle NTP as this adds a new systemd .target for when the initial NTP sync has completed, which would be useful in this scenario. That's something for the master branch though, I wouldn't risk that kind of change being backported to 9.2 at this stage in the release lifecycle.

**mglae** · June 1, 2020 at 3:12 PM

Quote from chewitt

Having done a bit more reading I have a suspicion we need to start using systemd to handle NTP as this adds a new systemd .target for when the initial NTP sync has completed, which would be useful in this scenario.

Or conman start to support /run/systemd/timesync/synchonized for reliability ...

On RPIs (or any other devices without RTC) time-sync.target already may work today. Start enabling the needed service:

Code

systemctl enable systemd-time-wait-sync

Reboot a few times and check:

Code

systemctl status systemd-time-wait-sync
systemctl status time-sync.target

If time-sync.target is always reached the dependency can be added to the wireguard unit.

**chewitt** · June 2, 2020 at 5:03 AM Official Post

mglae some early testing is positive. I've enabled systemd-time-wait-sync and added time-sync.target to "After" in wireguard.service. If we see a few more positive reports I'll push some changes.

**mglae** · June 2, 2020 at 10:28 PM

chewitt systemd-time-wait-sync does hang randomly on Generic because ntp slew adjusts are not detected. There has to be a jump adjust in the beginning (only be used if the time error is >0.5sec).

Assuming the initial RTC value is always "good enough" we can disable systemd-time-wait-sync on this platform with a drop-in file:

Code

[Unit]
ConditionArchitecture=!x86-64

ninze · September 9, 2021 at 5:50 PM

As far as I understand, the suggested solution needs a specific service (such as ethernet) that can be used as "move-after" target. But what happens if the ethernet cable is unplugged and the device is using wifi to access the internet? Is there a solution that works for both wifi and cable?

nativemad · January 8, 2022 at 10:44 AM

I tried to make it a bit more resilient to changes and different scenarios.

I found it to be not reliable when started through systemd. therefore i used autoexec.py in /storage/.kodi/userdata/autoexec.py with the following content:

Python

from subprocess import call
call("/storage/connect_vpn.sh")

And for the actual connection if have this in /storage/connect_vpn.sh:

Bash

#!/bin/bash
VPN=`connmanctl vpnconnections | awk '{print $NF}'`
if route -n | grep wg0 >/dev/null; then 
        connmanctl disconnect $VPN
        sleep 2s
fi
if [[ ! -z $1 ]] && [[ $1 == "stop" ]]; then
        exit 0;
fi
LIF=`route -n | grep ^0.0.0.0 | awk '{print $NF}'`
OR=`route -n | grep ^0.0.0.0 | awk '{print $2}'`
if [[ ! -z "$OR" ]]; then
        LIFT="wifi";
        if [[ "$LIF" == "eth0" ]]; then
                LIFT="cable";
        fi
        LOC=`connmanctl services | grep '^\*' | grep $LIFT | awk '{print $NF}'`
        connmanctl connect $VPN
        sleep 2s
        connmanctl move-after $VPN $LOC
        #sometimes it just reset VPN.. we keep trying... and trying...
        while true; do
                GIF=`route -n | grep ^0.0.0.0 | awk '{print $NF}'`
                if [[ $GIF == "wg0" ]]; then
                        connmanctl move-after $VPN $LOC
                else
                        sleep 5s
                fi
        done
fi

Display More

Hth. A fix in connman would certainly be nicer!

reyqn · February 19, 2022 at 4:17 AM

This is quite hard to use reliably. Even with nativemad's script when I'm trying to connect to my rpi from an external network using the external ip (not through wireguard), I have multiple "connmanctl move-after" commands every five seconds. This makes the connection really unstable.

On a different but related note, I've also tried using a docker container as a wireguard client (since it works very well for a wireguard server), but apparently LibreElec doesn't include the iptables_raw kernel module so it's not possible to set AllowedIps as 0.0.0.0/0.

I'm not really good with networking, but is there any way to actually load this module, or to force the metric of the vpn as really high so the route will have a low priority? I'm kind of stuck here.

Edit: In the end I just configured wireguard manually with wg. Not ideal but it works...

knedlyk · September 26, 2022 at 12:58 PM

After a few days I managed to solve default route issue. Below there are my scripts with descriptions.

WG configuration:

/storage/.config/wireguard/wg0.conf

Code

[Interface]
ListenPort = <port>
PrivateKey = <privkey>

[Peer]
PublicKey = <publkey>
AllowedIPs = 0.0.0.0/0
Endpoint = <endpoint hostname>:<port>

Wireguard startup script:

/storage/.config/wgconnect.sh

Bash

#!/bin/bash

ip link add dev wg0 type wireguard
ip address add dev wg0 10.0.0.2/24
wg setconf wg0 /storage/.config/wireguard/wg0.conf
ip link set up dev wg0

sleep 5

ip route flush 0.0.0.0/1
ip route flush 128.0.0.0/1
ip route add <first ip which should be routed> via 10.0.0.1
ip route add <second ip which should be routed> via 10.0.0.1
ip route add <third ip which should be routed> via 10.0.0.1

Display More

Stop Wireguard connection:

/storage/.config/wgdisconnect.sh

Bash

#!/bin/bash
ip link set down dev wg0

Systemd service:

/storage/.config/system.d/wireguard.service

Code

[Unit]
Description=WireGuard VPN Service
After=network-online.target nss-lookup.target connman-vpn.service time-sync.target
Wants=network-online.target nss-lookup.target connman-vpn.service time-sync.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/sleep 5

ExecStart=/storage/.config/wgconnect.sh
ExecStop=/storage/.config/wgdisconnect.sh

[Install]
WantedBy=multi-user.target

Display More

Then all traffic routes via default eth0 interface and several ip's via wg0. Routes look as follows:

Code

$ ip route

default via 192.168.1.1 dev eth0 
10.0.0.0/24 dev wg0 scope link  src 10.0.0.2 
62.179.1.62 via 192.168.1.1 dev eth0 
62.179.1.63 via 192.168.1.1 dev eth0 
<first routed ip> via 10.0.0.1 dev wg0 
192.168.1.0/24 dev eth0 scope link  src 192.168.1.19 
192.168.1.1 dev eth0 scope link 
<second routed ip> via 10.0.0.1 dev wg0 
<third routed ip> via 10.0.0.1 dev wg0

Display More

At least, it works for me.

loopy123 · October 25, 2022 at 1:33 AM

In case anyone else is looking for a solution. I got this working to add a network "lock" with iptables to ensure all non-LAN internet traffic goes over wireguard by adding the following in /storage/.config/iptables/rules.v4

Code

*filter
:INPUT DROP [12:909]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
-A INPUT -s WG_CONFIG_IP/32 -j ACCEPT
-A INPUT -p udp -m udp --dport PORT_FROM_WG_CONFIG -j ACCEPT
-A OUTPUT -s 192.168.0.0/16 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wg0 -p icmp -j ACCEPT
-A OUTPUT -o wg0 -j ACCEPT
-A OUTPUT -d WG_CONFIG_IP/32 -j ACCEPT
-A OUTPUT -p udp -m udp --dport PORT_FROM_WG_CONFIG -j ACCEPT
-A OUTPUT -o wg0 -j ACCEPT
COMMIT

Display More

I believe you need to also first allow custom firewall rules in Kodi with:

1) Set kodi's network/firewall config to custom
2) Reboot

laurent734 · November 29, 2022 at 2:10 PM

hello,

I need help with my wireguard configuration..

I have subscribed to a paid subscription at protonvpn and I have the possibility of creating wireguard configs..

I will try to describe my problem.

I created a file with nano in storage/.config/wireguard/wireguard.config

I have replaced the necessary information with that of my supplier.

[provider_wireguard]

Type=WireGuard

Name = WireGuard VPN Tunnel

Host = 188.241.xx.xxx

WireGuard.Address = 10.2.0.2/32

WireGuard.ListenPort = 51820

WireGuard.PrivateKey = MGWKhrENy0r3soBHkJf0UGqYaxxxxxxxxxxxxxxxx=

WireGuard.PublicKey=LVsKLsUOqzeYK3ATkN8xxxxxxxxxxxxxx=

#WireGuard.PresharedKey = DfEYeVs04HS9XhKGM4/ZXHG3Qc4MFKxxxxxxxxx=

WireGuard.DNS=10.2.0.1

WireGuard.AllowedIPs = 0.0.0.0/0

WireGuard.EndpointPort = 51820

WireGuard.PersistentKeepalive = 25

the connection is made and my public ip changes but when I do a test with the dnsleak plugin I find the dns of my internet provider..

I have circumvented the problem temporarily with pihole or an alternative dns but I would like to solve the problem.

someone to help me?

**chewitt** · November 30, 2022 at 5:30 AM

laurent734 LE probably needs to use ConnMan with the built-in DNS proxy to avoid DNS leaks at source; but we deliberately don't use the DNS proxy because it means Kodi GUI (correctly) shows 127.0.0.1 as the system DNS server and then we drown in annoyiing user support posts that point fingers at "networking is broken, it shows 127.0.0.1 not my real DNS server" posts from users. The workaround is to force traffic using iptables (read a few posts above).

laurent734 · November 30, 2022 at 12:02 PM

Quote from chewitt

laurent734 LE probably needs to use ConnMan with the built-in DNS proxy to avoid DNS leaks at source; but we deliberately don't use the DNS proxy because it means Kodi GUI (correctly) shows 127.0.0.1 as the system DNS server and then we drown in annoyiing user support posts that point fingers at "networking is broken, it shows 127.0.0.1 not my real DNS server" posts from users. The workaround is to force traffic using iptables (read a few posts above).

hello,

Thank you for your reply ..

I followed your advice and I managed to remove the dns leaks..

1: I edited the rules.v4 file with the command:

nano /storage/.config/iptables/rules.v4

I used the loopy123 file and I replaced

2:PORT_FROM_WG_CONFIG with my provider's port and

3:WG_CONFIG_IP with address 10.2.0.2

4: I recorded with nano

5:I ran:

iptables-save >/storage/.config/iptables/rules.v4 to make it permanent

6: I then activated the personalized firewall in the graphical interface and restarted

after these steps I still had dns leaks.

I therefore configure a fixed ip with the 1st dns 10.2.0.1 and the second pihole.

miracle after test with the nslookup command I get:

nslookup google.fr

Server: 10.2.0.1

Address 1: 10.2.0.1

Name: google.fr

Address 1: 142.251.39.99 ams15s48-in-f3.1e100.net

I also did a test with the dnsleak pluggin which confirms the only use of a single dns that of proton.

to conclude I do not know if iptables help me or if I simply had to force the dns 10.2.0.1 but the essential and that it works.

I specify that I useful coreelec in nexus beta1 version wireguard donations works very well on nexus

thanks to loopy123 for his file and to you for your advice