Wireguard with both eth0 and wlan0 enabled... Seems like Wireguard tunnel goes through wlan0 interface but eth0 is desired

seemebreakthis · October 29, 2022 at 6:24 PM

I have successfully setup my wireguard client. And if wireless interface is turned off, no problem. My wireguard connection works perfectly routing through eth0 to the outside world.

But when both eth0 and wlan0 are connected (these interfaces are on two different networks with two totally separate internet gateways), it seems libreelec has a preference to set up the iproute table so that wg0 endpoint will route through wlan0 and not eth0.

Normally I would think of "postup" in wireguard config file as a way to solve this issue, by adding appropriate iproute commands in "postup" to set up routing table properly. But with libreelec using connman, I don't know of a way to add the "postup" section.

So now this is what I see when I type in "ip route":

Code

LibreELEC:~/.config # ip route
default dev wg0 scope link
10.64.0.1 dev wg0 scope link
103.125.233.3 via 192.168.1.9 dev wlan0
192.168.1.0/24 dev wlan0 scope link  src 192.168.1.5
192.168.1.9 dev wlan0 scope link
218.252.0.24 via 222.167.31.1 dev eth0
218.252.0.25 via 222.167.31.1 dev eth0
222.167.31.0/24 dev eth0 scope link  src 222.167.31.87
222.167.31.1 dev eth0 scope link

where 103.125.233.3 is my Wireguard endpoint. So basically I'd like to see

103.125.233.3 via 222.167.31.1 dev eth0

instead of

103.122.233.3 via 192.168.1.9 dev wlan0

when everything is connected.

Any help appreciated !!

elonesna · October 29, 2022 at 6:53 PM

You are right, I use PostUp and PostDown in wg0.conf

Code

[Interface]
Address = 10.10.20.1/24
ListenPort = 51820
PrivateKey = <private-key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip route add 192.168.1.0/24 via 10.10.20.5 dev wg0 metric 6000
PostUp = ip route add 192.168.2.0/24 via 10.10.20.1 dev wg0 metric 6000
PostUp = ip route add 192.168.3.0/24 via 10.10.20.9 dev wg0 metric 6000
PostDown = ip route del 192.168.1.0/24 via 10.10.20.5 dev wg0 metric 6000
PostDown = ip route del 192.168.2.0/24 via 10.10.20.1 dev wg0 metric 6000
PostDown = ip route del 192.168.3.0/24 via 10.10.20.9 dev wg0 metric 6000

[Peer]
...

Display More

but i don't use connman

seemebreakthis · October 30, 2022 at 9:32 AM

Thanks for your reply.

How can you not use connman? Does libreelec have "wg-quick"?

Also doesn't connman have the advantage of letting you see the wireguard config on the Kodi UI, so you can more easily connect / disconnect...?

elonesna · October 30, 2022 at 5:41 PM

Quote from seemebreakthis

How can you not use connman?

I use docker linuxserver/wireguard for x86_64 as server

seemebreakthis · October 30, 2022 at 6:48 PM

If anyone can shed some light on how to configure Wireguard in libreelec to steer the connection to eth0 (when both eth0 and wlan0 are active) I'd appreciate it very much.

Right now I can think of using a cron job to monitor ip route then adjust accordingly at regular intervals, but I am sure there are better and cleaner ways of doing it.

elonesna · October 31, 2022 at 1:41 PM

Quote from seemebreakthis

If anyone can shed some light on how to configure Wireguard in libreelec to steer the connection to eth0 (when both eth0 and wlan0 are active) I'd appreciate it very much.
Right now I can think of using a cron job to monitor ip route then adjust accordingly at regular intervals, but I am sure there are better and cleaner ways of doing it.

Try to assimilate the information given by others. In my wg0.conf configuration it appears "ip route add 192.168.1.0/24 via 10.10.20.5 dev wg0 metric 6000" because my LE server manages two simultaneous VPN networks and with "metric 6000" I set preferences, if I only have WireGuard I set a route , if I have only ZeroTier I set another route, and if I have both VPN networks I prefer WireGuard. Try to do something similar!

seemebreakthis · November 2, 2022 at 4:50 PM

Thanks elonesna , but my question below you will not be able to answer since you are not setting up Wireguard right within libreelec.

To others: If anyone could shed some light on a way to configure Wireguard in libreelec to steer the connection to eth0, or to allow for insertion of postup commands into Wireguard in libreelec, I'd appreciate it very much.

elonesna · November 2, 2022 at 5:19 PM

Quote from seemebreakthis

you are not setting up Wireguard right within libreelec.

Excuse me, I use all the tools that LibreELEC allows me and believe me if I tell you that there are many.

I don't like to create services in /storage/.config/system.d because I have a bad memory and I forget about them, so I put almost everything in /storage/.config/autostart.sh. Although for a programmer (and I am not) it is not orthodox, autostart.sh is the place where I start the services that docker does not start, the network forwarding that the services do not do, the routing that seems necessary to me, the setting running scripts from surveillance camera recordings, or watchdogs that have to watch things. There is an exception to the WireGuard configuration, considering I don't use connman (because it doesn't work for what I need), I do it in wg0.conf, but this is an exception, this doesn't happen with ZeroTier.

In short, you can create whatever routes you need in autostart.sh or via cron scripts or via services. On the other hand, my router allows me to establish static routes, which is wonderful because it allows any device on the home network that does not have VPN client services to reach anywhere.

You are very wrong, I am configuring everything right with LibreELEC, according to my preferences, and I manage all the main services via web through portainer or ssh or sftp, in fact, I always have the Kodi service in a stopped state and the HDMI cable disconnected.

**chewitt** · November 3, 2022 at 1:11 AM

Experiment with the connmanctl move-before/move-after options, as this will change interface priority and influence the routing table.

seemebreakthis · November 4, 2022 at 4:11 AM

Quote from chewitt

Experiment with the connmanctl move-before/move-after options, as this will change interface priority and influence the routing table.

Thanks ! Will try.

seemebreakthis · November 4, 2022 at 4:53 AM

Quote from chewitt

Experiment with the connmanctl move-before/move-after options, as this will change interface priority and influence the routing table.

Yes, that did it. Thanks again for helping, exactly what I needed.

The concept turns out to be using connmanctl to move the wifi connection AFTER ethernet, before connecting your VPN.

Manually experimented and made it work, then entered the following in /storage/.config/system.d/wireguard.service :

Code

[Unit]
Description=WireGuard VPN Service
After=network-online.target nss-lookup.target connman-vpn.service time-sync.target
Wants=network-online.target nss-lookup.target connman-vpn.service time-sync.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/sleep 5
ExecStart=/usr/bin/connmanctl move-after wifi_dca6329dc6c1_4c43985729083470239573469a_managed_psk ethernet_dca6329dc6c0_cable
ExecStart=/bin/sleep 5
ExecStart=/usr/bin/connmanctl connect vpn_my_vpn_service
ExecStop=/usr/bin/connmanctl disconnect vpn_my_vpn_service

[Install]
WantedBy=multi-user.target

Display More

All worked out. Marking this post as solved.

Note: I needed to add a couple of "sleep" lines before everything works without manual intervention. Don't know 100% if both of these sleep lines are needed, but as long as it works, I am not spending more time to make adjustments.