Wireguard client NOT connected when AllowedIPs = 0.0.0.0/0

Hello:

I have installed Wireguard from entware in an S905X3 TV-box as server (CE 19.4 inside).
Config (wg0.conf of the server) like this:

[Interface]
Address = 10.1.1.1
ListenPort = 51820
PrivateKey = BLABLABLA
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

And I have also installed Wireguard from entware as client in another S905X3 TV-box (CE 19.4 inside).
Config (wg0.conf of the client) like this:

[Interface]
Address = 10.1.1.31
PrivateKey = BLABLABLA
ListenPort = 51820

[Peer]
PublicKey = BLABLABLA
Endpoint = blablabla.duckdns.org:51820
AllowedIPs = 10.1.1.0/24

By the way, wireguard from entware resolves domains with NO problem at all.
My “blablabla.duckdns.org” is “translated” to 80.90.100.110 or the corresponding IP. If the public IP of the server changes, rebooting the client resolves the new IP for the domain.

OK.

wg-quick up wg0
in server, OK

wg-quick up wg0
in client, OK

Perfect! Connected! We are happy!

Other Wireguard (WG) clients on Windows, Android or Fire TV also connected to the server. Great!

The “problem” is that when I use:
AllowedIPs = 10.1.1.0/24

the traffic ONLY goes to the WG server when it is in the WG subnet. I use the WG server (10.1.1.1) as a tvheadend server. All clients connected to the server, no problem at all.

But when I try to make ALL the traffic from the client pass through the server:
AllowedIPs = 0.0.0.0/0

in all the clients, on Android and Windows clients it works great, and ALL the traffic from the clients goes to 10.1.1.1 and uses the public IP of the server to exit to the internet.

Before that worked, I ran:
echo "net.ipv4.ip_forward = 1" >/storage/.config/sysctl.d/ip_forward.conf
on the server. Without it, it did not work.

The problem is that when I use:
AllowedIPs = 0.0.0.0/0

on CoreELEC clients…

CoreELEC:~ # wg-quick up wg0
/opt/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
Warning: `/storage/.opt/etc/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /proc/self/fd/63
[#] ip -4 address add 10.1.1.31 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
iptables-restore v1.8.7 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0

I tried changing:
Endpoint = blablabla.duckdns.org:51820
to
Endpoint = 80.90.100.110:51820
(80.90.100.110 is an example of the public IP for the domain)

and that is not the problem.

So:
1) Android and Windows WG clients work OK
2) CE WG client works OK ONLY when:
AllowedIPs = 10.1.1.0/24

If
AllowedIPs = 0.0.0.0/0
NOT.

It seems that there is NO problem on the server side. What could be the problem on the client CE WG side?
Any ideas to pass all client CE traffic through the CE WG server (like on Windows or Android)?

Thanks in advance and kind regards

Since the order of the routes is not important and the more specific routes take precedence over the more generic ones you can add

ip route add 0.0.0.0/1 dev wg0
ip route add 128.0.0.0/1 dev wg0

or replace

AllowedIPs = 0.0.0.0/0

by

AllowedIPs = 0.0.0.0/1,128.0.0.0/1

to force the default route, equivalent to AllowedIPs = 0.0.0.0/0, to the wireguard interface (sorry, I haven’t tested it).

I really liked your topic, so much that I have stopped using ‘connman’ (it complicates things too much when using dynamic DNS) in order to use your solution. I don’t care about default routes.

Thanks, @cubimol

Very strange things (for me) happening here.

When I do this:
AllowedIPs = 0.0.0.0/1,128.0.0.0/1

in WG CE client, then…

CoreELEC:~ # wg show
interface: wg0
public key: blablabla
private key: (hidden)
listening port: 51820

peer: blablabla
endpoint: IP:51820
allowed ips: 0.0.0.0/1, 128.0.0.0/1
latest handshake: 54 seconds ago
transfer: 1.39 KiB received, 3.56 GiB sent
persistent keepalive: every 25 seconds

A few seconds later…

CoreELEC:~ # wg show
interface: wg0
public key: blablabla
private key: (hidden)
listening port: 51820

peer: blablabla
endpoint: IP:51820
allowed ips: 0.0.0.0/1, 128.0.0.0/1
latest handshake: 1 minute, 12 seconds ago
transfer: 1.82 KiB received, 4.82 GiB sent
persistent keepalive: every 25 seconds

I don’t know why, but it starts to send a lot of GB in a few seconds and I can’t connect to my WG CE tvheadend server, for example.
Very strange for me.

When I do this:

Creating the WG client in CE:
/storage/.config/wireguard/wireguard.config

Like this:

[provider_wireguard]
Type = WireGuard
Name = CoreELEC3M.ip
Host = IP # I need to put the IP. It does not work well with a domain.
WireGuard.Address = 10.1.1.33/32
WireGuard.ListenPort = 51820
WireGuard.PrivateKey = blablabla
WireGuard.PublicKey = blablabla
WireGuard.DNS = 8.8.8.8, 1.0.0.1, 8.8.4.4, 1.1.1.1
WireGuard.AllowedIPs = 0.0.0.0/0
WireGuard.EndpointPort = 51820
WireGuard.PersistentKeepalive = 25

IT WORKS, PERFECT, but… it’s necessary to connect manually each time (Coreelec settings > Connect).

When I try to connect automatically, it DOES NOT WORK.

CoreELEC:~ # wg show
interface: wg0
public key: blablabla
private key: (hidden)
listening port: 51820

peer: blablabla
preshared key: (hidden)
endpoint: IP:51820
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 27 seconds ago
transfer: 61.59 MiB received, 1.03 MiB sent
persistent keepalive: every 25 seconds

I have no idea why it works manually but NOT automatically.

It’s not an “elegant” method and of course NOT unattended… but it works.

Kind regards
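As an added example (not code from the thread, CoreELEC or entware), a small POSIX sh helper that applies the /1 split suggested earlier in the thread and also pins a host route for the endpoint via the LAN gateway: with the two /1 routes alone wg-quick skips its default-route handling (the fwmark and suppress_prefixlength rules whose iptables-restore step needs the 'raw' and 'mangle' tables), so the endpoint address itself falls inside the allowed ranges and the tunnel's own UDP packets can be routed back into wg0, which is a plausible cause of the connection failing after the split. It assumes the endpoint is passed as an already-resolved IPv4 address and that the gateway and interface are read from `ip -4 route show default`; all sample values are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Rewrites a wg-quick client config so that
# AllowedIPs = 0.0.0.0/0 becomes 0.0.0.0/1, 128.0.0.0/1 (wg-quick then adds two plain
# routes instead of its default-route setup, whose iptables-restore step needs the
# 'raw' and 'mangle' tables) and pins a /32 route to the endpoint via the physical
# gateway in PreUp, so the tunnel's own UDP packets are never routed into wg0.
# Assumptions: endpoint given as an already-resolved IPv4; sample values are constructed.

# Parse "default via <gw> dev <if> ..." (output of ip -4 route show default) into "<gw> <if>".
parse_default_route() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i < NF; i++) { if ($i == "via") gw = $(i+1); if ($i == "dev") dev = $(i+1) }
        print gw, dev; exit
    }'
}

# $1 = wg0.conf, $2 = endpoint IPv4, $3 = LAN gateway, $4 = physical interface.
rewrite_wg_conf() {
    awk -v ep="$2" -v gw="$3" -v dev="$4" '
        /^\[Interface\]/ {
            print
            # "replace" is idempotent on re-runs; PostDown tolerates a missing route
            printf "PreUp = ip route replace %s/32 via %s dev %s\n", ep, gw, dev
            printf "PostDown = ip route del %s/32 via %s dev %s || true\n", ep, gw, dev
            next
        }
        /^AllowedIPs *=/ { sub(/0\.0\.0\.0\/0/, "0.0.0.0/1, 128.0.0.0/1") }
        { print }
    ' "$1"
}

# Constructed sample client config in the shape used in the thread; $1 = output path.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
Address = 10.1.1.31
PrivateKey = BLABLABLA

[Peer]
PublicKey = BLABLABLA
Endpoint = 80.90.100.110:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# On the box (endpoint resolved beforehand, e.g. with nslookup):
#   set -- $(parse_default_route "$(ip -4 route show default)")
#   rewrite_wg_conf /storage/.opt/etc/wireguard/wg0.conf 80.90.100.110 "$1" "$2" > wg0-full.conf
```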