Wireguard seems broken in CoreElec on kernel level

TL;DR: WireGuard will not work correctly until the tunnel is raised with the wg-quick utility. Connman messes with the routing tables, so part of the traffic bypasses the wg adapter.

CoreELEC (I've used image: Amlogic-ng.arm-21.1-Omega_nightly_20240820) includes a cut-down version of wireguard that doesn't include the wg-quick script. Instead, using connman is proposed. I wasn't satisfied with the connman result (the config was done by this guide, which brings the tunnel up, but when I run:

curl ifconfig.co

it shows a different IP from time to time: sometimes the IP of my provider, sometimes that of my wireguard server. This is very dangerous in terms of privacy if you watch content that is for some reason regulated or blocked in your country!

So I've tried to copy the wg-quick utility (it is just a regular bash script with no deps) from a regular Debian Linux to my CoreELEC installation, to the /storage/wireguard dir, but replaced "/etc/wireguard" in it with "/storage/wireguard", where my profile is stored, so the script can find the profile.

After that I’ve tried to run:

CoreELEC:~/wireguard # bash wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
ip: invalid argument '51820' to 'table'
[#] ip link delete dev wg0

The same profile wg0.conf successfully runs with the same command on Debian and Ubuntu, so I assume it is some CoreELEC-specific problem: maybe routing tables, maybe kernel configuration, maybe the wireguard version.

Right now wireguard is completely broken and unreliable. The connman solution just masks the problem. Please make sure wireguard works correctly with wg-quick first. Connman can be pretty glitchy by itself, even when managing regular network adapters, not to mention virtual ones.

What do you mean by that? Who should make sure?

Who should make sure?

  • if you are a regular user of CoreELEC, privacy is important to you, and you try to achieve privacy with wireguard, you must be aware of this problem

  • if you are a CoreELEC developer who decides to spend time on checking this problem

I've investigated more and it seems it is a busybox problem. At least one problem with the wg-quick file is in the function "get_fwmark". So to avoid it you can replace in wg-quick the line:
table=51820
with line:
table=1023
or any maximum number that does not lead to an error in the command:
ip route show table 1023
It must be 1023, 2047, 4095, etc. Try it for your build.

The second problem is in line:
cmd ip $proto rule add not fwmark $table table $table

It seems there is an issue with busybox that can be fixed with this patch: [PATCH] add ip sub commands needed by wg-quick script

The current version of busybox is 1.36.1, which does not have that patch: https://git.busybox.net/busybox/tree/networking/libiproute/iprule.c?h=1_36_stable

And even when I commented out that line with the "not" route add, there are more problems. So I assume making the wg-quick script work with busybox is impossible now.
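As an added example that is not code from this thread, from CoreELEC or from wg-quick itself, here is a small POSIX shell helper set for the workaround described in this post: probe which routing-table id the local ip applet accepts, patch the copied wg-quick to use it, and check that the exit address no longer changes between lookups. The wg-quick path and the lookup command in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from CoreELEC/wg-quick.
# The wg-quick path and the lookup command below are assumptions.

# probe_max_table [ip_cmd] [candidates...]
# Prints the largest candidate N for which "<ip_cmd> route show table N" works
# (the post's "try 1023, 2047, 4095 for your build"); returns 1 if none does.
probe_max_table() {
    ip_cmd=${1:-ip}
    [ $# -gt 0 ] && shift
    [ $# -gt 0 ] || set -- 1023 2047 4095 8191 16383 32767 65535
    best=""
    for n in "$@"; do
        "$ip_cmd" route show table "$n" >/dev/null 2>&1 && best=$n
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# patch_wg_quick <script> <table>
# Replaces the hard-coded "table=51820" with the probed value. wg-quick uses the
# same number as the fwmark, so the mark and the table stay consistent.
patch_wg_quick() {
    grep -q 'table=51820' "$1" || return 1
    sed "s/table=51820/table=$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# check_exit_ip_stable <samples> <lookup_cmd...>
# Runs the lookup (e.g. curl -s ifconfig.co) <samples> times and fails if the
# reported address changes between runs, the leak symptom described above.
check_exit_ip_stable() {
    samples=$1; shift
    seen=""; i=0
    while [ "$i" -lt "$samples" ]; do
        addr=$("$@") || return 2
        case " $seen " in
            *" $addr "*) ;;
            *) seen="$seen $addr" ;;
        esac
        i=$((i + 1))
    done
    set -- $seen
    [ $# -eq 1 ]
}

# Typical use on the box (assumed path): patch, bring the tunnel up, verify.
# t=$(probe_max_table) && patch_wg_quick /storage/wireguard/wg-quick "$t"
# bash /storage/wireguard/wg-quick up wg0 && check_exit_ip_stable 5 curl -s ifconfig.co
```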

Next bump of this package will have it included.

The point is decide.

I don't have any server so it is impossible to do anything in this area.

Btw: You could install docker and use full tools from there.

Hi to all Devs and contributors.

WireGuard is very powerful; getting it running on CoreELEC using a URL instead of an IP would be very good… I will wait for news about this issue…