Gargoyle 1.13.0 with Wireguard on TP-Link WDR4300

Report problems and success stories with Gargoyle on various hardware platforms.

Moderator: Moderators

Post Reply
belew
Posts: 5
Joined: Sat Oct 29, 2022 2:53 pm

Gargoyle 1.13.0 with Wireguard on TP-Link WDR4300

Post by belew »

v1.13.0 and wireguard working well on WDR4300 v1.7. Enjoying the excellent firmware on several different devices. I noticed a couple of minor issues with the wireguard implementation.

Issue #1:
It seems you can only include one network in the AllowedIPs line of the Peer section in the wireguard config file. If there is more than one (comma separated) entry only one entry seems to be recognized. I usually include both the remote LAN and the tunnel networks so I can get full ping/trace results from the tunnel. So I've limited my test config file to the remote LAN only. Is this limitation by design?

Issue #2:
I only want the remote LAN traffic to go over the VPN and all other traffic to go out to the internet. I had to add a static default route in gargoyle to make this happen. Without this all traffic went over the tunnel. Is this the correct way to do this?

Lantis
Moderator
Posts: 6920
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Gargoyle 1.13.0 with Wireguard on TP-Link WDR4300

Post by Lantis »

Issue 1, are you referring to the gargoyle wireguard config, the wireguard network config, or the config file for wireguard clients that can be downloaded? Sorry there are 3 and it helps to be clear :)
/etc/config/wireguard_gargoyle
/etc/config/network
downloadable config

Issue 2, your remote client, is that a Gargoyle router or some other device? If you set the server to "clients use it for lan traffic only" then it should behave as you desire, but there are some reports that this isn't behaving correctly and would be a bug.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

belew
Posts: 5
Joined: Sat Oct 29, 2022 2:53 pm

Re: Gargoyle 1.13.0 with Wireguard on TP-Link WDR4300

Post by belew »

Issue 1 - referring to downloadable config file.

Issue 2 - Gargoyle is the client. Raspberry Pi OS running bullseye is the server. I tried both drop down options in gargoyle gui (allow non-wireguard and not). Behaviour was the same for both. Tunnel traffic was good. All other traffic was blocked. As soon as I added the default static route in the gargoyle gui, all was behaving as desired.

Thank you.

belew
Posts: 5
Joined: Sat Oct 29, 2022 2:53 pm

Re: Gargoyle 1.13.0 with Wireguard on TP-Link WDR4300

Post by belew »

More info after some testing:

Issue 1 - it seems like a route is created for only the first item of the AllowedIPs parameter.

Issue 2 - seems to be resolved with my current config. I did not track the various changes to determine what exactly caused the issue. Consider it resolved.

Thank you.

Lantis
Moderator
Posts: 6920
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Gargoyle 1.13.0 with Wireguard on TP-Link WDR4300

Post by Lantis »

Can you show an example of a line from the config that doesn’t work? I think I get it but just want to be sure.
I expect the config is not being parsed correctly and it isn’t sending the additional ips into the network config.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

belew
Posts: 5
Joined: Sat Oct 29, 2022 2:53 pm

Re: Gargoyle 1.13.0 with Wireguard on TP-Link WDR4300

Post by belew »

The following is a line from the uploaded config file in the peer section:

AllowedIPs = 192.168.14.0/24,192.168.21.1/32

A route does get added for the 192.168.14.0/24 but without the mask (in the gui > 192.168.14.0 instead of 192.168.14.0/255.255.255.0). No other routes are added. As a workaround, I added a cron job to add the routes correctly at reboot.

When the line appears like this:
AllowedIPs = 192.168.14.0/24

The route is added correctly as 192.168.14.0/255.255.255.0 on gui routes screen.

Unrelated questions:
Are the following wireguard config file parameters supported in the current implementation:
PersistentKeepAlive
PostUp / PostDown

Thank you.

Lantis
Moderator
Posts: 6920
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Gargoyle 1.13.0 with Wireguard on TP-Link WDR4300

Post by Lantis »

Are you comfortable modifying the javascript on the router? I assume so.
It will be minified so first step.
Locate /www/js/wireguard.js
Replace the contents with the contents of this https://raw.githubusercontent.com/ericp ... reguard.js
After line 306 (https://github.com/ericpaulbishop/gargo ... rd.js#L306) insert a new line:

Code: Select all

 var allowed_ips = document.getElementById(prefix + "allowed_ips").value;
+allowed_ips = allowed_ips.split(',');
 uci.set("wireguard_gargoyle", "client", "allowed_ips", allowed_ips)
At line 316 (now 317 after you've added the line above), change it as follows:

Code: Select all

-configureAC("wgserver",server_pubkey,[allowed_ips],endpoint_host,endpoint_port);
+configureAC("wgserver",server_pubkey,allowed_ips,endpoint_host,endpoint_port);
I haven't really tested it as I didn't want to disturb my current server config, but it should be pretty close.

For a server implementation we push PersistentKeepAlive out to all client configs, but when acting as a client the parameter is silently ignored. It should be trivial to add it in, let me know how the above goes and I'll look to add this in as well.
I think PostUp/Down would be far less trivial. Do you have a use case in mind?
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

belew
Posts: 5
Joined: Sat Oct 29, 2022 2:53 pm

Re: Gargoyle 1.13.0 with Wireguard on TP-Link WDR4300

Post by belew »

Made your proposed changes (1 line add + 1 line change). No change in behaviour.

Summary of behaviour I've observed:
#1 - AllowedIPs = x.x.x.x/xx - all is good
#2 - AllowedIPs = x.x.x.1/32,x.x.x.0/24 - no routes added
#3 - AllowedIPs = x.x.x.0/24,x.x.x.x1/32 - route only added for /24 entry

In all 3 cases above, the /etc/config/wireguard_gargoyle and /etc/config/network AllowedIPs parameter is correct.

FYI. I expanded my workaround boot script (run via rc.local) to include adding the client-side persistent-keepalive via command line. It is working well.

No use case for PostUp/PostDown at this time. Just curious.

Thank you.

Lantis
Moderator
Posts: 6920
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Gargoyle 1.13.0 with Wireguard on TP-Link WDR4300

Post by Lantis »

If we are populating the configs correctly then i'm not sure what is wrong, that's more of a wireguard thing now.
If you could post the network config just to confirm that is ok.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

Post Reply