[MT300Nv2] Wireguard client suddenly stops and doesn't come back automatically after reboot

Hi,

The device is running fine when suddenly it reboots due to a missing ping to the wireguard gateway (I receive a notification). When it comes back, wireguard is not running anymore, but I can reach it via ssh and web over LAN.

This is what the log shows:

Mon Oct 5 00:16:20 2020 daemon.notice procd: /etc/rc.d/S99wireguard: Warning: Section @zone[1] (wan) cannot resolve device of network ‘wan6’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Clearing IPv4 filter table
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Clearing IPv4 nat table
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Clearing IPv4 mangle table
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Populating IPv4 filter table
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Rule ‘Allow-DHCP-Renew’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Rule ‘Allow-Ping’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Rule ‘Allow-IGMP’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Rule ‘Allow-IPSec-ESP’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Rule ‘Allow-ISAKMP’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Rule ‘guestzone_DHCP’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Rule ‘guestzone_DNS’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Rule ‘Allow-Wireguard’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Forward ‘wireguard’ → ‘wan’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Forward ‘wireguard’ → ‘lan’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Forward ‘lan’ → ‘wireguard’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Forward ‘guestzone’ → ‘wireguard’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Forward ‘wireguard’ → ‘guestzone’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘lan’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘wan’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘guestzone’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘wireguard’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Populating IPv4 nat table
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘lan’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘wan’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘guestzone’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘wireguard’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Populating IPv4 mangle table
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘lan’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘wan’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘guestzone’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘wireguard’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Clearing IPv6 filter table
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Clearing IPv6 mangle table
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Populating IPv6 filter table
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Rule ‘Allow-DHCPv6’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Rule ‘Allow-MLD’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Rule ‘Allow-ICMPv6-Input’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Rule ‘Allow-ICMPv6-Forward’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Rule ‘Allow-IPSec-ESP’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Rule ‘Allow-ISAKMP’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Rule ‘guestzone_DHCP’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Rule ‘guestzone_DNS’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Forward ‘wireguard’ → ‘wan’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Forward ‘wireguard’ → ‘lan’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Forward ‘lan’ → ‘wireguard’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Forward ‘guestzone’ → ‘wireguard’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Forward ‘wireguard’ → ‘guestzone’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘lan’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘wan’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘guestzone’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘wireguard’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Populating IPv6 mangle table
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘lan’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘wan’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘guestzone’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Zone ‘wireguard’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Set tcp_ecn to off
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Set tcp_syncookies to on
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Set tcp_window_scaling to on
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Running script ‘/etc/firewall.user’
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: uci: Entry not found
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: uci: Entry not found
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: iptables: No chain/target/match by that name.
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: iptables: No chain/target/match by that name.
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: ipset v6.34: The set with the given name does not exist
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: iptables v1.6.2: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: Perhaps iptables or your kernel needs to be upgraded.
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: iptables v1.6.2: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: Perhaps iptables or your kernel needs to be upgraded.
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: ! Failed with exit code 3
Mon Oct 5 00:16:21 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Running script ‘/usr/bin/glfw.sh’
Mon Oct 5 00:16:22 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Running script ‘/var/etc/gls2s.include’
Mon Oct 5 00:16:22 2020 daemon.notice procd: /etc/rc.d/S99wireguard: ! Skipping due to path error: No such file or directory
Mon Oct 5 00:16:22 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Running script ‘/usr/sbin/glqos.sh’
Mon Oct 5 00:16:23 2020 daemon.notice procd: /etc/rc.d/S99wireguard: * Running script ‘/var/etc/mwan3.include’
Mon Oct 5 00:16:24 2020 daemon.notice procd: /etc/rc.d/S99wireguard: /sbin/uci: Invalid argument
Mon Oct 5 00:16:24 2020 daemon.notice procd: /etc/rc.d/S99wireguard: /sbin/uci: Invalid argument
Mon Oct 5 00:16:24 2020 daemon.notice procd: /etc/rc.d/S99wireguard: /sbin/uci: Invalid argument
Mon Oct 5 00:16:25 2020 daemon.notice procd: /etc/rc.d/S99wireguard: uci: Entry not found
Mon Oct 5 00:16:25 2020 daemon.notice procd: /etc/rc.d/S99wireguard: uci: Entry not found

Another thing I can add to this is that it doesn’t come back with a soft reboot, but it does come back if I do a hard reset by replugging the power supply.

Another thing that may help: Internet connectivity is present while logread shows that error.

ping -I eth0.2 1.1.1.1 is successful

I also tried to add

(sleep 30; logger running wireguard restart; /etc/init.d/wireguard restart) &

in /etc/rc.local

Wireguard is actually restarted later, but the problem persists, so apparently it is not a race condition.

I’m comparing the log line by line with a working device (actually a clone) and the errors are the same, but it is working there.

Moreover, I see that the wg tunnel is actually up (the wg command shows some bits in/out) but pinging the wg gateway fails, so it might be a routing problem.

I will record this in bug list and try to replicate this.

What I’ve tested:

  • I see some transfer using the “wg” command, so the tunnel seems up (e.g. keepalive works), but no data seems to be passing besides wg internal stuff
  • I’ve tested Internet availability via manual ping -I eth0.2 1.1.1.1 and it works
  • I’ve tested the connection between wg client and server outside the tunnel (via public IPs) and icmp/tcp/udp data reaches the server on the same port where the wireguard service is supposed to move data (tested via tcpdump on the server)

Everything seems to point to routing problems, but I don’t see anything wrong on the software side.

After many soft reboots I ran out of time for today and went for a hard reboot, and as previously stated it solved the problem (apparently confirming something hardware). It will surely happen again in the next 48 hours, so please let me know if there’s any test I can do.
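
Added example, not part of the original posts: a POSIX shell triage for the symptom described above (counters move in "wg" but the tunnel gateway does not answer ping). It reads the handshake timestamp from "wg show <if> dump" instead of trusting the transfer counters, then checks which device the gateway is routed through. The interface name wg0, the gateway 10.0.0.1, the 180 s threshold and the sample data are assumptions of this example.

```shell
#!/bin/sh
# Added example: tell "tunnel down" apart from "tunnel up, traffic not passing".
# wg0 and 10.0.0.1 are assumed names, not values taken from the thread.

# peer_state DUMP NOW: one verdict per peer line of `wg show <if> dump`.
# Peer lines have 8 tab-separated fields; field 5 is the latest handshake (epoch seconds).
# 180 s is this example's "stale" threshold (sessions are renegotiated about every 2 minutes).
peer_state() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" '
        NF == 8 {
            if ($5 == 0)              print "never-handshaked"
            else if (now - $5 > 180)  print "handshake-stale"
            else                      print "handshake-fresh"
        }'
}

# route_dev TEXT: extract the outgoing device from `ip route get <addr>` output.
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# diagnose STATE ROUTE_DEV IFACE PING_RC: combine the three observations.
diagnose() {
    case "$1" in
        handshake-fresh)
            if [ "$2" != "$3" ]; then echo "routing: gateway leaves via $2, not $3"
            elif [ "$4" -ne 0 ]; then echo "filtering: handshake and route ok, ping fails; check firewall forwarding and the peer's AllowedIPs"
            else echo "ok"; fi ;;
        *) echo "tunnel: $1" ;;
    esac
}

# Constructed sample (not from the thread): interface line, then one peer line.
SAMPLE_NOW=1601856000
SAMPLE_DUMP=$(printf 'PRIV\tPUB\t51820\toff\nPEERPUB\t(none)\t203.0.113.10:51820\t0.0.0.0/0\t1601855970\t1480\t9620\t25\n')

# Live check on the router: RUN_LIVE=1 sh thisfile.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    IFACE=wg0; GW=10.0.0.1
    st=$(peer_state "$(wg show "$IFACE" dump)" "$(date +%s)" | head -n 1)
    dev=$(route_dev "$(ip route get "$GW")")
    ping -c 3 -W 2 "$GW" >/dev/null 2>&1; rc=$?
    diagnose "$st" "$dev" "$IFACE" "$rc"
fi
```

A "tunnel: handshake-stale" verdict while the tx counter still grows means only outgoing keepalives and handshake attempts are being counted, which is different from a routing fault.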

What server are you using?
Do you have DNS set in the client config?
Do you have over-ride DNS for all clients checked?

Server: Ubuntu server 20.04 LTS, wireguard_dkms

DNS in wg client config: yes, also search domain. Wg server is also DNS server and it accepts requests only over wg0 tunnel.

DNS override for all clients: false, only rebind protection is flagged.

I don’t really need DNS. If you think the problem is rooted here I can get rid of it.

Btw all the aforementioned tests have been conducted without using name resolution.

I’ve just checked my set-up, which is very similar to yours (Ubuntu 20 server) and until now never noticed a problem…but

I tried disabling my DNS over Cloudflare setting and I lose internet too.
I tried with and without DNS in the Wireguard config but no difference.

Will do further testing and analysis when I have time later.

Not that it helps the OP but I have concluded that my server cannot resolve DNS!