Messages - fmeppo

#1
Actually I enabled the route creation in WireGuard - that creates a host route in the kernel table. But I get the same effect if I disable WireGuard's route creation and manually add the host route (no recognition in vtysh either way).
#2
I'm trying to set up BGP across a WireGuard tunnel to accept routes for the dn42 project. The tunnel's up and the other end builds a BGP connection, and I've got a static route defined as part of the endpoint setup in my kernel routing table. However, vtysh indicates the next hop isn't valid:

vtysh# show bgp nexthop
Current BGP nexthop cache:
172.20.16.139 invalid, #paths 0, peer 172.20.16.139
  Last update: Thu Jun  2 18:42:29 2022

vtysh's show ip route omits the static route from its list, so that's probably why.  Other kernel routes do appear - just not the static one that carries my endpoint host.

If I manually start staticd and add a static route over the wg0 interface (duplicating what was in the kernel table) the BGP nexthop becomes valid and frr immediately sees and propagates my BGP routes.

Any advice here?  Is there some option I'm missing to get frr to pick up static routes, or a way to configure staticd+a route in OPNsense?
#3
Virtual private networks / OPNsense, WireGuard, and dn42
December 29, 2021, 01:46:51 AM
I'm trying to use WireGuard to connect to dn42, a BGP-managed overlay network. OPNsense is running my home network just fine, and I've set up WireGuard and a BGP peer successfully. WireGuard is up, and I'm receiving BGP adverts (and according to the dn42 forums, I'm advertising my IPv4 space as well). Problem is, frr's bgpd isn't detecting that the BGP peer is a connected address - and by default, I don't even have a system route to the other side of the WireGuard tunnel.

I can manually add a route to the remote side of the tunnel:

route add -host 172.20.16.139/32 -iface wg0

This at least gives me IPv4 connectivity to the remote endpoint, and lets bgpd receive updates.  However, bgpd refuses to do anything with the route updates as frr isn't seeing the nexthop as connected:

# show bgp nexthop
Current BGP nexthop cache:
172.20.16.139 invalid, peer 172.20.16.139
  Must be Connected
  Last update: Tue Dec 28 16:41:03 2021

I can work around that somewhat by (manually) starting staticd and adding some config with vtysh, but... there's gotta be a better way. Does anyone use OPNsense to connect to dn42, or have suggestions for how I could get the remote side of a WireGuard tunnel to show up more automatically in various routing tables?
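As an added example (editor's illustration, not the poster's configuration and not anything shipped by OPNsense or FRR), here is the FRR configuration equivalent of the workaround described in the two posts above: a staticd host route with wg0 as the interface nexthop, plus the eBGP neighbor, as it would be entered in vtysh configure mode or placed in the integrated frr.conf. The peer address 172.20.16.139 and the interface wg0 are the poster's values; the ASNs, the local tunnel address 172.20.16.138, the announced prefix 172.20.16.0/24 and the prefix-list bounds are assumed placeholders. The in/out route-maps are added so the session has explicit policy rather than relying on accepting everything the peer sends.

```frr
! Added example, not the poster's config. Placeholders: both ASNs, the
! local address 172.20.16.138, the prefix 172.20.16.0/24, the prefix-list
! bounds. 172.20.16.139 and wg0 come from the posts.
!
! staticd: host route to the WireGuard peer with wg0 as an interface nexthop.
! Single-hop eBGP in bgpd requires the peer's nexthop to resolve over an
! interface (connected-style) route, so this is what turns the nexthop
! cache entry from "invalid / Must be Connected" into "valid".
ip route 172.20.16.139/32 wg0
!
! Only accept prefixes inside the assumed dn42 IPv4 range, and only announce
! our own assigned block. Bounds are illustrative; use the registry's filters.
ip prefix-list DN42-IN seq 10 permit 172.20.0.0/14 le 29
ip prefix-list MY-NETS seq 10 permit 172.20.16.0/24
!
route-map DN42-IN permit 10
 match ip address prefix-list DN42-IN
!
route-map DN42-OUT permit 10
 match ip address prefix-list MY-NETS
!
router bgp 4242420000
 bgp router-id 172.20.16.138
 neighbor 172.20.16.139 remote-as 4242420001
 neighbor 172.20.16.139 description dn42 peer over wg0
 !
 address-family ipv4 unicast
  network 172.20.16.0/24
  neighbor 172.20.16.139 activate
  neighbor 172.20.16.139 soft-reconfiguration inbound
  neighbor 172.20.16.139 route-map DN42-IN in
  neighbor 172.20.16.139 route-map DN42-OUT out
 exit-address-family
!
```

After applying this, `show bgp nexthop` should list 172.20.16.139 as valid and `show ip route` should show the /32 as a static route via wg0. If you would rather not carry the host route in FRR at all, bgpd also has `neighbor 172.20.16.139 disable-connected-check`, which drops the "Must be Connected" requirement for that peer (editor's note; the poster did not test it); the nexthop still has to be resolvable through zebra's table, so a route of some kind over wg0 is still needed.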