Asus Dual WAN Setup With Wireguard - Bug?

losdelrock

Occasional Visitor
I have a Zen WiFi Pro ET 12 on the latest firmware 3.0.0.6.102_36602. OpenVPN is configured and working well.

Dual WAN setup, different ISPs.

I am trying to configure WireGuard as a backup option in case OpenVPN fails and I found the following:

  1. My DDNS is set up on the secondary WAN and that is what I connect to using OpenVPN and WireGuard
  2. With OpenVPN everything works as expected, LAN and WAN accessible
  3. With WireGuard, if both my primary and secondary WANs are enabled, the WireGuard logs show: Handshake for peer 1 (xxx.xxx.xxx.xxx:909) did not complete after 5 seconds, retrying (try 2)
  4. If I disable my primary WAN, the handshake completes and the WireGuard VPN connects

This means that even though the WireGuard clients connect to the secondary WAN to initiate the connection, inexplicably, the ASUS sends the return traffic out of the primary WAN and the VPN does not establish.

Is this an ASUS bug or a Wireguard bug?

Help appreciated.

Adrian.
 
I found this on the Asus website:


At the bottom it mentions that DDNS and Dual WAN do not play well together.

However, if that is the case, why does the Asus give you the choice to pick which WAN you want the DDNS service to bind to?

I have a feeling that the issue is that the precedence of the Asus dual WAN routing rules sends the return WireGuard traffic over the primary WAN and not the secondary, despite the WireGuard VPN connection being initiated on the secondary WAN.

In my mind the Asus WireGuard configuration should know that the VPN is coming via the secondary WAN and route it back accordingly, ignoring the primary WAN.

So my money is on it being an Asus bug.

How do I report it?

Adrian.
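The asymmetric-return hypothesis in the two posts above (a WireGuard handshake arrives on the secondary WAN, the reply leaves via the primary WAN, the handshake never completes) is the classic multi-WAN policy-routing problem on Linux. As an added example, not from this thread and not Asus firmware code, the POSIX shell script below pins such replies to the secondary WAN with a dedicated routing table: a source-address rule for packets sent from the secondary WAN's IP, plus a CONNMARK-based rule that tags inbound WireGuard handshakes seen on that interface and restores the mark on the locally generated replies. The interface name, addresses (RFC 5737 documentation ranges), port, table id and mark are placeholder assumptions. DRY_RUN=1 prints the commands instead of executing them; `apply` executes them and then asks the kernel's own route lookup which interface a reply sourced from the secondary WAN's address would use. Any dual-WAN rules and tables a router firmware installs on its own would have to be taken into account when choosing rule priorities, which this generic example does not do.

```shell
#!/bin/sh
# Added example (not from the thread or from Asuswrt): make replies to WireGuard
# handshakes that arrive on the secondary WAN leave via that same WAN, using
# Linux policy routing. Every value below is an assumed placeholder.

WAN2_IF="${WAN2_IF:-eth4}"            # secondary WAN interface (assumed name)
WAN2_IP="${WAN2_IP:-203.0.113.10}"    # public address on it (RFC 5737 documentation range)
WAN2_GW="${WAN2_GW:-203.0.113.1}"     # upstream gateway on it (assumed)
WG_PORT="${WG_PORT:-51820}"           # WireGuard listen port (assumed)
TABLE="${TABLE:-200}"                 # dedicated routing table id (assumed)
MARK="${MARK:-0x20}"                  # fwmark for WireGuard packets (assumed)

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Source-based policy routing: a packet sourced from WAN2_IP consults TABLE,
# whose only default route points at WAN2_GW via WAN2_IF.
source_rules() {
    run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table "$TABLE"
    run ip rule add from "$WAN2_IP" lookup "$TABLE" priority 100
}

# Mark-based policy routing: tag the conntrack entry of an inbound WireGuard
# handshake seen on WAN2, copy that mark back onto the locally generated reply
# in mangle OUTPUT (the kernel re-routes a packet whose mark changed there),
# and send marked packets through TABLE as well.
mark_rules() {
    run iptables -t mangle -A PREROUTING -i "$WAN2_IF" -p udp --dport "$WG_PORT" \
        -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -p udp --sport "$WG_PORT" -j CONNMARK --restore-mark
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 90
}

# The full plan as text, one command per line (runs in a subshell so DRY_RUN
# does not leak into the caller).
plan() (
    DRY_RUN=1
    source_rules
    mark_rules
)

plan_line_count() {
    plan | wc -l | tr -d ' '
}

# Ask the kernel which interface a reply sourced from WAN2_IP would use.
# 198.51.100.5 is a constructed destination in a documentation range.
verify_egress() {
    ip route get 198.51.100.5 from "$WAN2_IP" 2>/dev/null | grep -q "dev $WAN2_IF"
}

if [ "${1:-}" = "apply" ]; then
    source_rules
    mark_rules
    if verify_egress; then
        echo "replies from $WAN2_IP now leave via $WAN2_IF"
    else
        echo "WARNING: route lookup did not select $WAN2_IF; check rule priorities" >&2
    fi
fi
```

Run `DRY_RUN=1 sh pin-wan2.sh apply` first to review the five commands, then `sh pin-wan2.sh apply` as root. The source-address rule is usually enough on its own, because the kernel WireGuard implementation replies from the address the initiation was sent to; the mark-based pair is the belt-and-braces variant for firmware that rewrites or re-sources outbound traffic.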
 
If you have 2x ISPs and Dual WAN in Asuswrt is miraculously working well for your needs, better to use a more reliable DDNS service than the built-in Asus free DDNS, with an updater on a client device. To report a suspected bug, use the Feedback Form in the GUI.
 
Thank you - I use a paid no-ip account for DDNS. Found the bug report place and filed a case.

Let's see what they say.

Adrian.
 
I don't know about your use case, but Dual WAN is in general unreliable on Asus devices.
 
Try my Dual WAN Failover script, it should be able to handle your DDNS updates as well.
 
Well, it's how WireGuard is set up, but if you are using a failover WAN, you need to use the MAC address from the bond0 instead of a WAN port, because it exclusively uses only one WAN interface by MAC address.
 
"Dual WAN" is not link aggregation, therefore there is no bond0 interface.
 
"Dual WAN" is not link aggregation, therefore there is no bond0 interface.
Bond0 is the redundant link, if you use the Interface method instead of IP table routing.
When I create a redundant WAN in Linux:
Code:
   # create the bond and put it in active-backup mode (one live link, one standby),
   # polling link state every 100 ms; mode must be set before any slave is added
   ip link add bond0 type bond
   ip link set bond0 type bond miimon 100 mode active-backup
   # slaves must be down before they can be enslaved
   ip link set eth0 down
   ip link set eth1 down
   ip link set eth0 master bond0
   ip link set eth1 master bond0
   # bring the bond up before requesting a lease on it
   ip link set bond0 up
   # for DHCP WAN
   dhclient -v bond0
When you use wireshark, it must be set to the MAC address of the bond0 in a redundant or aggregated link. Otherwise, it will use the current WAN by default.

I don't know what method they use in those toy routers, but this is how I do this with a Linux gateway server.
 
None of that is relevant to this thread. As I said, he is not using link aggregation aka bonding. Some Asus routers do also support link aggregation, but that is not what he's doing.
 
Link aggregation is just one mode of bond. The other common one is active-backup (live redundant) which is exactly what they are using.

So what do you get when you run " ip -a " at the SSH terminal?
There should be one that is the bond interface that is the hub for the redundant connection.
If not, whoever put together the router software did it in a non-standard way.

Asus routers are junk if they don't support all the modes for the commands they rip off from Linux.
 
Why do you continue with your juvenile pissing contest with other forum members? You clearly don't understand Asus routers or the issue being discussed in this thread. Asus routers are not the same as your toy Linux server.
 