Community discussions

MikroTik App
 
alexrsagen
just joined
Topic Author
Posts: 1
Joined: Sat Sep 26, 2020 6:46 pm

[BUG] Wireguard handshake causes kernel panic

Sat Sep 26, 2020 7:20 pm

Version number: RouterOS 7.1beta2
Router's model: CCR1009-8G-1S
Configuration export: https://0x.ms/GU824etAtUN/text
Kernel panic backtrace: https://0x.ms/HkEjA4EgX1o/text
Steps to reproduce the issue:
Create a basic Wireguard tunnel between Linux kernel version 5.4.0-1018-aws (Ubuntu 20.04 LTS running on AWS Lightsail) and MikroTik CCR1009-8G-1S running RouterOS 7.1beta2.
Once tunnel is up and handshake OK, the important part which causes the kernel panic is to ping the remote end from a device behind the MikroTik on a bridge.

Detailed description / extra information:
You don't even need to add a firewall rule allowing the ping from the device to the remote end. Simply attempting to ping the remote end from a device causes a kernel panic.
In my case, I am pinging form 10.100.0.178 (my computer) to 10.100.9.2 (remote Wireguard server). The router has IP 10.100.9.1.

When pinging remote end directly from router, there is no kernel panic, but the ping does not work in any direction. Traffic can only go from the MikroTik router to the remote end, from remote end to MikroTik.

"wg show" command from remote end: https://0x.ms/FX9qX65Isdf/text
tcpdump from remote end when pinging from MikroTik router to remote end: https://0x.ms/E8yNpqcjtpw/text
tcpdump from remote end when pinging from remote end to MikroTik router: https://0x.ms/CFThgRp56SS/text
Both tcpdump commands above were ran with all firewall filter rules disabled.

As is clear from the tcpdumps above, the MikroTik router receives no packets over the Wireguard tunnel from the remote end, but the remote end can receive all packets from the MikroTik router.

Can send latest autosupout.rif to any MikroTik employees, just ask.
Please also ask me for any further explanation or further information, I will be glad to help debug this issue in any way I can.

Thanks for releasing a beta version of RouterOS v7 for us to test and thanks so much for taking the time to add support for Wireguard :)
 
woodych
just joined
Posts: 19
Joined: Fri Nov 12, 2021 7:09 pm

Re: [BUG] Wireguard handshake causes kernel panic

Sat Jun 04, 2022 10:10 am

Experiencing the exact same problem on my CCR-1009 (debian as client) and RouterOS 7.2.3
I also found the kernel crash only happens, if you assign a global IPv6 Address to the wireguard interface on the mikrotik.
As soon as I remove the global IPv6 address the WG tunnel works but unfortunately only with old legacy ipv4 address.
 
nescafe2002
Forum Veteran
Forum Veteran
Posts: 911
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: [BUG] Wireguard handshake causes kernel panic

Sat Jun 04, 2022 11:01 am

woodych, I suspect this has something to do with ND. Since you don't need ND for WireGuard, you can safely remove the global address from the WG interface and add a static route instead.
 
woodych
just joined
Posts: 19
Joined: Fri Nov 12, 2021 7:09 pm

Re: [BUG] Wireguard handshake causes kernel panic

Sat Jun 04, 2022 12:45 pm

After more try and error I sorted out what causes the kernel panic.

By default, mikrotik assigns a Link-Local IPv6 Address to the Wireguard Server Interface.
If you then assign a global IPv6 IP to that interface and a client is connecting the kernel panics and the Mikortik reboots.

Simple solution: Delete the LD IPv6 Address on the Wireguard Interface so there is only the global one.

That way it not works for me.

IPv6 routing via Web-GUI is broken. So if you want to add routes to an IPv6 network 'behind' a WG client, you have to do this via CLI.
 
User avatar
Znevna
Forum Guru
Forum Guru
Posts: 1348
Joined: Mon Sep 23, 2019 1:04 pm

Re: [BUG] Wireguard handshake causes kernel panic

Sat Jun 04, 2022 2:46 pm

Probably something TILE specific?
Are the endpoints IPv4 or IPv6 ?

Who is online

Users browsing this forum: No registered users and 10 guests