♟ sskaje

Using relative url in .gitmodules will get forked repos difficult to build if not modify .gitmodules manually.

hev-socks5-tunnel in container

A new test, I read include/constraint/interface-name.xml.i, see there is a regex for interface names, so I rename the clash container created interface to tun0 which matches the regex, no error.

Case 1: Forward 127.0.0.1:53 to 127.0.0.1:7874

Background infomation

docker.io blocked in China.
192.168.50.40:8088 is a docker registry mirror set up by nexus, http only
mirror.conf above is disabled.

As I tested, the endfor changes is the better way, because two pppoe interfaces would cause

I tried two ways in staticd.frr.j2

vyos# exit
root@vyos:/home/vyos# cat /run/frr/config/vyos.frr.conf 
!
!
!
ip route 192.168.10.0/24 192.168.12.1
ip route 192.168.51.0/24 lo
ip route 192.168.52.0/24 192.168.12.1
ip  route 0.0.0.0/0 192.168.12.1 eth0 tag 210 210
ip  route 0.0.0.0/0 pppoe0 tag 210 1!
!
!
!
ip forwarding
!
!
!
!
ipv6 forwarding
!
!
!root@vyos:/home/vyos# 
exit
[edit]
vyos@vyos# set interfaces pppoe pppoe0 no-default-route 
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# sudo su
root@vyos:/home/vyos# cat /run/frr/config/vyos.frr.conf 
!
!
!
ip route 192.168.10.0/24 192.168.12.1
ip route 192.168.51.0/24 lo
ip route 192.168.52.0/24 192.168.12.1
ip  route 0.0.0.0/0 192.168.12.1 eth0 tag 210 210
!
!
!
!
ip forwarding
!
!
!
!
ipv6 forwarding
!
!
!root@vyos:/home/vyos#

full config using 1.5-rolling-202501250006 live image

In T4930#209720, @runar wrote:

Routgh idea:

If peer is created with hostname over IP, do not add it during commit

I would insist only not adding endpoint, let peer be ready if they have configured with hostname endpoint.

The peer should be pre-provisioned with everything needed to be accessible externally for a remote peer to reconnect prior to dns resolution.
To allow for this the peer can be added with a endpoint of 0.0.0.0. (if a wireguard peer is not able to be provisioned without a endpoint at least)
This can then be used to "abort" a DNS resolution if the remote end has reconnected.
Only the "resolve dns" part should then be the blocking part, and only that part needs to be moved out of the commit loop.

I came up with a possible solution:

Here are some config commands I used with my ubnt plugin

Here is how to get the latest-handshakes in seconds:

In T4930#208881, @c-po wrote:

@runar @sskaje

In general I like the idea and it's a very useful addition. Given the current implementation and design of wireguard to be easy, lightweight and not messed with 1000 of config options the design choice is to move everything requiring brain out of the WG core code.

In T4930#208505, @runar wrote:

Hi!

I do not like the concept that this should be done inline while in the middle of a commit.
As this will halt the commit phase for potentially a long time (relative) if dns is not up'n'running.
This in itself is not that critical, but if this is done the same on multiple sub-systems you potentially can have an exponentionall increase of boot time because of this.
And in a time where we are optimising milliseconds of code to get shorter boot and commit times in other subsystems i feel this is not the correct way to do it.

5 endpoints using domain, limit retry to 5 times, total start costs around 5 * 10 = 50 seconds.

In T4930#208083, @runar wrote:

Hi @sskaje!

In reference to T1700 and other tickets, there are things in wireguard that is not implemented the "best way".
For the first as noted earlier, the Wireguard kernel module have NO information of the existance of a "DNS peer", DNS to IP mappings are done by the wg config utillity at the moment the command is executed on the device.. this means that entering a DNS name as a peer address will execute a DNS request ONCE and its never retried .

I thought dns look up causes the block. So I made some changes like:

@Viacheslav I made is based on T6490, PR here: https://github.com/vyos/vyos-1x/pull/4194
This PR makes peers no longer required, so WireGuard interfaces will be created on boot, with or without Internet connection, with or without DNS resolution.

I simply added hostname/fqdn to address and here is my test result:

I'm migrating my EdgeRouter to VyOS, its module 'https://github.com/WireGuard/wireguard-vyatta-ubnt/releases' supports endpoint as domain:port, which is same as wg set or wg-quick.

My fault, the double quotes were mis-removed in the PR when cleaning code.

I've made some changes but not sure if the logic is what VyOS team accept.

Code changed, to override all settings in build_config instead of args from cli only.

sskaje (sskaje)
User

Projects

User Details

Recent Activity
View All

Tue, Apr 22

Thu, Apr 10

Mar 30 2025

Mar 28 2025

Mar 23 2025

Mar 17 2025

Mar 16 2025

Mar 15 2025

Mar 14 2025

Mar 11 2025

Feb 9 2025

Feb 8 2025

Jan 28 2025

Jan 27 2025

Jan 26 2025

Dec 8 2024

Dec 6 2024

Dec 3 2024

Dec 1 2024

Nov 30 2024

Nov 28 2024

Nov 25 2024

Nov 19 2024

Nov 18 2024

Nov 15 2024

Apr 10 2023

Mar 29 2023

sskaje (sskaje)User