Wireguard on tile-architecture Routers crashes Kernel

JayDi · Fri Aug 27, 2021 4:22 pm

Hello swarm-intelligence,
I have been super stoked to see that wireguard is supported in RouterOS7 and immediately started using it in non-critical lab-environments. All of the boxes I used were ARM-based.
We use Mikrotik gear all around our network, mainly as routers for student-dormitories that are connected to our university networks. All of these routers are tile-architecture CCRs (1009, 1036, 1072...).
Since 7.1RC1 is now released, I wanted to play around with it on the CCRs to evaluate if we can offer our students wireguard-vpns to their respective dorms as soon as 7.1 is released.
Configuring wiregurad works just like on the ARM-boxes, however as soon as the first peer connects, the CCR crashes.

Configuration in question:

[admin@wg-jaydi] > /export 
# aug/27/2021 13:14:33 by RouterOS 7.1rc1
# software id = N02M-E1Q2
#
# model = CCR1009-7G-1C
# serial number = 84A1075A0FE0
/interface ethernet
set [ find default-name=combo1 ] disabled=yes
/interface wireguard
add disabled=yes listen-port=51820 mtu=1280 name=wg0
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing table
add fib name=""
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitiv\
    e,api,romon,dude,tikapp,rest-api"
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5
/interface wireguard peers
add allowed-address=134.60.112.18/32,2001:7c0:31fe:1::18/128 interface=wg0 public-key=\
    "blub"
/ip address
add address=134.60.x.0/24 interface=ether1 network=134.60.2.0
add address=134.60.y.0/28 interface=wg0 network=134.60.y.0
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input src-address=134.60.0.0/16
add action=accept chain=input dst-port=51820 protocol=tcp
add action=accept chain=input dst-port=51820 protocol=udp
add action=drop chain=input
add action=accept chain=forward src-address=134.60.y.0/28
add action=accept chain=forward dst-address=134.60.y.0/28
add action=drop chain=forward
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=134.60.x.1
/ipv6 route
add gateway=fe80::1%ether1
/ipv6 address
add address=2001:7c0:31xx::xxx advertise=no interface=ether1
add address=2001:7c0:31yy::yyy advertise=no interface=wg0
/ipv6 firewall filter
add action=accept chain=input src-address=fe80::/10
add action=accept chain=input port=22 protocol=tcp
add action=accept chain=input src-address=2001:7c0:3100::/40
add action=accept chain=input port=51820 protocol=tcp
add action=accept chain=input port=51820 protocol=udp
add action=accept chain=input protocol=icmpv6
add action=drop chain=input
add action=accept chain=forward src-address=2001:7c0:31yy:1::/64
add action=accept chain=forward dst-address=2001:7c0:31yy:1::/64
add action=drop chain=forward
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/system identity
set name=wg-jaydi
/system ntp client
set enabled=yes
/system ntp client servers
add address=134.60.1.27
/system routerboard settings
# Warning: cpu not running at default frequency
set cpu-frequency=1200MHz

Steps to reproduce:

1. Upload this configuration to any of the TILE-Routers, but disable the wg-interface beforehand in the config.
2. Enable the wg-interface.
3. Wait for peer to connect.

[admin@wg-jaydi] /interface> print 
Flags: X, R - RUNNING
Columns: NAME, TYPE, ACTUAL-MTU, L2MTU, MAX-L2MTU, MAC-ADDRESS
#   NAME    TYPE   ACTUAL-MTU  L2MTU  MAX-L2MTU  MAC-ADDRESS      
0 X combo1  ether        1500   1580      10222  64:D1:54:EC:F1:B4
1 R ether1  ether        1500   1580      10222  64:D1:54:EC:F1:B5
2   ether2  ether        1500   1580      10222  64:D1:54:EC:F1:B6
3   ether3  ether        1500   1580      10222  64:D1:54:EC:F1:B7
4   ether4  ether        1500   1580      10222  64:D1:54:EC:F1:B8
5   ether5  ether        1500   1580      10222  64:D1:54:EC:F1:B9
6   ether6  ether        1500   1580      10222  64:D1:54:EC:F1:BA
7   ether7  ether        1500   1580      10222  64:D1:54:EC:F1:BB
8 X wg0     wg           1280                    00:00:00:00:00:00
[admin@wg-jaydi] /interface> enable 8 
13:18:18 echo: system,critical,info ntp change time Jan/01/2002 01:00:19 => Aug/27/2021 13:18:18
[admin@wg-jaydi] /interface> Resetting chip and restarting.

I don't know how to provide more logging that what I currently have, but I am happy to assist you, if you should need anything.

Greetings and keep up the great work!

JayDi · Tue Aug 31, 2021 4:03 pm

Update: 7.2RC2 doesn't seem to fix the problem.

wgrando1993 · Tue Dec 21, 2021 1:20 pm

Hi dears, same problem here !

mozerd · Tue Dec 21, 2021 1:52 pm

I have been running WireGuard on the Tile Arch. using RoS 7.1 {Stable] without any issue of whatsoever nature. No Crashers [yet]. I did not try your steps to reproduce since your method is very different to mine..

I did note that in your steps you system has the following which IMO is a mistake on your part

# Warning: cpu not running at default frequency
set cpu-frequency=1200MHz

Your CPU should be at the default frequency

Wireguard on tile-architecture Routers crashes Kernel

Wireguard on tile-architecture Routers crashes Kernel

Re: Wireguard on tile-architecture Routers crashes Kernel

Re: Wireguard on tile-architecture Routers crashes Kernel

Re: Wireguard on tile-architecture Routers crashes Kernel