From: LEAF <le...@pa...> - 2026-04-01 08:21:26
Hi Erich,
On 1/04/2026 11:44 am, LEAF wrote:
>>
>> Right, so wireguard loads the modules dynamically. I am pretty sure
>> it uses the same kernel modules as shorewall to handle iptables.
>
> Wireguard does try to load the modules it needs. I don't know if
> shorewall loads everything wireguard needs, but I can test this at a
> later time.
This is that test - wireguard restart with wireguard not loading any
modules and shorewall enabled and loading its default modules. (I've
added a few empty lines in the output for clarity)
router# /etc/init.d/wireguard restart
Stopping wireguard VPN server on interface wg0
wg-quick: `wg0' is not a WireGuard interface
Starting wireguard VPN server on interface wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.2.0.2/32 dev wg0
RTNETLINK answers: Network is unreachable
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
modprobe: can't open 'modules.dep': No such file or directory
ip6tables-restore v1.8.8 (legacy): ip6tables-restore: unable to
initialize table 'raw'
Error occurred at line: 1
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more
information.
[#] resolvconf -d wg0 -f
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
router#
So wireguard is looking for the following modules that are not provided
by shorewall. There could be a few others (I didn't work through them to
check), but that doesn't matter, because shorewall module loading
doesn't provide everything on its own.
iptable_raw
ip6table_raw
Note: for this test wireguard has no internet access in this run as I've
swapped the VM interfaces around, so I can connect from my PC to the VM
to copy off information for this email.
So errors about network unreachable are only due to this setup.
Thanks,
Mark
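The output above shows wg-quick's own modprobe failing ("can't open 'modules.dep'") and ip6tables-restore then aborting on the missing raw table, after which wg-quick tears the interface down again. The pre-flight check below is an added example, not code from the LEAF thread or the wireguard project: it reads a /proc/modules-style file and reports which of the required modules (the two the thread identifies, iptable_raw and ip6table_raw, plus the wireguard module itself) are not loaded, so the gap in shorewall's module set is visible before the service is restarted. The function name check_wg_modules and the sample module listing are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the LEAF thread): pre-flight check for the
# netfilter modules wg-quick needs before restarting the wireguard service.
# Usage: check_wg_modules /proc/modules iptable_raw ip6table_raw wireguard

# Print the names of required modules not listed in a /proc/modules-style file.
# $1 = path to the modules file, remaining args = required module names.
# Returns 0 when everything is loaded, 1 when something is missing.
check_wg_modules() {
    modfile="$1"; shift
    missing=""
    for mod in "$@"; do
        # The first field of each /proc/modules line is the module name.
        if ! awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$modfile"; then
            missing="$missing $mod"
        fi
    done
    missing="${missing# }"
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample (not real router output): shorewall's default set is
# loaded, the wireguard module is present, but the raw tables are absent.
sample_modules=$(mktemp)
cat > "$sample_modules" <<'EOF'
wireguard 98304 0 - Live 0x0000000000000000
iptable_filter 16384 1 - Live 0x0000000000000000
iptable_nat 16384 1 - Live 0x0000000000000000
ip6table_filter 16384 1 - Live 0x0000000000000000
nf_conntrack 172032 2 iptable_nat,xt_conntrack, Live 0x0000000000000000
EOF

# Report what wg-quick's iptables-restore / ip6tables-restore step would trip over.
check_wg_modules "$sample_modules" iptable_raw ip6table_raw wireguard \
    || echo "wg-quick will fail: load the modules listed above (or run depmod so modprobe can) before restarting"
rm -f "$sample_modules"
```

On a real router, replace the constructed file with /proc/modules; a non-zero exit from check_wg_modules means the restart would fail at the same ip6tables-restore step shown in the thread.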