Ifup ifdown wireguard interface routing table

Hi guys,

I have

  • OpenWrt 19.07.4 r11208-ce6496d796
  • a working wireguard (client) interface - so no issues with the connection, or setup, it's up and running

After executing the "ifup wg" command on the shell (and also when clicking the "Restart" button in the web interface, interface section) the wireguard connection establishes successfully.
The routing table will be updated like this:

default * 0.0.0.0 U 0 0 0 wg
X.X.X.X 10.0.0.1 255.255.255.255 UGH 0 0 0 wlan0

After executing "ifdown wg" (and also when clicking the "Stop" button in the web interface), the interface goes down and the default route will be deleted, which means my network becomes unusable for the moment.
This deletion of the default route is an expected behaviour, because the device (wg) that's used for it becomes unavailable. But there is no automatism that restores the original default route...
So I have to manually restore the default route in order to use the regular internet connection, without using wireguard, again.

The second route to the wireguard peer that was added won't be deleted.
This route is kept:

X.X.X.X 10.0.0.1 255.255.255.255 UGH 0 0 0 wlan0

So my questions are:

  1. What happens behind the scenes after executing "ifup wg" and "ifdown wg"?
  2. Is there an invocation of a shell script or something that adds the mentioned routes to the table? (How does Linux know that these routes should be added?)
  3. Is there a way to modify this behaviour? For example: after ifdown the original default route will be restored and the other route will be deleted.
  4. Is there a difference between the shell commands and the buttons on the webinterface regarding functionality?

I hope you understand what I'm trying to express and I would be glad if there is someone who could explain this case to me.
Thank you! :slight_smile:

You need to change metric on the WAN interface to preserve its default route:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#dynamic_connection

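As an added example (not from the thread or the linked wiki page), this is what the metric fix looks like in /etc/config/network on 19.07. The interface names 'wan' and 'wg', the peer section name 'wgpeer1', the tunnel address 10.8.0.2/24, the keys and the port are assumptions; X.X.X.X is the peer endpoint as written in the post. With metric 10 on wan, the default route that netifd adds for the wg peer (metric 0) wins while the tunnel is up, and the wan default route stays in the table with its own metric, so it takes over as soon as wg goes down. route_allowed_ips is a peer-section option; set it to '0' if ifup should only bring the interface up and leave the routing table alone.

```uci
config interface 'wan'
	option proto 'dhcp'
	option metric '10'

config interface 'wg'
	option proto 'wireguard'
	option private_key '<wg private key>'
	list addresses '10.8.0.2/24'

config wireguard_wg 'wgpeer1'
	option public_key '<peer public key>'
	option endpoint_host 'X.X.X.X'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'
```

Apply it with `/etc/init.d/network reload` (or `ifup wan`), then check `route -n`: the wan default route should now show metric 10 and survive `ifdown wg`.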

Thank you. But I still want to understand how the commands work in the background.
I can preserve the default route, that's helpful, yes, but as I explained the other route is kept and not removed automatically. Therefore I'm interested in a way how to achieve this.

But most important for me is the general functionality in OpenWRT, as it's quite different than in a regular linux OS based on Debian or RedHat...
Especially I'm interested in what I asked in my 2nd question:
"how does Linux know that these routes should be added?"

(Because when I just run ifup, I just expect the interface to be activated, but NO changing of the routing table. This is an OpenWRT special thing...)

Running ifup on a WireGuard interface in OpenWrt is similar to running "wg-quick up" in other Linux dists. There is "Route Allowed IPs" on the WireGuard interface in case you don't want to add the routes automatically.


Each routing table can hold only one route with unique destination and metric.
Network management tools like NetworkManager automatically configure default metric depending on your connection type which helps to avoid conflicts preserving default gateway when using a VPN.
OpenWrt netifd does not try to be smart, so you need to manage metric manually.

This depends on the interface protocol/configuration as well as the network management service.

I take it it's the old wireguard endpoint route you want removed? I use a script to remove it...

# remove existing WireGuard endpoint route(s)
# (only literal IPv4 endpoints match; a hostname in endpoint_host yields no match)
OLD_ENDPOINT_IPS=$(uci show network | grep "endpoint_host" | grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
for OLD_ENDPOINT_IP in $OLD_ENDPOINT_IPS; do
  ip route delete "$OLD_ENDPOINT_IP"
  echo "  -> removed old endpoint route ($OLD_ENDPOINT_IP)"
done

The most useful answer I got in this thread is from mikma:

Followed by the hint that I should add a metric to my default WAN route.

So lets summarize the answers to the 4 initial questions:

  1. What happens in the background when executing "ifup wg"?
    --> ifup wg is similar to wg-quick up

  2. How does OpenWRT know that it should add routes after the call of "ifup wg"?
    --> some magic happens, when "ifup" recognizes it's asked to bring up a wireguard interface. The IP addresses for the routes are used from the config file (/etc/config/network) and the mechanic of setting up the routes is hardcoded somewhere. Nobody told me where exactly.

  3. How to modify the behaviour of creating/deleting routes?
    --> setting a metric preserves the default route
    --> Use "Route Allowed IPs" on the WireGuard interface to control automatic creation of routes
    --> Use a script to remove the route to the wireguard peer, after executing "ifdown wg"

    This is the script I use, I placed it in /etc/hotplug.d/iface/

    #!/bin/sh
    # /etc/hotplug.d/iface/ script: delete the peer endpoint host route when wg goes down
    # (assumes endpoint_host is a literal IP, as in the routing table above)
    [ "$ACTION" = "ifdown" ] && [ "$INTERFACE" = "wg" ] && ip route del "$(uci get network.wgpeer1.endpoint_host)"
    
  4. Difference between the shell commands ifup/ifdown wireguard interface and the buttons in the LuCi?
    --> Dunno. Was not answered.

So 3 out of 4, 75% I can live with that.
Thanks everyone. I still like OpenWrt, it's running just fine for me.

You can consider this topic as solved.
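As an added example (my own, not code posted in the thread), here is a hotplug script that generalises the one-liner in the summary: on ifdown of a WireGuard interface it removes the host route to every peer endpoint of that interface, discovering the peers from `uci show network` instead of hard-coding `wgpeer1`. It assumes the OpenWrt convention that the peers of interface `wg` are uci sections of type `wireguard_wg`, that `uci show` prints values in single quotes, and that `endpoint_host` is a literal IPv4 address; hostname endpoints are skipped on purpose, because the route the kernel holds is to the resolved address, which the script does not know. The file name `99-wg-cleanup` is my choice, and the parsing is kept in functions that read the uci dump from stdin so they can be tried on a captured dump without a router.

```shell
#!/bin/sh
# Added example: /etc/hotplug.d/iface/99-wg-cleanup (file name is my choice).
# On "ifdown <iface>" of a WireGuard interface, delete the host routes that
# were added towards each peer's endpoint_host, for every peer of that interface.
# Assumes OpenWrt's convention that peers of interface "wg" are uci sections of
# type "wireguard_wg", and that "uci show" prints values in single quotes.

# Print the peer section names of interface $1, reading "uci show network"
# output on stdin (so it can be exercised on a captured dump without uci).
wg_peer_sections() {
	sed -n "s/^network\.\([^.=]*\)=wireguard_$1\$/\1/p"
}

# Succeed only if $1 is a dotted-quad IPv4 literal with every octet in 0..255.
# Hostname endpoints fail here on purpose: the kernel route is to the resolved
# address, which this script does not know.
is_ipv4() {
	case "$1" in
		""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
	esac
	set -- $(printf '%s\n' "$1" | tr '.' ' ')
	[ $# -eq 4 ] || return 1
	for octet in "$@"; do
		[ "$octet" -le 255 ] || return 1
	done
	return 0
}

# Print the endpoint IPv4 addresses of interface $1's peers, one per line,
# reading "uci show network" output on stdin. Hostnames are skipped.
wg_endpoint_ips() {
	dump=$(cat)
	for peer in $(printf '%s\n' "$dump" | wg_peer_sections "$1"); do
		ep=$(printf '%s\n' "$dump" | sed -n "s/^network\.$peer\.endpoint_host='\(.*\)'\$/\1/p")
		is_ipv4 "$ep" && printf '%s\n' "$ep"
	done
	return 0
}

# Hotplug entry point: netifd sets ACTION and INTERFACE for every iface event.
# Only act on ifdown; ifup is left to netifd, which is what adds the routes.
# Deleting a route that is already gone (newer releases remove it themselves)
# is harmless, so the error is silenced.
if [ "$ACTION" = "ifdown" ] && [ -n "$INTERFACE" ]; then
	for ep in $(uci show network | wg_endpoint_ips "$INTERFACE"); do
		ip route del "$ep" 2>/dev/null && logger -t wg-cleanup "removed endpoint route $ep"
	done
fi
```

Because the script keys on the event's INTERFACE rather than a fixed name, it is a no-op for ifdown of any interface that has no `wireguard_<iface>` peer sections, so it can stay installed alongside other tunnels.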

Yes, I know. By "the other route" I meant the route to the wireguard peer, that is kept.
But I can handle this via a script. I just wondered, why the "ifdown" doesn't clean up completely.

(Two modifications are made by "ifup", but only one is restored by "ifdown" - If you ask me this is not consistent and should be changed within OpenWRT.)

Exactly this is what I meant. Thanks. I did it in a similar way and put the script in
/etc/hotplug.d/iface/

But still, I think if the "ifup" creates new routes, the "ifdown" should remove all of these routes, without the need for the user to create their own script for that purpose.

Good it's working for you; my script is run within a larger script, otherwise I would have done similar.

I agree, I've also been playing around with OpenVPN recently and I've noticed it does this automatically.

No peer routes are kept for me when I ifdown the WG interface.
Try to upgrade to the latest version:

opkg update
opkg upgrade kmod-wireguard wireguard wireguard-tools
/etc/init.d/network restart

What makes you think there's any difference?
