a working wireguard (client) interface - so no issues with the connection, or setup, it's up and running
After executing the "ifup wg" command on the shell (and also when clicking the "Restart" button, in the webinterface, interface section) the wireguard connection establishes successfully.
The routing table will be updated like this:
default * 0.0.0.0 U 0 0 0 wg
X.X.X.X 10.0.0.1 255.255.255.255 UGH 0 0 0 wlan0
After executing "ifdown wg" (and also when clicking the "Stop" button in the webinterface), the interface goes down and the default route will be deleted, which means my network becomes unusable for the moment.
This deletion of the default route is an expected behaviour, because the device (wg) that's used for it becomes unavailable. But there is no automatism that restores the original default route...
So I have to manually restore the default route in order to use the regular internet connection, without using wireguard, again.
The second route to the wireguard peer that was added won't be deleted.
This route is kept:
X.X.X.X 10.0.0.1 255.255.255.255 UGH 0 0 0 wlan0
So my questions are:
What happens behind the scenes after executing "ifup wg" and "ifdown wg"?
Is there an invocation of a shell script or something that adds the mentioned routes to the table? (How does Linux know that these routes should be added?)
Is there a way to modify this behaviour? For example: after ifdown the original default route will be restored and the other route will be deleted.
Is there a difference between the shell commands and the buttons on the webinterface regarding functionality?
I hope you understand what I'm trying to express and I would be glad if there is someone who could explain this case to me.
Thank you!
Thank you. But I still want to understand how the commands work in the background.
I can preserve the default route, that's helpful, yes, but as I explained the other route is kept and not removed automatically. Therefore I'm interested in a way to achieve this.
But most important for me is the general functionality in OpenWRT, as it's quite different than in a regular linux OS based on Debian or RedHat...
Especially I'm interested in what I asked in my 2nd question:
"how does the linux know, that these routes should be added?"
(Because when I just run ifup, I just expect the interface to be activated, but NO changing of the routing table. This is OpenWRT special thing...)
Running ifup on a WireGuard interface in OpenWrt is similar to running "wg-quick up" in other Linux dists. There is "Route Allowed IPs" on the WireGuard interface in case you don't want to add the routes automatically.
Each routing table can hold only one route with unique destination and metric.
Network management tools like NetworkManager automatically configure default metric depending on your connection type which helps to avoid conflicts preserving default gateway when using a VPN.
OpenWrt netifd does not try to be smart, so you need to manage metric manually.
This depends on the interface protocol/configuration as well as the network management service.
The most useful answer I got in this thread is from mikma:
Followed by the hint that I should add a metric to my default WAN route.
So let's summarize the answers to the 4 initial questions:
What happens in the background when executing "ifup wg"?
--> ifup wg is similar to wg-quick-up
How does OpenWRT know that it should add routes after the call of "ifup wg"?
--> some magic happens, when "ifup" recognizes it's asked to bring up a wireguard interface. The IP addresses for the routes are used from the config file (/etc/config/network) and the mechanic of setting up the routes is hardcoded somewhere. Nobody told me where exactly.
How to modify the behaviour of creating/deleting routes?
--> setting a metric preserves the default route
--> Use "Route Allowed IPs" on the WireGuard interface to control automatic creation of routes
--> Use a script to remove the route to the wireguard peer, after executing "ifdown wg"
This is the script I use, I placed it in /etc/hotplug.d/iface/
#!/bin/sh
# On ifdown of "wg", delete the leftover host route to the WireGuard peer.
[ "$ACTION" = ifdown ] && [ "$INTERFACE" = wg ] && route del "$(uci get network.wgpeer1.endpoint_host)"
Difference between the shell commands ifup/ifdown on the wireguard interface and the buttons in LuCI?
--> Dunno. Was not answered.
So 3 out of 4, 75% I can live with that.
Thanks everyone. I still like OpenWrt, it's running just fine for me.
Yes, I know. By "the other route" I meant the route to the wireguard peer, that is kept.
But I can handle this via a script. I just wondered, why the "ifdown" doesn't clean up completely.
(Two modifications are made by "ifup", but only one is restored by "ifdown" - If you ask me this is not consistent and should be changed within OpenWRT.)
Exactly this is what I meant. Thanks. I did it in a similar way and put the script in
/etc/hotplug.d/iface/
But still, I think if the "ifup" creates new routes, the "ifdown" should remove all of these routes, without the need for the user to create their own script for that purpose.
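
A check for the two conditions discussed in this thread (a missing default route and the peer host route left behind after ifdown), as an added example that is not part of any post. The function name `audit_routes`, the sample tables, the address 203.0.113.10 and the metric 10 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The tables are constructed samples;
# 203.0.113.10 stands in for the peer address shown as X.X.X.X above.

# audit_routes TUNNEL_DEV PEER_IP   (reads `route`-style rows on stdin)
# Prints default:<dev>:<metric> per default route, no-default if none, and
# stale-peer-route:<ip>:<dev> if the peer host route outlives the tunnel.
audit_routes() {
    awk -v tun="$1" -v peer="$2" '
        NF != 8 || $1 == "Destination" { next }   # skip header lines
        $8 == tun { tun_routes++ }                # tunnel device still in use
        $1 == "default" || ($1 == "0.0.0.0" && $3 == "0.0.0.0") {
            print "default:" $8 ":" $5; ndef++; next
        }
        $1 == peer && $4 ~ /H/ && $8 != tun { stale = $1 ":" $8 }
        END {
            if (!ndef) print "no-default"
            if (stale != "" && !tun_routes) print "stale-peer-route:" stale
        }'
}

# Tunnel up: default route via wg, peer host route is in use.
table_tunnel_up() {
    cat <<'EOF'
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 wg
203.0.113.10    10.0.0.1        255.255.255.255 UGH   0      0        0 wlan0
EOF
}

# After "ifdown wg", as described in the first post.
table_after_ifdown() {
    cat <<'EOF'
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.10    10.0.0.1        255.255.255.255 UGH   0      0        0 wlan0
EOF
}

# Same, with an assumed metric of 10 on the WAN default route.
table_after_ifdown_with_metric() {
    cat <<'EOF'
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.0.1        0.0.0.0         UG    10     0        0 wlan0
203.0.113.10    10.0.0.1        255.255.255.255 UGH   0      0        0 wlan0
EOF
}

table_after_ifdown | audit_routes wg 203.0.113.10
table_after_ifdown_with_metric | audit_routes wg 203.0.113.10
```

On the router the same function can read live data with `route -n | audit_routes wg "$(uci get network.wgpeer1.endpoint_host)"`, assuming endpoint_host holds an IP address rather than a hostname.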