Wireguard built-in routing breaks LAN

Hi, I am using wireguard to gateway my lan to the VPN. The built-in routing doesn't do the right thing for that, and breaks my LAN. The lan is 192.168.1.0/24 and the Wireguard VPN is 192.168.11.0/24 . The build is a recent snapshot by croniccorey to port to Linkstar H68, I'm assuming this issue is in the main branch and not his code. Given this configuration:

config wireguard_wg0        
       option description 'uc.perens.com'
       option public_key 'redacted'
       option endpoint_host 'uc.perens.com'
       option endpoint_port '10245'
       option persistent_keepalive '30'
       list allowed_ips '192.168.1.0/24'
       list allowed_ips '192.168.11.0/24'
       option route_allowed_ips '1'

I get these routes. The one for 192.168.1.0/24 is obviously wrong and breaks the LAN:

192.168.1.0/24 dev wg0 scope link 
192.168.11.0/24 dev wg0 scope link

The code should recognize the LAN in allowed IPs and not route it.

Thanks for the great work you folks do!

1 Like

Allowed ips is what is allowed as the source address coming from the other side. It is also what will be routed back to the other side. In other words, allowed_ips match the other LAN, not your LAN. The two LANs can't be the same.

1 Like

What happens if we set the uci option route_allowed_ips to 0? I do not see the equivalent option in WireGuard original configurations (/etc/wireguard/wg0.conf), and I do not really understand what happens if we do not create such routes either. Just curious.

Don't use your LAN as an allowed IP, that is wrong on several levels.

Destination based routing of an outgoing packet through Wireguard is a two step process. First the main kernel routing table sends the packet into the wg0 interface. Then if there is more than one peer configured, Wireguard uses an internal table to further decide which peer to send this packet to. The internal table is built out as allowed_ips are configured. Setting route_allowed_ips also enters the IP subnets into the main routing table. Almost always that is what you want.

Deleted (issue answered).

@Livy, if route_allowed_ips is 0, I must add this route manually:

route add 192.168.11.0/24 dev wg0

@mk24 Thank you, that is what I was missing.

I just want to add that it is sometimes desired to not use the wireguarad auto route feature.
I.e. for site to site VPN with a lot of peers/sites it's easier to use only point to point connections and a dynamic routing protocol, while setting allowed IPs to 0.0.0.0/0 and ::/0, so traffic can be routed over every peer/site.
I just want to highlight this use case/setup.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.