I have WireGuard encrypting the connection between two private LANs -- nothing exposed to the WAN interface. However, they are on different private IP networks, and during wg init a route will be created for the target IP that has the WAN IP as the gateway. They connect fine when I delete that route (and I have a hotplug script that will do just that), but it seems that this shouldn't be getting created in the first place. Example:
config interface 'wg0'
	option proto 'wireguard'
	...
	list addresses '10.1.3.1/24'

config wireguard_wg0
	...
	option endpoint_host '10.4.3.1/24'
When wg starts up a route is created like this:
10.4.3.1 <wan-ip-gateway> 255.255.255.255 <wan-interface>
I believe the section doing this is:
wg show "${config}" endpoints | \
	sed -E 's/\[?([0-9.:a-f]+)\]?:([0-9]+)/\1 \2/' | \
	while IFS=$'\t ' read -r key address port; do
		[ -n "${port}" ] || continue
		proto_add_host_dependency "${config}" "${address}"
	done
Eyeballing the netifd helper script, an interface can be added to the proto_add_host_dependency call, but I haven't really thought through how this should be done while keeping the implementation generic. I'm guessing the difference in IPs is noted, but surely a private IP should never be routed to a gateway on the WAN interface?
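For reference, here is a hotplug script of the kind mentioned above, written as an added example rather than the poster's own script or anything from netifd. It assumes the WAN device is eth0 and the file path shown in the comment; the route-parsing logic takes the output of `ip -4 route show` as an argument so it can be checked without touching the routing table.

```sh
#!/bin/sh
# Hypothetical path: /etc/hotplug.d/iface/99-wg-drop-wan-host-route
# netifd runs this on ifup/ifdown. When the WireGuard interface comes up,
# it removes any /32 endpoint route that proto_add_host_dependency pointed
# at the WAN gateway, but only for RFC 1918 endpoints, which belong on the
# LAN side and should never leave via the WAN device.

WG_IFACE="${WG_IFACE:-wg0}"   # interface name from the post
WAN_DEV="${WAN_DEV:-eth0}"     # assumed WAN device name; adjust for your router

# Return 0 when $1 is an IPv4 address inside 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*)
            return 0 ;;
        172.*)
            second="${1#172.}"
            second="${second%%.*}"
            if [ "$second" -ge 16 ] 2>/dev/null && [ "$second" -le 31 ]; then
                return 0
            fi
            return 1 ;;
        *)
            return 1 ;;
    esac
}

# Print "<dst> via <gw>" for every RFC 1918 host route (no prefix length in
# `ip route` output means /32) that goes through a gateway on device $2.
# $1 is the text of `ip -4 route show`, passed in so the logic can be tested
# without touching the routing table.
stale_endpoint_routes() {
    printf '%s\n' "$1" | while read -r dst via gw dev_kw dev _rest; do
        [ "$via" = "via" ] && [ "$dev_kw" = "dev" ] && [ "$dev" = "$2" ] || continue
        case "$dst" in
            */*) continue ;;   # a real prefix, not a host dependency
        esac
        is_rfc1918 "$dst" && printf '%s via %s\n' "$dst" "$gw"
    done
}

# Hotplug entry point: netifd sets ACTION and INTERFACE in the environment.
if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "$WG_IFACE" ]; then
    stale_endpoint_routes "$(ip -4 route show)" "$WAN_DEV" |
    while read -r dst _via gw; do
        logger -t wg-route "removing $dst via $gw on $WAN_DEV"
        ip -4 route del "$dst" via "$gw" dev "$WAN_DEV"
    done
fi
```

Public endpoints are left alone on purpose, since for those the WAN host route is exactly what the tunnel needs.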