Wireguard not updating routing tables

I have two routers running Wireguard. They talk to each other happily through the tunnel, but I can only get PeerS to route local WiFi clients' traffic via PeerF if I manually change the PeerS routing tables.

How can I get PeerS to automatically route client traffic over Wireguard to the internet from PeerF? route_allowed_ips does not seem to work.

PeerF router
-- behind NAT
-- wireguard initiates connection to PeerS

PeerS router
-- Can accept incoming wireguard connections from PeerF
-- WiFi clients' internet traffic is routed to the internet via PeerF

# configuration from PeerS
network.wgpeerf.description='PeerF'
network.wgpeerf.allowed_ips='0.0.0.0/0' '192.168.209.0/24'
network.wgpeerf.route_allowed_ips='0'

The difference in routing tables is minimal when changing the value of route_allowed_ips, but clearly something is happening.

# when route_allowed_ips='0'
root@PeerS:~# ip route       
default via 192.168.88.1 dev eth0.2 proto static src 192.168.88.138
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.88.0/24 dev eth0.2 proto kernel scope link src 192.168.88.138
192.168.209.0/24 dev wg0 proto **kernel scope link src 192.168.209.1**
# when route_allowed_ips='1'
root@PeerS:~# ip route
default via 192.168.88.1 dev eth0.2 proto static src 192.168.88.138
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.88.0/24 dev eth0.2 proto kernel scope link src 192.168.88.138
192.168.209.0/24 dev wg0 proto **static scope link**

Try 0.0.0.0/1 and 128.0.0.0/1 instead of 0.0.0.0/0.

I'm not sure how you get to the Internet on WAN on the WG interface if you duplicate its route. The above makes a more-specific route.

I tried this. Different results but still not working automatically.

# with route_allowed_ips='1'
root@PeerS:~# ip route
0.0.0.0/1 dev wg0 proto static scope link
default via 192.168.88.1 dev eth0.2 proto static src 192.168.88.138
128.0.0.0/1 dev wg0 proto static scope link
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.88.0/24 dev eth0.2 proto kernel scope link src 192.168.88.138
192.168.209.0/24 dev wg0 proto kernel scope link src 192.168.209.1

If I turn off the automatic route_allowed_ips, and instead manually add the routes it works fine

root@PeerS:~# ip route
0.0.0.0/1 dev wg0 scope link
default via 192.168.88.1 dev eth0.2 proto static src 192.168.88.138
128.0.0.0/1 dev wg0 scope link
132.13.82.172 via 192.168.88.1 dev eth0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.88.0/24 dev eth0.2 proto kernel scope link src 192.168.88.138
192.168.209.0/24 dev wg0 proto kernel scope link src 192.168.209.1

Would you know where the code is which modifies the routing tables when route_allowed_ips='1'? Would I be correct that that is wrapper code outside of wireguard itself?
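Added example, not part of the thread: a small longest-prefix-match lookup run over the two `ip route` listings posted above, to show why the two /1 halves win over the existing default route for client traffic while the /32 host route for the endpoint keeps the tunnel's own encrypted packets going out eth0.2 instead of back into wg0. The tables are copied from the posts; the function names are mine.

```python
import ipaddress

# Constructed for this example: the two `ip route` listings from the thread.
# TABLE_NO_ROUTES is PeerS with route_allowed_ips='0'; TABLE_MANUAL is the
# working table after the /1 halves and the endpoint host route were added.
TABLE_NO_ROUTES = """\
default via 192.168.88.1 dev eth0.2 proto static src 192.168.88.138
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.88.0/24 dev eth0.2 proto kernel scope link src 192.168.88.138
192.168.209.0/24 dev wg0 proto kernel scope link src 192.168.209.1
"""

TABLE_MANUAL = """\
0.0.0.0/1 dev wg0 scope link
default via 192.168.88.1 dev eth0.2 proto static src 192.168.88.138
128.0.0.0/1 dev wg0 scope link
132.13.82.172 via 192.168.88.1 dev eth0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.88.0/24 dev eth0.2 proto kernel scope link src 192.168.88.138
192.168.209.0/24 dev wg0 proto kernel scope link src 192.168.209.1
"""

def parse_routes(text):
    """Turn `ip route` lines into (network, dev, via) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        via = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((ipaddress.ip_network(dst, strict=False), dev, via))
    return routes

def next_hop(table_text, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev, via in parse_routes(table_text):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    return (best[1], best[2]) if best else None

if __name__ == "__main__":
    for ip in ("8.8.8.8", "1.1.1.1", "132.13.82.172", "192.168.1.50"):
        # Client traffic leaves via wg0 under TABLE_MANUAL, but packets to
        # the WireGuard endpoint itself still go out eth0.2 via the WAN gateway.
        print(ip, next_hop(TABLE_NO_ROUTES, ip), next_hop(TABLE_MANUAL, ip))
```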

Yes, because the wireguard protocol implemented in the wireguard module doesn't care about routes.

BTW the routes are configured in /lib/netifd/proto/wireguard.sh which seems to talk to netifd.
