Wireguard strange route

Hello.
I'm trying to set up the wg0 interface. But when wg0 is up, a strange route to the endpoint appears in the route table.
This is the original route table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         pppoe-dyn       0.0.0.0         UG    0      0        0 pppoe-wan
4x.xxx.xx.1     *               255.255.255.255 UH    0      0        0 pppoe-wan
192.168.0.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.200.0   *               255.255.255.0   U     0      0        0 tun0

And this is the route table after upping wg0:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         pppoe-dyn       0.0.0.0         UG    0      0        0 pppoe-wan
4x.xxx.xx.1     *               255.255.255.255 UH    0      0        0 pppoe-wan
9y.yyy.yy.yy8   192.168.0.254   255.255.255.255 UGH   0      0        0 br-lan
192.168.0.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.200.0   *               255.255.255.0   U     0      0        0 tun0

/etc/config/network

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'ckey='
        option listen_port '51820'
        list addresses '192.168.100.3/32'

config wireguard_wg0
        option public_key 'Ukeys='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '9y.yyy.yy.yy8'
        option endpoint_port '51820'
        option persistent_keepalive '25'

As you can see, with this route the WireGuard interface doesn't work.
If I delete this route, it works.

How do I prevent this route from appearing?

Thanks.

This route for the endpoint must appear in the routing table for the tunnel to work.
What is wrong here is that it points to the gateway 192.168.0.254 in br-lan, instead of pppoe-dyn in pppoe-wan.
If I understand properly, the WireGuard endpoint is on the internet, not in your LAN.

  1. Can you confirm that?
  2. What is the 192.168.0.254? Do you have some static route towards that?
  3. Where do you use it?

  1. Yes, wireguard endpoint is VPS on the Internet.
  2. 192.168.0.254 is my LAN (br-lan). No static routes.
  3. I want to use wireguard VPN for some IP addresses.

Then do not use 0.0.0.0/0. Only list the subnets you wish to route to.

Then it is wrong to use the LAN address of the OpenWrt to reach something on the internet. I don't know how it got there, but you should have the IP of pppoe-dyn instead.
As @lleachii pointed out, you should use the networks you wish to reach over the tunnel instead of everything, and also enable the Route Allowed IPs tickbox.

Would it change the host route to the peer endpoint address? I don't think so since it seems to be always inserted if the peer endpoint is reachable via the default gateway. It doesn't depend on the allowed-ips anyway.
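
As an added example (not from this thread or from OpenWrt), a small busybox/POSIX sh check that parses a `route -n` style table like the ones quoted above and verifies that the /32 host route to the peer endpoint leaves via the same interface as the default route, which is the condition the replies above describe. The two tables and the gateway address 10.9.8.1 are constructed placeholders; 9y.yyy.yy.yy8 is the thread's own masked endpoint.

```shell
#!/bin/sh
# Constructed route tables in the `route -n` layout quoted in the thread.
# Addresses are placeholders, like the thread's own 9y.yyy.yy.yy8.
ROUTES_BAD='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.9.8.1        0.0.0.0         UG    0      0        0 pppoe-wan
9y.yyy.yy.yy8   192.168.0.254   255.255.255.255 UGH   0      0        0 br-lan
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan'

ROUTES_GOOD='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.9.8.1        0.0.0.0         UG    0      0        0 pppoe-wan
9y.yyy.yy.yy8   10.9.8.1        255.255.255.255 UGH   0      0        0 pppoe-wan
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan'

# check_endpoint_route TABLE ENDPOINT
# Prints the interface of the /32 host route to ENDPOINT. Exit status:
#   0  host route leaves via the default route's interface (the expected WAN)
#   1  host route leaves via some other interface (the br-lan case in the thread)
#   2  no host route to ENDPOINT at all
check_endpoint_route() {
    table=$1
    endpoint=$2
    # Column 8 is Iface; the default route is "0.0.0.0" (route -n) or "default" (route).
    wan_if=$(printf '%s\n' "$table" |
        awk '$1 == "0.0.0.0" || $1 == "default" { print $8; exit }')
    # Host route: destination equals the endpoint and the netmask is /32.
    ep_if=$(printf '%s\n' "$table" |
        awk -v ep="$endpoint" '$1 == ep && $3 == "255.255.255.255" { print $8; exit }')
    if [ -z "$ep_if" ]; then
        echo "no host route to $endpoint"
        return 2
    fi
    echo "$ep_if"
    [ "$ep_if" = "$wan_if" ]
}

# Stand-alone run: report on the broken table from the thread.
if check_endpoint_route "$ROUTES_BAD" 9y.yyy.yy.yy8 >/dev/null; then
    echo "endpoint route leaves via the WAN interface"
else
    echo "endpoint route does NOT leave via the WAN interface"
fi
```

On a live router, feed it `"$(route -n)"` so the endpoint is printed numerically rather than resolved to a hostname.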

Or you could allow 0.0.0.0/0, and use a dynamic routing protocol or another way to define routes.

You cannot do this, see:

https://www.wireguard.com/#cryptokey-routing

Actually AllowedIPs = 0.0.0.0/0 is used in one example on the page you linked to. Though the config is only usable with one peer.

Is your peer a VPN server?

Hi!
I have exactly the same issue. Two routers connected through a WG-Tunnel.

  • R1
    • 1 WAN (public IPv4)
    • multiple LAN-Subnets
    • AllowedIPs: 0/0, but the routed nets manually set
  • R2
    • 1 WAN behind a FW prohibiting incoming connections
    • 2 LAN-Subnets
    • it was also AllowedIPs: 0/0, but the routed nets manually set
      I tried manually specifying the nets and autosetting the routes (while also keeping them as manual static routes), nothing changed

On R1 the route is correct (IP of R2 -> WAN). On R2, the route to R1 is through a LAN (which doesn't work :smiley: ). The tunnel worked for ~1 year without a problem. After a downtime of the WAN on R2, it stopped working. Actually, in my case I wouldn't need this route in any direction, since I route only specific nets.

I would also appreciate help (although I can only debug it when I am at R2).

Wireguard adding explicit route to endpoint to the routing table - #2 by vgaetera