Wireguard to add p2p peer address

tkteun · October 30, 2023, 1:19am

I'm trying to set up BGP routing (eg. dn42) with OpenWRT, but it turns out Wireguard is a bit difficult. It works quite well when you're using 'allowed ip' to route to the inner address of the peer, but that is unusable with dynamic routing. Adding a static route to the peer works quite well, but causes Bird to need 'multihop' to connect. The recommended option is to add an interface address specifying the peer address.

ip a a 172.20.0.1/32 dev dn42_[...] peer 172.20.1.1

config interface 'dn42_[...]'
        option proto 'wireguard' 
        list addresses '172.20.0.1'
                                     
config wireguard_dn42_[...]    
        option endpoint_host '[...]'
        option endpoint_port '[...]'
        option persistent_keepalive '25'
        list allowed_ips '172.20.0.0/14'

It would be very nice if I were to be able to add an ipv4 and ipv6 address to each peer configuration. Or maybe someone has another solution for this. Currently trying a hotplug.d solution, but that's not so nice.

Thanks!

lleachii · October 30, 2023, 12:04pm

It's already possible to assign multiple IPv4 and IPv6 addresses to a WG interface.

Are all your BGP-obtained routes in this subnet?

If not, use 0.0.0.0/0 or list the expected networks.

tkteun · October 30, 2023, 9:29pm

The problem with allowed_ips is that it is a firewall as well as the static routing table. Preferably I would add a /32 of the inner IP of the peer and a 0.0.0.0/0 to allow routing. But checking the add host routes checkbox would make that the default gateway, leaving it unchecked I need to add a host route manually. Unfortunately Bird router doesn't want a route without multihop, it wants a direct connection.

lleachii · October 30, 2023, 9:32pm

I didn't say anything about the Route Allowed IPs checkbox. I assumed BGP was handling the routing.

I don't understand this statement. Is your BGP traffic not over WG - or are you saying there's some issue because it's not a Layer 2 interface?

tkteun · October 30, 2023, 10:38pm

Yeah, as it's a L3 tunnel (POINTOPOINT,NOARP), it's more common to add a peer address like it would happen with PPPoE connections. Just by adding 0.0.0.0/0 to allowed ips doesn't inform linux about how to reach the peer. This can be solved by turning every connection into a /30 but that's very archaic and wasteful (but allows bird to determine reachability).

I see other people are using the PostUp feature of wireguard to add a peer address to the interface manually. It might be a lot easier to just implement this, but that's not quite as sensible.

https://bird-users.network.narkive.com/6UaUwLdF/seems-i-can-t-get-bird-to-open-a-bgp-listen-socket#post3

_bernd · February 10, 2025, 12:51pm

Why not just use IPv6 Link local addresses and set interface and neighbor with in the bird peer conf?
Just allow fe80::/10 on all wg connection and disable auto route feature.