I'm trying to set up BGP routing (e.g. dn42) with OpenWRT, but it turns out WireGuard is a bit difficult. It works quite well when you're using 'allowed ip' to route to the inner address of the peer, but that is unusable with dynamic routing. Adding a static route to the peer works quite well, but causes Bird to need 'multihop' to connect. The recommended option is to add an interface address specifying the peer address:
ip a a 172.20.0.1/32 dev dn42_[...] peer 172.20.1.1
config interface 'dn42_[...]'
	option proto 'wireguard'
	list addresses '172.20.0.1'
	option endpoint_host '[...]'
	option endpoint_port '[...]'
	option persistent_keepalive '25'
	list allowed_ips '172.20.0.0/14'
It would be very nice if I were able to add an IPv4 and IPv6 address to each peer configuration. Or maybe someone has another solution for this. Currently trying a hotplug.d solution, but that's not so nice.
It's already possible to assign multiple IPv4 and IPv6 addresses to a WG interface.
Are all your BGP-obtained routes in this subnet?
If not, use 0.0.0.0/0 or list the expected networks.
The problem with allowed_ips is that it is a firewall as well as the static routing table. Preferably I would add a /32 of the inner IP of the peer and a 0.0.0.0/0 to allow routing. But checking the "add host routes" checkbox would make that the default gateway; leaving it unchecked, I need to add a host route manually. Unfortunately the Bird router doesn't want a route without multihop, it wants a direct connection.
I didn't say anything about the Route Allowed IPs checkbox. I assumed BGP was handling the routing.
I don't understand this statement. Is your BGP traffic not over WG - or are you saying there's some issue because it's not a Layer 2 interface?
Yeah, as it's an L3 tunnel (POINTOPOINT,NOARP), it's more common to add a peer address like it would happen with PPPoE connections. Just adding 0.0.0.0/0 to allowed ips doesn't inform Linux about how to reach the peer. This can be solved by turning every connection into a /30, but that's very archaic and wasteful (but allows Bird to determine reachability).
I see other people are using the PostUp feature of wireguard to add a peer address to the interface manually. It might be a lot easier to just implement this, but that's not quite as sensible.
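The hotplug.d approach mentioned in the opening post and the PostUp idea above amount to the same thing: after netifd brings the WireGuard interface up, install the peer's inner address as a point-to-point address so the kernel has a directly connected route and Bird can run a non-multihop session. Below is an added example of such an /etc/hotplug.d/iface/ script; it is not code from the thread, OpenWrt or WireGuard. It assumes a hypothetical custom UCI list `peer_addresses` in the interface section (the stock `addresses` list already holds the local inner address), the `ACTION`, `INTERFACE` and `DEVICE` variables that OpenWrt's hotplug exports, and constructed sample IPv6 addresses; the IPv4 values are the ones from the post. Locals and peers are paired by address family, so one script covers both families the poster asked for.

```shell
#!/bin/sh
# Added example (not OpenWrt/WireGuard project code): hotplug.d/iface script
# that adds point-to-point peer addresses to a WireGuard interface on ifup,
# so the peer's inner IP is directly reachable without a /30 per tunnel.
#
# Assumed UCI layout (hypothetical custom option 'peer_addresses'):
#   list addresses '172.20.0.1'              (stock option, from the post)
#   list addresses 'fd42:dead:beef::1'       (constructed sample)
#   list peer_addresses '172.20.1.1'         (hypothetical custom option)
#   list peer_addresses 'fd42:dead:beef::2'  (constructed sample)
# Hotplug exports ACTION (ifup/ifdown), INTERFACE (logical name), DEVICE.

UCI_PEER_OPTION="${UCI_PEER_OPTION:-peer_addresses}"

# Address family of a bare address: 6 if it contains a colon, else 4.
addr_family() {
    case "$1" in
        *:*) echo 6 ;;
        *)   echo 4 ;;
    esac
}

# Print the ip(8) command that installs LOCAL as a host address (/32 or /128)
# with PEER as the point-to-point remote on DEV. 'replace' instead of 'add'
# keeps the script idempotent when ifup fires more than once.
wg_peer_cmd() {
    dev="$1"; local_ip="$2"; peer_ip="$3"
    plen=32
    [ "$(addr_family "$peer_ip")" = 6 ] && plen=128
    # strip any prefix length netifd may already carry on the local address
    printf 'ip addr replace %s/%s dev %s peer %s\n' "${local_ip%%/*}" "$plen" "$dev" "$peer_ip"
}

# Pair every local address with every peer address of the same family and
# print one command per pair. LOCALS and PEERS are space-separated lists,
# which is exactly what 'uci get' returns for a list option.
wg_peer_cmds() {
    dev="$1"; locals="$2"; peers="$3"
    for l in $locals; do
        lf="$(addr_family "$l")"
        for p in $peers; do
            [ "$(addr_family "$p")" = "$lf" ] && wg_peer_cmd "$dev" "$l" "$p"
        done
    done
    return 0
}

# Hotplug entry point: act only on ifup of an interface that has peers configured.
# Nothing runs when the script is sourced outside hotplug (ACTION unset).
if [ "${ACTION:-}" = ifup ] && [ -n "${INTERFACE:-}" ]; then
    locals="$(uci -q get "network.$INTERFACE.addresses")"
    peers="$(uci -q get "network.$INTERFACE.$UCI_PEER_OPTION")"
    [ -n "$peers" ] && wg_peer_cmds "${DEVICE:-$INTERFACE}" "$locals" "$peers" | sh
fi
```

Installed as e.g. /etc/hotplug.d/iface/90-wg-peer, the script leaves allowed_ips free to hold 0.0.0.0/0 and ::/0 for the BGP-learned prefixes (with "route allowed IPs" unchecked), while the kernel still knows the peer's inner address is on-link. Bird's direct session then sees a connected neighbour, and `ip addr show dev <iface>` will list the address as `172.20.0.1 peer 172.20.1.1/32`.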