Wireguard to add p2p peer address

I'm trying to set up BGP routing (e.g. dn42) with OpenWRT, but it turns out Wireguard is a bit difficult. It works quite well when you're using 'allowed ip' to route to the inner address of the peer, but that is unusable with dynamic routing. Adding a static route to the peer works quite well, but causes Bird to need 'multihop' to connect. The recommended option is to add an interface address specifying the peer address.

ip a a dev dn42_[...] peer

config interface 'dn42_[...]'
        option proto 'wireguard'
        list addresses ''
config wireguard_dn42_[...]
        option endpoint_host '[...]'
        option endpoint_port '[...]'
        option persistent_keepalive '25'
        list allowed_ips ''

It would be very nice if I were able to add an IPv4 and IPv6 address to each peer configuration. Or maybe someone has another solution for this. Currently trying a hotplug.d solution, but that's not so nice.


It's already possible to assign multiple IPv4 and IPv6 addresses to a WG interface.

Are all your BGP-obtained routes in this subnet?

If not, use or list the expected networks.


The problem with allowed_ips is that it is a firewall as well as the static routing table. Preferably I would add a /32 of the inner IP of the peer and a to allow routing. But checking the add host routes checkbox would make that the default gateway, leaving it unchecked I need to add a host route manually. Unfortunately Bird router doesn't want a route without multihop, it wants a direct connection.

I didn't say anything about the Route Allowed IPs checkbox. I assumed BGP was handling the routing.

I don't understand this statement. Is your BGP traffic not over WG - or are you saying there's some issue because it's not a Layer 2 interface?

Yeah, as it's an L3 tunnel (POINTOPOINT,NOARP), it's more common to add a peer address like it would happen with PPPoE connections. Just adding to allowed IPs doesn't inform Linux about how to reach the peer. This can be solved by turning every connection into a /30 but that's very archaic and wasteful (but allows bird to determine reachability).

I see other people are using the PostUp feature of wireguard to add a peer address to the interface manually. It might be a lot easier to just implement this, but that's not quite as sensible.
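An added example of the hotplug.d approach mentioned in the thread (not the OP's script, nor anything shipped by OpenWrt): on ifup of a wireguard interface it adds a point-to-point address for the peer with `ip addr ... peer ...`, for IPv4 and IPv6. It assumes iproute2 `ip` (for `addr replace`), the standard hotplug environment (ACTION, INTERFACE, DEVICE), and four hypothetical UCI options (local4, peer4, local6, peer6) with constructed sample addresses.

```shell
#!/bin/sh
# Added example (not the OP's hotplug script): /etc/hotplug.d/iface/90-wg-peer-addr
# Assumes four hypothetical per-interface UCI options in /etc/config/network:
#   config interface 'dn42_x'
#           option proto 'wireguard'
#           option local4 '172.20.0.1'   # constructed sample values
#           option peer4  '172.20.0.2'
#           option local6 'fe80::1'
#           option peer6  'fe80::2'
# IP/UCI are overridable so the logic can be exercised without root.
IP="${IP:-ip}"
UCI="${UCI:-uci}"

# Attach <local> with point-to-point <peer> to <dev>, i.e. the manual
# "ip a a ... dev ... peer ..." from the question. "replace" keeps it
# idempotent if ifup fires more than once. Returns 1 if anything is missing.
add_peer_addr() {
    dev="$1"; local_addr="$2"; peer_addr="$3"
    [ -n "$dev" ] && [ -n "$local_addr" ] && [ -n "$peer_addr" ] || return 1
    case "$peer_addr" in
        *:*) "$IP" -6 addr replace "$local_addr" peer "$peer_addr" dev "$dev" ;;
        *)   "$IP" -4 addr replace "$local_addr" peer "$peer_addr" dev "$dev" ;;
    esac
}

# Hotplug entry point: act only on ifup of a proto 'wireguard' interface.
# This only teaches the kernel how to reach the peer; allowed_ips still
# decides which source addresses WireGuard accepts from that peer, so the
# BGP-learned prefixes must be covered by allowed_ips (e.g. 0.0.0.0/0, ::/0
# with route_allowed_ips left off) for the dynamically routed traffic to pass.
wg_peer_hotplug() {
    [ "$ACTION" = "ifup" ] || return 0
    [ "$("$UCI" -q get "network.$INTERFACE.proto")" = "wireguard" ] || return 0
    dev="${DEVICE:-$INTERFACE}"
    add_peer_addr "$dev" "$("$UCI" -q get "network.$INTERFACE.local4")" \
                         "$("$UCI" -q get "network.$INTERFACE.peer4")" || true
    add_peer_addr "$dev" "$("$UCI" -q get "network.$INTERFACE.local6")" \
                         "$("$UCI" -q get "network.$INTERFACE.peer6")" || true
}

wg_peer_hotplug
```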