Hi Jochen,

On Mon, Mar 13, 2023 at 10:43:02PM +0100, Jochen Demmer wrote:
> Yet I cannot communicate. Is it possible that the wireguard tunnel
> itself doesn't have the prefix in its allowed IPs? I always thought
> this allowed_ips parameter is only for setting up the routing, even if
> the name suggests otherwise.

With wg-quick (which OpenWrt is trying to mirror I guess) the AllowedIPs do
double duty as source address ACL and routes. I actually forgot to mention
you'd have to use Table=0 to get rid of the static routes. IIRC the
route_allowed_ips option you found is the equivalent here.

On Tue, Mar 14, 2023 at 02:09:27AM +0100, Jochen Demmer wrote:
> Alright, I figured it out.
> On both sides I needed to set allowed-ips to 0.0.0.0/0 and ::/0.
> Then set route_allowed_ips to 0.

Are you sending any v4 traffic over the tunnel? If not, 0.0.0.0/0 should be
unnecessary.

> This seems to work, yet it is generally recommended not to allow any in
> a wireguard tunnel. I don't see another way right now though.

What do you mean? If your AllowedIPs set is empty wireguard will just act as a
big useless black hole.

To see how the OpenWrt stuff maps to wg options see the script handling the
conversion:
https://github.com/openwrt/openwrt/blob/master/package/network/utils/wireguard-tools/files/wireguard.sh
AFAICT it does a straight conversion of the allowed_ips list to the wg option.

--Daniel

_______________________________________________
Babel-users mailing list
Babel-users@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users
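The "double duty" Daniel describes is WireGuard's cryptokey routing table: AllowedIPs selects which peer an outbound packet is encrypted to (longest prefix match) and, on the receive side, is the source-address ACL for packets decrypted from that peer; Table=0 in wg-quick (route_allowed_ips=0 on OpenWrt) only stops the separate kernel routes from being installed and does not affect this table. The following is an added example, not code from the thread, wg-quick or OpenWrt; it models that table with the standard library `ipaddress` module, and the peer names and prefixes are constructed sample values chosen to mirror the thread (an IPv6-only `::/0` peer, so IPv4 destinations have no match).

```python
from ipaddress import ip_address, ip_network


class CryptokeyRouter:
    """Model of WireGuard cryptokey routing: every allowed prefix belongs to
    exactly one peer, and the most specific prefix wins a lookup."""

    def __init__(self):
        # prefix -> peer name
        self.table = {}

    def add_peer(self, name, allowed_ips):
        for cidr in allowed_ips:
            net = ip_network(cidr, strict=False)
            # Assigning a prefix already owned by another peer moves it,
            # which is what `wg set ... allowed-ips` does as well.
            self.table[net] = name

    def lookup(self, addr):
        a = ip_address(addr)
        best = None
        for net, peer in self.table.items():
            if a.version == net.version and a in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def route_outbound(self, dst):
        """Peer that receives a packet to dst, or None: with no matching
        AllowedIPs the packet is silently dropped (the 'black hole')."""
        return self.lookup(dst)

    def accept_inbound(self, peer, src):
        """Source-address ACL: a packet decrypted from `peer` is only accepted
        if its inner source address maps back to that same peer."""
        return self.lookup(src) == peer


def build_sample_router():
    # Constructed sample topology: a hub that is the default route for
    # IPv6 only (::/0, as in the thread), plus one peer with a single host.
    r = CryptokeyRouter()
    r.add_peer("hub", ["::/0"])
    r.add_peer("bob", ["fd00::2/128"])
    return r


if __name__ == "__main__":
    r = build_sample_router()
    print("to 2001:db8::1 ->", r.route_outbound("2001:db8::1"))   # hub
    print("to fd00::2     ->", r.route_outbound("fd00::2"))       # bob
    print("to 192.0.2.1   ->", r.route_outbound("192.0.2.1"))     # None
    print("hub sends src fd00::2 ->", r.accept_inbound("hub", "fd00::2"))
    print("empty table ->", CryptokeyRouter().route_outbound("fd00::1"))
```

The last two lines of the usage show the two points from the reply: a packet arriving from `hub` but claiming `bob`'s source address is rejected by the ACL, and a router with no AllowedIPs at all routes nothing. Because the sample hub only carries `::/0`, an IPv4 destination has no peer, which is why `0.0.0.0/0` is only needed if IPv4 actually goes through the tunnel.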