WG default routing

2021-01-04 Thread Chris Osicki
Hi

I am quite new to WireGuard, moving after years of OpenVPN, and found it simple 
and _really good_.
One thing, however, makes me wonder. Why does WG always try to take over all my 
routing?
My first try was with wg-quick, and I noticed all my traffic went through the 
WG-VPN connection.
It escapes me why. What is the idea behind this policy?

On my Linux boxes it's not a problem; I don't have to use wg-quick, and with a 
few lines of bash in a script I have what I need. I have root.
On my Android devices I don't have root, and I cannot change anything in 
routing etc.
Why don't you provide an option to specify which net to route which way?

Regards,
Chris


Re: Continued use of `wg-quick save` and SaveConfig=true?

2021-01-04 Thread Chris Osicki
On Sat, Jan 02, 2021 at 03:37:09PM +0100, Jason A. Donenfeld wrote:
> Hi,
> 
> I was thinking recently that most people have switched from a model of
> updating the runtime configuration and then reading that back into a
> config file, to editing the config file and then syncing that with the
> runtime config. In other words, people have moved from doing:
> 
> # wg set wg0 peer ... allowed-ips ...
> # wg-quick save wg0
> 
> To doing:
> 
> # vim /etc/wireguard/wg0.conf
> # wg syncconf wg0 <(wg-quick strip wg0)
> 
> I think this is mostly a positive change too in terms of reliability.
> Reading back the runtime configuration was always a bit hit or miss,
> and I suspect that more times than not people have been confused by
> SaveConfig=true.
> 
> That raises the question: are there good uses left for SaveConfig=true
> and `wg-quick save` that warrant keeping the feature around?
> Temporarily caching a roamed endpoint IP, perhaps, but how helpful is
> that?
> 
> I haven't thought too deeply about this in order to be wedded to one
> outcome over the other yet, but seeing some confusion today, again, in
> #wireguard over the feature made me wonder.
> 
> Any opinions on this? Any one on this list actively use this feature
> and see replacements for it (e.g. syncconf) as clearly inferior?
> 
> Jason

Hi Jason

Being an old fashioned Unix admin, ~30 years spent in this job, I vote for the 
traditional way of doing it:
change the config file and let the application reread it.
I think the KISS principle is still valid ;-)

Thanks for the excellent software, Jason!

Regards,
Chris


Re: WG default routing

2021-01-05 Thread Chris Osicki
On Mon, Jan 04, 2021 at 01:22:31PM +, Gijs Conijn wrote:
> That is what I am using the allowed IPs for.
> I only want to route via the tunnel to my home LAN, so I enter the WG subnet 
> and the home LAN subnet in allowed IPs
> (as I understood, allowed IPs are not only allowed but also routed via the 
> tunnel).
> 
> Regards, Erik 
> DDWRT WireGuard user
> 
> -Original message-
> From: WireGuard  On behalf of Chris Osicki
> Sent: Sunday 3 January 2021 22:55
> To: WireGuard mailing list 
> Subject: WG default routing
> 
> Hi
> 
> I am quite new to WireGuard, moving after years of OpenVPN, and found it 
> simple and _really good_.
> One thing, however, makes me wonder. Why does WG always try to take over all 
> my routing?
> My first try was with wg-quick, and I noticed all my traffic went through the 
> WG-VPN connection.
> It escapes me why. What is the idea behind this policy?
> 
> On my Linux boxes it's not a problem; I don't have to use wg-quick, and with 
> a few lines of bash in a script I have what I need. I have root.
> On my Android devices I don't have root, and I cannot change anything in 
> routing etc.
> Why don't you provide an option to specify which net to route which way?
> 
> Regards,
> Chris
> 

Hi

As far as I can see after a few tests, the AllowedIPs config file option has 
nothing to do with routing, and I hope it will stay like this. It is just a 
filter, and the next question arises: why this? Don't we have 
iptables/nftables?
Or is it for non-Unix-like systems?

Regards,
Chris


Re: WG default routing

2021-01-05 Thread Chris Osicki
On Mon, Jan 04, 2021 at 02:38:23PM +0100, Henning Reich wrote:
> Hi,
> you can control how the traffic is routed with the AllowedIPs option. If
> you use 0.0.0.0/0, all traffic is routed through the WireGuard tunnel.
> If you just allow, for example, 10.10.10.10/32, only 10.10.10.10 is
> allowed. 10.10.0.0/16,192.168.1.0/24 will allow
> 10.10.0.0-10.10.254.254 and 192.168.1.0-192.168.1.254, and so on...
> 
> I use
> [Peer]
> PublicKey = xxx
> AllowedIPs = 172.16.16.0/24,10.10.0.0/16,10.0.0.0/16
> Endpoint = 123.123.123.123:12346
> PersistentKeepalive=30
> 
> On Mon, 4 Jan 2021 at 13:40, Chris Osicki wrote:
> >
> > Hi
> >
> > I am quite new to WireGuard, moving after years of OpenVPN, and found it 
> > simple and _really good_.
> > One thing, however, makes me wonder. Why does WG always try to take over 
> > all my routing?
> > My first try was with wg-quick, and I noticed all my traffic went through 
> > the WG-VPN connection.
> > It escapes me why. What is the idea behind this policy?
> >
> > On my Linux boxes it's not a problem; I don't have to use wg-quick, and 
> > with a few lines of bash in a script I have what I need. I have root.
> > On my Android devices I don't have root, and I cannot change anything in 
> > routing etc.
> > Why don't you provide an option to specify which net to route which way?
> >
> > Regards,
> > Chris

Hi,

As I wrote in another mail, the AllowedIPs config file option has nothing to 
do with routing, IMHO.
It looks just like a filter.

Regards,
Chris


Re: WG default routing

2021-01-05 Thread Chris Osicki
On Wed, Jan 06, 2021 at 01:25:30AM +0500, Roman Mamedov wrote:
> On Tue, 5 Jan 2021 21:12:12 +0100
> Chris Osicki  wrote:
> 
> > As far as I can see after few tests, AllowedIPs config file option has 
> > nothing to do with routing and I hope 
> > it will stay like this.
> 
> wg-quick uses AllowedIPs to also set up matching entries in the system routing
> table. This can be disabled in its config.
> 
> > It is just a filter
> 
> It is not only a filter on incoming packets, but also WG's internal routing
> table for knowing which packets should be sent to which peer.

I'm sorry to contradict you, but after some more reading I have to :-)
WG has no "internal routing table"; wg-quick (which, BTW, is not the subject 
of my query) uses it to modify the kernel routing tables. From the wg-quick 
man page:

   It infers all routes from the list of peers' allowed IPs, and
   automatically adds them to the system routing table. If one of those
   routes is the default route (0.0.0.0/0 or ::/0), then it uses ip-rule(8)
   to handle overriding of the default gateway.

So, in my test config I have a server, 10.10.10.1, and two clients, 
10.10.10.2/3.
If on the server I remove the AllowedIPs option, no one can connect.
Giving AllowedIPs = 10.10.10.0/24, both clients can connect and routing in 
them stays as it was.
The same for the clients: without AllowedIPs = 10.10.10.0/24 they cannot 
connect.

Thus, my question still remains: why this filtering function?

> 
> -- 
> With respect,
> Roman

Regards,
Chris
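
The two roles of AllowedIPs that Roman describes above (inbound source filter and per-peer destination lookup), together with the route inference quoted from the wg-quick man page, modelled in Python as an added illustration; this is not WireGuard's or wg-quick's own code, and the peer names and prefixes are constructed for the example.

```python
# Added illustration, not WireGuard's own code: a small model of the
# "cryptokey routing" table WireGuard builds from each peer's AllowedIPs.
# Peer names and addresses below are constructed for the example.
import ipaddress
from typing import Dict, List, Optional


class CryptokeyTable:
    """One table serves two purposes: outbound, the longest-prefix match on
    the destination selects the peer to encrypt for; inbound, a decrypted
    packet is accepted only if its source address is in the sending peer's
    AllowedIPs.  That is why a peer with no AllowedIPs can neither send nor
    receive anything: nothing matches in either direction."""

    def __init__(self, peers: Dict[str, List[str]]):
        self.table = [(ipaddress.ip_network(n, strict=False), name)
                      for name, nets in peers.items() for n in nets]
        # most specific prefix first, so the first hit is the longest match
        self.table.sort(key=lambda t: t[0].prefixlen, reverse=True)

    def outbound_peer(self, dst: str) -> Optional[str]:
        d = ipaddress.ip_address(dst)
        for net, name in self.table:
            if d.version == net.version and d in net:
                return name
        return None  # no peer owns this destination: the packet is dropped

    def inbound_ok(self, peer: str, src: str) -> bool:
        s = ipaddress.ip_address(src)
        return any(name == peer and s.version == net.version and s in net
                   for net, name in self.table)

    def wg_quick_routes(self, dev: str = "wg0") -> List[str]:
        """Kernel routes wg-quick infers from the same list (unless Table=off);
        a default route (0.0.0.0/0 or ::/0) is handled via ip-rule instead."""
        return [f"ip route add {net} dev {dev}" if net.prefixlen else
                f"# {net}: default route, overridden via ip rule (see wg-quick(8))"
                for net, _ in self.table]


def demo_table() -> CryptokeyTable:
    # Constructed config: one peer like Henning's, plus a /32 that overlaps it.
    return CryptokeyTable({
        "office": ["172.16.16.0/24", "10.10.0.0/16", "10.0.0.0/16"],
        "laptop": ["10.10.10.10/32"],
    })
```

Run `demo_table().outbound_peer("10.10.10.10")` to see the /32 win over the /16, and `demo_table().inbound_ok("laptop", "10.10.20.5")` to see a decrypted packet with a source outside that peer's AllowedIPs being refused.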