Development discussion of WireGuard
* WG default routing
@ 2021-01-03 21:54 Chris Osicki
  2021-01-04 13:22 ` Gijs Conijn
  2021-01-04 13:38 ` Henning Reich
  0 siblings, 2 replies; 10+ messages in thread
From: Chris Osicki @ 2021-01-03 21:54 UTC (permalink / raw)
  To: WireGuard mailing list

Hi

I am quite new to WireGuard, moving after years of OpenVPN, and found it simple and _really good_.
One thing, however, makes me wonder. Why does WG always try to take over all my routing?
My first try was with wg-quick, and I noticed all my traffic went through the WG-VPN connection.
It escapes me why. What is the idea behind this policy?

On my Linux boxes it's not a problem: I don't have to use wg-quick, and with a few lines of bash in a script I have what I need. I have root.
On my Android devices I don't have root, and I cannot change anything in routing, etc.
Why don't you provide an option to specify which net to route which way?

Regards,
Chris

* RE: WG default routing
  2021-01-03 21:54 WG default routing Chris Osicki
@ 2021-01-04 13:22 ` Gijs Conijn
  2021-01-05 20:12   ` Chris Osicki
  2021-01-04 13:38 ` Henning Reich
  1 sibling, 1 reply; 10+ messages in thread
From: Gijs Conijn @ 2021-01-04 13:22 UTC (permalink / raw)
  To: Chris Osicki, WireGuard mailing list

That is what I am using the allowed IPs for.
I only want to route via the tunnel to my home LAN, so I enter the WG subnet and the home LAN subnet in allowed IPs.
(As I understood it, allowed IPs are not only allowed but also routed via the tunnel.)

Regards, Erik
DD-WRT WireGuard user

-----Original Message-----
From: WireGuard <wireguard-bounces@lists.zx2c4.com> On Behalf Of Chris Osicki
Sent: Sunday, 3 January 2021 22:55
To: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: WG default routing

Hi

I am quite new to WireGuard, moving after years of OpenVPN, and found it simple and _really good_.
One thing, however, makes me wonder. Why does WG always try to take over all my routing?
My first try was with wg-quick, and I noticed all my traffic went through the WG-VPN connection.
It escapes me why. What is the idea behind this policy?

On my Linux boxes it's not a problem: I don't have to use wg-quick, and with a few lines of bash in a script I have what I need. I have root.
On my Android devices I don't have root, and I cannot change anything in routing, etc.
Why don't you provide an option to specify which net to route which way?

Regards,
Chris

* Re: WG default routing
  2021-01-03 21:54 WG default routing Chris Osicki
  2021-01-04 13:22 ` Gijs Conijn
@ 2021-01-04 13:38 ` Henning Reich
  2021-01-05 20:15   ` Chris Osicki
  1 sibling, 1 reply; 10+ messages in thread
From: Henning Reich @ 2021-01-04 13:38 UTC (permalink / raw)
  To: Chris Osicki; +Cc: WireGuard mailing list

Hi,
you can control how the traffic is routed with the AllowedIPs option. If
you use 0.0.0.0/0, all traffic is routed through the WireGuard tunnel.
If you just allow, for example, 10.10.10.10/32, only 10.10.10.10 is
allowed. 10.10.0.0/16,192.168.1.0/24 will allow
10.10.0.0-10.10.254.254 and 192.168.1.0-192.168.1.254, and so on...

I use
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 172.16.16.0/24,10.10.0.0/16,10.0.0.0/16
Endpoint = 123.123.123.123:12346
PersistentKeepalive=30

On Mon, 4 Jan 2021 at 13:40, Chris Osicki <wg@osk.ch> wrote:
>
> Hi
>
> I am quite new to WireGuard, moving after years of OpenVPN, and found it simple and _really good_.
> One thing, however, makes me wonder. Why does WG always try to take over all my routing?
> My first try was with wg-quick, and I noticed all my traffic went through the WG-VPN connection.
> It escapes me why. What is the idea behind this policy?
>
> On my Linux boxes it's not a problem: I don't have to use wg-quick, and with a few lines of bash in a script I have what I need. I have root.
> On my Android devices I don't have root, and I cannot change anything in routing, etc.
> Why don't you provide an option to specify which net to route which way?
>
> Regards,
> Chris

* Re: WG default routing
  2021-01-04 13:22 ` Gijs Conijn
@ 2021-01-05 20:12   ` Chris Osicki
  2021-01-05 20:25     ` Roman Mamedov
  0 siblings, 1 reply; 10+ messages in thread
From: Chris Osicki @ 2021-01-05 20:12 UTC (permalink / raw)
  To: Gijs Conijn; +Cc: WireGuard mailing list

On Mon, Jan 04, 2021 at 01:22:31PM +0000, Gijs Conijn wrote:
> That is what I am using the allowed IPs for.
> I only want to route via the tunnel to my home LAN, so I enter the WG subnet and the home LAN subnet in allowed IPs.
> (As I understood it, allowed IPs are not only allowed but also routed via the tunnel.)
> 
> Regards, Erik
> DD-WRT WireGuard user
> 
> -----Original Message-----
> From: WireGuard <wireguard-bounces@lists.zx2c4.com> On Behalf Of Chris Osicki
> Sent: Sunday, 3 January 2021 22:55
> To: WireGuard mailing list <wireguard@lists.zx2c4.com>
> Subject: WG default routing
> 
> Hi
> 
> I am quite new to WireGuard, moving after years of OpenVPN, and found it simple and _really good_.
> One thing, however, makes me wonder. Why does WG always try to take over all my routing?
> My first try was with wg-quick, and I noticed all my traffic went through the WG-VPN connection.
> It escapes me why. What is the idea behind this policy?
> 
> On my Linux boxes it's not a problem: I don't have to use wg-quick, and with a few lines of bash in a script I have what I need. I have root.
> On my Android devices I don't have root, and I cannot change anything in routing, etc.
> Why don't you provide an option to specify which net to route which way?
> 
> Regards,
> Chris
> 

Hi

As far as I can see after a few tests, the AllowedIPs config file option has nothing to do with routing, and I hope
it will stay like this. It is just a filter, and the next question arises: why this? Don't we have iptables/nftables?
Or is it for non-Unix-like systems?

Regards,
Chris

* Re: WG default routing
  2021-01-04 13:38 ` Henning Reich
@ 2021-01-05 20:15   ` Chris Osicki
  0 siblings, 0 replies; 10+ messages in thread
From: Chris Osicki @ 2021-01-05 20:15 UTC (permalink / raw)
  To: Henning Reich; +Cc: WireGuard mailing list

On Mon, Jan 04, 2021 at 02:38:23PM +0100, Henning Reich wrote:
> Hi,
> you can control how the traffic is routed with the AllowedIPs option. If
> you use 0.0.0.0/0, all traffic is routed through the WireGuard tunnel.
> If you just allow, for example, 10.10.10.10/32, only 10.10.10.10 is
> allowed. 10.10.0.0/16,192.168.1.0/24 will allow
> 10.10.0.0-10.10.254.254 and 192.168.1.0-192.168.1.254, and so on...
> 
> I use
> [Peer]
> PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> AllowedIPs = 172.16.16.0/24,10.10.0.0/16,10.0.0.0/16
> Endpoint = 123.123.123.123:12346
> PersistentKeepalive=30
> 
> On Mon, 4 Jan 2021 at 13:40, Chris Osicki <wg@osk.ch> wrote:
> >
> > Hi
> >
> > I am quite new to WireGuard, moving after years of OpenVPN, and found it simple and _really good_.
> > One thing, however, makes me wonder. Why does WG always try to take over all my routing?
> > My first try was with wg-quick, and I noticed all my traffic went through the WG-VPN connection.
> > It escapes me why. What is the idea behind this policy?
> >
> > On my Linux boxes it's not a problem: I don't have to use wg-quick, and with a few lines of bash in a script I have what I need. I have root.
> > On my Android devices I don't have root, and I cannot change anything in routing, etc.
> > Why don't you provide an option to specify which net to route which way?
> >
> > Regards,
> > Chris

Hi,

As I wrote in another mail, the AllowedIPs config file option has nothing to do with routing, IMHO.
It looks like just a filter.

Regards,
Chris

* Re: WG default routing
  2021-01-05 20:12   ` Chris Osicki
@ 2021-01-05 20:25     ` Roman Mamedov
  2021-01-05 21:13       ` Chris Osicki
  0 siblings, 1 reply; 10+ messages in thread
From: Roman Mamedov @ 2021-01-05 20:25 UTC (permalink / raw)
  To: Chris Osicki; +Cc: Gijs Conijn, WireGuard mailing list

On Tue, 5 Jan 2021 21:12:12 +0100
Chris Osicki <wg@osk.ch> wrote:

> As far as I can see after a few tests, the AllowedIPs config file option has nothing to do with routing, and I hope
> it will stay like this.

wg-quick uses AllowedIPs to also set up matching entries in the system routing
table. This can be disabled in its config.

> It is just a filter

It is not only a filter on incoming packets, but also WG's internal routing
table for knowing which packets should be sent to which peer.

-- 
With respect,
Roman

* Re: WG default routing
  2021-01-05 20:25     ` Roman Mamedov
@ 2021-01-05 21:13       ` Chris Osicki
  2021-01-05 23:50         ` Phillip McMahon
  2021-01-06  1:17         ` Samuel Holland
  0 siblings, 2 replies; 10+ messages in thread
From: Chris Osicki @ 2021-01-05 21:13 UTC (permalink / raw)
  To: Roman Mamedov; +Cc: Gijs Conijn, WireGuard mailing list

On Wed, Jan 06, 2021 at 01:25:30AM +0500, Roman Mamedov wrote:
> On Tue, 5 Jan 2021 21:12:12 +0100
> Chris Osicki <wg@osk.ch> wrote:
> 
> > As far as I can see after a few tests, the AllowedIPs config file option has nothing to do with routing, and I hope
> > it will stay like this.
> 
> wg-quick uses AllowedIPs to also set up matching entries in the system routing
> table. This can be disabled in its config.
> 
> > It is just a filter
> 
> It is not only a filter on incoming packets, but also WG's internal routing
> table for knowing which packets should be sent to which peer.

I'm sorry to contradict you but after some more reading I have to :-)
WG has no "internal routing table"; wg-quick (which, BTW, is not the subject of my query) uses it to modify
kernel routing tables. From the wg-quick man page:

       It infers all routes from the list of peers' allowed IPs, and automatically adds them to the system routing
       table. If one of those routes is the default route (0.0.0.0/0 or ::/0), then it uses ip-rule(8) to handle
       overriding of the default gateway.

So, in my test config I have a server, 10.10.10.1, and two clients, 10.10.10.2/3.
If on the server I remove the AllowedIPs option, no one can connect.
Giving AllowedIPs = 10.10.10.0/24, both clients can connect and routing in them stays as it was.
The same for the clients: without AllowedIPs = 10.10.10.0/24 they cannot connect.

Thus, my question still remains: why this filtering function?

> 
> -- 
> With respect,
> Roman

Regards,
Chris

* Re: WG default routing
  2021-01-05 21:13       ` Chris Osicki
@ 2021-01-05 23:50         ` Phillip McMahon
  2021-01-06  1:03           ` Corey Costello
  2021-01-06  1:17         ` Samuel Holland
  1 sibling, 1 reply; 10+ messages in thread
From: Phillip McMahon @ 2021-01-05 23:50 UTC (permalink / raw)
  To: Chris Osicki; +Cc: Roman Mamedov, Gijs Conijn, WireGuard mailing list

Hi Chris, your first post made it sound very much like a query on
wg-quick; it's mentioned in a way that implies you're using it.

"...My first try was with wg-quick, and I noticed all my traffic went
through the WG-VPN connection.
It escapes me why. What is the idea behind this policy?

On my Linux boxes it's not a problem, I don't have to use wg-quick and
with a few lines of bash in a script I have what I need. I have
root...."

On the working config I have, multiple clients, multiple wg tunnels
and policy-based routing, AllowedIPs does set up entries in my routing
table. Not setting anything in AllowedIPs results in what you are
seeing: no traffic flow, as there are no routes established. wg uses
your standard OS functionality for routing; try adding those routes
manually and not in the wg config, and you should quickly see traffic
start to flow.

The AllowedIPs function in the config is there to easily encapsulate simple
routing requirements for tunnels, which probably satisfies the needs of
most simple users. Stick in 0.0.0.0/0 and everything goes down the
pipe, or add specific ranges you want to go down the pipe and nothing
else.

Or you can go your own route (no pun intended) and make full use of
your OS routing and IP capability to get as complex as you need.

wg doesn't have a policy to take over your routing, but if you use
wg-quick, as mentioned in your first post, it's taking care of lots of
things for ease of use and, based on the content of your config, might
take over all routing.

Post your config and what you actually want to achieve and I am sure
this mailing list will have you up and running in no time.

On Tue, 5 Jan 2021 at 22:16, Chris Osicki <wg@osk.ch> wrote:
>
> On Wed, Jan 06, 2021 at 01:25:30AM +0500, Roman Mamedov wrote:
> > On Tue, 5 Jan 2021 21:12:12 +0100
> > Chris Osicki <wg@osk.ch> wrote:
> >
> > > As far as I can see after a few tests, the AllowedIPs config file option has nothing to do with routing, and I hope
> > > it will stay like this.
> >
> > wg-quick uses AllowedIPs to also set up matching entries in the system routing
> > table. This can be disabled in its config.
> >
> > > It is just a filter
> >
> > It is not only a filter on incoming packets, but also WG's internal routing
> > table for knowing which packets should be sent to which peer.
>
> I'm sorry to contradict you but after some more reading I have to :-)
> WG has no "internal routing table"; wg-quick (which, BTW, is not the subject of my query) uses it to modify
> kernel routing tables. From the wg-quick man page:
>
>        It infers all routes from the list of peers' allowed IPs, and automatically adds them to the system routing
>        table. If one of those routes is the default route (0.0.0.0/0 or ::/0), then it uses ip-rule(8) to handle
>        overriding of the default gateway.
>
> So, in my test config I have a server, 10.10.10.1, and two clients, 10.10.10.2/3.
> If on the server I remove the AllowedIPs option, no one can connect.
> Giving AllowedIPs = 10.10.10.0/24, both clients can connect and routing in them stays as it was.
> The same for the clients: without AllowedIPs = 10.10.10.0/24 they cannot connect.
>
> Thus, my question still remains: why this filtering function?
>
> >
> > --
> > With respect,
> > Roman
>
> Regards,
> Chris



-- 
Use this contact page to send me encrypted messages and files

https://flowcrypt.com/me/phillipmcmahon

P.S. Drowning in email? Try SaneBox and take back control:
http://sanebox.com/t/old3m. I love it.

* Re: WG default routing
  2021-01-05 23:50         ` Phillip McMahon
@ 2021-01-06  1:03           ` Corey Costello
  0 siblings, 0 replies; 10+ messages in thread
From: Corey Costello @ 2021-01-06  1:03 UTC (permalink / raw)
  To: Phillip McMahon
  Cc: Chris Osicki, Roman Mamedov, Gijs Conijn, WireGuard mailing list

Can someone take me off this list?

I've tried like 4 times replying to the WireGuard list and it says Unsubscribed! And then comes back :(

> On Jan 5, 2021, at 6:50 PM, Phillip McMahon <phillip.mcmahon@gmail.com> wrote:
> 
> Hi Chris, your first post made it sound very much like a query on
> wg-quick; it's mentioned in a way that implies you're using it.
> 
> "...My first try was with wg-quick, and I noticed all my traffic went
> through the WG-VPN connection.
> It escapes me why. What is the idea behind this policy?
> 
> On my Linux boxes it's not a problem, I don't have to use wg-quick and
> with a few lines of bash in a script I have what I need. I have
> root...."
> 
> On the working config I have, multiple clients, multiple wg tunnels
> and policy-based routing, AllowedIPs does set up entries in my routing
> table. Not setting anything in AllowedIPs results in what you are
> seeing: no traffic flow, as there are no routes established. wg uses
> your standard OS functionality for routing; try adding those routes
> manually and not in the wg config, and you should quickly see traffic
> start to flow.
> 
> The AllowedIPs function in the config is there to easily encapsulate simple
> routing requirements for tunnels, which probably satisfies the needs of
> most simple users. Stick in 0.0.0.0/0 and everything goes down the
> pipe, or add specific ranges you want to go down the pipe and nothing
> else.
> 
> Or you can go your own route (no pun intended) and make full use of
> your OS routing and IP capability to get as complex as you need.
> 
> wg doesn't have a policy to take over your routing, but if you use
> wg-quick, as mentioned in your first post, it's taking care of lots of
> things for ease of use and, based on the content of your config, might
> take over all routing.
> 
> Post your config and what you actually want to achieve and I am sure
> this mailing list will have you up and running in no time.
> 
> On Tue, 5 Jan 2021 at 22:16, Chris Osicki <wg@osk.ch> wrote:
>> 
>> On Wed, Jan 06, 2021 at 01:25:30AM +0500, Roman Mamedov wrote:
>>> On Tue, 5 Jan 2021 21:12:12 +0100
>>> Chris Osicki <wg@osk.ch> wrote:
>>> 
>>>> As far as I can see after a few tests, the AllowedIPs config file option has nothing to do with routing, and I hope
>>>> it will stay like this.
>>> 
>>> wg-quick uses AllowedIPs to also set up matching entries in the system routing
>>> table. This can be disabled in its config.
>>> 
>>>> It is just a filter
>>> 
>>> It is not only a filter on incoming packets, but also WG's internal routing
>>> table for knowing which packets should be sent to which peer.
>> 
>> I'm sorry to contradict you but after some more reading I have to :-)
>> WG has no "internal routing table"; wg-quick (which, BTW, is not the subject of my query) uses it to modify
>> kernel routing tables. From the wg-quick man page:
>> 
>>       It infers all routes from the list of peers' allowed IPs, and automatically adds them to the system routing
>>       table. If one of those routes is the default route (0.0.0.0/0 or ::/0), then it uses ip-rule(8) to handle
>>       overriding of the default gateway.
>> 
>> So, in my test config I have a server, 10.10.10.1, and two clients, 10.10.10.2/3.
>> If on the server I remove the AllowedIPs option, no one can connect.
>> Giving AllowedIPs = 10.10.10.0/24, both clients can connect and routing in them stays as it was.
>> The same for the clients: without AllowedIPs = 10.10.10.0/24 they cannot connect.
>> 
>> Thus, my question still remains: why this filtering function?
>> 
>>> 
>>> --
>>> With respect,
>>> Roman
>> 
>> Regards,
>> Chris
> 
> 
> 
> -- 
> Use this contact page to send me encrypted messages and files
> 
> https://flowcrypt.com/me/phillipmcmahon
> 
> P.S. Drowning in email? Try SaneBox and take back control:
> http://sanebox.com/t/old3m. I love it.


* Re: WG default routing
  2021-01-05 21:13       ` Chris Osicki
  2021-01-05 23:50         ` Phillip McMahon
@ 2021-01-06  1:17         ` Samuel Holland
  1 sibling, 0 replies; 10+ messages in thread
From: Samuel Holland @ 2021-01-06  1:17 UTC (permalink / raw)
  To: Chris Osicki, Roman Mamedov; +Cc: Gijs Conijn, WireGuard mailing list

On 1/5/21 3:13 PM, Chris Osicki wrote:
> On Wed, Jan 06, 2021 at 01:25:30AM +0500, Roman Mamedov wrote:
>> On Tue, 5 Jan 2021 21:12:12 +0100
>> Chris Osicki <wg@osk.ch> wrote:
>>
>>> As far as I can see after a few tests, the AllowedIPs config file option has nothing to do with routing, and I hope
>>> it will stay like this.
>>
>> wg-quick uses AllowedIPs to also set up matching entries in the system routing
>> table. This can be disabled in its config.
>>
>>> It is just a filter
>>
>> It is not only a filter on incoming packets, but also WG's internal routing
>> table for knowing which packets should be sent to which peer.
> 
> I'm sorry to contradict you but after some more reading I have to :-)
> WG has no "internal routing table"; wg-quick (which, BTW, is not the subject of my query) uses it to modify

Did you read this part of the home page?

https://www.wireguard.com/#conceptual-overview

	At the heart of WireGuard is a concept called Cryptokey Routing,
	which works by associating public keys with a list of tunnel IP
	addresses that are allowed inside the tunnel.

	[...]

	In the server configuration, when the network interface wants to
	send a packet to a peer (a client), it looks at that packet's
	destination IP and compares it to each peer's list of allowed
	IPs to see which peer to send it to.

	[...]

	In other words, when sending packets, the list of allowed IPs
	behaves as a sort of routing table, and when receiving packets,
	the list of allowed IPs behaves as a sort of access control
	list.

WireGuard itself does indeed have an internal routing table. And you
should really read that whole section.

> kernel routing tables. From the wg-quick man page:
> 
>        It infers all routes from the list of peers' allowed IPs, and automatically adds them to the system routing
>        table. If one of those routes is the default route (0.0.0.0/0 or ::/0), then it uses ip-rule(8) to handle
>        overriding of the default gateway.
> 
> So, in my test config I have a server, 10.10.10.1, and two clients, 10.10.10.2/3.
> If on the server I remove the AllowedIPs option, no one can connect.
> Giving AllowedIPs = 10.10.10.0/24, both clients can connect and routing in them stays as it was.
> The same for the clients: without AllowedIPs = 10.10.10.0/24 they cannot connect.
> 
> Thus, my question still remains: why this filtering function?

Because, as the WireGuard website explains, a tight, static binding
between a peer's identity and its IP address range is an extremely
useful building block, both for security and for designing a network
topology.

Cheers,
Samuel
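As an added example (not WireGuard's code and not posted by anyone in this thread), a small Python model of the Cryptokey Routing behaviour Roman and Samuel describe: the same AllowedIPs table acts as a longest-prefix routing table on send and as an access control list on receive, and wg-quick derives its system routes from it. Peer names stand in for public keys, and the addresses are constructed to mirror Chris's 10.10.10.x test setup; only the standard library is used.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Peer:
    name: str          # stands in for the peer's public key
    allowed_ips: list  # ip_network objects parsed from AllowedIPs

def parse_allowed_ips(value: str) -> list:
    """Parse an AllowedIPs value such as '10.10.0.0/16,192.168.1.0/24'.
    An omitted option (empty string) yields an empty list."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()]

def lookup(peers: list, ip: str) -> Optional[Peer]:
    """Most-specific (longest-prefix) match of one address against every
    peer's AllowedIPs; None means no peer owns that address."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:
            # 'in' is False across address families, so v4 and v6 never mix
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best

def select_peer_for_send(peers: list, dst_ip: str) -> Optional[Peer]:
    """Send side: AllowedIPs behaves as a routing table keyed on the
    destination. No match means the packet is dropped, not sent."""
    return lookup(peers, dst_ip)

def accept_from_peer(peers: list, peer: Peer, inner_src_ip: str) -> bool:
    """Receive side: AllowedIPs behaves as an access control list. The
    decrypted packet's inner source must resolve to the peer that sent
    it, so a peer cannot inject traffic claiming another peer's address."""
    return lookup(peers, inner_src_ip) is peer

def wg_quick_routes(peers: list) -> list:
    """Routes wg-quick derives for the system routing table: one per
    AllowedIPs prefix. A default route (0.0.0.0/0 or ::/0) is flagged
    because wg-quick installs it via ip-rule rather than a plain route."""
    routes = []
    for peer in peers:
        for net in peer.allowed_ips:
            kind = "default-via-ip-rule" if net.prefixlen == 0 else "route"
            routes.append((str(net), kind))
    return sorted(routes)

def demo_peers() -> list:
    """Constructed server-side peer table mirroring the thread's test setup:
    two clients at 10.10.10.2 and .3, one peer that carries everything
    else, and one peer whose AllowedIPs was left out entirely."""
    return [
        Peer("client2", parse_allowed_ips("10.10.10.2/32")),
        Peer("client3", parse_allowed_ips("10.10.10.3/32")),
        Peer("gateway", parse_allowed_ips("0.0.0.0/0")),
        Peer("no-allowed-ips", parse_allowed_ips("")),
    ]

if __name__ == "__main__":
    peers = demo_peers()
    print(select_peer_for_send(peers, "10.10.10.3").name)    # client3
    print(select_peer_for_send(peers, "8.8.8.8").name)       # gateway
    print(accept_from_peer(peers, peers[2], "10.10.10.3"))   # False
```

The peer with no AllowedIPs is never selected on send and never accepted on receive, which is the behaviour Chris observed when he removed the option on the server.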
