From: Thomas Keppler <winfr34k@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: WireGuard on macOS sets default route when it shouldn't
Date: Mon, 10 May 2021 00:37:17 +0200
Message-ID: <4686FAEA-B9C0-4897-8422-954AB84B4E78@gmail.com>
Hello everyone,
on a remote system I administer, I have set up a WireGuard VPN. All in all, this process has worked swimmingly. However, I have got one big issue on all of my macOS clients and I'm not sure if it's a bug or if it's me just using the software wrong, aka holding it wrong.
I am not quite sure if this mailing list is the right place to bother with questions like this, but I will try my luck anyway :-)
Given a client configuration like so:
------------ 8< ------------
[Interface]
PrivateKey = <privkey>
Address = 192.168.1.1/32
DNS = 192.168.0.253
MTU = 1420
[Peer]
PublicKey = <pubkey>
PresharedKey = <psk>
AllowedIPs = 192.168.0.0/24, 192.168.1.254/32
Endpoint = <endpoint>:51820
------------ >8 ------------
When I activate the tunnel connection, I always get several routes pushed, all of which are OK except the default route:
------------ 8< ------------
default via link#19 dev utun6
192.168.0.0/24 dev utun6 scope link
192.168.1.1/32 via 192.168.1.1 dev utun6
192.168.1.254/32 dev utun6 scope link
224.0.0.0/4 dev utun6 scope link
255.255.255.255/32 dev utun6 scope link
------------ >8 ------------
From what I have read so far on other forums, Reddit, StackOverflow and such, the specific "AllowedIPs" I'm supplying should prevent the default route from being pushed. I have also tried to locate the code responsible for pushing these routes, but so far I could only gather that a "routeSocket" is established and watched in the Go internals that seems to be only read. The macOS app also does not seem to modify this socket (or any part I have read so far).
So given all of this, I have got two (main) questions (and an aside):
1.) Am I using WireGuard just plainly wrong or is it a Bug/Known Issue?
2.) Where is the code responsible for pushing routes?
3.) ...and what are good resources to check to get a better understanding of how this works internally?
Thank you very much for any response to this message in advance. I cannot wait to figure this one out!
--
Sincerely
Thomas Keppler
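Added example, not part of the original message and not WireGuard's own code: a small checker that derives the routes a client should expect from the configuration's Address and AllowedIPs, parses a route-table dump such as the one quoted above, and reports any route the tunnel interface carries that none of those entries explains. The sample configuration and route lines below are constructed from the message (the <privkey>, <pubkey>, <psk> and <endpoint> placeholders are kept as written); multicast (224.0.0.0/4) and the limited broadcast address (255.255.255.255/32) are treated as expected link-scope entries, which is an assumption of this checker. A default route (0.0.0.0/0) that AllowedIPs does not cover is exactly the condition the message describes, and it matters because it would send all of the client's traffic into the tunnel rather than only the configured prefixes.

```python
import ipaddress

# Constructed from the mailing-list message; placeholders kept as written there.
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = <privkey>
Address = 192.168.1.1/32
DNS = 192.168.0.253
MTU = 1420
[Peer]
PublicKey = <pubkey>
PresharedKey = <psk>
AllowedIPs = 192.168.0.0/24, 192.168.1.254/32
Endpoint = <endpoint>:51820
"""

# Constructed from the route table quoted in the message.
SAMPLE_ROUTES = """\
default via link#19 dev utun6
192.168.0.0/24 dev utun6 scope link
192.168.1.1/32 via 192.168.1.1 dev utun6
192.168.1.254/32 dev utun6 scope link
224.0.0.0/4 dev utun6 scope link
255.255.255.255/32 dev utun6 scope link
"""

# Link-scope entries a tunnel interface normally carries regardless of AllowedIPs
# (assumption of this checker, not something the message states).
LINK_SCOPE = [ipaddress.ip_network("224.0.0.0/4"),
              ipaddress.ip_network("255.255.255.255/32")]


def parse_config(text):
    """Return (interface_address, [allowed_ip networks]) from a wg-quick style config."""
    section = None
    address = None
    allowed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "Interface" and key == "Address":
            address = ipaddress.ip_network(value, strict=False)
        elif section == "Peer" and key == "AllowedIPs":
            allowed.extend(ipaddress.ip_network(v.strip(), strict=False)
                           for v in value.split(","))
    return address, allowed


def parse_routes(text):
    """Return the destination networks from a 'dest [via ...] dev ...' style dump."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        dest = line.split()[0]
        if dest == "default":
            routes.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            routes.append(ipaddress.ip_network(dest, strict=False))
    return routes


def unexpected_routes(address, allowed, routes):
    """Routes not contained in AllowedIPs, the interface address, or link-scope entries.

    A route is explained only if it lies inside an expected prefix; a wider route
    such as 0.0.0.0/0 is never explained by a narrower AllowedIPs entry.
    """
    expected = list(allowed) + LINK_SCOPE + ([address] if address else [])
    return [r for r in routes
            if not any(r.version == e.version and r.subnet_of(e) for e in expected)]


def check(config_text, route_text):
    """Convenience wrapper returning the unexpected routes as strings."""
    address, allowed = parse_config(config_text)
    return [str(r) for r in unexpected_routes(address, allowed, parse_routes(route_text))]


if __name__ == "__main__":
    for route in check(SAMPLE_CONFIG, SAMPLE_ROUTES):
        print("route not covered by AllowedIPs:", route)
```

Run against the sample, the only flagged entry is 0.0.0.0/0; the same function can be pointed at the output of a live route dump to confirm whether a tunnel is carrying more than its AllowedIPs say it should.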