Development discussion of WireGuard
* WireGuard on macOS sets default route when it shouldn't
@ 2021-05-09 22:37 Thomas Keppler
From: Thomas Keppler @ 2021-05-09 22:37 UTC (permalink / raw)
  To: wireguard

Hello everyone,

on a remote system I administer, I have set up a WireGuard VPN. All in all, this process has worked swimmingly. However, I have got one big issue on all of my macOS clients and I'm not sure if it's a bug or if it's just me using the software wrong, aka holding it wrong.

I am not quite sure if this mailing list is the right place to bother with questions like this, but I will try my luck anyway :-)

Given a client configuration like so:
------------ 8< ------------
[Interface]
PrivateKey = <privkey>
Address = 192.168.1.1/32
DNS = 192.168.0.253
MTU = 1420

[Peer]
PublicKey = <pubkey>
PresharedKey = <psk>
AllowedIPs = 192.168.0.0/24, 192.168.1.254/32
Endpoint = <endpoint>:51820
------------ >8 ------------

When I activate the tunnel connection, I always get several routes pushed, all of which are OK except the default route:
------------ 8< ------------
default via link#19 dev utun6
192.168.0.0/24 dev utun6  scope link
192.168.1.1/32 via 192.168.1.1 dev utun6
192.168.1.254/32 dev utun6  scope link
224.0.0.0/4 dev utun6  scope link
255.255.255.255/32 dev utun6  scope link
------------ >8 ------------

From what I have read so far on other forums, Reddit, StackOverflow and such, the specific "AllowedIPs" I'm supplying should prevent the default route from being pushed. I have also tried to locate the code responsible for pushing these routes, but so far I could only gather that a "routeSocket" is established and watched in the Go internals that seems to be only read. The macOS app also does not seem to modify this socket (or any part I have read so far).

So given all of this, I have got two (main) questions (and an aside):

1.) Am I using WireGuard just plainly wrong, or is it a bug/known issue?
2.) Where is the code responsible for pushing routes?
3.) ...and what are good resources to check to get a better understanding of how this works internally?

Thank you very much for any response to this message in advance. I cannot wait to figure this one out!

--
Sincerely
Thomas Keppler

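The check the post is implicitly asking for, written here as an added example (it is neither the poster's code nor part of WireGuard or its macOS app): wg-quick-style tooling installs one route per AllowedIPs prefix, so a default route on the tunnel interface is justified only if AllowedIPs contains 0.0.0.0/0 (or ::/0). The script parses the client config and the route table exactly as quoted in the post, and classifies every route on the tunnel device as justified by AllowedIPs, the interface's own host route, a link-scoped multicast/broadcast entry (assumed here to be installed by the OS for any interface), or unexpected. It assumes the ip-route-like notation the post used; macOS's own `netstat -rn` prints a different column layout, which this parser does not handle.

```python
"""Audit routes on a WireGuard tunnel interface against the config's AllowedIPs.

Added example, not code from the original post or from the WireGuard project.
Sample data below is the config and route table quoted in the post.
"""
import ipaddress
import re

# Client config quoted in the post (keys are elided there as well).
CLIENT_CONFIG = """\
[Interface]
PrivateKey = <privkey>
Address = 192.168.1.1/32
DNS = 192.168.0.253
MTU = 1420

[Peer]
PublicKey = <pubkey>
PresharedKey = <psk>
AllowedIPs = 192.168.0.0/24, 192.168.1.254/32
Endpoint = <endpoint>:51820
"""

# Route table quoted in the post, in the ip-route-like notation used there.
ROUTE_TABLE = """\
default via link#19 dev utun6
192.168.0.0/24 dev utun6  scope link
192.168.1.1/32 via 192.168.1.1 dev utun6
192.168.1.254/32 dev utun6  scope link
224.0.0.0/4 dev utun6  scope link
255.255.255.255/32 dev utun6  scope link
"""

# Link-scoped entries assumed to be installed by the OS for any interface;
# they are not derived from AllowedIPs and are reported separately.
SPECIAL_ROUTES = {ipaddress.ip_network("224.0.0.0/4"),
                  ipaddress.ip_network("255.255.255.255/32")}

# "<dst> [via <gw>] dev <ifname> ..." ; "default" stands for 0.0.0.0/0
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+\S+)?\s+dev\s+(?P<dev>\S+)")


def parse_config(text):
    """Return (interface addresses, AllowedIPs prefixes) from a wg-quick style config."""
    addresses, allowed = [], []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or line.lstrip().startswith("#"):
            continue
        values = [v.strip() for v in value.split(",") if v.strip()]
        if key.strip() == "Address":
            addresses += [ipaddress.ip_interface(v) for v in values]
        elif key.strip() == "AllowedIPs":
            allowed += [ipaddress.ip_network(v, strict=False) for v in values]
    return addresses, allowed


def parse_routes(text):
    """Return [(destination network, device)] from ip-route style lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        net = (ipaddress.ip_network("0.0.0.0/0") if dst == "default"
               else ipaddress.ip_network(dst, strict=False))
        routes.append((net, m.group("dev")))
    return routes


def classify_routes(routes, dev, addresses, allowed):
    """Map each route on `dev` to 'allowed', 'self', 'special' or 'unexpected'."""
    kinds = {}
    for net, route_dev in routes:
        if route_dev != dev:
            continue
        if any(net.version == a.version and net.subnet_of(a) for a in allowed):
            kind = "allowed"      # covered by an AllowedIPs prefix
        elif any(net.version == a.version and net.prefixlen == net.max_prefixlen
                 and net.network_address == a.ip for a in addresses):
            kind = "self"         # host route for the interface's own address
        elif net in SPECIAL_ROUTES:
            kind = "special"      # multicast/broadcast, assumed OS-installed
        else:
            kind = "unexpected"   # nothing in the config asks for this route
        kinds[str(net)] = kind
    return kinds


def audit(config_text, route_text, dev):
    """Classify every route on `dev` against the given client config."""
    addresses, allowed = parse_config(config_text)
    return classify_routes(parse_routes(route_text), dev, addresses, allowed)


def unexpected_routes(config_text, route_text, dev):
    """Sorted list of destinations on `dev` that the config does not justify."""
    return sorted(n for n, k in audit(config_text, route_text, dev).items()
                  if k == "unexpected")


if __name__ == "__main__":
    for net, kind in audit(CLIENT_CONFIG, ROUTE_TABLE, "utun6").items():
        print(f"{net:20} {kind}")
```

Run against the quoted data, the only "unexpected" entry is 0.0.0.0/0, which is the default route the post complains about; swapping the AllowedIPs line for `0.0.0.0/0` makes that same route "allowed", which is the configuration under which a full-tunnel default route would be legitimate.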