Development discussion of WireGuard
* wg-quick: "Endpoint" inside "Allowed IPs"
@ 2020-08-17 15:04 Daniel Hofer
From: Daniel Hofer @ 2020-08-17 15:04 UTC (permalink / raw)
  To: wireguard

Hello to all,

Since this is my very first mail to a mailing list ever, I hope I do not
make any mistake (especially because I could not find a bugtracker or
something similar to write my issue to).

I am working at a university and my institute switched to WireGuard a
few weeks back, which led to the following configuration file:

####################
[Interface]
Address = <Private IP>/32
PrivateKey = <redacted>
DNS = <University DNS>

[Peer]
PublicKey = <redacted>
AllowedIPs = <University class B segment>.0.0/16
Endpoint = <University class B segment>.123.456:<Port>
####################

I am using Arch Linux with wireguard-tools 1.0.20200513-1.

My university owns a public class B segment. The purpose of the VPN is
to access this segment, but the endpoint for wireguard is also located
inside said network.
When I want to connect using "wg-quick up <config file>", a route is
added for the "Allowed IPs" which unfortunately also covers the desired
endpoint. As a result, wireguard runs into a chicken and egg problem.

As a workaround, I added the following line to the [Interface] section
excluding the endpoint from the route created for the Allowed IPs:
PostUp = ip route add <University class B segment>.123.456 via $(ip route show default | awk '/default/ {print $3}')

Now to my question: Is wg-quick working as expected or did I miss
something? If my config is correct, wouldn't it be a good idea to let
wg-quick check if the endpoint is inside the allowed IPs and add the
route I am creating in the PostUp line automatically?

--
Daniel
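The check the message asks wg-quick for, written as an added example (not code from wireguard-tools or from the poster): it parses a wg-quick style config, flags every peer whose Endpoint falls inside that same peer's AllowedIPs, and emits the host route the PostUp line above adds by hand. The sample config and its RFC 5737 documentation addresses are constructed; hostname endpoints are skipped rather than resolved.

```python
import ipaddress

# Constructed wg-quick config modelled on the one in the message; the
# addresses are RFC 5737 documentation ranges, not a real network.
SAMPLE_CONFIG = """\
[Peer]
PublicKey = <redacted>
AllowedIPs = 203.0.113.0/24, 198.51.100.0/24
Endpoint = 203.0.113.45:51820
"""

def parse_peers(text):
    """Return [{'endpoint': host_or_None, 'allowed': [ip_network, ...]}] per [Peer]."""
    peers, section = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append({"endpoint": None, "allowed": []})
        elif section == "peer" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() == "allowedips":
                peers[-1]["allowed"] += [ipaddress.ip_network(v.strip(), strict=False)
                                         for v in value.split(",")]
            elif key.lower() == "endpoint":
                # drop the port; IPv6 endpoints are written [addr]:port
                peers[-1]["endpoint"] = value.rsplit(":", 1)[0].strip("[]")
    return peers

def shadowed_endpoints(text):
    """Return (endpoint_ip, allowed_network) pairs where the peer's own
    AllowedIPs route would swallow the path to its endpoint."""
    found = []
    for peer in parse_peers(text):
        try:
            ip = ipaddress.ip_address(peer["endpoint"])
        except (TypeError, ValueError):
            continue  # no endpoint, or a hostname that would need resolving
        for net in peer["allowed"]:
            if ip.version == net.version and ip in net:
                found.append((str(ip), str(net)))
                break
    return found

def bypass_route_commands(text):
    """One IPv4 host route per shadowed endpoint, as the message's PostUp line does."""
    return [f"ip route add {ip} via $(ip route show default | awk '/default/ {{print $3}}')"
            for ip, _ in shadowed_endpoints(text)]
```

A more-specific host route wins over the /16 that wg-quick installs for AllowedIPs, which is why the PostUp workaround restores reachability of the endpoint.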


