* wg-quick: "Endpoint" inside "Allowed IPs"
@ 2020-08-17 15:04 Daniel Hofer
From: Daniel Hofer @ 2020-08-17 15:04 UTC (permalink / raw)
To: wireguard
Hello to all,
Since this is my very first mail to a mailing list ever, I hope I do not
make any mistakes (especially because I could not find a bug tracker or
something similar to report my issue to).
I am working at a university and my institute switched to WireGuard a
few weeks back, which led to the following configuration file:
####################
[Interface]
Address = <Private IP>/32
PrivateKey = <redacted>
DNS = <University DNS>
[Peer]
PublicKey = <redacted>
AllowedIPs = <University class B segment>.0.0/16
Endpoint = <University class B segment>.123.456:<Port>
####################
I am using Arch Linux with wireguard-tools 1.0.20200513-1.
My university owns a public class B segment. The purpose of the VPN is
to access this segment, but the endpoint for wireguard is also located
inside said network.
When I want to connect using "wg-quick up <config file>", a route is
added for the "Allowed IPs" which unfortunately also covers the desired
endpoint. As a result, wireguard runs into a chicken and egg problem.
As a workaround, I added the following line to the [Interface] section
excluding the endpoint from the route created for the Allowed IPs:
PostUp = ip route add <University class B segment>.123.456 via $(ip route show default | awk '/default/ {print $3}')
Now to my question: Is wg-quick working as expected or did I miss
something? If my config is correct, wouldn't it be a good idea to let
wg-quick check if the endpoint is inside the allowed IPs and add the
route I am creating in the PostUp line automatically?
--
Daniel
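The check the message asks wg-quick to perform, written out as an added example (this is not code from the post above and not part of wireguard-tools): it parses a wg-quick config, tests whether the peer's Endpoint address falls inside any of that peer's AllowedIPs prefixes, and if so prints the host route that keeps the endpoint reachable via the current default gateway. All function names are hypothetical, the sample configs are constructed from RFC 5737 documentation addresses, and only IPv4 literal endpoints are handled; hostname and IPv6 endpoints are skipped rather than resolved.

```bash
#!/usr/bin/env bash
# Added example (not part of wireguard-tools): detect a wg-quick peer whose
# Endpoint address lies inside its own AllowedIPs, and print the host route
# that pins the endpoint to the existing default gateway. IPv4 literals only;
# function names and the sample configs below are constructed for this example.
set -eu

# ip4_to_int 198.51.100.20 -> 3325256724 (dotted quad to unsigned integer)
ip4_to_int() {
    local IFS=.
    # shellcheck disable=SC2086
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR: succeed when ADDR is covered by CIDR (e.g. 10.1.2.3 10.0.0.0/8)
in_cidr() {
    local addr=$1 cidr=$2 net plen mask
    case $cidr in */*) ;; *) cidr="$cidr/32" ;; esac   # a bare address means /32
    net=${cidr%/*}; plen=${cidr#*/}
    if [ "$plen" -eq 0 ]; then
        mask=0                                           # 0.0.0.0/0 covers everything
    else
        mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    fi
    [ $(( $(ip4_to_int "$addr") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# endpoint_host < CONFIG: print the Endpoint's IPv4 address without the port
# (prints nothing for a hostname or IPv6 endpoint, which this example does not handle)
endpoint_host() {
    sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*\([0-9.]*\):[0-9]*.*$/\1/p' | head -n 1
}

# allowed_prefixes < CONFIG: print every AllowedIPs prefix, one per line
allowed_prefixes() {
    sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' | tr ',' '\n' | tr -d ' \t'
}

# conflicting_prefixes CONFIG_FILE: print each AllowedIPs prefix that contains the
# Endpoint address; exit 0 when there is at least one, 1 otherwise
conflicting_prefixes() {
    local cfg=$1 host p found=1
    host=$(endpoint_host < "$cfg")
    [ -n "$host" ] || return 1
    for p in $(allowed_prefixes < "$cfg"); do
        case $p in *:*) continue ;; esac    # skip IPv6 prefixes
        if in_cidr "$host" "$p"; then
            echo "$p"
            found=0
        fi
    done
    return $found
}

# pin_route CONFIG_FILE GATEWAY: print the route command that keeps the endpoint
# reachable outside the tunnel, or nothing when the endpoint is not covered
pin_route() {
    local cfg=$1 gw=$2
    if conflicting_prefixes "$cfg" > /dev/null; then
        echo "ip route add $(endpoint_host < "$cfg")/32 via $gw"
    fi
}

# --- constructed sample configs (RFC 5737 documentation addresses) ---
CONFLICT_CFG=$(mktemp)   # endpoint 198.51.100.20 sits inside AllowedIPs 198.51.100.0/24
OK_CFG=$(mktemp)         # endpoint outside every AllowedIPs prefix: no extra route needed
trap 'rm -f "$CONFLICT_CFG" "$OK_CFG"' EXIT
cat > "$CONFLICT_CFG" <<'EOF'
[Interface]
Address = 10.8.0.2/32
PrivateKey = <redacted>

[Peer]
PublicKey = <redacted>
AllowedIPs = 198.51.100.0/24, 10.8.0.0/24
Endpoint = 198.51.100.20:51820
EOF
cat > "$OK_CFG" <<'EOF'
[Interface]
Address = 10.8.0.2/32
PrivateKey = <redacted>

[Peer]
PublicKey = <redacted>
AllowedIPs = 10.8.0.0/24
Endpoint = 198.51.100.20:51820
EOF

# Gateway: $GATEWAY if set, else the first IPv4 default route, else a placeholder.
GW=${GATEWAY:-$(ip -4 route show default 2>/dev/null | awk '/default/ {print $3; exit}')}
[ -n "$GW" ] || GW='<default-gateway>'

pin_route "$CONFLICT_CFG" "$GW"   # prints the fix-up route for the conflicting config
pin_route "$OK_CFG" "$GW"         # prints nothing
```

Two caveats a practitioner would want alongside the PostUp workaround in the message. First, wg-quick already avoids this loop for a 0.0.0.0/0 AllowedIPs by using an fwmark and policy routing instead of a plain route, so the problem only appears for a narrower prefix that happens to contain the endpoint, as here. Second, a route added in PostUp is not removed by wg-quick down; pair it with a PostDown line that runs the matching `ip route del`, and remember that pinning via the default gateway is only correct when the endpoint is actually reached through that gateway.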