* WG default routing
From: Chris Osicki @ 2021-01-03 21:54 UTC
To: WireGuard mailing list

Hi

I am quite new to WireGuard, moving after years of OpenVPN, and found it simple and _really good_.
One thing, however, makes me wonder. Why does WG always try to take over all my routing?
My first try was with wg-quick, and I noticed all my traffic went through the WG-VPN connection.
It escapes me why. What is the idea behind this policy?

On my Linux boxes it's not a problem, I don't have to use wg-quick and with a few lines of bash in a script I have what I need. I have root.
On my Android devices I don't have root, and I cannot change anything in routing etc.
Why don't you provide an option to specify which net to route which way?

Regards,
Chris
* RE: WG default routing
From: Gijs Conijn @ 2021-01-04 13:22 UTC
To: Chris Osicki, WireGuard mailing list

That is what I am using the AllowedIPs for.
I only want to route via the tunnel to my home LAN, so I enter the WG subnet and the home LAN subnet in AllowedIPs.
(As I understood it, AllowedIPs are not only allowed but also routed via the tunnel.)

Regards, Erik
DDWRT WireGuard user
* Re: WG default routing
From: Chris Osicki @ 2021-01-05 20:12 UTC
To: Gijs Conijn; Cc: WireGuard mailing list

On Mon, Jan 04, 2021 at 01:22:31PM +0000, Gijs Conijn wrote:
> That is what I am using the AllowedIPs for.
> I only want to route via the tunnel to my home LAN, so I enter the WG subnet and the home LAN subnet in AllowedIPs.
> (As I understood it, AllowedIPs are not only allowed but also routed via the tunnel.)
>
> Regards, Erik
> DDWRT WireGuard user

Hi

As far as I can see after a few tests, the AllowedIPs config file option has nothing to do with routing and I hope it will stay like this.
It is just a filter, and the next question arises: why this? Don't we have iptables/nftables?
Or is it for non-Unix-like systems?

Regards,
Chris
* Re: WG default routing
From: Roman Mamedov @ 2021-01-05 20:25 UTC
To: Chris Osicki; Cc: Gijs Conijn, WireGuard mailing list

On Tue, 5 Jan 2021 21:12:12 +0100 Chris Osicki <wg@osk.ch> wrote:
> As far as I can see after a few tests, the AllowedIPs config file option has nothing to do with routing and I hope
> it will stay like this.

wg-quick uses AllowedIPs to also set up matching entries in the system routing table. This can be disabled in its config.

> It is just a filter

It is not only a filter on incoming packets, but also WG's internal routing table for knowing which packets should be sent to which peer.

--
With respect,
Roman
* Re: WG default routing
From: Chris Osicki @ 2021-01-05 21:13 UTC
To: Roman Mamedov; Cc: Gijs Conijn, WireGuard mailing list

On Wed, Jan 06, 2021 at 01:25:30AM +0500, Roman Mamedov wrote:
> wg-quick uses AllowedIPs to also set up matching entries in the system routing
> table. This can be disabled in its config.
>
> > It is just a filter
>
> It is not only a filter on incoming packets, but also WG's internal routing
> table for knowing which packets should be sent to which peer.

I'm sorry to contradict you but after some more reading I have to :-)
WG has no "internal routing table"; wg-quick (which, BTW, is not the subject of my query) uses it to modify kernel routing tables. From the wg-quick man page:

    It infers all routes from the list of peers' allowed IPs, and automatically adds them to the system routing
    table. If one of those routes is the default route (0.0.0.0/0 or ::/0), then it uses ip-rule(8) to handle
    overriding of the default gateway.

So, in my test config I have a server, 10.10.10.1, and two clients, 10.10.10.2/3.
If on the server I remove the AllowedIPs option, no one can connect.
Giving AllowedIPs = 10.10.10.0/24, both clients can connect and routing in them stays as it was.
The same for the clients: without AllowedIPs = 10.10.10.0/24 they cannot connect.

Thus, my question still remains: why this filtering function?

Regards,
Chris
* Re: WG default routing
From: Phillip McMahon @ 2021-01-05 23:50 UTC
To: Chris Osicki; Cc: Roman Mamedov, Gijs Conijn, WireGuard mailing list

Hi Chris, your first post made it sound very much like a query on wg-quick; it's mentioned in a way that implies you're using it.

"...My first try was with wg-quick, and noticed all my traffic went through the WG-VPN connection.
It escapes me why. What is the idea behind this policy?

On my Linux boxes it's not a problem, I don't have to use wg-quick and with few lines of bash in a script I have what I need. I have root...."

On the working config I have, multiple clients, multiple wg tunnels and policy-based routing, AllowedIPs does set up entries in my routing table. Not setting anything in AllowedIPs results in what you are seeing, no traffic flow as there are no routes established. wg uses your standard OS functionality for routing; try adding those routes manually and not in the wg config and you should quickly see traffic start to flow.

The AllowedIPs function in the config is to easily encapsulate simple routing requirements for tunnels, which probably satisfies the needs of most simple users. Stick in 0.0.0.0/0 and everything goes down the pipe, or add specific ranges you want to go down the pipe and nothing else.

Or you can go your own route (no pun intended) and make full use of your OS routing and IP capability to get as complex as you need.

wg doesn't have a policy to take over your routing, but if you use wg-quick as mentioned in your first post it's taking care of lots of things for ease of use and, based on the content of your config, might take over all routing.

Post your config and what you actually want to achieve and I am sure this mailing list will have you up and running in no time.

--
Use this contact page to send me encrypted messages and files
https://flowcrypt.com/me/phillipmcmahon
* Re: WG default routing
From: Corey Costello @ 2021-01-06 1:03 UTC
To: Phillip McMahon; Cc: Chris Osicki, Roman Mamedov, Gijs Conijn, WireGuard mailing list

Can someone take me off this list? I've tried like 4 times replying to the wireguard list and it says Unsubscribed! And then comes back :(
* Re: WG default routing
From: Samuel Holland @ 2021-01-06 1:17 UTC
To: Chris Osicki, Roman Mamedov; Cc: Gijs Conijn, WireGuard mailing list

On 1/5/21 3:13 PM, Chris Osicki wrote:
> On Wed, Jan 06, 2021 at 01:25:30AM +0500, Roman Mamedov wrote:
>> It is not only a filter on incoming packets, but also WG's internal routing
>> table for knowing which packets should be sent to which peer.
>
> I'm sorry to contradict you but after some more reading I have to :-)
> WG has no "internal routing table", wg-quick (which, BTW, is not the subject of my query) uses it to modify

Did you read this part of the home page?

https://www.wireguard.com/#conceptual-overview

    At the heart of WireGuard is a concept called Cryptokey Routing, which works by associating public keys
    with a list of tunnel IP addresses that are allowed inside the tunnel. [...] In the server configuration,
    when the network interface wants to send a packet to a peer (a client), it looks at that packet's
    destination IP and compares it to each peer's list of allowed IPs to see which peer to send it to. [...]
    In other words, when sending packets, the list of allowed IPs behaves as a sort of routing table, and
    when receiving packets, the list of allowed IPs behaves as a sort of access control list.

WireGuard itself does indeed have an internal routing table. And you should really read that whole section.

> kernel routing tables, from the wg-quick man page:
>
> It infers all routes from the list of peers' allowed IPs, and automatically adds them to the system routing
> table. If one of those routes is the default route (0.0.0.0/0 or ::/0), then it uses ip-rule(8) to handle
> overriding of the default gateway.
>
> So, in my test config I have a server, 10.10.10.1, and two clients, 10.10.10.2/3.
> If on the server I remove the AllowedIPs option, no one can connect.
> Giving AllowedIPs = 10.10.10.0/24, both clients can connect and routing in them stays as it was.
> The same for the clients: without AllowedIPs = 10.10.10.0/24 they cannot connect.
>
> Thus, my question still remains: why this filtering function?

Because, as the WireGuard website explains, a tight, static binding between a peer's identity and its IP address range is an extremely useful building block, both for security and for designing a network topology.

Cheers,
Samuel
* Re: WG default routing
From: Henning Reich @ 2021-01-04 13:38 UTC
To: Chris Osicki; Cc: WireGuard mailing list

Hi,
you can control how the traffic is routed with the AllowedIPs option. If you use 0.0.0.0/0, all traffic is routed through the WireGuard tunnel.
If you just allow, for example, 10.10.10.10/32, only 10.10.10.10 is allowed. 10.10.0.0/16,192.168.1.0/24 will allow 10.10.0.0-10.10.254.254 and 192.168.1.0-192.168.1.254, and so on...

I use

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 172.16.16.0/24,10.10.0.0/16,10.0.0.0/16
Endpoint = 123.123.123.123:12346
PersistentKeepalive=30
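A small model of the Cryptokey Routing that Samuel quotes from the WireGuard site, exercised with Chris's 10.10.10.x test hosts and the AllowedIPs value from Henning's [Peer] block. It is an added example, not WireGuard's or wg-quick's code; the peer names, the extra gateway peer owning 0.0.0.0/0, and the route listing that approximates what wg-quick derives from the same list are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class CryptokeyRouter:
    """Model of Cryptokey Routing: each peer's AllowedIPs is a routing table on
    send (longest prefix match on the destination picks the peer) and an access
    control list on receive (the inner source must be in the sender's list)."""

    def __init__(self) -> None:
        # One trie in WireGuard: a prefix given to two peers belongs to the last.
        self._table: List[Tuple[Net, str]] = []

    def add_peer(self, peer: str, allowed_ips: str) -> None:
        """Register one [Peer] block's AllowedIPs value (comma-separated CIDRs)."""
        for cidr in allowed_ips.split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            self._table = [(n, p) for n, p in self._table if n != net]
            self._table.append((net, peer))

    def peer_for_destination(self, dst: str) -> Optional[str]:
        """Send side: the most specific entry containing dst selects the peer;
        None means no peer claims the address and the packet is dropped."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Tuple[Net, str]] = None
        for net, peer in self._table:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def accept_from_peer(self, peer: str, src: str) -> bool:
        """Receive side: a packet authenticated as coming from `peer` is delivered
        only if its inner source address is inside that peer's AllowedIPs."""
        addr = ipaddress.ip_address(src)
        return any(p == peer and addr.version == net.version and addr in net
                   for net, p in self._table)

    def wg_quick_routes(self, ifname: str) -> List[str]:
        """Routes wg-quick would derive from the same list (an approximation based
        on the man page text quoted in the thread): one route per entry, except
        that a default route (0.0.0.0/0 or ::/0) is handled with ip-rule."""
        cmds = []
        for net, _ in self._table:
            if net.prefixlen == 0:
                cmds.append(f"# {net}: default route, overridden via ip rule")
            else:
                cmds.append(f"ip -{net.version} route add {net} dev {ifname}")
        return cmds


def server_table() -> CryptokeyRouter:
    """Server 10.10.10.1 from Chris's test with one /32 per client instead of a
    shared 10.10.10.0/24, plus a constructed 'gateway' peer owning 0.0.0.0/0."""
    r = CryptokeyRouter()
    r.add_peer("client2", "10.10.10.2/32")
    r.add_peer("client3", "10.10.10.3/32")
    r.add_peer("gateway", "0.0.0.0/0")
    return r


def client_table() -> CryptokeyRouter:
    """Client using the AllowedIPs from Henning's [Peer] block ('site' is a
    constructed peer name); anything outside those ranges is not tunnelled."""
    c = CryptokeyRouter()
    c.add_peer("site", "172.16.16.0/24,10.10.0.0/16,10.0.0.0/16")
    return c
```

With the per-client /32 entries, a client that puts another client's address as the inner source of its packets is dropped on receive, which is the access-control half of the same list that routes outgoing packets.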
* Re: WG default routing
From: Chris Osicki @ 2021-01-05 20:15 UTC
To: Henning Reich; Cc: WireGuard mailing list

On Mon, Jan 04, 2021 at 02:38:23PM +0100, Henning Reich wrote:
> Hi,
> you can control how the traffic is routed with the AllowedIPs option. If
> you use 0.0.0.0/0, all traffic is routed through the WireGuard tunnel.
> If you just allow, for example, 10.10.10.10/32, only 10.10.10.10 is
> allowed. 10.10.0.0/16,192.168.1.0/24 will allow
> 10.10.0.0-10.10.254.254 and 192.168.1.0-192.168.1.254, and so on...
>
> I use
> [Peer]
> PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> AllowedIPs = 172.16.16.0/24,10.10.0.0/16,10.0.0.0/16
> Endpoint = 123.123.123.123:12346
> PersistentKeepalive=30

Hi,

As I wrote in another mail, the AllowedIPs config file option has nothing to do with routing, IMHO.
It looks just like a filter.

Regards,
Chris