From: "Patrick O'Sullivan" <irish@insaneirish.com>
To: wireguard@lists.zx2c4.com
Subject: Why does 'allowed-ips' affect route selection behavior?
Date: Sun, 15 Apr 2018 14:49:23 -0400
Message-ID: <CA+bb15uz7jkD2GZhSQANkH9JPi5Sq2g20wrm0avTRFiOMJ55iA@mail.gmail.com>

Hi Folks,

Getting my feet wet with wireguard and enjoying the simplicity and
performance thus far. Nonetheless, I have a question about how the
normal route selection process is being affected by what's configured
for 'allowed-ips'.

I set up a peer and configured 'allowed-ips' for 0.0.0.0/0, as I was
going to be sending multiple routes over the peer link via BGP and
didn't want to keep modifying it. However, even though my default
route was over a different interface, this seemed to result in Linux
trying to route default traffic over wg0 despite there not being a
default route pointing to wg0.

Specifically:

$ sudo ip route show
default via 10.199.199.1 dev wlan0
10.111.111.0/24 dev wg0 proto kernel scope link src 10.111.111.100
10.199.199.0/24 dev wlan0 proto kernel scope link src 10.199.199.131

By this route table, traffic to e.g. 4.2.2.1 should use 10.199.199.1.
Packet captures were showing traffic trying to instead use wg0. Then I
found this:

$ sudo ip route get 4.2.2.1
4.2.2.1 dev wg0 table 51820 src 10.111.111.100
    cache

Can someone please explain this behavior?

Obligatory...

$ uname -rvm
4.14.30-v7+ #1102 SMP Mon Mar 26 16:45:49 BST 2018 armv7l

And...

$ dpkg -l | grep wireguard
ii wireguard 0.0.20180413-1 all
fast, modern, secure kernel VPN tunnel (metapackage)
ii wireguard-dkms 0.0.20180413-1 all
fast, modern, secure kernel VPN tunnel (DKMS version)
ii wireguard-tools 0.0.20180413-1 armhf
fast, modern, secure kernel VPN tunnel (userland utilities)
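
The mismatch shown in the message, checked mechanically (an added example, not part of the original post or of WireGuard's tooling): it does a longest-prefix match over the `ip route show` output and compares the result with the `ip route get` line, flagging a lookup that was answered from a table other than main. The function names are this example's own, and the sample input is the output quoted in the message.

```python
import ipaddress
import re

# Sample input: the two command outputs quoted in the message above.
MAIN_TABLE = """\
default via 10.199.199.1 dev wlan0
10.111.111.0/24 dev wg0 proto kernel scope link src 10.111.111.100
10.199.199.0/24 dev wlan0 proto kernel scope link src 10.199.199.131
"""
ROUTE_GET = "4.2.2.1 dev wg0 table 51820 src 10.111.111.100"

def parse_main_table(text):
    """Return [(network, dev)] from `ip route show` output (IPv4 routes with a dev)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[1:]:
            continue  # blank line, or blackhole/unreachable style entry
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes

def main_table_dev(routes, dst):
    """Longest-prefix match of dst against the main table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def parse_route_get(line):
    """Extract dst, dev and table from an `ip route get` line; no 'table' means main."""
    dst = re.search(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", line).group(0)
    dev = re.search(r"\bdev (\S+)", line)
    table = re.search(r"\btable (\S+)", line)
    return {"dst": dst, "dev": dev.group(1) if dev else None,
            "table": table.group(1) if table else "main"}

def compare(main_text, route_get_line):
    """Flag a lookup whose answer differs from what the main table alone selects."""
    got = parse_route_get(route_get_line)
    got["main_dev"] = main_table_dev(parse_main_table(main_text), got["dst"])
    got["policy_routed"] = got["table"] != "main" or got["dev"] != got["main_dev"]
    return got

if __name__ == "__main__":
    r = compare(MAIN_TABLE, ROUTE_GET)
    print(f"{r['dst']}: main table selects {r['main_dev']}, kernel used "
          f"{r['dev']} (table {r['table']}), policy_routed={r['policy_routed']}")
```

When the flag is set, `ip rule show` and `ip route show table <N>` for the reported table are the next outputs to inspect.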