Development discussion of WireGuard
From: Phillip McMahon <phillip.mcmahon@gmail.com>
To: Chris Osicki <wg@osk.ch>
Cc: Roman Mamedov <rm@romanrm.net>, Gijs Conijn <egc112@outlook.com>,
	 WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: WG default routing
Date: Wed, 6 Jan 2021 00:50:58 +0100
Message-ID: <CABtXGiB0bOWtmOSbJCnGFRM9d-7W0+L4QUz=ZvmX35b8hyzG_A@mail.gmail.com>
In-Reply-To: <20210105211301.GC31054@server>

Hi Chris, your first post made it sound very much like a query on
wg-quick; it's mentioned in a way that implies you're using it.

"...My first try was with wg-quick, and noticed all my traffic went
through the WG-VPN connection.
It escapes me why. What is the idea behind this policy?

On my Linux boxes it's not a problem, I don't have to use wg-quick and
with a few lines of bash in a script I have what I need. I have
root...."

On the working config I have, multiple clients, multiple wg tunnels
and policy-based routing, AllowedIPs does set up entries in my routing
table. Not setting another in AllowedIPs results in what you are
seeing, no traffic flow as there are no routes established. wg uses
your standard OS functionality for routing; try adding those routes
manually and not in the wg config and you should quickly see traffic
start to flow.

The AllowedIPs function in the config is to easily encapsulate simple
routing requirements for tunnels, which probably satisfies the needs of
most simple users. Stick in 0.0.0.0/0 and everything goes down the
pipe, or add specific ranges you want to go down the pipe and nothing
else.

Or you can go your own route (no pun intended) and make full use of
your OS routing and IP capability to get as complex as you need.

wg doesn't have a policy to take over your routing, but if you use
wg-quick as mentioned in your first post, it's taking care of lots of
things for ease of use and, based on the content of your config, might
take over all routing.

Post your config and what you actually want to achieve and I am sure
this mailing list will have you up and running in no time.

On Tue, 5 Jan 2021 at 22:16, Chris Osicki <wg@osk.ch> wrote:
>
> On Wed, Jan 06, 2021 at 01:25:30AM +0500, Roman Mamedov wrote:
> > On Tue, 5 Jan 2021 21:12:12 +0100
> > Chris Osicki <wg@osk.ch> wrote:
> >
> > > As far as I can see after few tests, AllowedIPs config file option has nothing to do with routing and I hope
> > > it will stay like this.
> >
> > wg-quick uses AllowedIPs to also set up matching entries in the system routing
> > table. This can be disabled in its config.
> >
> > > It is just a filter
> >
> > It is not only a filter on incoming packets, but also WG's internal routing
> > table for knowing which packets should be sent to which peer.
>
> I'm sorry to contradict you but after some more reading I have to :-)
> WG has no "internal routing table"; wg-quick (which, BTW, is not the subject of my query) uses it to modify
> kernel routing tables, from the wg-quick man page:
>
>        It infers all routes from the list of peers' allowed IPs, and automatically adds them to the system routing
>        table. If one of those routes is the default route (0.0.0.0/0 or ::/0), then it uses ip-rule(8) to handle
>        overriding of the default gateway.
>
> So, in my test config I have a server, 10.10.10.1, and two clients, 10.10.10.2/3.
> If on the server I remove the AllowedIPs option, no one can connect.
> Giving AllowedIPs = 10.10.10.0/24, both clients can connect and routing in them stays as it was.
> The same for the clients: without AllowedIPs = 10.10.10.0/24 they cannot connect.
>
> Thus, my question still remains: why this filtering function?
>
> >
> > --
> > With respect,
> > Roman
>
> Regards,
> Chris



-- 
Use this contact page to send me encrypted messages and files

https://flowcrypt.com/me/phillipmcmahon

P.S. Drowning in email? Try SaneBox and take back control:
http://sanebox.com/t/old3m. I love it.
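The point made above, that wg itself installs no routes and wg-quick merely derives them from each peer's AllowedIPs, can be shown by doing that derivation by hand. The script below is an added example, not code from the thread or from the WireGuard project: it reads a constructed sample config, prints one ip(8) route per AllowedIPs entry, and for a default route (0.0.0.0/0 or ::/0) prints the separate-table and fwmark rule steps the wg-quick man page describes instead of replacing the main default gateway. The interface name wg0, the table number 51820 and the placeholder keys are assumptions; nothing is executed, so the output can be reviewed before it is run.

```shell
#!/bin/sh
# Constructed sample config (not from the thread): one peer covering a
# host and a LAN range, one peer that is meant to carry all traffic.
WG_CONF_SAMPLE='[Interface]
Address = 10.10.10.1/24
PrivateKey = PLACEHOLDER_PRIVATE_KEY

[Peer]
PublicKey = PLACEHOLDER_PEER1
AllowedIPs = 10.10.10.2/32, 192.168.50.0/24

[Peer]
PublicKey = PLACEHOLDER_PEER2
AllowedIPs = 0.0.0.0/0
'

# Print the ip(8) commands that install one route per AllowedIPs entry
# for interface $2, reading the config text from $1 and using routing
# table $3 (default 51820) for any default route. Nothing is executed.
wg_routes_from_conf() {
    conf=$1; iface=$2; table=${3:-51820}
    printf '%s\n' "$conf" |
    sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' |
    tr ',' '\n' | tr -d ' \t' | grep -v '^$' |
    while IFS= read -r cidr; do
        case $cidr in
            0.0.0.0/0|::/0)
                # A plain default route would also swallow the encrypted
                # packets to the peer endpoint. Mirror wg-quick: keep it in
                # its own table and steer only unmarked traffic there.
                fam=-4; [ "$cidr" = "::/0" ] && fam=-6
                printf 'wg set %s fwmark %s\n' "$iface" "$table"
                printf 'ip %s route add %s dev %s table %s\n' "$fam" "$cidr" "$iface" "$table"
                printf 'ip %s rule add not fwmark %s table %s\n' "$fam" "$table" "$table"
                printf 'ip %s rule add table main suppress_prefixlength 0\n' "$fam"
                ;;
            *)
                # Specific ranges: an ordinary route through the tunnel
                # device, exactly what wg-quick would add for this entry.
                printf 'ip route add %s dev %s\n' "$cidr" "$iface"
                ;;
        esac
    done
}

wg_routes_from_conf "$WG_CONF_SAMPLE" wg0
```

Dropping the 0.0.0.0/0 peer from the sample leaves only the two specific routes, which is the "routes only for the ranges you list" behaviour described in the reply.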
