Development discussion of WireGuard
* wg-quick with default route fails on nfs root filesystem
@ 2021-07-14  9:54 Chris
From: Chris @ 2021-07-14  9:54 UTC
  To: wireguard

When wg-quick detects a default route through the tunnel it does this through a
new routing table with a default route.
However, not to destroy the existing non-default routes, these will be looked up and
used first. This results in the following policy rule entries:
(The priority numbers may be different from system to system)

32764:    from all lookup main suppress_prefixlength 0
32765:    not from all fwmark 0xca6c lookup 51820

It is very important of course, that the suppress_prefix rule comes first in the
list, before the second rule introduces the new default route (preventing the wireguard
traffic through its own tunnel).

The way to achieve this is done by the following command sequence:

ip -4 rule add not fwmark 51820 table 51820
ip -4 rule add table main suppress_prefixlength 0

The sequence of the commands is important as the latter command gets the higher
priority (lower number).

BUT:
In case your root filesystem needs the local network, the second command will
not be reached as the first command (setting the new default route) kills the
root filesystem and the system stalls!!!!!!

One possible solution:
Instead of adding the suppress_prefixlength 0 command second, it must be first.
Then you must find the priority of that rule and then add the default route with
the same priority.
A rule with same priority will be added AFTER the other rules.

Example:
ip -4 rule add table main suppress_prefixlength 0
PRIO=$(ip rule list from all|grep suppress_prefixlength|sed -e '{s/^\(.*\)\:.*/\1/;q}')
ip -4 rule add not fwmark 51820 table 51820 priority $PRIO

This will lead to the correct sequence:
32765:    from all lookup main suppress_prefixlength 0
32765:    not from all fwmark 0xca6c lookup 51820
(Note the same priority number)

There are probably better ways to circumvent cutting off the root filesystem.

Chris

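As an added example (not from Chris's mail and not part of wg-quick), a small POSIX shell audit that reads a captured `ip -4 rule list` and reports whether the suppress_prefixlength rule is consulted before the fwmark rule; it is run here against constructed listings for the safe, reversed and half-applied states, with the table/mark values taken from the thread.

```shell
# Added example, not part of the thread or of wg-quick itself: an audit
# function for the policy-rule ordering discussed above. It reads an
# `ip -4 rule list` dump on stdin and reports whether the
# "suppress_prefixlength 0" rule is consulted before the fwmark rule that
# sends everything else into table 51820. The listing is printed in
# evaluation order (ascending priority, insertion order on ties), so line
# position is what matters; equal priority numbers alone prove nothing.
check_rule_order() {
    awk '
        /lookup main suppress_prefixlength 0/ { sup = NR }
        /fwmark/ && /lookup 51820/            { mark = NR }
        END {
            if (!sup || !mark) { print "missing"; exit }
            if (sup < mark)    { print "safe" }
            else               { print "unsafe" }
        }'
}

# Constructed listings (not captured from a real host). Table and mark
# numbers follow the thread: table 51820, fwmark 51820 shown as 0xca6c.
SAFE_LISTING='0:      from all lookup local
32765:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default'

# The fwmark rule was added first and got the lower (stronger) priority,
# so local subnets, an NFS server included, are routed into the tunnel.
UNSAFE_LISTING='0:      from all lookup local
32764:  not from all fwmark 0xca6c lookup 51820
32765:  from all lookup main suppress_prefixlength 0
32766:  from all lookup main
32767:  from all lookup default'

# State between the two original wg-quick commands: the second rule never
# arrived, which is exactly the window in which the NFS root stalls.
PARTIAL_LISTING='0:      from all lookup local
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default'

for name in SAFE_LISTING UNSAFE_LISTING PARTIAL_LISTING; do
    eval "listing=\$$name"
    printf '%s: %s\n' "$name" "$(printf '%s\n' "$listing" | check_rule_order)"
done
```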


* Re: wg-quick with default route fails on nfs root filesystem
From: Tom Yan @ 2021-07-30  3:27 UTC
  To: Chris, Jason; +Cc: wireguard

Hi Chris,

So I did a test and took a look at the log:
...
wg-quick[2003]: [#] ip -4 route add 0.0.0.0/0 dev aliyun table 51820
wg-quick[2003]: [#] ip -4 rule add not fwmark 51820 table 51820
wg-quick[2003]: [#] ip -4 rule add table main suppress_prefixlength 0
...

What if wg-quick adds the route after adding both rules? AFAIK, a rule
will be a no-op if the table it looks up is empty.

Regards,
Tom

On Wed, 14 Jul 2021 at 18:00, Chris <wireguard@spam-free.eu> wrote:
>
> When wg-quick detects a default route through the tunnel it does this through a
> new routing table with a default route.
> However, not to destroy the existing non-default routes, these will be looked up and
> used first. This results in the following policy rule entries:
> (The priority numbers may be different from system to system)
>
> 32764:    from all lookup main suppress_prefixlength 0
> 32765:    not from all fwmark 0xca6c lookup 51820
>
> It is very important of course, that the suppress_prefix rule comes first in the
> list, before the second rule introduces the new default route (preventing the wireguard
> traffic through its own tunnel).
>
> The way to achieve this is done by the following command sequence:
>
> ip -4 rule add not fwmark 51820 table 51820
> ip -4 rule add table main suppress_prefixlength 0
>
> The sequence of the commands is important as the latter command gets the higher
> priority (lower number).
>
> BUT:
> In case your root filesystem needs the local network, the second command will
> not be reached as the first command (setting the new default route) kills the
> root filesystem and the system stalls!!!!!!
>
> One possible solution:
> Instead of adding the suppress_prefixlength 0 command second, it must be first.
> Then you must find the priority of that rule and then add the default route with
> the same priority.
> A rule with same priority will be added AFTER the other rules.
>
> Example:
> ip -4 rule add table main suppress_prefixlength 0
> PRIO=$(ip rule list from all|grep suppress_prefixlength|sed -e '{s/^\(.*\)\:.*/\1/;q}')
> ip -4 rule add not fwmark 51820 table 51820 priority $PRIO
>
> This will lead to the correct sequence:
> 32765:    from all lookup main suppress_prefixlength 0
> 32765:    not from all fwmark 0xca6c lookup 51820
> (Note the same priority number)
>
> There are probably better ways to circumvent cutting off the root filesystem.
>
> Chris
>
