From: Chris <wireguard@spam-free.eu>
To: wireguard <wireguard@lists.zx2c4.com>
Subject: wg-quick with default route fails on nfs root filesystem
Date: Wed, 14 Jul 2021 11:54:42 +0200
Message-ID: <e4fef9da-ee7f-d1db-036e-b294785d9ee8@spam-free.eu>
When wg-quick detects a default route through the tunnel it does this through a
new routing table with a default route.
However, not to destroy the existing non-default routes, these will be looked up
and used first. This results in the following policy rule entries (the priority
numbers may be different from system to system):
32764: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xca6c lookup 51820
It is very important, of course, that the suppress_prefix rule comes first in the
list, before the second rule introduces the new default route (preventing the
WireGuard traffic from going through its own tunnel).
The way to achieve this is the following command sequence:
ip -4 rule add not fwmark 51820 table 51820
ip -4 rule add table main suppress_prefixlength 0
The sequence of the commands is important as the latter command gets the higher
priority (lower number).
BUT:
In case your root filesystem needs the local network, the second command will
not be reached, as the first command (setting the new default route) kills the
root filesystem and the system stalls!
One possible solution:
Instead of adding the suppress_prefixlength 0 command second, it must be first.
Then you must find the priority of that rule and add the default route with
the same priority.
A rule with the same priority will be added AFTER the other rules.
Example:
ip -4 rule add table main suppress_prefixlength 0
PRIO=$(ip rule list from all|grep suppress_prefixlength|sed -e '{s/^\(.*\)\:.*/\1/;q}')
ip -4 rule add not fwmark 51820 table 51820 priority $PRIO
This will lead to the correct sequence:
32765: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xca6c lookup 51820
(Note the same priority number)
There are probably better ways to circumvent cutting off the root filesystem.
Chris
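An added example, not part of Chris's message or of wg-quick itself: a small POSIX sh script that parses `ip rule list` output for the priority of the suppress_prefixlength rule and checks that it is listed before the fwmark rule, so the ordering can be verified before the tunnel's default route is activated. The rule listings in it are constructed samples, not captured from a live host; safe_sequence() needs root and is not run here.

```shell
#!/bin/sh
# Added example (not from the original post or from wg-quick).

# Print the priority of the first "lookup main suppress_prefixlength 0" rule
# found in `ip rule list` output read from stdin; prints nothing if absent.
suppress_prio() {
    awk '/lookup main suppress_prefixlength 0/ { sub(/:$/, "", $1); print $1; exit }'
}

# Exit 0 when the suppress rule is listed before the "not from all fwmark ...
# lookup <table>" rule on stdin (the safe order), 1 otherwise.
# $1 is the policy table number (51820 for wg-quick).
check_order() {
    awk -v table="$1" '
        /lookup main suppress_prefixlength 0/ && !s { s = NR }
        $0 ~ ("not from all fwmark .* lookup " table) && !f { f = NR }
        END { exit !(s && f && s < f) }'
}

# The post's safe sequence: add the suppress rule first, then reuse its
# priority for the fwmark rule so the latter lands after it in the list.
# Needs root on a live host; not executed in this example.
safe_sequence() {
    ip -4 rule add table main suppress_prefixlength 0 || return 1
    prio=$(ip rule list | suppress_prio)
    [ -n "$prio" ] || { echo "suppress_prefixlength rule not found" >&2; return 1; }
    ip -4 rule add not fwmark 51820 table 51820 priority "$prio"
}

# Constructed listing after the safe sequence (same shape as the post's result).
GOOD_RULES='0: from all lookup local
32765: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xca6c lookup 51820
32766: from all lookup main
32767: from all lookup default'

# Constructed listing in the stalling state: the fwmark rule is in place,
# the suppress rule has not been added yet.
BAD_RULES='0: from all lookup local
32765: not from all fwmark 0xca6c lookup 51820
32766: from all lookup main
32767: from all lookup default'

printf '%s\n' "$GOOD_RULES" | check_order 51820 && echo "safe order"
printf '%s\n' "$BAD_RULES" | check_order 51820 || echo "unsafe: main table not consulted first"
```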