OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Erdem U. Altinyurt - 06.02.2019
Last edited by Jo-Philipp Wich - 23.04.2019

FS#2104 - wireguard: adds endpoint host to routing list. ( without need )

Environment: ramips, OpenWrt 18.06.[1-2], MediaTek MT7621, Xiaomi Mi Router 3G

I tried to setup router as WG client for a while. But it doesn’t work on my setup.
After research, I realized that licu-wireguard application adds a static route somehow.
Also after terminating the wireguard connection, that static routing record does not removed. After removal of non needed record of endpoint from routing table (51.x.x.x in my setup) by hand, Wireguard starts working proper.

root@MainRouter:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         UG    0      0        0 eth0.2        *        U     0      0        0 wg0
51.x.x.x        MainRouter.lan UGH   0      0        0 br-lan     *        U     0      0        0 br-lan     *        U     0      0        0 eth0.2

PS: MainRouter.lan is name of the router. (

Closed by  Jo-Philipp Wich
23.04.2019 06:53
Reason for closing:  Fixed
Erdem U. Altinyurt commented on 06.02.2019 14:26

Issue is rise from proto_add_host_dependency routine.
Deactivating it make it working again.

---	2019-02-06 17:19:22.000000000 +0300
+++	2019-02-06 17:22:18.000000000 +0300
@@ -180,7 +180,7 @@
     sed -E 's/\[?([0-9.:a-f]+)\]?:([0-9]+)/\1 \2/' | \
     while IFS=$'\t ' read -r key address port; do
     [ -n "${port}" ] || continue
-    proto_add_host_dependency "${config}" "${address}"
+    #proto_add_host_dependency "${config}" "${address}"
Jo-Philipp Wich commented on 06.02.2019 14:32

Do you have multiple default routes on your system? Did you set a `gateway` option on lan by any chance? If so, remove it.

Erdem U. Altinyurt commented on 07.02.2019 00:22

Multiple default routes? What does it mean? As you can see on my routing table, there are only one default route, which is on wan (eth0.2) port at router.

Also I don't know how can I set a "gateway" option on lan. Lan IP: is a gateway for our local LAN as it need to be. is modem.

Anyway, I don't understand what "proto_add_host_dependency" routine does and why it necessary and why it doesn't removed at termination of connection.


Bluse-Blue commented on 20.02.2019 00:44

Hi Erdem,

For a similar issue on my side I hacked this patch to solve the issue of Wireguard calling proto_add_host_dependency just in such cases, where the address is a remote IP with a routing table entry. Can you apply this patch the check weather it fixes the problem on your side, so it might be a relevant issue to fix in general ?

commit 9530b0803ffe1dfa57f714d961cdfc3932e71825
Author: Thomas Huehn <>
Date:   Sun Feb 18 21:59:21 2018 +0100

    wireguard: add distinction for remote and local endpoint ip

    This patch fixes a bug when someone tries to set up a Wireguard tunnel
    to an endpoint where its ip belongs to a local subnet, e.g. in a Freifunk
    olsr mesh. The call of proto_add_host_dependency() is just needed in cases
    where the endpoint is reachable via a default gateway but not in such cases
    where the endpoint is part of a local subnet.

    Signed-off-by: Thomas Huehn <>

diff --git a/package/network/services/wireguard/files/ b/package/network/services/wireguard/files/
index 96fa7215ffc8..fbde0fdb2c5e 100644
--- a/package/network/services/wireguard/files/
+++ b/package/network/services/wireguard/files/
@@ -16,6 +16,10 @@ fi
   init_proto "$@"

+is_remote_ip() {
+     ip route get $1 | grep "via $(ip route | grep -m1 default | cut -d" " -f3)"

 proto_wireguard_init_config() {
   proto_config_add_string "private_key"
@@ -180,7 +184,10 @@ proto_wireguard_setup() {
     sed -E 's/\[?([0-9.:a-f]+)\]?:([0-9]+)/\1 \2/' | \
     while IFS=$'\t ' read -r key address port; do
     [ -n "${port}" ] || continue
-    proto_add_host_dependency "${config}" "${address}"
+    is_remote_ip ${address} && {
+      logger -t Wireguard "no local route to endpoint - call proto_add_host_dependency()"
+      proto_add_host_dependency "${config}" "${address}"
+    }

   proto_send_update "${config}"

Greetings Thomas

hatramatra commented on 23.02.2019 00:18

I must chip in, that the use of proto_add_host_dependency makes very little sense here. What is the use case for it, please? What problem is it trying to solve? The only scenario I can think of, where it would make remotely any sense, is if remote allowed-ips contain, or simply any less specific route for the remote endpoint. But isn't then better to solve it with fwmark and lookups in dedicated routing table?

Because then there are all those use cases where the path to the remote endpoint changes (primary/secondary wan links) and one absolutely wants the wireguard tunnel to re-route the encrypted packets via new uplink. In my case, there is floating static route pointing to the backup connectivity and primary line with bgp routing. I had to get rid of proto_add_host_dependency line from the script altogether for the wireguard interface to be even created under such setup.


Thorsten von Eicken commented on 12.04.2019 04:13

Ditto here. I want to second hatramatra's comment. I use wireguard on a Gl.Inet router and the proto_add_host_dependency locks in the route. Problem is it locks to an ethernet route, which comes up first, but I actually want the tunnel to go via a cellular route, which takes time to come up. The preferred default route is via the cellular and a second higher-metric default route goes via ethernet.
What is the proto_add_host_dependency trying to achieve?

Jo-Philipp Wich commented on 23.04.2019 06:50

The `proto_add_host_dependency` call ensures that a host route towards the remote endpoint IP is installed. Without such a route, the tunnel would collapse eventually when the defaultroute is redirected through the tunnel.

This is intended to cover the default use case of a VPN where all traffic is tunneled. If you do not require such a host route, or if you manage the routing manually, set `option nohostroute 1` in the interface section.

Jo-Philipp Wich commented on 23.04.2019 06:53

The `nohostroute` option has been introduced with


Available keyboard shortcuts


Task Details

Task Editing