FS#2104 - wireguard: adds endpoint host to routing list. ( without need ) #7134
Comments
EUA: The issue arises from the proto_add_host_dependency routine.
jow-: Do you have multiple default routes on your system? Did you set a
EUA: Multiple default routes? What does that mean? As you can see in my routing table, there is only one default route, which is 192.168.2.1 on the wan (eth0.2) port of the router. Also, I don't know how I can set a "gateway" option on lan. The LAN IP 192.168.1.1 is the gateway for our local LAN, as it needs to be. 192.168.2.1 is the modem. Anyway, I don't understand what the "proto_add_host_dependency" routine does, why it is necessary, and why it isn't removed when the connection is terminated. Thanks.
Bluse: Hi Erdem, for a similar issue on my side I hacked this patch to solve the issue of Wireguard calling proto_add_host_dependency just in such cases, where the address is a remote IP with a routing table entry. Can you apply this patch to check whether it fixes the problem on your side, so it might be a relevant issue to fix in general?
Greetings, Thomas
hatramatra: I must chip in that the use of proto_add_host_dependency makes very little sense here. What is the use case for it, please? What problem is it trying to solve? The only scenario I can think of where it would make remotely any sense is if the remote allowed-ips contain 0.0.0.0/0, or simply any less specific route for the remote endpoint. But isn't it then better to solve it with fwmark and lookups in a dedicated routing table? Because then there are all those use cases where the path to the remote endpoint changes (primary/secondary wan links) and one absolutely wants the wireguard tunnel to re-route the encrypted packets via the new uplink. In my case, there is a floating static route pointing to the backup connectivity and a primary line with BGP routing. I had to get rid of the proto_add_host_dependency line from the wireguard.sh script altogether for the wireguard interface to even be created under such a setup. /Martin
tve: Ditto here. I want to second hatramatra's comment. I use wireguard on a Gl.Inet router and the proto_add_host_dependency locks in the route. Problem is it locks to an ethernet route, which comes up first, but I actually want the tunnel to go via a cellular route, which takes time to come up. The preferred default route is via the cellular and a second higher-metric default route goes via ethernet.
jow-: The This is intended to cover the default use case of a VPN where all traffic is tunneled. If you do not require such a host route, or if you manage the routing manually, set
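hatramatra's scenario and jow-'s "all traffic is tunneled" case both come down to one test: does any allowed-ips prefix cover the endpoint address? The following is an added example, not part of the thread and not code from OpenWrt's wireguard.sh, that performs this test for IPv4. The function names and the 203.0.113.10 endpoint are assumptions made for illustration.

```shell
# Added example (IPv4 only): does a WireGuard endpoint fall inside any
# allowed-ips prefix, so that packets to it would be routed into the tunnel?

# ip_to_int A.B.C.D -> prints the address as an integer; fails if malformed.
ip_to_int() {
    local IFS=. o
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
}

# in_prefix IP CIDR -> exit 0 if IP is inside CIDR, 1 if not, 2 if malformed.
in_prefix() {
    local ip net len=32 mask=0
    case "$2" in */*) len=${2#*/} ;; esac
    case "$len" in ''|*[!0-9]*|0?*) return 2 ;; esac
    [ "$len" -le 32 ] || return 2
    ip=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}") || return 2
    # /0 keeps mask=0, so a shift by 32 bits is never needed.
    [ "$len" -eq 0 ] || mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ "$(( ip & mask ))" -eq "$(( net & mask ))" ]
}

# needs_host_route ENDPOINT ALLOWED_IPS... -> prints the first prefix that
# covers the endpoint (exit 0); exit 1 if none does, 2 if ENDPOINT is invalid.
needs_host_route() {
    local ep=$1 p
    shift
    ip_to_int "$ep" >/dev/null || return 2
    for p in "$@"; do
        case "$p" in *:*) continue ;; esac   # IPv6 prefixes are skipped
        if in_prefix "$ep" "$p"; then echo "$p"; return 0; fi
    done
    return 1
}

# Constructed sample: 203.0.113.10 is a documentation address, not a value
# from the thread; 10.0.2.0/24 is the wg0 network in the reporter's table.
for ips in "10.0.2.0/24" "10.0.2.0/24 0.0.0.0/0"; do
    if hit=$(needs_host_route 203.0.113.10 $ips); then
        echo "allowed-ips '$ips': endpoint covered by $hit"
    else
        echo "allowed-ips '$ips': endpoint not covered"
    fi
done
```

When the function exits 1, no allowed-ips prefix captures the endpoint, which is the case the commenters describe where the pinned host route serves no purpose.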
jow-: The
EUA:
Environment: ramips, OpenWrt 18.06.[1-2], MediaTek MT7621, Xiaomi Mi Router 3G
Description:
I tried to set up the router as a WG client for a while, but it doesn't work with my setup.
After some research, I realized that the luci-wireguard application somehow adds a static route.
Also, after terminating the wireguard connection, that static routing record is not removed.
After removing the unneeded endpoint record (51.x.x.x in my setup) from the routing table by hand, Wireguard starts working properly.
root@MainRouter:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.2.1 0.0.0.0 UG 0 0 0 eth0.2
10.0.2.0 * 255.255.255.0 U 0 0 0 wg0
51.x.x.x MainRouter.lan 255.255.255.255 UGH 0 0 0 br-lan
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.2.0 * 255.255.255.0 U 0 0 0 eth0.2
PS: MainRouter.lan is the name of the router (192.168.1.1).