DavidVentura / Wireguard_qml

UBPorts app in QML for Wireguard
MIT License

Peer: allowed ip prefixes, the "route all traffic through interface" function and the "extra_routes" #8

Open luksus42 opened 2 years ago

luksus42 commented 2 years ago

Hi, I did not manage to route all my traffic through the WireGuard interface... I did some research and found an explanation in the Debian manpage of how this should work, https://manpages.debian.org/unstable/wireguard-tools/wg-quick.8.en.html:

It [the configuration file] infers all routes from the list of peers' allowed IPs, and automatically adds them to the system routing table. If one of those routes is the default route (0.0.0.0/0 or ::/0), then it uses ip-rule(8) to handle overriding of the default gateway.

The configuration file will be passed directly to wg(8)'s `setconf' sub-command, with the exception of the following additions to the Interface section, which are handled by this tool:

  1. I would have thought that the routes would be created by the wg setconf command, but that does not seem to happen.
  2. Currently I need to set the extra_routes option to get access to the network behind the tunnel (it creates the needed routes), but as I understand the documentation, the routes for that are already in the allowed IP prefixes config.
  3. Do we need to implement the step manually which creates an ip rule if 0.0.0.0/0 is present in the IP prefixes?

DavidVentura commented 2 years ago

Hi. The problem with adding 0.0.0.0/0 is that you need to either fwmark or add another rule for the endpoint itself; if you don't have a rule for the endpoint itself, you end up with a routing loop.

https://www.wireguard.com/netns/#routing-all-your-traffic
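The fwmark variant from the linked page, as an added example that is not Wireguard_qml's own code: it mirrors what wg-quick does when one of a peer's AllowedIPs is a default route, so the tunnel's own encrypted UDP packets stay on the main table and reach the endpoint without looping. The interface name wg0 and the table/fwmark value 51820 are assumed defaults; set WG_DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: wg-quick style policy routing for a 0.0.0.0/0 (or ::/0) peer.
# Assumed defaults: interface wg0, routing table and fwmark 51820 (as wg-quick uses).
WG_IF="${WG_IF:-wg0}"
WG_TABLE="${WG_TABLE:-51820}"

# Execute a command, or just print it when WG_DRY_RUN=1.
run() {
    if [ "${WG_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Returns 0 when any AllowedIPs prefix is a default route (0.0.0.0/0 or ::/0).
has_default_allowed_ip() {
    for prefix in "$@"; do
        case "$prefix" in
            0.0.0.0/0|::/0) return 0 ;;
        esac
    done
    return 1
}

# Installs the routes for one peer's AllowedIPs (passed as arguments).
setup_routes() {
    fwmark_set=0
    for prefix in "$@"; do
        case "$prefix" in
            0.0.0.0/0) family=-4 ;;
            ::/0)      family=-6 ;;
            *)         run ip route add "$prefix" dev "$WG_IF"; continue ;;
        esac
        # Default route: mark WireGuard's own packets (once) so the "not fwmark"
        # rule below keeps them on the main table instead of the tunnel table.
        if [ "$fwmark_set" -eq 0 ]; then
            run wg set "$WG_IF" fwmark "$WG_TABLE"
            fwmark_set=1
        fi
        run ip "$family" route add "$prefix" dev "$WG_IF" table "$WG_TABLE"
        run ip "$family" rule add not fwmark "$WG_TABLE" table "$WG_TABLE"
        # Keep the main table's more specific routes (LAN etc.) but suppress
        # its default route, so all remaining traffic enters the tunnel.
        run ip "$family" rule add table main suppress_prefixlength 0
    done
}

# Usage: WG_DRY_RUN=1 sh routes.sh 10.0.0.0/24 0.0.0.0/0
if [ $# -gt 0 ]; then setup_routes "$@"; fi
```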

luksus42 commented 2 years ago

if you don't have a rule for the endpoint itself, you end up with a routing loop

Yes, I already encountered gigabytes of traffic within seconds. ;-)

So should we implement an option for "route all traffic through wg" and use namespaces?

DavidVentura commented 2 years ago

I am preparing a change on the daemon to significantly improve on most of the issues, on routing: