peacey / split-vpn

A split tunnel VPN script for Unifi OS routers (UDM, UXG, UDR) with policy based routing.
GNU General Public License v3.0

breaks with AllowedIPs = 0.0.0.0/0 #184

Closed realies closed 1 year ago

peacey commented 1 year ago

Hello @realies,

It's working fine for me on 3.1.9. Can you please be more specific?

realies commented 1 year ago

@peacey, thanks for the prompt reply! After upgrading from UDM 3.1.8 to UDM 3.1.9, the systemd service starts on boot; however, no WG interfaces are created.

root@UDM-SE:/etc/split-vpn/wireguard/x-x-x-x# wg-quick up ./wg2.conf 
[#] ip link add wg2 type wireguard
[#] wg setconf wg2 /dev/fd/63
[#] ip -4 address add x.x.x.x/32 dev wg2
[#] ip -6 address add x:x:x:x::x:x/128 dev wg2
[#] ip link set mtu 1420 up dev wg2
[#] ip -4 route add 0.0.0.0/0 dev wg2 table 102
RTNETLINK answers: File exists
[#] ip link delete dev wg2
# ip route show table 102
blackhole default 
# ip route del blackhole 0.0.0.0/1
RTNETLINK answers: No such process

Let me know if I should add any additional info.

peacey commented 1 year ago

You shouldn't use 0.0.0.0/0 or ::/0 as a route in your wg.conf (as per Step 2 in the wireguard guide) because it interferes with the blackhole route setup. Instead you should use 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1 which covers the same subnet but can be added alongside the blackhole routes.

Basically, change AllowedIPs in your wg.conf to:

AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1
realies commented 1 year ago

> You shouldn't use 0.0.0.0/0 or ::/0 as a route in your wg.conf (as per Step 2 in the wireguard guide) because it interferes with the blackhole route setup. Instead you should use 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1 which covers the same subnet but can be added alongside the blackhole routes.
>
> Basically, change AllowedIPs in your wg.conf to:
>
> AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1

That was it, thanks. I really thought it was because of the upgrade for some reason. Assume that modifying the updown.sh script to remove the 0.0.0.0/0 blackhole would make it work, including the other WAN traffic leak, and for some reason, it doesn't remove the default blackhole.

peacey commented 1 year ago

If you want to disable the blackhole routes from being added you can just set DISABLE_BLACKHOLE=1 in your vpn.conf. Then you'll be able to use 0.0.0.0/0, but I wouldn't recommend it unless something is not working for you currently.

realies commented 1 year ago

> If you want to disable the blackhole routes from being added you can just set DISABLE_BLACKHOLE=1 in your vpn.conf. Then you'll be able to use 0.0.0.0/0, but I wouldn't recommend it unless something is not working for you currently.

Does this mean that all traffic from the UDM will go through the VPN and nothing will leak including on reboot?

peacey commented 1 year ago

Note there are two blackhole routes this script adds: the optional startup blackhole routes and the route table blackholes (the ones we're talking about here).

The route table blackholes make sure that nothing leaks in case of configuration problems (when used with the pre-up step), and the startup blackholes make sure nothing leaks on reboot until the VPN is set up. They are both necessary if you want to make sure nothing leaks on reboot, but startup blackholes are disabled by default (since if something goes wrong, you will not have Internet access - so it's an advanced setup for those who know the risks).
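The two points made in this thread (why `0.0.0.0/0` collides with the blackhole default while the `/1` halves do not, and why the blackhole then catches traffic once the wg interface is gone) as an added Python model. It is not split-vpn's code and does not touch netlink; it is a constructed toy of route table 102 using longest-prefix match, with the target names "wg2" and "blackhole" assumed for illustration.

```python
import ipaddress


class RouteTable:
    """Toy model of one Linux routing table (constructed for illustration):
    longest-prefix match, and 'File exists' if a prefix is already present."""

    def __init__(self):
        self.routes = {}  # ip_network -> "wg2" or "blackhole"

    def add(self, prefix, target):
        net = ipaddress.ip_network(prefix)
        if net in self.routes:  # same prefix and length already in the table
            raise FileExistsError(f"RTNETLINK answers: File exists ({net})")
        self.routes[net] = target

    def vpn_down(self):
        """Drop the interface routes, as happens when wg2 is deleted."""
        self.routes = {n: t for n, t in self.routes.items() if t != "wg2"}

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        hits = [n for n in self.routes if n.version == addr.version and addr in n]
        return self.routes[max(hits, key=lambda n: n.prefixlen)] if hits else None


def build_table_102(allowed_ips):
    """Blackhole defaults go in first (what the script sets up), then the
    wg-quick routes derived from AllowedIPs, one per comma-separated prefix."""
    table = RouteTable()
    table.add("0.0.0.0/0", "blackhole")
    table.add("::/0", "blackhole")
    for prefix in allowed_ips.split(","):
        table.add(prefix.strip(), "wg2")
    return table


def build_error(allowed_ips):
    """Netlink-style error text if AllowedIPs collides with the blackholes, else None."""
    try:
        build_table_102(allowed_ips)
        return None
    except FileExistsError as err:
        return str(err)


def lookup_with(allowed_ips, ip, vpn_up=True):
    """Where a packet to `ip` goes: the VPN while it is up, the blackhole once it is not."""
    table = build_table_102(allowed_ips)
    if not vpn_up:
        table.vpn_down()
    return table.lookup(ip)
```

With the `/1` halves every address still has a more specific route than the blackhole default while wg2 is up, and falls into the blackhole (no WAN leak) as soon as the interface routes disappear.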

realies commented 1 year ago

When DISABLE_BLACKHOLE=1 is set in vpn.conf, should the 4xVPN Blackhole routes be deleted?

peacey commented 1 year ago

You don't have to do it manually, the script should delete them for you and it shouldn't add them again.

realies commented 1 year ago

@peacey, going through the readme, I assumed I need to create these manually when DISABLE_BLACKHOLE=1 does not exist in vpn.conf:

Screenshot 2023-05-24 at 22 51 23

Is that right? Should these be there or removed with and without DISABLE_BLACKHOLE=1 in vpn.conf?

peacey commented 1 year ago

No, those are the startup blackholes, not the route table ones. Those are not removed by DISABLE_BLACKHOLE. Those are always removed by the script unless you set REMOVE_STARTUP_BLACKHOLES=0.

I don't recommend you use those startup blackholes unless you expect the risk that if the VPN doesn't get configured for whatever reason, you'll lose Internet access. Usually they're not needed in a simple setup.

realies commented 1 year ago

@peacey, what's the benefit of having startup blackholes? What is the difference vs AllowedIPs = 0.0.0.0/0?