All right, I figured it out. On both sides I needed to set allowed-ips to 0.0.0.0/0 and ::/0. Then set route_allowed_ips to 0.

This seems to work, yet it is generally recommended not to allow any in a WireGuard tunnel. I don't see another way right now though. So I believe my setup is safe, thank you!

Thanks
Jochen

On Monday, 13.03.2023 at 22:43 +0100, Jochen Demmer wrote:
> Thank you for that detailed description.
> It seems to be working. I simulate a prefix change at my home site by
> adding a prefix to the redistribute:
>
>     config filter
>         option type "redistribute"
>         option ip "2a03:fe3:fe3::/48"
>
> I then add an IP from that prefix to an interface and very fast it will
> show up as a route at the remote firewall (OpenWrt btw at both sides).
>
> Yet I cannot communicate. Is it possible that the WireGuard tunnel
> itself doesn't have the prefix in its allowed IPs? I always thought
> this allowed_ips parameter is only for setting up the routing, even if
> the name suggests otherwise.
>
> Regards
> Jochen
>
> On Monday, 13.03.2023 at 10:51 +0100, Daniel Gröber wrote:
> > Hi Jochen,
> >
> > On Mon, Mar 13, 2023 at 09:50:31AM +0100, Jochen Demmer wrote:
> > > I thought I could use babeld to just fill that gap and always have a
> > > route to the prefix I get at home. So even when there is a disconnect
> > > and a new prefix, I thought babeld will just fetch it and push it over
> > > to site B.
> > >
> > > Is that a valid idea? If so, what would a configuration look like?
> >
> > You can definitely use babel here. You just need to add some config
> > lines to redistribute your prefixes. Quoting the manpage:
> >
> >     By default, babeld redistributes all local addresses, and no other
> >     routes. In order to make sure that only the routes you specify are
> >     redistributed, you should include the line
> >
> >         redistribute local deny
> >
> > So that's a good start and then you just need to add filters to get the
> > prefixes in:
> >
> >     redistribute local deny
> >     redistribute ip fd5e:ef07:ec1a::/48  #< Site A ULA prefix
> >     redistribute ip 2000::/3             #< Site X GUA prefixes
> >
> > And that's pretty much it for the babel side. Just add the interface(s)
> > you want to run on to /etc/default/babeld (on Debian at least) and you
> > should be good to go.
> >
> > There is one gotcha that I'd like to point out. babeld fucks with a
> > number of ip sysctls which you might not expect if your routers are
> > already setup as you want them. You can disable this using
> > `skip-kernel-setup true`. Grep the source for skip_kernel_setup to see
> > the sysctls it touches.
> >
> > Note that by default babeld will accept all routes from neighbours. You
> > might want to add `in` filters to prevent the other site from
> > announcing routes it's not allowed to send.
> >
> > You can be more specific with the GUA prefixes if you like but that's a
> > local policy matter :)
> >
> > > Do I just have to configure the wireguard interface on both sites or
> > > will I have to add filters?
> >
> > To get babel to work on wg you have to 1) add a unique fe80::/64
> > interface address on each side and 2) if using restrictive AllowedIPs
> > include fe80::/64 and ff02::1:6 in the list.
> >
> > Let me know how it goes,
> > --Daniel
>
> _______________________________________________
> Babel-users mailing list
> [email protected]
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users
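Putting Daniel's two points together (the `in` filters that replace babeld's accept-everything default, and the AllowedIPs entries babel needs over WireGuard), here is a constructed Debian-style configuration for the remote site; it is an added example, not anything posted in the thread. The prefixes from the thread are reused; `wg0`, site B's own ULA prefix `fd5e:ef07:ec1b::/48` and the peer key are assumptions, and `Table = off` is the wg-quick counterpart of the `route_allowed_ips 0` used on OpenWrt.

```conf
# /etc/babeld.conf on site B (constructed example).
interface wg0               # the WireGuard interface carrying babel
skip-kernel-setup true      # leave the routers' existing sysctls alone

# Originate only the routes listed explicitly; first matching rule wins.
redistribute local deny
redistribute ip fd5e:ef07:ec1b::/48      # site B's own ULA prefix (assumed)

# Inbound policy. Without these lines babeld installs every route the
# peer announces. Accept site A's ULA and GUA prefixes up to /64 (kept
# wide because the home prefix changes after a reconnect) and refuse
# everything else, including a default route or someone else's ULA.
in ip fd5e:ef07:ec1a::/48 le 64 allow
in ip 2000::/3 le 64 allow
in deny

# /etc/wireguard/wg0.conf on site B, [Peer] entry for site A.
# AllowedIPs is also WireGuard's cryptokey routing filter: inbound
# packets from this peer with a source outside the list are dropped, and
# outbound babel hellos are sent to ff02::1:6, so both the link-local
# range and the multicast address must be listed when not using ::/0.
[Interface]
Address = fe80::b/64        # unique link-local per side (assumed value)
Table = off                 # let babel install routes, not wg-quick

[Peer]
PublicKey = <site A public key>
AllowedIPs = fe80::/64, ff02::1:6/128, fd5e:ef07:ec1a::/48, 2000::/3
```

With the `in` filters in place, a peer that starts announcing a prefix outside the allowed ranges is simply ignored rather than silently becoming a route on the remote firewall.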
