Hi Daniel,

On Tuesday, 14.03.2023 at 06:53 +0100, Daniel Gröber wrote:
> Hi Jochen,
>
> On Mon, Mar 13, 2023 at 10:43:02PM +0100, Jochen Demmer wrote:
> > Yet I cannot communicate. Is it possible that the wireguard tunnel
> > itself doesn't have the prefix in its allowed IPs? I always thought
> > this allowed_ips parameter is only for setting up the routing, even if
> > the name suggests otherwise.
>
> With wg-quick (which OpenWrt is trying to mirror I guess) the AllowedIPs do
> double duty as source address ACL and routes. I actually forgot to mention
> you'd have to use Table=0 to get rid of the static routes. IIRC the
> route_allowed_ips option you found is the equivalent here.
>
> On Tue, Mar 14, 2023 at 02:09:27AM +0100, Jochen Demmer wrote:
> > Alright, I figured it out.
> > On both sides I needed to set allowed-ips to 0.0.0.0/0 and ::/0.
> > Then set route_allowed_ips to 0.
>
> Are you sending any v4 traffic over the tunnel? If not 0.0.0.0/0 should be
> unnecessary.
>
> > This seems to work, yet it is generally recommended not to allow any in
> > a wireguard tunnel. I don't see another way right now though.
>
> What do you mean? If your AllowedIPs set is empty wireguard will just act
> as a big useless black hole.

Well, there were several blog posts and texts that said running wireguard
without a filter to IPs was a bad idea. I do not concur, that's why I
implemented it without a filter and I'm happy with it :-)

> To see how the OpenWrt stuff maps to wg options see the script handling the
> conversion:
>
> https://github.com/openwrt/openwrt/blob/master/package/network/utils/wireguard-tools/files/wireguard.sh
>
> AFAICT it does a straight conversion of the allowed_ips list to the wg
> option.
>
> --Daniel

_______________________________________________
Babel-users mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users
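The "double duty" of AllowedIPs that Daniel describes is easy to misread, so here is a small model of it as an added example; this is not code from the thread, from WireGuard, or from OpenWrt, but a simplified re-implementation of the cryptokey routing lookup that WireGuard performs in the kernel. It shows the three separate jobs a prefix in AllowedIPs does: selecting the peer for outgoing packets, acting as a source-address ACL on decrypted incoming packets, and (only in wg-quick and OpenWrt's wireguard.sh, never in WireGuard itself) producing static routes, which is the part `route_allowed_ips=0` / wg-quick's `Table=off` switches off so a routing daemon such as babeld can own the routes. The peer name and the addresses are constructed sample values; the catch-all configuration mirrors Jochen's final setup, and the empty one is the "black hole" Daniel mentions.

```python
"""Model of WireGuard's cryptokey routing table (added illustration, not WireGuard's code).

AllowedIPs does three jobs:
  1. outbound: the destination address picks the peer (longest-prefix match);
     no match means the packet is dropped, never sent in the clear.
  2. inbound: a decrypted packet is accepted only if its inner source address
     maps back to the peer it arrived from (the source-address ACL).
  3. routes: wg-quick / OpenWrt add a static route per prefix, unless disabled.
WireGuard itself only does 1 and 2; 3 is done by the wrapper tooling.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample configurations: peer name -> AllowedIPs prefixes.
PEERS_CATCH_ALL = {"babel-peer": ["0.0.0.0/0", "::/0"]}   # Jochen's final setup
PEERS_NARROW = {"babel-peer": ["10.9.0.0/30", "fd00:9::/64"]}  # a restrictive contrast
PEERS_EMPTY = {"babel-peer": []}                           # Daniel's "black hole"


def build_table(peers: Dict[str, List[str]]) -> Dict[Network, str]:
    """Build the cryptokey routing table: prefix -> owning peer.

    WireGuard keeps each prefix under exactly one peer; if two peers list the
    same prefix the last one configured takes it over, which the dict models.
    """
    table: Dict[Network, str] = {}
    for peer, prefixes in peers.items():
        for prefix in prefixes:
            table[ipaddress.ip_network(prefix, strict=False)] = peer
    return table


def lookup(table: Dict[Network, str], addr: str) -> Optional[str]:
    """Longest-prefix match of addr against the table; None when nothing matches.

    Address family is respected: an IPv6 address never matches 0.0.0.0/0.
    """
    ip: Address = ipaddress.ip_address(addr)
    best: Optional[Tuple[int, str]] = None
    for net, peer in table.items():
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, peer)
    return best[1] if best else None


def outbound_peer(table: Dict[Network, str], dst: str) -> Optional[str]:
    """Job 1: which peer receives a packet for dst. None means WireGuard drops it."""
    return lookup(table, dst)


def inbound_accepted(table: Dict[Network, str], from_peer: str, inner_src: str) -> bool:
    """Job 2: after decrypting a packet from from_peer, accept it only if the
    inner source address belongs to that same peer's AllowedIPs."""
    return lookup(table, inner_src) == from_peer


def installed_routes(peers: Dict[str, List[str]], route_allowed_ips: bool = True) -> List[str]:
    """Job 3: the static routes wg-quick / OpenWrt's wireguard.sh would add, one
    per prefix, unless disabled (Table=off in wg-quick, route_allowed_ips=0 in
    OpenWrt), in which case babeld or another routing daemon supplies them."""
    if not route_allowed_ips:
        return []
    return sorted(str(net) for net in build_table(peers))


if __name__ == "__main__":
    for name, peers in (("catch-all", PEERS_CATCH_ALL), ("narrow", PEERS_NARROW), ("empty", PEERS_EMPTY)):
        table = build_table(peers)
        print(f"[{name}] packet to 192.0.2.7 -> peer {outbound_peer(table, '192.0.2.7')}")
        print(f"[{name}] packet from babel-peer with src 10.9.0.2 accepted: "
              f"{inbound_accepted(table, 'babel-peer', '10.9.0.2')}")
        print(f"[{name}] routes with route_allowed_ips=1: {installed_routes(peers)}")
        print(f"[{name}] routes with route_allowed_ips=0: {installed_routes(peers, False)}")
```

With the catch-all set every destination reaches the peer and every decrypted source is accepted, so the only filtering left is whatever the firewall applies on the tunnel interface; with the empty set nothing is ever sent or accepted, which is the black hole from the thread. Running the model with `route_allowed_ips=0` is what stops the wrapper from installing a default route through the tunnel while leaving jobs 1 and 2 untouched.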
