Re: WG default routing

2021-01-05 Thread Corey Costello
Can someone take me off this list?

I’ve tried like 4 times replying to the wireguard list and it says 
Unsubscribed! And then comes back :( 

> On Jan 5, 2021, at 6:50 PM, Phillip McMahon  wrote:
> 
> Hi Chris, your first post made it sound very much like a query on
> wg-quick; it's mentioned in a way that implies you're using it.
> 
> "...My first try was with wg-quick, and noticed all my traffic went
> through the WG-VPN connection.
> It escapes me why. What is the idea behind this policy?
> 
> On my Linux boxes it's not a problem, I don't have to use wg-quick and
> with few lines of bash in a script I have what I need. I have
> root"
> 
> On the working config I have, multiple clients, multiple wg tunnels
> and policy-based routing, AllowedIPs does set up entries in my routing
> table. Not setting another in AllowedIPs results in what you are
> seeing, no traffic flow as there are no routes established. wg uses
> your standard OS functionality for routing; try adding those routes
> manually and not in the wg config and you should quickly see traffic
> start to flow.
> 
> AllowedIPs function in the config is to easily encapsulate simple
> routing requirements for tunnels that probably satisfies the needs of
> most simple users. Stick in 0.0.0.0/0 and everything goes down the
> pipe, or add specific ranges you want to go down the pipe and nothing
> else.
> 
> Or you can go your own route (no pun intended) and make full use of
> your OS routing and IP capability to get as complex as you need.
> 
> wg doesn't have a policy to take over your routing, but if you use
> wg-quick as mentioned in your first post it's taking care of lots of
> things for ease of use and based on the content of your config might
> take over all routing.
> 
> Post your config and what you actually want to achieve and I am sure
> this mailing list will have you up and running in no time.
> 
> On Tue, 5 Jan 2021 at 22:16, Chris Osicki  wrote:
>> 
>> On Wed, Jan 06, 2021 at 01:25:30AM +0500, Roman Mamedov wrote:
>>> On Tue, 5 Jan 2021 21:12:12 +0100
>>> Chris Osicki  wrote:
>>> 
>>>> As far as I can see after a few tests, the AllowedIPs config file option has 
>>>> nothing to do with routing and I hope
>>>> it will stay like this.
>>> 
>>> wg-quick uses AllowedIPs to also set up matching entries in the system 
>>> routing
>>> table. This can be disabled in its config.
>>> 
>>>> It is just a filter
>>> 
>>> It is not only a filter on incoming packets, but also WG's internal routing
>>> table for knowing which packets should be sent to which peer.
>> 
>> I'm sorry to contradict you but after some more reading I have to :-)
>> WG has no "internal routing table"; wg-quick (which, BTW, is not the subject 
>> of my query) uses it to modify
>> kernel routing tables, from the wg-quick man page:
>> 
>>   It infers all routes from the list of peers' allowed IPs, and 
>> automatically adds them to  the  system  routing
>>   table.  If  one  of  those  routes is the default route (0.0.0.0/0 or 
>> ::/0), then it uses ip-rule(8) to handle
>>   overriding of the default gateway.
>> 
>> So, in my test config I have a server, 10.10.10.1, and two clients, 
>> 10.10.10.2/3.
>> If on the server I remove the AllowedIPs option, no one can connect.
>> Giving AllowedIPs = 10.10.10.0/24, both clients can connect and routing in 
>> them stays as it was.
>> The same for the clients: without AllowedIPs = 10.10.10.0/24 they cannot connect.
>> 
>> Thus, my question still remains: why this filtering function?
>> 
>>> 
>>> --
>>> With respect,
>>> Roman
>> 
>> Regards,
>> Chris
> 
> 
> 
> -- 
> Use this contact page to send me encrypted messages and files
> 
> https://flowcrypt.com/me/phillipmcmahon
> 
> P.S. Drowning in email? Try SaneBox and take back control:
> http://sanebox.com/t/old3m. I love it.



Re: WG default routing

2021-01-05 Thread Samuel Holland
On 1/5/21 3:13 PM, Chris Osicki wrote:
> On Wed, Jan 06, 2021 at 01:25:30AM +0500, Roman Mamedov wrote:
>> On Tue, 5 Jan 2021 21:12:12 +0100
>> Chris Osicki  wrote:
>>
>>> As far as I can see after a few tests, the AllowedIPs config file option has 
>>> nothing to do with routing and I hope 
>>> it will stay like this.
>>
>> wg-quick uses AllowedIPs to also set up matching entries in the system 
>> routing
>> table. This can be disabled in its config.
>>
>>> It is just a filter
>>
>> It is not only a filter on incoming packets, but also WG's internal routing
>> table for knowing which packets should be sent to which peer.
> 
> I'm sorry to contradict you but after some more reading I have to :-)
> WG has no "internal routing table"; wg-quick (which, BTW, is not the subject 
> of my query) uses it to modify

Did you read this part of the home page?

https://www.wireguard.com/#conceptual-overview

At the heart of WireGuard is a concept called Cryptokey Routing,
which works by associating public keys with a list of tunnel IP
addresses that are allowed inside the tunnel.

[...]

In the server configuration, when the network interface wants to
send a packet to a peer (a client), it looks at that packet's
destination IP and compares it to each peer's list of allowed
IPs to see which peer to send it to.

[...]

In other words, when sending packets, the list of allowed IPs
behaves as a sort of routing table, and when receiving packets,
the list of allowed IPs behaves as a sort of access control
list.

WireGuard itself does indeed have an internal routing table. And you
should really read that whole section.

> kernel routing tables, from the wg-quick man page:
> 
>It infers all routes from the list of peers' allowed IPs, and 
> automatically adds them to  the  system  routing
>table.  If  one  of  those  routes is the default route (0.0.0.0/0 or 
> ::/0), then it uses ip-rule(8) to handle
>overriding of the default gateway.
> 
> So, in my test config I have a server, 10.10.10.1, and two clients, 
> 10.10.10.2/3.
> If on the server I remove the AllowedIPs option, no one can connect.
> Giving AllowedIPs = 10.10.10.0/24, both clients can connect and routing in 
> them stays as it was.
> The same for the clients: without AllowedIPs = 10.10.10.0/24 they cannot connect.
> 
> Thus, my question still remains: why this filtering function?

Because, as the WireGuard website explains, a tight, static binding
between a peer's identity and its IP address range is an extremely
useful building block, both for security and for designing a network
topology.

Cheers,
Samuel
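The cryptokey routing rule quoted above can be stated in a few lines of code. The model below is an added illustration written for this thread, not WireGuard's code; the peer names (CLIENT_A_PUBKEY and so on) are placeholders standing in for public keys, and the addresses reuse the test setup Chris described (server 10.10.10.1, clients 10.10.10.2 and 10.10.10.3). It shows why removing AllowedIPs stops traffic even when the kernel routing table is untouched: with no allowed IPs the egress lookup finds no peer, and an inbound packet whose inner source does not look up to the peer it arrived from is discarded.

```python
"""Toy model of WireGuard's cryptokey routing (constructed example, not
WireGuard's code).  Each peer owns a list of allowed IPs.  On egress the
destination IP is matched against every peer's allowed IPs and the most
specific prefix wins; on ingress the decrypted packet's source IP is looked
up in the same table and must resolve to the peer that sent the packet."""
import ipaddress


class CryptokeyRouter:
    """AllowedIPs as a routing table on egress and an access-control list
    on ingress, as the WireGuard website describes."""

    def __init__(self):
        # list of (public_key, [ip_network, ...]); the keys are placeholders
        self.peers = []

    def add_peer(self, public_key, allowed_ips):
        # strict=False masks host bits, so "10.10.10.2/24" becomes 10.10.10.0/24
        nets = [ipaddress.ip_network(cidr, strict=False) for cidr in allowed_ips]
        self.peers.append((public_key, nets))

    def select_peer(self, ip):
        """Longest-prefix match over all peers' allowed IPs.  None means no
        peer owns the address: on egress the packet is dropped rather than
        sent anywhere, whatever the kernel routing table says."""
        addr = ipaddress.ip_address(ip)
        best_key, best_len = None, -1
        for key, nets in self.peers:
            for net in nets:
                if net.version == addr.version and addr in net and net.prefixlen > best_len:
                    best_key, best_len = key, net.prefixlen
        return best_key

    def accept_inbound(self, from_key, src_ip):
        """Ingress check: the inner source address must look up to the very
        peer the packet was decrypted from; otherwise it is discarded."""
        return self.select_peer(src_ip) == from_key


def server_with_allowed_ips():
    """Server 10.10.10.1 with one /32 per client (constructed placeholder keys)."""
    r = CryptokeyRouter()
    r.add_peer("CLIENT_A_PUBKEY", ["10.10.10.2/32"])
    r.add_peer("CLIENT_B_PUBKEY", ["10.10.10.3/32", "192.168.1.0/24"])
    return r


def server_without_allowed_ips():
    """Same peers with empty AllowedIPs: nothing can be routed to or accepted from them."""
    r = CryptokeyRouter()
    r.add_peer("CLIENT_A_PUBKEY", [])
    r.add_peer("CLIENT_B_PUBKEY", [])
    return r


def overlapping_prefixes():
    """A /24 on a site router and a /32 inside it on another peer: the /32 wins,
    so the site router cannot inject packets claiming the /32 address either."""
    r = CryptokeyRouter()
    r.add_peer("SITE_ROUTER_PUBKEY", ["10.10.10.0/24"])
    r.add_peer("CLIENT_B_PUBKEY", ["10.10.10.3/32"])
    return r


if __name__ == "__main__":
    r = server_with_allowed_ips()
    print("to 10.10.10.2 ->", r.select_peer("10.10.10.2"))
    print("to 203.0.113.9 ->", r.select_peer("203.0.113.9"))
    print("A sending as 10.10.10.3 ->", r.accept_inbound("CLIENT_A_PUBKEY", "10.10.10.3"))
    print("empty AllowedIPs ->", server_without_allowed_ips().select_peer("10.10.10.2"))
```

Note that iptables/nftables rules, which Chris asks about elsewhere in the thread, could only filter after decryption and have no way of tying an inner source address to the key that authenticated the packet; the ingress check above is what gives that binding.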


Re: WG default routing

2021-01-05 Thread Phillip McMahon
Hi Chris, your first post made it sound very much like a query on
wg-quick; it's mentioned in a way that implies you're using it.

"...My first try was with wg-quick, and noticed all my traffic went
through the WG-VPN connection.
It escapes me why. What is the idea behind this policy?

On my Linux boxes it's not a problem, I don't have to use wg-quick and
with few lines of bash in a script I have what I need. I have
root"

On the working config I have, multiple clients, multiple wg tunnels
and policy-based routing, AllowedIPs does set up entries in my routing
table. Not setting another in AllowedIPs results in what you are
seeing, no traffic flow as there are no routes established. wg uses
your standard OS functionality for routing; try adding those routes
manually and not in the wg config and you should quickly see traffic
start to flow.

AllowedIPs function in the config is to easily encapsulate simple
routing requirements for tunnels that probably satisfies the needs of
most simple users. Stick in 0.0.0.0/0 and everything goes down the
pipe, or add specific ranges you want to go down the pipe and nothing
else.

Or you can go your own route (no pun intended) and make full use of
your OS routing and IP capability to get as complex as you need.

wg doesn't have a policy to take over your routing, but if you use
wg-quick as mentioned in your first post it's taking care of lots of
things for ease of use and based on the content of your config might
take over all routing.

Post your config and what you actually want to achieve and I am sure
this mailing list will have you up and running in no time.

On Tue, 5 Jan 2021 at 22:16, Chris Osicki  wrote:
>
> On Wed, Jan 06, 2021 at 01:25:30AM +0500, Roman Mamedov wrote:
> > On Tue, 5 Jan 2021 21:12:12 +0100
> > Chris Osicki  wrote:
> >
> > > As far as I can see after a few tests, the AllowedIPs config file option has 
> > > nothing to do with routing and I hope
> > > it will stay like this.
> >
> > wg-quick uses AllowedIPs to also set up matching entries in the system 
> > routing
> > table. This can be disabled in its config.
> >
> > > It is just a filter
> >
> > It is not only a filter on incoming packets, but also WG's internal routing
> > table for knowing which packets should be sent to which peer.
>
> I'm sorry to contradict you but after some more reading I have to :-)
> WG has no "internal routing table"; wg-quick (which, BTW, is not the subject 
> of my query) uses it to modify
> kernel routing tables, from the wg-quick man page:
>
>It infers all routes from the list of peers' allowed IPs, and 
> automatically adds them to  the  system  routing
>table.  If  one  of  those  routes is the default route (0.0.0.0/0 or 
> ::/0), then it uses ip-rule(8) to handle
>overriding of the default gateway.
>
> So, in my test config I have a server, 10.10.10.1, and two clients, 
> 10.10.10.2/3.
> If on the server I remove the AllowedIPs option, no one can connect.
> Giving AllowedIPs = 10.10.10.0/24, both clients can connect and routing in 
> them stays as it was.
> The same for the clients: without AllowedIPs = 10.10.10.0/24 they cannot connect.
>
> Thus, my question still remains: why this filtering function?
>
> >
> > --
> > With respect,
> > Roman
>
> Regards,
> Chris



-- 
Use this contact page to send me encrypted messages and files

https://flowcrypt.com/me/phillipmcmahon

P.S. Drowning in email? Try SaneBox and take back control:
http://sanebox.com/t/old3m. I love it.


Re: WG default routing

2021-01-05 Thread Chris Osicki
On Wed, Jan 06, 2021 at 01:25:30AM +0500, Roman Mamedov wrote:
> On Tue, 5 Jan 2021 21:12:12 +0100
> Chris Osicki  wrote:
> 
> > As far as I can see after a few tests, the AllowedIPs config file option has 
> > nothing to do with routing and I hope 
> > it will stay like this.
> 
> wg-quick uses AllowedIPs to also set up matching entries in the system routing
> table. This can be disabled in its config.
> 
> > It is just a filter
> 
> It is not only a filter on incoming packets, but also WG's internal routing
> table for knowing which packets should be sent to which peer.

I'm sorry to contradict you but after some more reading I have to :-)
WG has no "internal routing table"; wg-quick (which, BTW, is not the subject of 
my query) uses it to modify 
kernel routing tables, from the wg-quick man page:

   It infers all routes from the list of peers' allowed IPs, and 
automatically adds them to  the  system  routing
   table.  If  one  of  those  routes is the default route (0.0.0.0/0 or 
::/0), then it uses ip-rule(8) to handle
   overriding of the default gateway.

So, in my test config I have a server, 10.10.10.1, and two clients, 10.10.10.2/3.
If on the server I remove the AllowedIPs option, no one can connect.
Giving AllowedIPs = 10.10.10.0/24, both clients can connect and routing in them 
stays as it was.
The same for the clients: without AllowedIPs = 10.10.10.0/24 they cannot connect.

Thus, my question still remains: why this filtering function?

> 
> -- 
> With respect,
> Roman

Regards,
Chris


Re: WG default routing

2021-01-05 Thread Roman Mamedov
On Tue, 5 Jan 2021 21:12:12 +0100
Chris Osicki  wrote:

> As far as I can see after a few tests, the AllowedIPs config file option has 
> nothing to do with routing and I hope 
> it will stay like this.

wg-quick uses AllowedIPs to also set up matching entries in the system routing
table. This can be disabled in its config.

> It is just a filter

It is not only a filter on incoming packets, but also WG's internal routing
table for knowing which packets should be sent to which peer.

-- 
With respect,
Roman
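To keep the two mechanisms apart, here is a small model of the wg-quick side only; it is an added example for this thread, not wg-quick's own code. It derives the kernel routes that the man page excerpt quoted in Chris's mail describes (one route per AllowedIPs entry, with 0.0.0.0/0 and ::/0 flagged for the ip-rule(8) treatment rather than installed as plain routes) and honours wg-quick's `Table = off` setting, which is the config knob Roman refers to. The configs are constructed (placeholder keys, an endpoint in the 192.0.2.0/24 documentation range); the AllowedIPs list is borrowed from Henning's [Peer] example elsewhere in the thread.

```python
"""Model of how a wg-quick style tool turns AllowedIPs into kernel routes
(constructed example, not wg-quick's code).  Follows the behaviour the
wg-quick man page describes: routes are inferred from allowed IPs; a default
route is handled through ip-rule(8) instead of a plain route; 'Table = off'
suppresses route creation entirely while AllowedIPs keep their cryptokey role."""
import ipaddress

DEFAULT_ROUTES = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def parse_wg_config(text):
    """Tiny INI-style reader: returns ({interface options}, [peer dicts]).
    Keys are lower-cased so 'AllowedIPs' and 'PersistentKeepalive=30' both parse."""
    interface, peers, section = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if line[1:-1].lower() == "peer":
                section = {}
                peers.append(section)
            else:
                section = interface
            continue
        key, _, value = line.partition("=")
        section[key.strip().lower()] = value.strip()
    return interface, peers


def plan_routes(config_text):
    """What a wg-quick style tool would install: ordinary routes, default
    routes that need policy routing, and the Table setting that governs it."""
    interface, peers = parse_wg_config(config_text)
    table = interface.get("table", "auto").lower()
    plan = {"table": table, "routes": [], "default_routes": []}
    if table == "off":
        # Nothing touches the kernel tables; AllowedIPs still select the peer
        # and filter inbound sources, routes are left for the admin to add.
        return plan
    seen = set()
    for peer in peers:
        for cidr in peer.get("allowedips", "").split(","):
            cidr = cidr.strip()
            if not cidr:
                continue
            net = ipaddress.ip_network(cidr, strict=False)   # mask host bits
            if net in seen:
                continue
            seen.add(net)
            if net in DEFAULT_ROUTES:
                plan["default_routes"].append(str(net))
            else:
                plan["routes"].append(str(net))
    return plan


def render(plan, ifname="wg0"):
    """Readable summary; the ip-rule steps for a default route are named,
    not reproduced, since they are wg-quick's business."""
    if plan["table"] == "off":
        return ["Table = off: no kernel routes installed; add your own routes to " + ifname]
    lines = [f"route {net} dev {ifname}" for net in plan["routes"]]
    lines += [f"default route {net}: override the default gateway via ip-rule(8)"
              for net in plan["default_routes"]]
    return lines


# Constructed split-tunnel config (placeholder key, documentation-range endpoint);
# the AllowedIPs line is the one from Henning's example.
SPLIT_TUNNEL = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.10.10.2/24

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 172.16.16.0/24,10.10.0.0/16,10.0.0.0/16
Endpoint = 192.0.2.1:51820
PersistentKeepalive=30
"""

# Same peer, but 'everything goes down the pipe': triggers the ip-rule path.
FULL_TUNNEL = SPLIT_TUNNEL.replace(
    "AllowedIPs = 172.16.16.0/24,10.10.0.0/16,10.0.0.0/16", "AllowedIPs = 0.0.0.0/0, ::/0")

# Same peer with route creation switched off.
NO_KERNEL_ROUTES = SPLIT_TUNNEL.replace("[Interface]", "[Interface]\nTable = off")

if __name__ == "__main__":
    for name, cfg in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL), ("table off", NO_KERNEL_ROUTES)):
        print(name, "->", render(plan_routes(cfg)))
```

The third case is the one the thread keeps circling: with `Table = off` a peer can still carry 0.0.0.0/0 in AllowedIPs so that any destination encrypts to it and any inner source is accepted from it, yet the host's routing is untouched until routes are added by hand, which is the manual approach Phillip describes.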


Re: WG default routing

2021-01-05 Thread Chris Osicki
On Mon, Jan 04, 2021 at 02:38:23PM +0100, Henning Reich wrote:
> Hi,
> you can control which traffic is routed with the AllowedIPs option. If
> you use 0.0.0.0/0, all traffic is routed through the wireguard tunnel.
> If you just allow, for example, 10.10.10.10/32, only 10.10.10.10 is
> allowed. 10.10.0.0/16,192.168.1.0/24 will allow
> 10.10.0.0-10.10.254.254 and 192.168.1.0-192.168.1.254 and so on...
> 
> I use
> [Peer]
> PublicKey = xxx
> AllowedIPs = 172.16.16.0/24,10.10.0.0/16,10.0.0.0/16
> Endpoint = 123.123.123.123:12346
> PersistentKeepalive=30
> 
> On Mon, 4 Jan 2021 at 13:40, Chris Osicki  wrote:
> >
> > Hi
> >
> > I am quite new to wireguard, moving after years of OpenVPN, and found it 
> > simple and _really good_.
> > One thing, however, makes me wonder. Why does WG always try to take over all 
> > my routing?
> > My first try was with wg-quick, and I noticed all my traffic went through the 
> > WG-VPN connection.
> > It escapes me why. What is the idea behind this policy?
> >
> > On my Linux boxes it's not a problem, I don't have to use wg-quick and with 
> > a few lines of bash in a script I have what I need. I have root.
> > On my Android devices I don't have root, and I cannot change anything in 
> > routing etc.
> > Why don't you provide an option to specify which net to route which way?
> >
> > Regards,
> > Chris

Hi,

As I wrote in another mail, AllowedIPs config file option has nothing to do 
with routing, IMHO.
It looks just like a filter.

Regards,
Chris


Re: WG default routing

2021-01-05 Thread Chris Osicki
On Mon, Jan 04, 2021 at 01:22:31PM +, Gijs Conijn wrote:
> That is what I am using the allowed IPs for.
> I only want to route via the tunnel to my home LAN, so I enter the WG subnet 
> and the home LAN subnet in allowed IPs
> (as I understood it, allowed IPs are not only allowed but also routed via the 
> tunnel).
> 
> Regards, Erik 
> DDWRT WireGuard user
> 
> -Original message-
> From: WireGuard  On behalf of Chris Osicki
> Sent: Sunday, 3 January 2021 22:55
> To: WireGuard mailing list 
> Subject: WG default routing
> 
> Hi
> 
> I am quite new to wireguard, moving after years of OpenVPN, and found it 
> simple and _really good_.
> One thing, however, makes me wonder. Why does WG always try to take over all my 
> routing?
> My first try was with wg-quick, and I noticed all my traffic went through the 
> WG-VPN connection.
> It escapes me why. What is the idea behind this policy?
> 
> On my Linux boxes it's not a problem, I don't have to use wg-quick and with 
> a few lines of bash in a script I have what I need. I have root.
> On my Android devices I don't have root, and I cannot change anything in 
> routing etc.
> Why don't you provide an option to specify which net to route which way?
> 
> Regards,
> Chris
> 

Hi

As far as I can see after a few tests, the AllowedIPs config file option has nothing 
to do with routing and I hope 
it will stay like this. It is just a filter and the next question arises: why 
this? Don't we have iptables/nftables?
Or is it for non-Unix-like systems?

Regards,
Chris


RE: WG default routing

2021-01-04 Thread Gijs Conijn
That is what I am using the allowed IPs for.
I only want to route via the tunnel to my home LAN, so I enter the WG subnet and 
the home LAN subnet in allowed IPs
(as I understood it, allowed IPs are not only allowed but also routed via the 
tunnel).

Regards, Erik 
DDWRT WireGuard user

-Original message-
From: WireGuard  On behalf of Chris Osicki
Sent: Sunday, 3 January 2021 22:55
To: WireGuard mailing list 
Subject: WG default routing

Hi

I am quite new to wireguard, moving after years of OpenVPN, and found it simple 
and _really good_.
One thing, however, makes me wonder. Why does WG always try to take over all my 
routing?
My first try was with wg-quick, and I noticed all my traffic went through the 
WG-VPN connection.
It escapes me why. What is the idea behind this policy?

On my Linux boxes it's not a problem, I don't have to use wg-quick and with a few 
lines of bash in a script I have what I need. I have root.
On my Android devices I don't have root, and I cannot change anything in 
routing etc.
Why don't you provide an option to specify which net to route which way?

Regards,
Chris


Re: WG default routing

2021-01-04 Thread Henning Reich
Hi,
you can control which traffic is routed with the AllowedIPs option. If
you use 0.0.0.0/0, all traffic is routed through the wireguard tunnel.
If you just allow, for example, 10.10.10.10/32, only 10.10.10.10 is
allowed. 10.10.0.0/16,192.168.1.0/24 will allow
10.10.0.0-10.10.254.254 and 192.168.1.0-192.168.1.254 and so on...

I use
[Peer]
PublicKey = xxx
AllowedIPs = 172.16.16.0/24,10.10.0.0/16,10.0.0.0/16
Endpoint = 123.123.123.123:12346
PersistentKeepalive=30

On Mon, 4 Jan 2021 at 13:40, Chris Osicki  wrote:
>
> Hi
>
> I am quite new to wireguard, moving after years of OpenVPN, and found it 
> simple and _really good_.
> One thing, however, makes me wonder. Why does WG always try to take over all my 
> routing?
> My first try was with wg-quick, and I noticed all my traffic went through the 
> WG-VPN connection.
> It escapes me why. What is the idea behind this policy?
>
> On my Linux boxes it's not a problem, I don't have to use wg-quick and with 
> a few lines of bash in a script I have what I need. I have root.
> On my Android devices I don't have root, and I cannot change anything in 
> routing etc.
> Why don't you provide an option to specify which net to route which way?
>
> Regards,
> Chris


WG default routing

2021-01-04 Thread Chris Osicki
Hi

I am quite new to wireguard, moving after years of OpenVPN, and found it simple 
and _really good_.
One thing, however, makes me wonder. Why does WG always try to take over all my 
routing?
My first try was with wg-quick, and I noticed all my traffic went through the 
WG-VPN connection.
It escapes me why. What is the idea behind this policy?

On my Linux boxes it's not a problem, I don't have to use wg-quick and with a few 
lines of bash in a script I have what I need. I have root.
On my Android devices I don't have root, and I cannot change anything in 
routing etc.
Why don't you provide an option to specify which net to route which way?

Regards,
Chris