Hello Toke,
thanks for your information.
I've seen a topic came up on the bird user mailing list which you have
had crosslinked here.
In the mean time I've created this little python script:
https://github.com/pzillmann/wireguard-dynamic-routing
At least it does the job for me. I think Janne's code needs some time go
get integrated into upstream plus a few days until it is shipped with
the distributions. (Maybe we see it in Debian 10?)
Until then there is this script. Feel free to give me some feedback.
- Paul
Am 06.06.19 um 12:09 schrieb Toke Høiland-Jørgensen:
Paul Zillmann <[email protected]> writes:
Hello,
we have the same problem here, although our allowed IP ranges should be
0.0.0.0/0 for all peers.
We have OSPF traffic on the wireguard links so it should be task of the
Kernel's routing table to decide where to send what.
The problem is that the allowed-ips configuration has multiple purposes:
routing table and firewall/packet filter. This introduces these
problems. It would be helpfull to get a compile flag or something else
to make this behavior optional.
That is probably not going to happen; the crypto-routing is quite
integral to Wireguard, and is an important security feature.
Right now Wireguard isn't very friendly to dynamic routing.
I came up with multiple solutions:
- create multiple interfaces + tunnels.
or
- create a bash script that injects the Kernel's routing table into the
wg tool every other minute.
Do you guys have a better idea? If not I would create the bash script.
IMO, the "right" way to fix this is to make your routing daemon aware of
wireguard and have it configure the routes directly into the wireguard
table. That also gives you security for your routing protocol
automatically (since only authenticated sources/destinations will be
allowed), as long as you have a secure way of bootstrapping the
wireguard keying.
-Toke
_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
