Hi Chris, your first post made it sound very much like a query on wg-quick, it's mentioned in a way that implies you're using it.

"...My first try was with wg-quick, and noticed all my traffic went through the WG-VPN connection. It escapes me why. What is the idea behind this policy? On my Linux boxes it's not a problem, I don't have to use wg-quick and with few lines of bash in a script I have what I need. I have root...."

On the working config I have, multiple clients, multiple wg tunnels and policy-based routing, AllowedIPs does set up entries in my routing table. Not setting anything in AllowedIPs results in what you are seeing, no traffic flow as there are no routes established. wg uses your standard OS functionality for routing, try adding those routes manually and not in the wg config and you should quickly see traffic start to flow.

The AllowedIPs function in the config is to easily encapsulate simple routing requirements for tunnels that probably satisfies the needs of most simple users. Stick in 0.0.0.0/0 and everything goes down the pipe, or add specific ranges you want to go down the pipe and nothing else. Or you can go your own route (no pun intended) and make full use of your OS routing and IP capability to get as complex as you need.

wg doesn't have a policy to take over your routing, but if you use wg-quick as mentioned in your first post it's taking care of lots of things for ease of use and based on the content of your config might take over all routing.

Post your config and what you actually want to achieve and I am sure this mailing list will have you up and running in no time.

On Tue, 5 Jan 2021 at 22:16, Chris Osicki <[email protected]> wrote:
>
> On Wed, Jan 06, 2021 at 01:25:30AM +0500, Roman Mamedov wrote:
> > On Tue, 5 Jan 2021 21:12:12 +0100
> > Chris Osicki <[email protected]> wrote:
> >
> > > As far as I can see after few tests, AllowedIPs config file option has
> > > nothing to do with routing and I hope it will stay like this.
> >
> > wg-quick uses AllowedIPs to also set up matching entries in the system routing
> > table. This can be disabled in its config.
> >
> > > It is just a filter
> >
> > It is not only a filter on incoming packets, but also WG's internal routing
> > table for knowing which packets should be sent to which peer.
>
> I'm sorry to contradict you but after some more reading I have to :-)
> WG has no "internal routing table", wg-quick (which, BTW, is not the subject
> of my query) uses it to modify kernel routing tables, from the wg-quick man page:
>
> It infers all routes from the list of peers' allowed IPs, and
> automatically adds them to the system routing table. If one of those routes
> is the default route (0.0.0.0/0 or ::/0), then it uses ip-rule(8) to handle
> overriding of the default gateway.
>
> So, in my test config I have a server, 10.10.10.1 and two clients, 10.10.10.2/3
> If on the server I remove the AllowedIPs option, no one can connect.
> Giving AllowedIPs = 10.10.10.0/24 both clients can connect and routing in
> them stays as it was.
> The same for the clients, without AllowedIPs = 10.10.10.0/24 cannot connect.
>
> Thus, my question still remains: why this filtering function?
>
> > --
> > With respect,
> > Roman
>
> Regards,
> Chris

--
Use this contact page to send me encrypted messages and files https://flowcrypt.com/me/phillipmcmahon
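An added example, not code from the thread or from the WireGuard project: a small Python model of the behaviour Roman describes, in which AllowedIPs is both the outbound peer-selection table (longest prefix wins) and the inbound source filter, exercised on the server/two-client layout from Chris's test config. Peer names and the 203.0.113.5 destination are constructed placeholders.

```python
# Added example (not from the mailing-list thread): a model of WireGuard's
# cryptokey routing, where AllowedIPs both picks the peer for outbound packets
# and filters inbound ones by inner source address. Names/addresses constructed.
from ipaddress import ip_address, ip_network

def build_table(peers):
    """peers: {peer_name: [cidr, ...]} -> lookup table sorted longest-prefix first.
    A prefix belongs to exactly one peer; a later peer claiming the same prefix
    takes it over, which is how the kernel treats a duplicate allowed IP."""
    owner = {}
    for name, cidrs in peers.items():
        for cidr in cidrs:
            owner[ip_network(cidr, strict=False)] = name
    return sorted(owner.items(), key=lambda e: e[0].prefixlen, reverse=True)

def peer_for_destination(table, dst):
    """Outbound: the peer whose AllowedIPs contain dst (longest match).
    None means nothing in the table matches and the interface drops the packet."""
    addr = ip_address(dst)
    for net, name in table:
        if addr.version == net.version and addr in net:
            return name
    return None

def accept_inbound(table, from_peer, src):
    """Inbound: a decrypted packet from from_peer is accepted only if its inner
    source address routes back to that same peer in the AllowedIPs table."""
    return peer_for_destination(table, src) == from_peer

def demo():
    # Hub side of the thread's test setup: 10.10.10.1 with two clients.
    server = build_table({"client2": ["10.10.10.2/32"], "client3": ["10.10.10.3/32"]})
    # Client side: AllowedIPs = 10.10.10.0/24 (tunnel subnet only) vs 0.0.0.0/0
    # ("everything goes down the pipe") vs no AllowedIPs at all.
    client_lan = build_table({"server": ["10.10.10.0/24"]})
    client_all = build_table({"server": ["0.0.0.0/0"]})
    client_none = build_table({"server": []})
    return {
        "server_to_3": peer_for_destination(server, "10.10.10.3"),
        "server_to_9": peer_for_destination(server, "10.10.10.9"),
        "wrong_src_rejected": accept_inbound(server, "client2", "10.10.10.3"),
        "genuine_src_accepted": accept_inbound(server, "client2", "10.10.10.2"),
        "lan_to_internet": peer_for_destination(client_lan, "203.0.113.5"),
        "all_to_internet": peer_for_destination(client_all, "203.0.113.5"),
        "no_allowedips": peer_for_destination(client_none, "10.10.10.1"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `no_allowedips` case is the "no one can connect" result from the thread: with an empty table there is no peer to send to and no source that passes the inbound check, independent of what the kernel routing table says.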
