Lochnair/vyatta-wireguard

Extra routes


Config on an ERX running as WG server, with 2 peers:

set interfaces wireguard wg0 address 10.1.1.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 private-key <router_private_key>

set interfaces wireguard wg0 peer <peer1_public_key> allowed-ips 10.1.1.2/32
set interfaces wireguard wg0 peer <peer1_public_key> preshared-key <peer1_psk>

set interfaces wireguard wg0 peer <peer2_public_key> allowed-ips 10.1.1.3/32
set interfaces wireguard wg0 peer <peer2_public_key> preshared-key <peer2_psk>

The routing table has these entries for wg0:

0.0.0.0/24 dev wg0 proto kernel scope link
10.1.1.0/24 dev wg0  proto kernel  scope link  src 10.1.1.1
10.1.1.2 dev wg0  scope link
10.1.1.3 dev wg0  scope link

A similar setup on a Linux server has a single route added, the /24.

Are the 3 extra routes really needed on the ERX or is it a bug?

We don't know where 0.0.0.0/24 comes from, but the same issue is seen with other VPN protocols on the ER platform. It's completely harmless so we don't see much point in investigating it.

As for the other two: no, it's not a bug, and no, they're not needed. In your case you only need the route that's implicitly added by the kernel when the interface address is set. The other two are added by vyatta-wireguard because you have route-allowed-ips set to true. Because you already have a route that covers them, you don't need route-allowed-ips and should set it to false.

route-allowed-ips is often more useful when using wg as a client, where you send traffic for other subnets through a peer.

Understood about 0.0.0.0/24.

As for the other 2 routes, not sure whether it can be fixed to match the behavior on Linux where the /24 route is the only one added as it covers the other 2 also. But if the server IP is set to /32 (on Linux) then there's a route per peer.
In my case at least it seems that the better change is to change the server IP to /32 as I only use those 2 clients, I don't need the entire /24 subnet.
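Added example, not code from this issue or from the vyatta-wireguard project: a small check that parses the EdgeOS `set` lines above and reports which peer allowed-ips are already covered by the connected route the kernel adds for the interface address. It shows both cases discussed in the thread: with a /24 address on wg0 every peer /32 is covered and route-allowed-ips adds nothing, while with a /32 address (or a client sending other subnets through a peer) route-allowed-ips is what installs the routes. The config text is the issue's own, embedded here as a constructed sample with placeholder keys.

```python
import ipaddress
import re

# Constructed sample: the server config from this issue, placeholder keys kept.
SERVER_CONFIG = """
set interfaces wireguard wg0 address 10.1.1.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 private-key <router_private_key>
set interfaces wireguard wg0 peer <peer1_public_key> allowed-ips 10.1.1.2/32
set interfaces wireguard wg0 peer <peer1_public_key> preshared-key <peer1_psk>
set interfaces wireguard wg0 peer <peer2_public_key> allowed-ips 10.1.1.3/32
set interfaces wireguard wg0 peer <peer2_public_key> preshared-key <peer2_psk>
"""

ADDR_RE = re.compile(r"^set interfaces wireguard (\S+) address (\S+)$")
PEER_RE = re.compile(r"^set interfaces wireguard (\S+) peer (\S+) allowed-ips (\S+)$")


def parse_config(text):
    """Map each wireguard interface to its addresses and per-peer allowed-ips."""
    ifaces = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = ADDR_RE.match(line)
        if m:
            iface = ifaces.setdefault(m.group(1), {"addresses": [], "allowed": {}})
            iface["addresses"].append(ipaddress.ip_interface(m.group(2)))
            continue
        m = PEER_RE.match(line)
        if m:
            iface = ifaces.setdefault(m.group(1), {"addresses": [], "allowed": {}})
            net = ipaddress.ip_network(m.group(3), strict=False)
            iface["allowed"].setdefault(m.group(2), []).append(net)
    return ifaces


def uncovered_allowed_ips(iface):
    """Allowed-ips prefixes not already inside a connected route of the interface.
    Only these would be installed by route-allowed-ips; an empty list means the
    option adds nothing and can be set to false."""
    connected = [a.network for a in iface["addresses"]]
    missing = []
    for peer, nets in iface["allowed"].items():
        for net in nets:
            covered = any(net.version == c.version and net.subnet_of(c) for c in connected)
            if not covered:
                missing.append((peer, str(net)))
    return missing


def route_allowed_ips_needed(iface):
    """True if route-allowed-ips would install at least one route for this interface."""
    return bool(uncovered_allowed_ips(iface))
```

With the /24 address the check returns no uncovered prefixes; changing the address to /32, as proposed above, makes both peer /32s uncovered, so route-allowed-ips must stay true in that layout.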