max-moser/network-manager-wireguard

traffic not routed through vpn when connected with network-manager.

alientechnology opened this issue · 10 comments

When I connect via NetworkManager, I can access the VPN server itself via the VPN network, but all traffic still goes as if there is no VPN. When connected via wg-quick everything works as expected.

Output of ip r and route -n when connected from NetworkManager:

default via 192.168.0.1 dev wlo1 proto dhcp metric 600 
10.100.100.0/24 dev usa proto kernel scope link src 10.100.100.2 metric 50 
169.254.0.0/16 dev wlo1 scope link metric 1000 
192.168.0.0/24 dev wlo1 proto kernel scope link src 192.168.0.100 metric 600 

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    600    0        0 wlo1
10.100.100.0    0.0.0.0         255.255.255.0   U     50     0        0 usa
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlo1
192.168.0.0     0.0.0.0         255.255.255.0   U     600    0        0 wlo1

When connected with wg-quick up:

default via 192.168.0.1 dev wlo1 proto dhcp metric 600 
169.254.0.0/16 dev wlo1 scope link metric 1000 
192.168.0.0/24 dev wlo1 proto kernel scope link src 192.168.0.100 metric 600

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    600    0        0 wlo1
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlo1
192.168.0.0     0.0.0.0         255.255.255.0   U     600    0        0 wlo1

Does not happen with other VPN plugins such as pptp or openvpn.

You have to add the networks in the IPv4 tab under "Routes".

I got the same problem.

When connecting with wg-quick in the console, traffic is routed over wireguard server, but when connecting via network-manager, I can ping the wireguard server, but the traffic isn't going through it.

I can reproduce this on an archlinux system.

Connected via network-manager-wireguard:

# ip route
default via 192.168.11.1 dev wlp3s0 proto dhcp metric 600 
10.0.53.0/24 dev wg-tumtum proto kernel scope link src 10.0.53.6 metric 50 
192.168.11.0/24 dev wlp3s0 proto kernel scope link src 192.168.11.51 metric 600 

Connected via wg-quick:

default via 192.168.11.1 dev wlp3s0 proto dhcp metric 600 
192.168.11.0/24 dev wlp3s0 proto kernel scope link src 192.168.11.51 metric 600 

I think, but I'm not sure, that I found the reason for that, but I don't know how to fix it: wg-quick alone redirects the traffic by setting ip rules with an fwmark, without setting any "routes" to the WireGuard subnet. The network-manager-wireguard plugin somehow indirectly uses wg-quick, and then unfortunately NetworkManager itself adds rules for the WireGuard subnet as well, which is not needed in this case?!

As a workaround I just re-add the table 51820 default route from wg-quick after the connection with the NetworkManager plugin. For my personal use I created a small NetworkManager dispatcher script under /etc/NetworkManager/dispatcher.d/99-wireguard which seems to work, but I don't know if this is the correct way (or I would say it's a dirty hack).

#!/bin/bash
# NetworkManager dispatcher script: $1 is the interface name, $2 the action.
# CONNECTION_UUID is exported by NetworkManager for the connection being acted on.

MY_CONNECTION_UUID="32568811-ceb3-455a-bc4c-dfa6c067e29c"

# Quote both sides: CONNECTION_UUID is empty for some actions, and an unquoted
# empty value would turn the test into a syntax error instead of a mismatch.
if [ "$MY_CONNECTION_UUID" = "$CONNECTION_UUID" ]; then
	case $2 in
		vpn-up)
			# re-add the table 51820 default route that wg-quick would have installed
			ip -4 route add 0.0.0.0/0 dev "$1" table 51820
			;;
		vpn-down)
			;;
	esac
fi
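What wg-quick sets up for AllowedIPs = 0.0.0.0/0, and a check that tells you which piece is missing after the plugin brings the tunnel up. This is an added example, not code from the plugin or the dispatcher script above; it assumes the interface name wg0 and wg-quick's default table/fwmark 51820, and the sample `ip rule` / `ip route` output is constructed from what the comment above describes, not captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the plugin or from the thread's dispatcher script.
# Shows the policy-routing pieces wg-quick installs when AllowedIPs contains
# 0.0.0.0/0 and checks "ip rule" / "ip route" output for which piece is missing.
# Assumptions: interface wg0, and table/fwmark 51820 (wg-quick's default).

# full_tunnel_cmds IFACE TABLE: the commands wg-quick runs for a default route.
# Packets carrying the fwmark (the tunnel's own UDP traffic) keep using the main
# table; everything else is sent to TABLE, whose only route is the wg interface.
full_tunnel_cmds() {
    iface=$1; table=$2
    cat <<EOF
wg set $iface fwmark $table
ip -4 route add 0.0.0.0/0 dev $iface table $table
ip -4 rule add not fwmark $table table $table
ip -4 rule add table main suppress_prefixlength 0
EOF
}

# check_policy_routing RULES ROUTES TABLE IFACE
#   RULES  = output of "ip -4 rule show"
#   ROUTES = output of "ip -4 route show table TABLE"
# Prints each missing piece; returns 0 only when the full-tunnel setup is complete.
check_policy_routing() {
    rules=$1; routes=$2; table=$3; iface=$4
    missing=0
    if ! printf '%s\n' "$rules" | grep -q "not from all fwmark 0x[0-9a-f]* lookup $table"; then
        echo "missing: ip rule 'not fwmark $table table $table'"; missing=1
    fi
    if ! printf '%s\n' "$rules" | grep -q "lookup main suppress_prefixlength 0"; then
        echo "missing: ip rule 'table main suppress_prefixlength 0'"; missing=1
    fi
    if ! printf '%s\n' "$routes" | grep -q "^default dev $iface"; then
        echo "missing: default route in table $table (this is what the dispatcher workaround re-adds)"; missing=1
    fi
    return $missing
}

# Constructed sample output (not captured from a real system), modelled on the
# comment above: the rules are present, but table 51820 is empty until the
# dispatcher script re-adds the default route. 0xca6c is 51820 in hex.
RULES_AFTER_NM='0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default'
ROUTES_TABLE_EMPTY=''
ROUTES_TABLE_FIXED='default dev wg0 scope link'

full_tunnel_cmds wg0 51820
check_policy_routing "$RULES_AFTER_NM" "$ROUTES_TABLE_EMPTY" 51820 wg0 || echo "before workaround: incomplete"
check_policy_routing "$RULES_AFTER_NM" "$ROUTES_TABLE_FIXED" 51820 wg0 && echo "after workaround: complete"
```

On a live system, feed it the real output: `check_policy_routing "$(ip -4 rule show)" "$(ip -4 route show table 51820)" 51820 wg0`. If the two rules are missing as well, re-adding only the table route (as the dispatcher script does) is not enough and the rule lines from `full_tunnel_cmds` are needed too.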

Same issue as @brknkfr on Gentoo (systemd); the workaround dispatcher script above (with an appropriate UUID, extracted via nmcli c) also fixed it for me.

same issue, we should fix this. (I may take a look at generating a PR)

given the following configuration:

[Interface]
Address    = 172.16.0.2/24
DNS        = 172.31.0.2
PrivateKey = 0000000000000000000000000000000000000000000=

[Peer]
PublicKey  = 0000000000000000000000000000000000000000000=
AllowedIPs = 172.16.0.0/16, 172.31.0.0/16
Endpoint   = example.com:2100
PersistentKeepalive = 5

results in the following routes:

wg-quick up ./client.conf
netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enp8s0
172.16.0.0      0.0.0.0         255.255.255.0   U         0 0          0 wireguard
172.16.0.0      0.0.0.0         255.255.0.0     U         0 0          0 wireguard
172.31.0.0      0.0.0.0         255.255.0.0     U         0 0          0 wireguard
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enp8s0

using this plugin from the same file:

netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enp8s0
172.16.0.0      0.0.0.0         255.255.255.0   U         0 0          0 wireguard
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enp8s0

Any update on this? Getting the same results.

I noticed the same behavior difference between wg-quick and network manager.

Without having looked at the code, it seems only the first IP block of the Allowed IPs list is processed and added as a route; it should iterate over all the IP blocks and add a route for each block.
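Deriving the expected route set from every AllowedIPs entry, so it can be compared against `ip route` after the plugin connects, and printing the nmcli equivalent of filling in the IPv4 "Routes" tab. This is an added example, not code from the plugin; the config is a constructed copy of the one quoted earlier in the thread, the interface name "wireguard" is assumed, and the nmcli `ipv4.routes` value is written as a comma-separated list of "dest/prefix" entries, which is assumed from nmcli's documented route format.

```shell
#!/bin/sh
# Added example, not code from the plugin. Derives the routes wg-quick would
# install from every AllowedIPs entry (all peers, all entries) and prints the
# nmcli equivalent of the IPv4 "Routes" tab.
# Assumptions: interface name "wireguard"; ipv4.routes takes a comma-separated
# list of "dest/prefix" entries (assumed from nmcli's documented route format).

# Constructed sample config, modelled on the one quoted in this thread.
SAMPLE_CONF='[Interface]
Address    = 172.16.0.2/24
DNS        = 172.31.0.2
PrivateKey = 0000000000000000000000000000000000000000000=

[Peer]
PublicKey  = 0000000000000000000000000000000000000000000=
AllowedIPs = 172.16.0.0/16, 172.31.0.0/16
Endpoint   = example.com:2100
PersistentKeepalive = 5
'

# allowed_ips CONF: one CIDR per line, taken from every AllowedIPs line
allowed_ips() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' |
        tr ',' '\n' | tr -d ' \t' | grep -v '^$'
}

# route_cmds CONF IFACE: the "ip route add" wg-quick runs per entry.
# 0.0.0.0/0 and ::/0 are flagged instead, because wg-quick handles a full
# tunnel with an fwmark and a policy-routing table rather than a plain route.
route_cmds() {
    conf=$1; iface=$2
    allowed_ips "$conf" | while IFS= read -r cidr; do
        case $cidr in
            0.0.0.0/0|::/0) echo "# $cidr: full tunnel, needs fwmark + table 51820, not a plain route" ;;
            *:*)            echo "ip -6 route add $cidr dev $iface" ;;
            *)              echo "ip -4 route add $cidr dev $iface" ;;
        esac
    done
}

# nmcli_routes CONF: IPv4 subnet entries joined for ipv4.routes, i.e. what the
# "Routes" list in the IPv4 tab holds; the default route is left out on purpose.
nmcli_routes() {
    allowed_ips "$1" | grep -v ':' | grep -v '^0\.0\.0\.0/0$' | paste -s -d ',' -
}

route_cmds "$SAMPLE_CONF" wireguard
echo "nmcli connection modify <vpn-connection-name> ipv4.routes \"$(nmcli_routes "$SAMPLE_CONF")\""
```

Compare the `ip -4 route add` lines with `ip route` after connecting through the plugin: every AllowedIPs block that is missing from the kernel table is one the plugin did not add, which is what the netstat output earlier in the thread shows for 172.16.0.0/16 and 172.31.0.0/16.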

Same issue here on Ubuntu 20.04

This is needed to correctly route vpn packets. Any progress?

You have to add the networks in the IPv4 tab under "Routes".

It does work if you need, for example, to access only a remote LAN through WireGuard, but it seems not OK to route all traffic toward WireGuard.

A weird scenario I've encountered where routing doesn't work even when manually setting up the routes is that with some WireGuard configs, the Address of the client needs to be specified in CIDR notation (e.g. 192.168.1.1/32).

With this, the routing proceeds to work for all AllowedIPs even without manually specifying the routes.
However, I still needed to specify some routes for another WireGuard config.