OPNsense Forum

English Forums => Virtual private networks => Topic started by: rcmcdonald91 on December 19, 2020, 03:30:57 AM

Title: Wireguard 0.0.0.0/0 allowed and "Table = off"
Post by: rcmcdonald91 on December 19, 2020, 03:30:57 AM
I need to use WireGuard for point-to-point links without WireGuard injecting routes into the routing table. On Linux, or when manually configuring .conf files, this is easy to do with "Table = off" and setting AllowedIPs = 0.0.0.0/0 on both client and server.

The only way I can get traffic to pass through my WireGuard tunnels is to NOT check "disable routes", which I thought was the GUI equivalent of Table = off.

What's the deal?
Title: Re: Wireguard 0.0.0.0/0 allowed and "Table = off"
Post by: Gauss23 on December 19, 2020, 09:09:32 AM
So you have allowed_ips=0.0.0.0/0 and disable routes enabled? Then you added some static routes manually? Or via firewall rule (policy routing).
Title: Re: Wireguard 0.0.0.0/0 allowed and "Table = off"
Post by: rcmcdonald91 on December 21, 2020, 01:19:32 AM
What kind of static route or firewall rule should I apply to create just a point-to-point link? On Linux all that is required is "Table = off" and it just works. I guess things are a bit different here? I did figure out that if I create a gateway pointed at the other end of the link, and then set this gateway in the Wireguard > Local > Advanced Settings configuration, this seems to work... though pinging the local side of the link from OPNsense is quite slow, so it seems that the traffic is hitting the far side and then coming back, instead of staying local?
Title: Re: Wireguard 0.0.0.0/0 allowed and "Table = off"
Post by: mimugmail on December 21, 2020, 06:00:05 AM
Correct... for a local ping it goes forth and back. A couple of things changed there; I need to check sometime if the docs are still valid. But as most got it working, it should be ok.
Title: Re: Wireguard 0.0.0.0/0 allowed and "Table = off"
Post by: rcmcdonald91 on December 21, 2020, 12:56:49 PM
Any particular reason why?
Title: Re: Wireguard 0.0.0.0/0 allowed and "Table = off"
Post by: mimugmail on December 21, 2020, 02:02:47 PM
I didn't track it down, I just accepted it since there's no use case for constantly pinging its own IP.
Title: Re: Wireguard 0.0.0.0/0 allowed and "Table = off"
Post by: rcmcdonald91 on December 21, 2020, 06:35:24 PM
Looking at netstat -rn seems to suggest that there isn't a local binding for the wg0 local tunnel address.

For instance, if we look at the routing table with ZeroTier enabled we see this:

Internet:
Destination        Gateway            Flags     Netif Expire
10.147.17.0/24     link#10            U      ztdbpfrc
10.147.17.162      link#10            UHS         lo0

However, for a WireGuard interface we only see this:

Internet:
Destination        Gateway            Flags     Netif Expire
10.0.13.0          wg0                UHS         wg0
10.0.13.0/31       10.0.13.0          UGS         wg0
10.0.13.1          link#11            UH          wg0

So it seems that wg-quick (or whatever you are using on the backend to build and tear down wg instances) isn't doing it correctly.
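A small shell check for the symptom described in this post, added here as an illustration and not part of the thread or of OPNsense's own tooling: it parses the two netstat -rn excerpts quoted above (embedded below as constructed strings) and reports whether a tunnel interface's own address has the host route via lo0 that FreeBSD normally installs for a configured interface address. The function names (local_route_netif, has_lo0_host_route, diagnose, diagnose_live) and the sample tables are my own.

```shell
#!/bin/sh
# Added example: detect a tunnel address that lacks its loopback host route
# in FreeBSD "netstat -rn -f inet" output. Columns: Destination Gateway Flags
# Netif Expire, so $1 is the destination and $4 is the outgoing interface.

# Constructed sample inputs, copied from the two excerpts quoted in the thread.
ZT_TABLE='Internet:
Destination        Gateway            Flags     Netif Expire
10.147.17.0/24     link#10            U      ztdbpfrc
10.147.17.162      link#10            UHS         lo0'

WG_TABLE='Internet:
Destination        Gateway            Flags     Netif Expire
10.0.13.0          wg0                UHS         wg0
10.0.13.0/31       10.0.13.0          UGS         wg0
10.0.13.1          link#11            UH          wg0'

# local_route_netif TABLE ADDR
# Prints the Netif of the host route whose destination is exactly ADDR
# (prefix routes such as 10.0.13.0/31 do not match); prints nothing if absent.
local_route_netif() {
    printf '%s\n' "$1" | awk -v a="$2" '$1 == a { print $4; exit }'
}

# has_lo0_host_route TABLE ADDR
# Succeeds (exit 0) only if ADDR's host route points at lo0, which is what a
# locally configured interface address looks like on FreeBSD.
has_lo0_host_route() {
    printf '%s\n' "$1" |
        awk -v a="$2" '$1 == a && $4 == "lo0" { found = 1 } END { exit found ? 0 : 1 }'
}

# diagnose TABLE ADDR
# Prints one token: ok (loopback host route present), no-host-route (no exact
# match at all), or not-loopback (host route exists but leaves via the tunnel,
# which is the slow round-trip ping the thread describes).
diagnose() {
    netif=$(local_route_netif "$1" "$2")
    case "$netif" in
        lo0) echo ok ;;
        "")  echo no-host-route ;;
        *)   echo not-loopback ;;
    esac
}

# diagnose_live ADDR
# Same check against the running system; only meaningful on a FreeBSD host.
diagnose_live() {
    diagnose "$(netstat -rn -f inet 2>/dev/null)" "$1"
}

# Stand-alone run over the constructed tables.
if [ -z "${NO_DEMO:-}" ]; then
    echo "ZeroTier 10.147.17.162: $(diagnose "$ZT_TABLE" 10.147.17.162)"
    echo "WireGuard 10.0.13.1:    $(diagnose "$WG_TABLE" 10.0.13.1)"
fi
```

On a live OPNsense box, `diagnose_live 10.0.13.1` (or whatever the local tunnel address is) runs the same check against the real routing table; a result of not-loopback reproduces the condition shown in the WireGuard excerpt, where the interface's own address is only reachable through wg0.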
Title: Re: Wireguard 0.0.0.0/0 allowed and "Table = off"
Post by: rcmcdonald91 on December 21, 2020, 06:48:38 PM
The problem appears to be upstream:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244330

It will be so nice when we get the kernel module with FreeBSD 13.