Applying Wireguard Peer Settings overwrites Static Routes

Started by crlt, December 08, 2025, 04:36:17 AM

Modifying or adding wireguard peers with a modified allowed IPs field causes some static routes configured in the GUI (or obtained via BGP) to disappear? I've already checked the box to disable adding routes in the wireguard instance but that doesn't seem to change the behavior of the peer setting? Has anyone been able to get around this? It only seems to happen when modifying a peer that has a conflicting route.

I don't need wireguard to install this route but wireguard still needs it since the allowed ips is also a form of authentication for wireguard to allow traffic to pass over its own interface. Anyone have any experience or workarounds?

For example, I have a remote site 10.20.0.0/16 which is routed via BGP over a peering network that goes over the Wireguard tunnel. If I modify the peer of that wireguard tunnel containing any overlapping subnet it will delete the routes learned via BGP or static routes... and wireguard needs to have the allowed IP set (for example to 10.20.0.0/16) to permit traffic over the interface even though the route is not required since that's learned through BGP and the wireguard tunnel interface is a gateway... I have to re-apply any static routes (like to the peering instance) and stop and restart FRR.

Restarting the wireguard tunnel interface also produces this behavior. After restarting (main menu reload button next to the wg interface) the static route from the Routes menu and the routes from BGP disappear. Need to click re-apply in the routes menu on opnsense and then stop and start FRR for the routes to get written again. Wireguard doesn't actually overwrite it but rather just removes it from the routing table.

Edit1: Based on this old bug report this would appear to be expected, but I don't understand how it is bad design? How else would we do dynamic routing over redundant tunnels? https://redmine.pfsense.org/issues/11326 OpenVPN doesn't have this issue since using client specific overrides only adds iroutes and not kernel routes. Maybe the issue isn't wireguard but rather that when the wireguard interface is reloaded it removes any routes added by BGP, which is what I'm seeing (the routes are in the BGP routes but not seen in the kernel routes).

Edit2: Could do an outbound SNAT on the wireguard interface, src any, dest any, NAT'ed to the interface IP, but then that would remove the ability to define granular firewall rules on the opposite rules as it would look like everything originates from the tunnel address.

Edit3: Is this expected? Should I create a bug report? Would it be an opnsense or frr bug?
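Since the post observes that the route loss only shows up when a peer's AllowedIPs overlaps a route that already exists (static or BGP-learned), the practical thing an operator wants before clicking Apply is a list of exactly which kernel routes collide and which routes ride on the tunnel interface about to be reloaded. The script below is an added example, not code from this thread, OPNsense, FRR or WireGuard. It parses a wg-quick style `[Peer]` block and a FreeBSD-style `netstat -rn` snapshot; both inputs here are constructed samples with a placeholder public key, and the assumption that an operator would feed it the real peer section and the real `netstat -rn` output is mine, not something the thread describes. Routes that are supernets of an AllowedIPs prefix (such as the connected /30 covering the peer's tunnel address) are deliberately not reported, because a more specific WireGuard-installed route coexists with them.

```python
"""Pre-apply check: which kernel routes overlap a WireGuard peer's AllowedIPs,
and which routes currently sit on the tunnel interface that will be reloaded.

Added example; not from the forum thread, OPNsense, FRR or WireGuard.
"""
import ipaddress
import re

# Constructed wg-quick style peer section (placeholder key, sample prefixes).
SAMPLE_PEER_CONF = """\
[Peer]
PublicKey = PEER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.20.0.0/16, 10.99.99.2/32
Endpoint = 203.0.113.10:51820
"""

# Constructed FreeBSD-style `netstat -rn` excerpt (IPv4 section only).
SAMPLE_ROUTES = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS       vtnet0
10.20.0.0/16       10.99.99.2         UG        wg1
10.20.5.0/24       10.99.99.6         UG        wg2
10.99.99.0/30      link#7             U         wg1
192.168.1.0/24     link#2             U         vtnet1
"""

ROUTE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_allowed_ips(conf: str) -> list:
    """Return every AllowedIPs prefix in the peer block as an ip_network."""
    nets = []
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "allowedips":
            for item in value.split(","):
                item = item.strip()
                if item:
                    # strict=False tolerates host bits set in a prefix, as wg(8) does.
                    nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def parse_routes(netstat_output: str) -> list:
    """Parse Destination/Gateway/Flags/Netif columns; skip the header and non-IPv4 rows."""
    routes = []
    for line in netstat_output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dest, gateway, flags, netif = m.groups()
        if dest == "default":
            dest = "0.0.0.0/0"
        try:
            net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        except ValueError:
            continue  # header line or something that is not an address
        if net.version != 4:
            continue
        routes.append({"dest": net, "gateway": gateway, "flags": flags, "netif": netif})
    return routes


def find_conflicts(allowed: list, routes: list) -> list:
    """Classify kernel routes against each AllowedIPs prefix.

    'exact'   : the kernel already holds this prefix; a route WireGuard installs
                for the same prefix collides with it (the case the thread hits).
    'covered' : a more specific route inside the AllowedIPs prefix, e.g. a
                BGP-learned /24 under a /16; verify it survives the apply.
    The default route is only considered when AllowedIPs itself is 0.0.0.0/0.
    """
    findings = []
    for route in routes:
        dest = route["dest"]
        for net in allowed:
            if net.version != dest.version:
                continue
            if dest.prefixlen == 0 and net.prefixlen != 0:
                continue
            if dest == net:
                kind = "exact"
            elif net.supernet_of(dest):
                kind = "covered"
            else:
                continue
            findings.append({"allowed": net, "kind": kind, **route})
    return findings


def routes_on_interface(routes: list, netif: str) -> list:
    """Routes whose Netif is the tunnel about to be reloaded; re-check these afterwards."""
    return [r for r in routes if r["netif"] == netif]


def format_report(findings: list, on_tunnel: list) -> list:
    """Human-readable lines for the operator, one per finding."""
    lines = [f"{f['kind']:8} {f['dest']} via {f['gateway']} on {f['netif']} "
             f"(AllowedIPs {f['allowed']})" for f in findings]
    lines += [f"on-tunnel {r['dest']} via {r['gateway']} on {r['netif']}" for r in on_tunnel]
    return lines


if __name__ == "__main__":
    allowed = parse_allowed_ips(SAMPLE_PEER_CONF)
    routes = parse_routes(SAMPLE_ROUTES)
    for line in format_report(find_conflicts(allowed, routes),
                              routes_on_interface(routes, "wg1")):
        print(line)
```

Run against the constructed samples it reports the /16 as an exact collision (the same prefix the post's BGP session advertises), the BGP-style /24 under it as covered, and the two routes on wg1 that the post says vanish after an interface reload. On a live box the interface name passed to `routes_on_interface` is the WireGuard interface being applied; that is an assumption about how the check would be wired in, not an OPNsense feature.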