Allowed_ips does not influence route commands

I am using a GL-MV1000 (Brume) and have a wireguard client installed. I only want traffic destined for the other end of the wireguard tunnel to be routed there, not the default route. If I set allowed IPs to 0.0.0.0/0, which is the default, I get all traffic routed via wg, so it is working, but it is not what I want. If I instead set allowed IPs to 192.168.8.0/21, which is really what I want, the route is still set up for all traffic, with the effect that only traffic for the 192.168.8.0/21 range gets through, as wg blocks the rest.

It appears to me that the culprit is in the route commands in /etc/init.d/S99wireguard, where the following:

# host part of the endpoint; rpublicip is non-empty only when it is a dotted-quad IPv4 address
publicip=$(echo $end_point | cut -d ":" -f1)
rpublicip=`echo $publicip | grep "^[0-9]\{1,3\}\.\([0-9]\{1,3\}\.\)\{2\}[0-9]\{1,3\}"`
# host route to the endpoint via the WAN gateway, so the tunnel's own packets never get sent into wg0
if [ "$rpublicip" != "" ];then
        if [ "$publicip" != "$gw" ];then
                ip route add $publicip via $gw dev $interface 1>/dev/null 2>&1
        fi
else
        if [ "$publicip" != "$gw" ];then
                route add $publicip gw $gw dev $interface 1>/dev/null 2>&1
        fi
fi
# two /1 routes are more specific than the WAN default route, so together they pull all traffic into wg0
ip route add 0/1 dev wg0
ip route add 128/1 dev wg0

is executed regardless of the value of allowed IPs.

Any comments or suggestions?
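As an added example (not the init script's code and not part of the poster's change), here is a POSIX shell function that derives the route lines from an AllowedIPs value, keeping the 0/1 + 128/1 split only for the 0.0.0.0/0 case and refusing anything that is not an IPv4 prefix, so a config value can never turn into an arbitrary shell line. The interface name wg0 and IPv4-only input are assumptions.

```shell
# Added example: turn a WireGuard AllowedIPs string into "ip route add" lines.
# Assumptions: IPv4 only, interface defaults to wg0, the AllowedIPs format is the
# comma-separated list the init script writes to wireguard.conf.

# Accept only a.b.c.d/n with four octets 0-255 and n 0-32. Anything else is
# rejected so a malformed or crafted value never ends up in a route file that
# is later executed with sh.
valid_cidr4() {
    case "$1" in
        *[!0-9./]*|*/*/*|.*|*.|/*|*/|"") return 1 ;;
    esac
    ip=${1%/*}; len=${1#*/}
    [ "$ip" != "$1" ] || return 1            # the /n part is mandatory
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    [ "$len" -le 32 ]
}

# Print one route per allowed prefix. 0.0.0.0/0 cannot simply be added while
# the WAN default route exists, so it is split into 0/1 + 128/1 (what the
# original script did unconditionally); every narrower prefix becomes a normal
# route and nothing else is pulled into the tunnel.
wg_routes_for() {
    dev="${2:-wg0}"
    for aip in $(printf '%s' "$1" | tr ',' ' '); do
        if ! valid_cidr4 "$aip"; then
            echo "rejecting invalid AllowedIPs entry: $aip" >&2
            return 1
        fi
        case "$aip" in
            0.0.0.0/0)
                echo "ip route add 0.0.0.0/1 dev $dev"
                echo "ip route add 128.0.0.0/1 dev $dev" ;;
            *)  echo "ip route add $aip dev $dev" ;;
        esac
    done
}
```

The output is meant to be written to the route file (or piped into sh) at the point where the init script currently adds the two /1 routes.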

I am considering making some modifications. As you suggested, router rules should be set according to allowed IPs.
Now, you can configure your rules by modifying /etc/init.d/wireguard.

Yes, that is what I ended up doing. Here’s a diff -c of my changes:

*** wireguard-save  2020-09-24 18:06:56.540294172 +0200
--- wireguard       2020-09-29 19:36:48.056087443 +0200
***************
*** 8,13 ****
--- 8,14 ----
  #USE_PROCD=1
  #PROC="/usr/bin/wg"
  WFILE="/var/etc/wireguard.conf"
+ RFILE="/data/wg.route"
  EXTRA_COMMANDS=downup

  model=$(get_model)
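Review bot: RFILE is placed under /data, which persists across reboots, while the companion WFILE lives in the tmpfs /var/etc; because the file is later executed with sh, a leftover copy from an earlier configuration would be run if the cleanup at startup were ever skipped. Keeping it beside WFILE (RFILE="/var/etc/wg.route") makes it vanish on reboot and follows the script's existing convention.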
***************
*** 67,72 ****
--- 68,78 ----
        [ -n "$public_key" ] && echo -e "PublicKey = $public_key" >>"$WFILE"
        [ -n "$preshared_key" ] && echo -e "PresharedKey = $preshared_key" >>"$WFILE"
        [ -n "$allowed_ips" ] && echo -e "AllowedIPs = $allowed_ips" >>"$WFILE"
+   
+   for aip in `echo $allowed_ips | sed 's/,/ / g'`
+   do
+           echo ip route add $aip dev wg0 >> "$RFILE"
+   done
        #[ -n "$end_point" ] && echo -e "Endpoint = $end_point" >> "$WFILE"
        if [ "$persistent_keepalive" == "" ];then
                echo -e "PersistentKeepalive = 25" >>"$WFILE"
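Review bot: the loop does not handle the default value 0.0.0.0/0: `ip route add 0.0.0.0/0 dev wg0` fails because the WAN default route already exists, which is exactly why the original code installed 0/1 and 128/1, so that entry needs a special case (emit the two /1 routes) or the all-traffic configuration silently stops working. Two smaller points: 's/,/ / g' has a space before the g flag, which BusyBox sed tolerates but GNU sed rejects, so write 's/,/ /g'; and each $aip is written unvalidated into a file that is later executed with sh, so check that it looks like an IPv4 prefix before echoing it rather than trusting the config value as-is.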
***************
*** 100,106 ****
                uci commit dhcp
                /etc/init.d/dnsmasq restart
        else
!           echo -e "nameserver 209.244.0.3\nnameserver 64.6.64.6" > /tmp/resolv.conf.vpn
                uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.vpn'
                uci commit dhcp
                /etc/init.d/dnsmasq restart
--- 106,112 ----
                uci commit dhcp
                /etc/init.d/dnsmasq restart
        else
!           echo -e "nameserver 1.1.1.1\nnameserver 208.67.222.222\nnameserver 8.8.8.8" > /tmp/resolv.conf.vpn
                uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.vpn'
                uci commit dhcp
                /etc/init.d/dnsmasq restart
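Review bot: swapping the resolver addresses is unrelated to the routing fix and should be a separate change with its own description. Note also that with AllowedIPs narrowed to 192.168.8.0/21, the resolvers 1.1.1.1, 208.67.222.222 and 8.8.8.8 are no longer reached through the tunnel, so these lookups leave via the WAN in the clear; if names on the far side of the tunnel must resolve, a resolver inside the allowed range is needed.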
***************
*** 223,229 ****
  {
        local main_server
        local enable
!   rm -rf "$WFILE"
        config_load wireguard
        config_foreach proxy_func proxy
        if [ "$enable" == "1" -a "$main_server" != "" ];then
--- 229,235 ----
  {
        local main_server
        local enable
!   rm -rf "$WFILE" "$RFILE"
        config_load wireguard
        config_foreach proxy_func proxy
        if [ "$enable" == "1" -a "$main_server" != "" ];then
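Review bot: both targets are regular files, so rm -f is the right flag; -r only adds the risk of recursively deleting a directory if either variable is ever mis-set. Resetting $RFILE here is necessary, though, because the per-peer loop appends with >>, so a stale route list would otherwise accumulate across restarts.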
***************
*** 360,367 ****
                        route add $publicip gw $gw dev $interface 1>/dev/null 2>&1
                fi
        fi
!   ip route add 0/1 dev wg0
!   ip route add 128/1 dev wg0
        echo f >/proc/net/nf_conntrack
        env -i ACTION="ifup" INTERFACE="wg" DEVICE="wg0" /sbin/hotplug-call iface
        update_qos_rule
--- 366,376 ----
                        route add $publicip gw $gw dev $interface 1>/dev/null 2>&1
                fi
        fi
!   #ip route add 0/1 dev wg0
!   #ip route add 128/1 dev wg0
!   sh "$RFILE"
!   # A total hack by bjorn
!   sh /data/etc/wgserver.sh
        echo f >/proc/net/nf_conntrack
        env -i ACTION="ifup" INTERFACE="wg" DEVICE="wg0" /sbin/hotplug-call iface
        update_qos_rule
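Review bot: `sh "$RFILE"` runs unconditionally, but the file only exists when at least one peer had a non-empty allowed_ips; guard it with [ -f "$RFILE" ] && sh "$RFILE". The hardcoded sh /data/etc/wgserver.sh is site-specific and, as its own comment says, a hack: it belongs in a local hook rather than in the shared init script. The two commented-out /1 routes should be deleted rather than left in place, since the route file now replaces them.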

which also includes a few more things, like calling my script to start the wg server and a change to the DNS servers.

I should have added that the above change appears not to work on all systems. I also have a mifi which still runs 3.029, where it would not work.