I am using a GL-MV1000 (Brume) and have a WireGuard client installed. I only want traffic destined for the other end of the WireGuard tunnel to be routed there, not the default route. If I set allowed IPs to 0.0.0.0/0, which is the default, I get all traffic routed via wg, so it is working, but it is not what I want. If I instead set allowed IPs to 192.168.8.0/21, which is really what I want, the route is still set up for all traffic, with the effect that only traffic for the 192.168.8.0/21 range gets through, as wg blocks the rest.
It appears to me that the culprit is in the route commands in /etc/init.d/S99wireguard, where the following:
    # Split the endpoint "host:port" and keep only the host part.
    publicip=$(echo "$end_point" | cut -d ":" -f1)
    # Match a dotted-quad IPv4 literal; a hostname falls through to the else branch.
    rpublicip=$(echo "$publicip" | grep "^[0-9]\{1,3\}\.\([0-9]\{1,3\}\.\)\{2\}[0-9]\{1,3\}")
    if [ -n "$rpublicip" ]; then
        # Host route to the endpoint via the WAN gateway, so the handshake itself
        # is never pulled into the tunnel.
        if [ "$publicip" != "$gw" ]; then
            ip route add "$publicip" via "$gw" dev "$interface" 1>/dev/null 2>&1
        fi
    else
        if [ "$publicip" != "$gw" ]; then
            route add "$publicip" gw "$gw" dev "$interface" 1>/dev/null 2>&1
        fi
    fi
    # Two /1 routes that together cover 0.0.0.0/0 and are more specific than the
    # existing default route, so every packet goes into wg0 whatever AllowedIPs says.
    ip route add 0/1 dev wg0
    ip route add 128/1 dev wg0
is executed regardless of the value of allowed IPs.
I am considering making some modifications. As you suggested, route rules should be set according to allowed IPs.
Now, you can configure your rules by modifying /etc/init.d/wireguard.
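As an added example, not code from the GL.iNet firmware or from anyone in this thread: a POSIX sh function that derives the route list from the AllowedIPs value instead of always installing the 0/1 and 128/1 pair. Each listed prefix gets its own route through the tunnel interface, and the /1 split is emitted only when AllowedIPs really is 0.0.0.0/0. The endpoint 203.0.113.10:51820, gateway 192.168.1.1 and interface names are constructed sample values; the function prints the ip commands rather than running them, so it can be checked without root and then piped to sh on the router.

```shell
#!/bin/sh
# Added example, not the GL-MV1000 init script. Builds WireGuard client routes
# from AllowedIPs. The argument names mirror the variables seen in the init
# script ($end_point, $gw, $interface) but are assumptions about that script.
#
# wg_route_cmds ALLOWED_IPS WG_IFACE ENDPOINT WAN_GW WAN_IFACE
#   ALLOWED_IPS  comma-separated prefix list as in the wg config
#   ENDPOINT     IPv4 literal "host:port" (hostnames are not resolved here)
# Prints one "ip route add ..." line per route.
wg_route_cmds() {
    allowed_ips=$1; wgif=$2; endpoint=$3; gw=$4; wanif=$5

    # Pin the endpoint to the WAN gateway so the handshake never enters the tunnel.
    publicip=${endpoint%:*}
    if [ -n "$gw" ] && [ "$publicip" != "$gw" ]; then
        echo "ip route add $publicip via $gw dev $wanif"
    fi

    # Split on commas and spaces; IFS whitespace next to a comma is swallowed.
    old_ifs=$IFS; IFS=', '
    for prefix in $allowed_ips; do
        [ -n "$prefix" ] || continue
        case $prefix in
            0.0.0.0/0|0/0)
                # Full tunnel: two /1 routes beat the default route without removing it.
                echo "ip route add 0.0.0.0/1 dev $wgif"
                echo "ip route add 128.0.0.0/1 dev $wgif"
                ;;
            *:*)
                # IPv6 prefixes need "ip -6 route"; this example only handles IPv4.
                echo "# skipped IPv6 prefix $prefix"
                ;;
            *)
                # Split tunnel: only this prefix is steered into wg0.
                echo "ip route add $prefix dev $wgif"
                ;;
        esac
    done
    IFS=$old_ifs
}

# Example (constructed values): review the output, then pipe it to sh on the router.
#   wg_route_cmds "192.168.8.0/21" wg0 "203.0.113.10:51820" 192.168.1.1 eth0
```

With AllowedIPs = 192.168.8.0/21 this yields a host route for the endpoint plus a single route for 192.168.8.0/21 via wg0, so other traffic keeps using the normal default route instead of being blackholed by the tunnel.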