bengsig
1
I am using a GL-MV1000 (Brume) and have a WireGuard client installed. I only want traffic destined for the other end of the WireGuard tunnel to be routed there, not the default route. If I set AllowedIPs to 0.0.0.0/0, which is the default, all traffic is routed via wg, so it is working, but it is not what I want. If I instead set AllowedIPs to 192.168.8.0/21, which is really what I want, the route is still set up for all traffic, with the effect that only traffic for the 192.168.8.0/21 range gets through, as wg blocks the rest.
It appears to me that the culprit is in the route commands in /etc/init.d/S99wireguard, where the following:
# Host part of the endpoint (everything before the ":port").
publicip=$(echo $end_point | cut -d ":" -f1)
# Non-empty only when the endpoint is a dotted-quad IPv4 address rather than a hostname.
rpublicip=`echo $publicip | grep "^[0-9]\{1,3\}\.\([0-9]\{1,3\}\.\)\{2\}[0-9]\{1,3\}"`
if [ "$rpublicip" != "" ];then
# Pin the endpoint address to the WAN gateway so it is not itself pulled into the tunnel.
if [ "$publicip" != "$gw" ];then
ip route add $publicip via $gw dev $interface 1>/dev/null 2>&1
fi
else
# Hostname endpoint: same pin, via the legacy route(8) tool which resolves the name.
if [ "$publicip" != "$gw" ];then
route add $publicip gw $gw dev $interface 1>/dev/null 2>&1
fi
fi
# Unconditional default-route override: 0/1 and 128/1 are more specific than 0/0,
# so they win over the WAN default route no matter what AllowedIPs contains.
ip route add 0/1 dev wg0
ip route add 128/1 dev wg0
is executed regardless of the value of AllowedIPs.
Any comments or suggestions?
I am considering making some modifications. As you suggested, the route rules should be set according to AllowedIPs.
For now, you can configure your rules by modifying /etc/init.d/wireguard.
bengsig
3
Yes, that is what I ended up doing. Here’s a diff -c of my changes:
*** wireguard-save 2020-09-24 18:06:56.540294172 +0200
--- wireguard 2020-09-29 19:36:48.056087443 +0200
***************
*** 8,13 ****
--- 8,14 ----
#USE_PROCD=1
#PROC="/usr/bin/wg"
WFILE="/var/etc/wireguard.conf"
+ RFILE="/data/wg.route"
EXTRA_COMMANDS=downup
model=$(get_model)
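Review bot: RFILE="/data/wg.route" puts a generated shell script on persistent storage while WFILE lives under /var/etc (tmpfs). The file is only appended to and only cleared in the config-generation path, and it is later executed with sh, so a copy left by an interrupted start survives a reboot and gets run again; keeping it beside WFILE, e.g. RFILE="/var/etc/wg.route", avoids that.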
***************
*** 67,72 ****
--- 68,78 ----
[ -n "$public_key" ] && echo -e "PublicKey = $public_key" >>"$WFILE"
[ -n "$preshared_key" ] && echo -e "PresharedKey = $preshared_key" >>"$WFILE"
[ -n "$allowed_ips" ] && echo -e "AllowedIPs = $allowed_ips" >>"$WFILE"
+
+ for aip in `echo $allowed_ips | sed 's/,/ / g'`
+ do
+ echo ip route add $aip dev wg0 >> "$RFILE"
+ done
#[ -n "$end_point" ] && echo -e "Endpoint = $end_point" >> "$WFILE"
if [ "$persistent_keepalive" == "" ];then
echo -e "PersistentKeepalive = 25" >>"$WFILE"
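Review bot: as pasted, `sed 's/,/ / g'` has a space before the g flag, which sed rejects as an unknown option to `s`, so the loop body never runs and $RFILE is never written; it should read `sed 's/,/ /g'` (if the space is a forum rendering artifact, fine, but verify). Also `echo ip route add $aip dev wg0 >> "$RFILE"` copies config-derived text into a file that is later run by sh, so each $aip should be checked to look like an address or prefix before it is emitted, and 0.0.0.0/0 still needs to map to the 0/1 and 128/1 pair rather than a plain 0.0.0.0/0 route, which would collide with the existing WAN default route.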
***************
*** 100,106 ****
uci commit dhcp
/etc/init.d/dnsmasq restart
else
! echo -e "nameserver 209.244.0.3\nnameserver 64.6.64.6" > /tmp/resolv.conf.vpn
uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.vpn'
uci commit dhcp
/etc/init.d/dnsmasq restart
--- 106,112 ----
uci commit dhcp
/etc/init.d/dnsmasq restart
else
! echo -e "nameserver 1.1.1.1\nnameserver 208.67.222.222\nnameserver 8.8.8.8" > /tmp/resolv.conf.vpn
uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.vpn'
uci commit dhcp
/etc/init.d/dnsmasq restart
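Review bot: the resolver change (209.244.0.3/64.6.64.6 to 1.1.1.1, 208.67.222.222 and 8.8.8.8) is unrelated to the routing fix and belongs in a separate change with its rationale stated. Note that with AllowedIPs narrowed to 192.168.8.0/21 these public resolvers are reached over the WAN in the clear rather than through the tunnel, which may or may not be intended.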
***************
*** 223,229 ****
{
local main_server
local enable
! rm -rf "$WFILE"
config_load wireguard
config_foreach proxy_func proxy
if [ "$enable" == "1" -a "$main_server" != "" ];then
--- 229,235 ----
{
local main_server
local enable
! rm -rf "$WFILE" "$RFILE"
config_load wireguard
config_foreach proxy_func proxy
if [ "$enable" == "1" -a "$main_server" != "" ];then
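Review bot: `rm -rf` on two regular files works but `rm -f "$WFILE" "$RFILE"` states the intent. More importantly, this is the only place $RFILE is cleared and it runs when the config is regenerated, so the routes added from $RFILE are not explicitly removed on the way down; the stop path is not in this diff and should be checked so that whatever it deletes is symmetric with what $RFILE adds (or it should rely on wg0 being deleted, which takes its routes with it).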
***************
*** 360,367 ****
route add $publicip gw $gw dev $interface 1>/dev/null 2>&1
fi
fi
! ip route add 0/1 dev wg0
! ip route add 128/1 dev wg0
echo f >/proc/net/nf_conntrack
env -i ACTION="ifup" INTERFACE="wg" DEVICE="wg0" /sbin/hotplug-call iface
update_qos_rule
--- 366,376 ----
route add $publicip gw $gw dev $interface 1>/dev/null 2>&1
fi
fi
! #ip route add 0/1 dev wg0
! #ip route add 128/1 dev wg0
! sh "$RFILE"
! # A total hack by bjorn
! sh /data/etc/wgserver.sh
echo f >/proc/net/nf_conntrack
env -i ACTION="ifup" INTERFACE="wg" DEVICE="wg0" /sbin/hotplug-call iface
update_qos_rule
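Review bot: `sh /data/etc/wgserver.sh` runs unconditionally with no existence check, so on any unit without that file the start path prints an error every time; guard it with `[ -f /data/etc/wgserver.sh ] && sh /data/etc/wgserver.sh`, and the same for `sh "$RFILE"`, which does not exist if no peer had AllowedIPs. Delete the two route lines instead of leaving them commented out, and drop the `# A total hack by bjorn` comment from anything shared.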
which also includes a few more things, like calling my script to start the wg server and a change to the DNS servers.
I should have added that the above change appears not to work on all systems. I also have a mifi which still runs 3.029, where it would not work.
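As an added example serving both the first post's description of the problem and the patch above (my code, not the stock GL.iNet script and not bengsig's diff): a POSIX sh fragment that turns an AllowedIPs list into per-prefix routes on the tunnel interface instead of the unconditional 0/1 + 128/1 pair. It assumes the interface is wg0 (overridable through WG_IF) and prints the ip commands rather than running them, so it can be checked without root or a tunnel; the address validation is mine and is there because the generated commands end up being executed by sh.

```shell
#!/bin/sh
# Added example for this thread; not the GL.iNet /etc/init.d/wireguard script.
# Assumptions: WG_IF is the tunnel interface (wg0 on the GL-MV1000); commands are
# printed, not executed, so the logic can be tested without root.

WG_IF="${WG_IF:-wg0}"

# 0 if $1 is an IPv4 address or CIDR (a.b.c.d or a.b.c.d/0-32) with every octet <= 255.
is_ipv4_cidr() (
    printf '%s\n' "$1" \
        | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || exit 1
    addr="${1%%/*}"
    IFS=.
    set -- $addr                         # split the address into its four octets
    for o in "$1" "$2" "$3" "$4"; do
        [ "$o" -le 255 ] || exit 1       # the regex alone would accept 999
    done
    exit 0
)

# 0 if $1 is syntactically an IPv6 address or CIDR (hex groups and colons, /0-128).
# Deliberately loose: its job is to rule out shell metacharacters and junk.
is_ipv6_cidr() {
    printf '%s\n' "$1" \
        | grep -Eq '^[0-9A-Fa-f]{0,4}(:[0-9A-Fa-f]{0,4}){1,7}(/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))?$'
}

# Print one "ip route add" per AllowedIPs entry (comma and/or space separated).
# 0.0.0.0/0 and ::/0 are split into two half-space routes so they beat the WAN
# default route by prefix length, the same trick the stock script applies
# unconditionally. The first entry that is not an address/prefix stops the run
# with status 1, because the output is meant to be fed to sh.
wg_route_cmds() (
    set -f                               # no globbing while the list is word-split
    for aip in $(printf '%s' "$1" | tr ',' ' '); do
        if is_ipv4_cidr "$aip"; then
            case "$aip" in
            0.0.0.0/0)
                printf 'ip route add 0.0.0.0/1 dev %s\n' "$WG_IF"
                printf 'ip route add 128.0.0.0/1 dev %s\n' "$WG_IF" ;;
            *)  printf 'ip route add %s dev %s\n' "$aip" "$WG_IF" ;;
            esac
        elif is_ipv6_cidr "$aip"; then
            case "$aip" in
            ::/0)
                printf 'ip -6 route add ::/1 dev %s\n' "$WG_IF"
                printf 'ip -6 route add 8000::/1 dev %s\n' "$WG_IF" ;;
            *)  printf 'ip -6 route add %s dev %s\n' "$aip" "$WG_IF" ;;
            esac
        else
            printf 'rejected AllowedIPs entry: %s\n' "$aip" >&2
            exit 1
        fi
    done
)

# Usage: ALLOWED_IPS="192.168.8.0/21, 10.9.0.0/16" sh wg-routes.sh
if [ -n "${ALLOWED_IPS:-}" ]; then
    wg_route_cmds "$ALLOWED_IPS"
fi
```

From an init script the generated commands would be applied only after the whole list has validated, e.g. `cmds=$(wg_route_cmds "$allowed_ips") && printf '%s\n' "$cmds" | sh`, so a bad entry aborts the start instead of half-configuring the routing table. With AllowedIPs = 192.168.8.0/21 this yields a single route on wg0 and the WAN default route is left alone, which is the behaviour the first post asks for; with the default 0.0.0.0/0 it reproduces the stock 0/1 + 128/1 override.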