<div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hi,</div><div><br></div><div>We have been trying to use WireGuard on FreeBSD (we are using the WG plugin inside the open source <a href="http://opnsense.org" target="_blank">opnsense.org</a> software). These run FreeBSD 11.2-RELEASE-p9-HBSD (OPNsense 19.7.a_288-amd64).</div><div><br></div><div>We noticed that by default (i.e. no Table=) wireguard-go wg0 adds default routes (as two /31's) as expected. However, if table=off, we get no route at all - not even to the VPN peer. </div><div><br></div><div>The announcement for the Table= option[1] stated:</div><div><br></div><div><font face="monospace, monospace"> In collaboration with Luis Ressel, wg-quick(8) grew an option! We generally</font></div><div><font face="monospace, monospace"> do not like to add things to wg-quick or allow feature-creep, but this was</font></div><div><font face="monospace, monospace"> basic enough and mostly involves disabling functionality. Specifically,</font></div><div><font face="monospace, monospace"> wg-quick now accepts a Table= parameter with these semantics:</font></div><div><font face="monospace, monospace"> </font></div><div><font face="monospace, monospace"> ~ Table=auto (default) selects the current behaviour</font></div><div><font face="monospace, monospace"> ~ Table=off disables creation of routes from allowed ips altogether</font></div><div><font face="monospace, monospace"> ~ All other values are passed through to "ip route add"'s table option</font></div><div><font face="monospace, monospace"> </font></div><div><font face="monospace, monospace"> This should enable people to do basic policy routing. It also matches the</font></div><div><font face="monospace, monospace"> functionality provided by LEDE/OpenWRT's uci config as well as NixOS's</font></div><div><font face="monospace, monospace"> networking configuration.</font></div><div><br></div><div>Ignoring the "creation of routes from allowed ips", it does not even add the subnet defined in [Interface]. netstat -r | grep wg returns nothing. </div><div><br></div><div>As a concrete example, if I take the trivial config at <a href="https://wiki.archlinux.org/index.php/WireGuard" target="_blank">https://wiki.archlinux.org/index.php/WireGuard</a>:</div><div><br></div><div><font face="monospace, monospace">[Interface]</font></div><div><font face="monospace, monospace">Address = <a href="http://10.200.200.2/24" target="_blank">10.200.200.2/24</a></font></div><div><font face="monospace, monospace">PrivateKey = [FOO's PRIVATE KEY]</font></div><div><font face="monospace, monospace">DNS = 10.200.200.1</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">[Peer]</font></div><div><font face="monospace, monospace">PublicKey = [SERVER PUBLICKEY]</font></div><div><font face="monospace, monospace">PresharedKey = [PRE-SHARED KEY]</font></div><div><font face="monospace, monospace">AllowedIPs = <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>, ::/0</font></div><div><font face="monospace, monospace">Endpoint = <a href="http://my.ddns.address.com:51820" target="_blank">my.ddns.address.com:51820</a></font></div><div><br></div><div>I would (naively) expect this:</div><div>Table=auto: inject route for <a href="http://10.200.200.2/24" target="_blank">10.200.200.2/24</a> *and* <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> via wg0</div><div>Table=off: inject route for <a href="http://10.200.200.2/24" target="_blank">10.200.200.2/24</a> *only* via wg0</div><div><br></div><div>What actually happens is:</div><div>Table=auto: as above/expected</div><div>Table=off: no route out wg0</div><div><br></div><div>This mean with Table=off, you are in the extremely confusing situation that you cant even ping the other peer.</div><div><br></div><div>Testing on Linux (Kernel 4.15.0-1032-aws inside a 18.04 AMI (public AMI - ami-07dc734dc14746eab)) shows that the behavior is different - its as I expect for both Table values. With this wg0.conf:</div><div><br></div><div><div><font face="monospace, monospace">root@ip-172-31-39-185:~# cat /etc/wireguard/wg0.conf</font></div><div><font face="monospace, monospace">[Interface]</font></div><div><font face="monospace, monospace">Address = <a href="http://192.168.2.1/24" target="_blank">192.168.2.1/24</a></font></div><div><font face="monospace, monospace">PrivateKey = eEIwdXp8jKV9/2MEwxYBqQLu4TZqBv9YWvG9fbMuaG4=</font></div><div><font face="monospace, monospace">Table = off</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">[Peer]</font></div><div><font face="monospace, monospace">PublicKey = pHQfWzLAUM85vDO6+MZAneBYhapOHUkPAuxr0lJdZlY=</font></div><div><font face="monospace, monospace">AllowedIPs = <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></font></div><div><font face="monospace, monospace">Endpoint = <a href="http://18.130.138.71:51820" target="_blank">18.130.138.71:51820</a></font></div></div><div><font face="monospace, monospace"><br></font></div><div>I get this route:</div><div><br></div><div><div><font face="monospace, monospace">root@ip-172-31-39-185:~# ip route show | grep wg0</font></div><div><font face="monospace, monospace"><a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> dev wg0 proto kernel scope link src 192.168.2.1</font></div></div><div><br></div><div>Note the /24 route (as expected). With Table undefined or set to auto, I get the 0.0.0.0 route (also as expected).</div><div><br></div><div>I dont know much about FreeBSD, but I launched a test EC2 instance (FreeBSD 12.0-RELEASE based on public ami-0d244633039d93966 with kernel reported as 12.0-RELEASE-p3) and I think I see the same thing (i.e. no /24 route):</div><div><br></div><div><div><font face="monospace, monospace">root@freebsd:/etc/wireguard # netstat -rn | grep wg0</font></div><div><font face="monospace, monospace">192.168.2.5 link#3 UH wg0</font></div><div><font face="monospace, monospace">fe80::%wg0/64 link#3 U wg0</font></div><div><font face="monospace, monospace">fe80::1427:e888:767c:dce1%wg0 link#3 UHS lo0</font></div><div><font face="monospace, monospace">root@freebsd:/etc/wireguard # ping 192.168.2.5</font></div></div><div><br></div><div>Somebody more expert than me can comment on whether this is expected or not. At the very least, hopefully this post is useful for somebody else. For our specific problem, we have fixed this by putting a static route in for the "Address" subnet across wg0.</div><div><br></div><div>-Alex</div><div><br></div><div>[1] <a href="https://lists.zx2c4.com/pipermail/wireguard/2017-December/002231.html" target="_blank">https://lists.zx2c4.com/pipermail/wireguard/2017-December/002231.html</a></div></div></div></div></div></div></div></div></div></div></div>
</div></div>