openwrt route_allowed_ips is imprecise

Baptiste Jonglez baptiste at bitsofnetworks.org
Tue Dec 20 02:13:34 CET 2016


On Sun, Dec 18, 2016 at 09:14:18PM +0100, Jason A. Donenfeld wrote:
> The way it should be done is described in wg-config:
> 
> https://git.zx2c4.com/WireGuard/tree/contrib/examples/wg-config/wg-config#n130
> 
>     if [[ $AUTO_ROUTE -eq 1 ]]; then
>         for i in $(wg show "$INTERFACE" allowed-ips | cut -f 2 | tr -d ,); do
>         if ! add_default "$i" && [[ $(ip route get "$i") != *dev\ $INTERFACE\ * ]]; then
>                 add_route "$i"
>             fi
>         done
>     fi

> the important thing is that I run `ip route get` for each one, and only
> add a route if necessary.

By the way, besides the issue of magic, this approach seems incorrect
depending on the order of the routes.  Consider the case where cmd_add()
handles the following sequence of allowed-ips:

    10.0.0.0/8   dev wg0
    10.4.7.0/24  dev wg0
    10.4.0.0/16  dev wg1

Your method would incorrectly drop the second route, and then the third
route would take over traffic for this /24 through the wrong interface.

I'm sure this approach can be made to actually work in all cases (with
great complexity), but really, who cares about a few redundant routes.

Baptiste
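A simulation of the order dependence described above, added here as an example and not code from the thread or from wg-config: a toy longest-prefix table stands in for the kernel FIB and for `ip route get`, the function names are mine, and add_default's handling of 0.0.0.0/0 is left out. It also runs the same three prefixes in reversed order, where the skip heuristic happens to give the right answer, which is exactly why it is fragile.

```python
import ipaddress

# Constructed route sets; the first is the sequence from the post.
ORDER_FROM_POST = [("10.0.0.0/8", "wg0"), ("10.4.7.0/24", "wg0"), ("10.4.0.0/16", "wg1")]
ORDER_REVERSED = [("10.4.0.0/16", "wg1"), ("10.4.7.0/24", "wg0"), ("10.0.0.0/8", "wg0")]


def lookup(table, addr):
    """Longest-prefix match over [(network, dev)], standing in for `ip route get`.
    Returns the device name, or None when nothing matches."""
    best = None
    for net, dev in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def add_skipping_covered(table, allowed_ips):
    """The wg-config heuristic: add a route only if the prefix does not already
    resolve via the same device (hypothetical name, stands in for the bash loop)."""
    for cidr, dev in allowed_ips:
        net = ipaddress.ip_network(cidr)
        if lookup(table, net.network_address) != dev:
            table.append((net, dev))
    return table


def add_unconditionally(table, allowed_ips):
    """Install every allowed-ip as a route; a redundant entry costs nothing."""
    for cidr, dev in allowed_ips:
        table.append((ipaddress.ip_network(cidr), dev))
    return table


def egress_device(strategy, allowed_ips, dst="10.4.7.1"):
    """Build a table with `strategy` and report which device `dst` would leave on."""
    table = strategy([], allowed_ips)
    return lookup(table, ipaddress.ip_address(dst))


if __name__ == "__main__":
    for name, order in (("post order", ORDER_FROM_POST), ("reversed", ORDER_REVERSED)):
        print(name, "skip-if-covered ->", egress_device(add_skipping_covered, order),
              "| unconditional ->", egress_device(add_unconditionally, order))
```

In the post's order the heuristic drops 10.4.7.0/24 because the /8 already points at wg0, so 10.4.7.1 later leaves via wg1; installing every allowed-ip keeps it on wg0 regardless of order.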