openwrt route_allowed_ips is imprecise

Baptiste Jonglez baptiste at
Tue Dec 20 02:13:34 CET 2016

On Sun, Dec 18, 2016 at 09:14:18PM +0100, Jason A. Donenfeld wrote:
> The way it should be done is described in wg-config:
>     if [[ $AUTO_ROUTE -eq 1 ]]; then
>         for i in $(wg show "$INTERFACE" allowed-ips | cut -f 2 | tr -d ,); do
>             if ! add_default "$i" && [[ $(ip route get "$i") != *dev\ $INTERFACE\ * ]]; then
>                 add_route "$i"
>             fi
>         done
>     fi

> the important thing is that I run `ip route get` for each one, and only
> add a route if necessary.

By the way, besides the issue of magic, this approach seems incorrect
depending on the order of the routes.  Consider the case where cmd_add()
handles the following sequence of allowed-ips:   dev wg0  dev wg0  dev wg1

Your method would incorrectly drop the second route, and then the third
route would take over traffic for this /24 through the wrong interface.

I'm sure this approach can be made to actually work in all cases (with
great complexity), but really, who cares about a few redundant routes.

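Added example, not part of the original message or of wg-config: a small Python model of the ordering problem raised above, comparing "add a route only if `ip route get` does not already point at the interface" with "always add the route". The prefixes are constructed (the ones in the message did not survive), `ip route get` is modelled as a plain longest-prefix match, the `add_default` branch is ignored, and all function names are hypothetical.

```python
import ipaddress

def route_get(table, prefix):
    """Model of `ip route get`: longest-prefix match on the prefix's first address."""
    addr = ipaddress.ip_network(prefix).network_address
    hits = [(net, dev) for net, dev in table if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def add_if_needed(table, prefix, dev):
    """The quoted check: skip the route when the lookup already leaves via dev."""
    if route_get(table, prefix) == dev:
        return False
    table.append((ipaddress.ip_network(prefix), dev))
    return True

def add_always(table, prefix, dev):
    """Alternative: install every allowed-ip as a route, redundant or not."""
    table.append((ipaddress.ip_network(prefix), dev))
    return True

# Constructed allowed-ips sequence, processed in this order (assumption).
ALLOWED_IPS = [
    ("10.0.0.0/8", "wg0"),
    ("10.1.1.0/24", "wg0"),   # already covered by the /8 when it is processed
    ("10.1.0.0/16", "wg1"),   # later, wider than the /24 but narrower than the /8
]

def build(adder, entries=ALLOWED_IPS):
    """Apply one strategy to the whole sequence; return the table and per-entry results."""
    table = []
    added = [adder(table, prefix, dev) for prefix, dev in entries]
    return table, added

def demo():
    for name, adder in (("check-first", add_if_needed), ("always-add", add_always)):
        table, added = build(adder)
        # 10.1.1.5 is a constructed host inside the /24 that belongs to wg0.
        print(name, "added:", added, "| 10.1.1.5 ->", route_get(table, "10.1.1.5/32"))

if __name__ == "__main__":
    demo()
```

With the check-first strategy the /24 is skipped and the host inside it resolves to wg1; with the always-add strategy it resolves to wg0.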