Why does 'allowed-ips' affect route selection behavior?

Jason A. Donenfeld Jason at zx2c4.com
Mon Apr 16 00:26:56 CEST 2018


Hi Patrick,

I see some others on the wireguard mailing list have replied to a
ghost email. That is, I don't have the original that they're replying
to. Looking into it a bit further, it appears that reasonable spam
filters -- which includes but is not limited to gmail's -- will have
your mail immediately bounced, because of your strict dmarc entry
("v=DMARC1; p=reject; rua=mailto:dmarc at insaneirish.com"), since
mailing list servers like lists.zx2c4.com tend to "remail" things. You
might want to loosen these up a bit. Anyway, I've pulled it out of the
archives for quoting here:

> Hi Folks,
>
> Getting my feet wet with wireguard and enjoying the simplicity and
> performance thus far. Nonetheless, I have a question about how the
> normal route selection process is being affected by what's configured
> for 'allowed-ips'.
>
> I set up a peer and configured 'allowed-ips' for 0.0.0.0/0, as I was
> going to be sending multiple routes over the peer link via BGP and
> didn't want to keep modifying it. However, even though my default
> route was over a different interface, this seemed to result in Linux
> trying to route default traffic over wg0 despite there not being a
> default route pointing to wg0.
>
> Specifically:
>
> $ sudo ip route show
> default via 10.199.199.1 dev wlan0
> 10.111.111.0/24 dev wg0 proto kernel scope link src 10.111.111.100
> 10.199.199.0/24 dev wlan0 proto kernel scope link src 10.199.199.131
>
> By this route table, traffic to e.g. 4.2.2.1 should use 10.199.199.1.
> Packet captures were showing traffic trying to instead use wg0. Then I
> found this:
>
> $ sudo ip route get 4.2.2.1
> 4.2.2.1 dev wg0 table 51820 src 10.111.111.100
>     cache
>
> Can someone please explain this behavior?
>
> Obligatory... $ uname -rvm
> 4.14.30-v7+ #1102 SMP Mon Mar 26 16:45:49 BST 2018 armv7l
>
> And... $ dpkg -l | grep wireguard
> ii  wireguard                       0.0.20180413-1               all
>        fast, modern, secure kernel VPN tunnel (metapackage)
> ii  wireguard-dkms                  0.0.20180413-1               all
>        fast, modern, secure kernel VPN tunnel (DKMS version)
> ii  wireguard-tools                 0.0.20180413-1               armhf
>        fast, modern, secure kernel VPN tunnel (userland utilities)

Are you using wg-quick(8)? If so, wg-quick will by default do special
things to sync up the allowed ips and the system routing table, which
includes some special case rule tricks for 0.0.0.0/0. It sounds like
you know what you're doing and don't actually want this behavior. For
this, you can simply specify Table=off in the [Interface] section.
This overrides the default value of Table=auto. Alternatively, you can
choose Table=main if you want those routes added to the default table
with no special rule tricks. Or, you can choose an arbitrary
named-table or number if you'd like to add the allowed ips to some
other routing table. The man page has info.

Jason
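To make the `ip route get` result in the thread concrete, here is an added example (not from the email or from wg-quick itself) that models the kernel's policy-routing lookup with the rules wg-quick's Table=auto installs for a 0.0.0.0/0 peer: a `suppress_prefixlength 0` rule on main followed by a `not fwmark 51820 table 51820` rule. The rule set and the fwmark value are assumed from wg-quick's behaviour, not stated in the thread; the routing tables are constructed from the `ip route show` output quoted above.

```python
import ipaddress

# Main table, constructed from the `ip route show` output in the thread:
# (prefix, device, gateway).
MAIN = [
    ("0.0.0.0/0", "wlan0", "10.199.199.1"),
    ("10.111.111.0/24", "wg0", None),
    ("10.199.199.0/24", "wlan0", None),
]
# Table 51820 as wg-quick (Table=auto) fills it for AllowedIPs=0.0.0.0/0 (assumed).
TABLES = {"main": MAIN, 51820: [("0.0.0.0/0", "wg0", None)]}

# Policy rules in priority order. Assumed from wg-quick's Table=auto handling:
#   ip rule add table main suppress_prefixlength 0
#   ip rule add not fwmark 51820 table 51820
#   (the kernel's default 'from all lookup main' rule comes last)
AUTO_RULES = [
    {"table": "main", "suppress_prefixlength": 0},
    {"not_fwmark": 51820, "table": 51820},
    {"table": "main"},
]
# With Table=off, wg-quick touches neither rules nor routes: only the default rule remains.
OFF_RULES = [{"table": "main"}]


def lookup_table(table, dst):
    """Longest-prefix match within one table; returns (prefixlen, dev, gw) or None."""
    best = None
    for prefix, dev, gw in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev, gw)
    return best


def route(dst, fwmark=None, rules=AUTO_RULES, tables=TABLES):
    """Walk the rules in order, the way the kernel's routing policy database does."""
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if "not_fwmark" in rule and fwmark == rule["not_fwmark"]:
            continue  # 'not fwmark N': marked packets skip this rule
        hit = lookup_table(tables[rule["table"]], dst)
        if hit is None:
            continue
        prefixlen, dev, gw = hit
        if prefixlen <= rule.get("suppress_prefixlength", -1):
            continue  # suppress_prefixlength: discard the match, try the next rule
        return {"table": rule["table"], "dev": dev, "gw": gw}
    return None
```

With the auto rules, an unmarked packet to 4.2.2.1 has its main-table default route suppressed and falls through to table 51820 on wg0, exactly as `ip route get` showed; WireGuard's own marked packets skip that rule and still leave via wlan0, and with `OFF_RULES` everything follows the main table.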
