Why does 'allowed-ips' affect route selection behavior?

Jason A. Donenfeld Jason at zx2c4.com
Mon Apr 16 00:26:56 CEST 2018

Hi Patrick,

I see some others on the wireguard mailing list have replied to a
ghost email. That is, I don't have the original that they're replying
to. Looking into it a bit further, it appears that reasonable spam
filters -- which includes but is not limited to gmail's -- will have
your mail immediately bounced, because of your strict dmarc entry
("v=DMARC1; p=reject; rua=mailto:dmarc at insaneirish.com"), since
mailing list servers like lists.zx2c4.com tend to "remail" things. You
might want to loosen these up a bit. Anyway, I've pulled it out of the
archives for quoting here:

> Hi Folks,
> Getting my feet wet with wireguard and enjoying the simplicity and
> performance thus far. Nonetheless, I have a question about how the
> normal route selection process is being affected by what's configured
> for 'allowed-ips'.
> I set up a peer and configured 'allowed-ips' for, as I was
> going to be sending multiple routes over the peer link via BGP and
> didn't want to keep modifying it. However, even though my default
> route was over a different interface, this seemed to result in Linux
> trying to route default traffic over wg0 despite there not being a
> default route pointing to wg0.
> Specifically:
> $ sudo ip route show
> default via dev wlan0
> dev wg0 proto kernel scope link src
> dev wlan0 proto kernel scope link src
> By this route table, traffic to e.g. should use
> Packet captures were showing traffic trying to instead use wg0. Then I
> found this:
> $ sudo ip route get
> dev wg0 table 51820 src
>     cache
> Can someone please explain this behavior?
> Obligatory... $ uname -rvm
> 4.14.30-v7+ #1102 SMP Mon Mar 26 16:45:49 BST 2018 armv7l
> And... $ dpkg -l | grep wireguard
> ii  wireguard                       0.0.20180413-1               all
>        fast, modern, secure kernel VPN tunnel (metapackage)
> ii  wireguard-dkms                  0.0.20180413-1               all
>        fast, modern, secure kernel VPN tunnel (DKMS version)
> ii  wireguard-tools                 0.0.20180413-1               armhf
>        fast, modern, secure kernel VPN tunnel (userland utilities)

Are you using wg-quick(8)? If so, wg-quick will by default do special
things to sync up the allowed ips and the system routing table, which
includes some special case rule tricks for It sounds like
you know what you're doing and don't actually want this behavior. For
this, you can simply specify Table=off in the [Interface] section.
This overrides the default value of Table=auto. Alternatively, you can
choose Table=main if you want those routes added to the default table
with no special rule tricks. Or, you can choose an arbitrary
named-table or number if you'd like to add the allowed ips to some
other routing table. The man page has info.
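As an added illustration of the Table= setting described above (this configuration is not from the thread, and every key, address and endpoint in it is a placeholder), here is a wg-quick(8) config for the situation in the question: a peer whose AllowedIPs covers the default route so that routes learned over BGP can be sent through the tunnel, but where wg-quick must not touch the routing table itself.

```ini
# /etc/wireguard/wg0.conf (example added here, not from the thread)
#
# With the default Table=auto, an AllowedIPs entry of 0.0.0.0/0 or ::/0
# makes wg-quick install that route in routing table 51820 and add
# policy rules that send ordinary (non-tunnel) traffic through that
# table before the main table is consulted. That is why "ip route get"
# in the question reported "dev wg0 table 51820" even though the main
# table's default route pointed at wlan0.
#
# Table=off tells wg-quick to add no routes and no rules at all, so a
# routing daemon (BGP here) owns the routing table. The AllowedIPs list
# still matters: it is WireGuard's cryptokey routing table, deciding
# which peer an outgoing packet is encrypted to and which source
# addresses a peer is allowed to send from.

[Interface]
# placeholder values; generate real ones with "wg genkey" / "wg pubkey"
PrivateKey = <base64-private-key-placeholder>
Address = 10.0.0.2/32
Table = off

[Peer]
PublicKey = <peer-public-key-placeholder>
Endpoint = vpn.example.net:51820
# wide open on purpose: the kernel route table, not this list,
# decides what actually enters wg0
AllowedIPs = 0.0.0.0/0, ::/0
```

After `wg-quick up wg0` with this file, `ip rule show` should contain no rule referring to table 51820 and `ip route show table 51820` should be empty, while `wg show wg0 allowed-ips` still lists 0.0.0.0/0 and ::/0 for the peer. Replacing `Table = off` with `Table = main` makes wg-quick add the AllowedIPs routes to the main table as plain routes, without the table-51820 policy rules, which is the middle option mentioned above.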