Reconciling "cryptokey-based" and regular routing
rm at romanrm.net
Fri Mar 16 18:01:11 CET 2018
I need to have multiple gateways on my WG network that can provide access to
the entire IPv4 (or IPv6) Internet, for redundancy and load-balancing
In WG terms this means I need to set AllowedIPs to 0.0.0.0/0 on more than one
peer. Then I would add routes into the regular routing table for various
ip -4 route add 126.96.36.199 via 10.0.0.1
ip -4 route add 188.8.131.52 via 10.0.0.2
ip -4 route add default \
nexthop via 10.0.0.1 weight 1 \
nexthop via 10.0.0.2 weight 1
But as documentation and some testing show, this can't really work in WG's
"cryptokey-routing" system. If multiple hosts have 0.0.0.0/0 as allowed IPs,
WG just sends everything to a random one of them (the first one?),
disregarding all of the routing table settings from the examples above.
Is there any possibility to still use multiple routers like that?
If not, then could you add an option to not use AllowedIPs for routing?
Or at least to not enforce filtering on incoming packets -- then perhaps I
could have only 10.0.0.1 and 10.0.0.2 in AllowedIPs for those hosts, and
outgoing routing would work properly, with replies from Internet hosts not
getting filtered out?
(Apologies for multiple posts per day, I'm just deploying WireGuard for the
first time today, and it's quite unusual compared to what I used before. I
will stop soon :)
More information about the WireGuard