Reconciling "cryptokey-based" and regular routing

Tim Sedlmeyer tim at sedlmeyer.org
Fri Mar 16 18:22:48 CET 2018


You need to create multiple wireguard interfaces and assign a single
peer to each.

On Fri, Mar 16, 2018 at 1:01 PM, Roman Mamedov <rm at romanrm.net> wrote:
> Hello,
>
> I need to have multiple gateways on my WG network that can provide access to
> the entire IPv4 (or IPv6) Internet, for redundancy and load-balancing
> purposes.
>
> In WG terms this means I need to set AllowedIPs to 0.0.0.0/0 on more than one
> peer. Then I would add routes into the regular routing table for various
> destinations,
>
> ip -4 route add 8.8.8.8 via 10.0.0.1
> ip -4 route add 8.8.4.4 via 10.0.0.2
>
> or
>
> ip -4 route add default \
>   nexthop via 10.0.0.1 weight 1 \
>   nexthop via 10.0.0.2 weight 1
>
> or whatever.
>
> But as documentation and some testing show, this can't really work in WG's
> "cryptokey-routing" system. If multiple hosts have 0.0.0.0/0 as allowed IPs,
> WG just sends everything to a random one of them (the first one?),
> disregarding all of the routing table settings from the examples above.
>
> Is there any possibility to still use multiple routers like that?
>
> If not, then could you add an option to not use AllowedIPs for routing?
> Or at least to not enforce filtering on incoming packets -- then perhaps I
> could have only 10.0.0.1 and 10.0.0.2 in AllowedIPs for those hosts, and
> outgoing routing would work properly, with replies from Internet hosts not
> getting filtered out?
>
> (Apologies for multiple posts per day, I'm just deploying WireGuard for the
> first time today, and it's quite unusual compared to what I used before. I
> will stop soon :)
>
> --
> With respect,
> Roman
> _______________________________________________
> WireGuard mailing list
> WireGuard at lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
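The approach in Tim's reply, worked through as an added example (my own script, not code from the thread or from the WireGuard project): one interface per gateway, each with a single peer whose allowed-ips is 0.0.0.0/0, so the kernel routing table, not cryptokey routing, decides which gateway a destination uses. Interface names, addresses, endpoints, key paths and the UPLINK_GW value are placeholders (TEST-NET ranges), and the peer endpoints are assumed to be IPv4.

```shell
#!/bin/sh
# Added example, not from the thread: one WireGuard interface per Internet
# gateway.  Each interface has its own cryptokey-routing table, so wg0 and wg1
# can both hold a peer with allowed-ips 0.0.0.0/0 without one displacing the
# other, and ordinary `ip route` entries choose between them.
# All keys, addresses, endpoints and paths below are placeholders.
set -eu

UPLINK_GW=${UPLINK_GW:-192.0.2.1}   # physical default gateway (placeholder)
GW1_PUBKEY=${GW1_PUBKEY:-PLACEHOLDER_PUBKEY_OF_GATEWAY_1}
GW2_PUBKEY=${GW2_PUBKEY:-PLACEHOLDER_PUBKEY_OF_GATEWAY_2}

# run CMD ARGS...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# gateway_up IFACE LOCAL_ADDR PEER_ADDR PEER_PUBKEY ENDPOINT KEYFILE
# One interface, one peer, full-Internet allowed-ips.  The peer may send us
# packets from any source (what a default gateway has to do) and receives
# whatever the routing table points at this interface.
gateway_up() {
    iface=$1 laddr=$2 peer_addr=$3 pubkey=$4 endpoint=$5 keyfile=$6
    # Pin the peer's public endpoint to the physical uplink; otherwise the
    # default route installed later would send the tunnel into itself.
    run ip -4 route replace "${endpoint%:*}" via "$UPLINK_GW"
    run ip link add "$iface" type wireguard
    run wg set "$iface" private-key "$keyfile" \
        peer "$pubkey" endpoint "$endpoint" allowed-ips 0.0.0.0/0
    # Point-to-point addressing: /32 on our side and a host route to the
    # gateway's tunnel address on this interface, so the two links never
    # share a subnet and `via 10.0.0.x` resolves to exactly one interface.
    run ip -4 address add "$laddr" peer "$peer_addr" dev "$iface"
    run ip link set "$iface" up
}

# gateways_up: bring up both gateway links, then route with the regular table.
gateways_up() {
    gateway_up wg0 10.0.0.10 10.0.0.1 "$GW1_PUBKEY" 203.0.113.1:51820 /etc/wireguard/wg0.key
    gateway_up wg1 10.0.0.11 10.0.0.2 "$GW2_PUBKEY" 203.0.113.2:51820 /etc/wireguard/wg1.key
    # Per-destination choice, exactly as asked in the original post ...
    run ip -4 route replace 8.8.8.8 via 10.0.0.1 dev wg0
    run ip -4 route replace 8.8.4.4 via 10.0.0.2 dev wg1
    # ... and an ECMP default.  The kernel hashes each flow onto one nexthop;
    # if each gateway masquerades what it forwards, replies return through the
    # gateway that sent them, and the 0.0.0.0/0 allowed-ips on that interface
    # lets them in.
    run ip -4 route replace default \
        nexthop via 10.0.0.1 dev wg0 weight 1 \
        nexthop via 10.0.0.2 dev wg1 weight 1
}

# `DRY_RUN=1 sh wg-gateways.sh up` prints the commands; as root without
# DRY_RUN it applies them.
if [ "${1:-}" = up ]; then
    gateways_up
fi
```

Preview with `DRY_RUN=1 sh wg-gateways.sh up` before running it as root. The endpoint host routes matter: once the default route points into the tunnels, the encrypted UDP packets to the gateways must still leave through the physical uplink, or the interface loops. Nothing here changes what allowed-ips enforces on ingress; each gateway can only inject traffic on its own interface, and both are trusted to deliver packets from arbitrary Internet sources, which is the property a default gateway needs anyway.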

