Reconciling "cryptokey-based" and regular routing
aaronmdjones at gmail.com
Fri Mar 16 18:35:21 CET 2018
On 16/03/18 17:01, Roman Mamedov wrote:
> I need to have multiple gateways on my WG network that can provide
> access to the entire IPv4 (or IPv6) Internet, for redundancy and
> load-balancing purposes.
> In WG terms this means I need to set AllowedIPs to 0.0.0.0/0 on
> more than one peer. Then I would add routes into the regular
> routing table for various destinations,
> ip -4 route add 220.127.116.11 via 10.0.0.1
> ip -4 route add 18.104.22.168 via
> ip -4 route add default \
>     nexthop via 10.0.0.1 weight 1 \
>     nexthop via 10.0.0.2 weight 1
> or whatever.
WireGuard is a layer 3 interface; there is no ARP/NDP or other layer 2
semantics. This means "via foo" doesn't mean anything and is pointless.
> But as documentation and some testing show, this can't really work
> in WG's "cryptokey-routing" system. If multiple hosts have
> 0.0.0.0/0 as allowed IPs, WG just sends everything to a random one
> of them (the first one?), disregarding all of the routing table
> settings from the examples above.
If you add a duplicate AllowedIPs to a peer, it will remove it from the
previous peer, so the "order" is "most recently-configured".
> Is there any possibility to still use multiple routers like that?
Use multiple WireGuard interfaces.
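The following is an added model illustrating the two points in this reply; it is not WireGuard's code and not part of the original thread. It treats each interface's AllowedIPs as a per-interface longest-prefix table in which a prefix belongs to one peer at a time (re-adding it moves it to the most recently configured peer), and models the regular routing table as a separate longest-prefix lookup that selects an interface by `dev`, with no next-hop address. Interface names `wg0`/`wg1`, peer labels `gw1`/`gw2` and the sample destinations are constructed for the example (the addresses are taken from the quoted post).

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress._BaseNetwork


class CryptokeyTable:
    """Toy model of one WireGuard interface's AllowedIPs table (constructed
    illustration, not the real implementation). Invariant modelled from the
    reply: a prefix maps to at most one peer per interface, and configuring
    it on another peer removes it from the previous owner."""

    def __init__(self, name: str) -> None:
        self.name = name
        # prefix -> peer label (strings stand in for public keys)
        self.allowed: Dict[Net, str] = {}

    def set_allowed_ip(self, peer: str, prefix: str) -> Optional[str]:
        """Assign prefix to peer; return the peer that lost it, if any."""
        net = ipaddress.ip_network(prefix, strict=False)
        previous = self.allowed.get(net)
        self.allowed[net] = peer
        return previous

    def peer_for(self, dst: str) -> Optional[str]:
        """Longest-prefix match over AllowedIPs to pick the peer."""
        ip = ipaddress.ip_address(dst)
        best: Optional[Tuple[Net, str]] = None
        for net, peer in self.allowed.items():
            if net.version == ip.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def peers_with_allowed_ips(self) -> set:
        return set(self.allowed.values())


def kernel_route(routes: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Toy regular routing table: (prefix, interface) entries, longest-prefix
    match. A WireGuard route only needs 'dev wgN'; there is no layer 2 next
    hop to name, which is why 'via 10.0.0.x' carries no meaning here."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Tuple[Net, str]] = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None


def deliver(interfaces: Dict[str, CryptokeyTable],
            routes: List[Tuple[str, str]], dst: str) -> Optional[Tuple[str, str]]:
    """Two-stage lookup: the regular table chooses the interface, then that
    interface's cryptokey table chooses the peer."""
    iface = kernel_route(routes, dst)
    if iface is None or iface not in interfaces:
        return None
    peer = interfaces[iface].peer_for(dst)
    return (iface, peer) if peer else None


def single_interface_setup() -> Tuple[Dict[str, CryptokeyTable], List[Tuple[str, str]], Optional[str]]:
    """Both gateways as peers of one interface, each with 0.0.0.0/0: the
    second assignment evicts the first, so every destination goes to gw2
    whatever the regular routing table says."""
    wg0 = CryptokeyTable("wg0")
    wg0.set_allowed_ip("gw1", "0.0.0.0/0")
    evicted = wg0.set_allowed_ip("gw2", "0.0.0.0/0")
    routes = [("0.0.0.0/0", "wg0"), ("18.104.22.168/32", "wg0")]
    return {"wg0": wg0}, routes, evicted


def multi_interface_setup() -> Tuple[Dict[str, CryptokeyTable], List[Tuple[str, str]]]:
    """One interface per gateway, each holding 0.0.0.0/0 independently; the
    regular routing table then steers destinations by interface."""
    wg0, wg1 = CryptokeyTable("wg0"), CryptokeyTable("wg1")
    wg0.set_allowed_ip("gw1", "0.0.0.0/0")
    wg1.set_allowed_ip("gw2", "0.0.0.0/0")
    routes = [("0.0.0.0/0", "wg0"), ("18.104.22.168/32", "wg1")]
    return {"wg0": wg0, "wg1": wg1}, routes


if __name__ == "__main__":
    ifaces, routes, evicted = single_interface_setup()
    print("single interface: evicted", evicted,
          deliver(ifaces, routes, "18.104.22.168"),
          deliver(ifaces, routes, "220.127.116.11"))
    ifaces, routes = multi_interface_setup()
    print("multiple interfaces:",
          deliver(ifaces, routes, "18.104.22.168"),
          deliver(ifaces, routes, "220.127.116.11"))
```

In the single-interface case the host route is honoured by the kernel but cannot change the peer, because `wg0` only has one peer left holding `0.0.0.0/0`; with two interfaces, a per-destination route (or an ECMP default with `nexthop dev wg0` / `nexthop dev wg1`) decides which tunnel, and each tunnel's sole peer takes the packet.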