WireGuard-Windows sets wrong gateway IP address in routes

Simon Rozman simon at rozman.si
Thu Dec 12 11:21:42 CET 2019


> it appears I found a bug in the Windows implementation of the WireGuard
> client.
> I'm not sure, because it seems to be a rather trivial one, but I guess
> you will tell me if it's not the case.

It's not the case.

Windows will know correctly to send packets to the WireGuard interface. Mind
the "Interface" column in your "route print" output.
Once Windows sends packets to the WireGuard interface, WireGuard will handle
the rest: tunnel them to the appropriate peer according to AllowedIPs.

> So: When you activate a configured tunnel, WG sets the very first IP
> address of a network as gateway, instead of the first usable address.
> 
> That means, if you have a VPN (sub)net like 10.0.10.0/24, where your
> server has 10.0.10.1 and the Windows machine 10.0.10.4, the client tries
> to use 10.0.10.0 as gateway. This obviously doesn't work, because this
> address is reserved / not usable, and the gateway has a different IP.
> The first usable address for hosts is 10.0.10.1, which the WireGuard
> client should set as gateway.
> 
> Same applies for IPv6.

Who guarantees you the first usable address will always be the gateway? Some
use .254 for the gateway.

> I didn't try it out yet though, don't have a WireGuard dev env set up.
> If you want me to, I can take a look and maybe send a patch if I get it
> to work.

Please try it and see it just works as it is.

Mind-boggling, isn't it? :)

Best regards,
Simon
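
The two-step forwarding described in the reply above, as an added example that is not part of the original message and is a simplified model rather than WireGuard's or Windows' own code: the OS route lookup yields only an interface, and the tunnel then selects a peer by longest-prefix match over AllowedIPs. The interface names `wg0` and `eth0`, the peer names, and all addresses other than the 10.0.10.x ones from the thread are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    prefix: str     # destination prefix, as listed by "route print"
    gateway: str    # gateway column; carried along but never consulted below
    interface: str  # "Interface" column: where the OS hands the packet

def longest_match(entries, dst):
    """Return the value of the most specific (prefix, value) entry containing dst."""
    addr = ipaddress.ip_address(dst)
    best_len, best_val = -1, None
    for prefix, value in entries:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best_len, best_val = net.prefixlen, value
    return best_val

def forward(routes, peers, dst, tunnel="wg0"):
    """Model both steps: the OS picks an interface, then the tunnel picks a peer."""
    iface = longest_match(((r.prefix, r.interface) for r in routes), dst)
    if iface != tunnel:
        return iface, None  # not sent into the tunnel at all
    allowed = ((p, name) for name, ips in peers.items() for p in ips)
    return iface, longest_match(allowed, dst)  # None: no peer matches, packet dropped

# Constructed sample data. Peer names stand in for public keys.
PEERS = {
    "server": ["10.0.10.0/24"],
    "laptop": ["10.0.10.7/32"],
    "branch": ["10.0.20.0/24"],
}

def routes_with_gateway(gw):
    """Same routes each time; only the gateway column of the tunnel routes changes."""
    return [
        Route("0.0.0.0/0", "192.168.1.1", "eth0"),
        Route("10.0.10.0/24", gw, "wg0"),
        Route("10.0.20.0/24", gw, "wg0"),
        Route("10.0.30.0/24", gw, "wg0"),  # routed to the tunnel, in no AllowedIPs
    ]

if __name__ == "__main__":
    for gw in ("10.0.10.0", "10.0.10.1", "10.0.10.254"):
        routes = routes_with_gateway(gw)
        for dst in ("10.0.10.1", "10.0.10.7", "10.0.20.5", "10.0.30.9", "8.8.8.8"):
            print(gw, dst, forward(routes, PEERS, dst))
```

In this model the result for every destination is identical across the three gateway values, and a destination that is routed to the tunnel but covered by no peer's AllowedIPs comes back with no peer.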