On Windows: Wrong source IP address

Jason A. Donenfeld Jason at zx2c4.com
Sat Sep 14 18:51:50 CEST 2019

We do this in order to prevent routing loops. Since the endpoints
can't roam, we can't add an explicit route for it (efficiently and
easily, at least) with the 0/1,128/1 hack. So instead on each platform
we attempt to use some form of policy routing to exclude the WireGuard
socket from the WireGuard route. On Windows, policy routing
capabilities seem somewhat limited, and IP_UNICAST_IF to the default
route seemed like it'd work well enough for most people's use cases.
It obviously totally breaks when you're not using the default route. I
wonder if WFP can be made to attach some kind of context that we can
route on late in the stack, but I haven't looked into that yet. If
you'd like to tackle this issue and find something better than
IP_UNICAST_IF with the default for policy routing, I'd be happy to
take patches.
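The three mechanisms the reply contrasts (the 0/1,128/1 route hack with a pinned endpoint route, fwmark-style policy routing, and IP_UNICAST_IF bound to the default-route interface) can be compared with a small longest-prefix-match model of the host's routing table. This is an added illustration, not WireGuard code: the interface names, the peer addresses, and the `policy_bypass` / `unicast_if` switches are constructed assumptions that stand in for the kernel's FIB lookup, a Linux fwmark rule, and the Windows socket option respectively.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed interface names: a physical uplink holding the default route,
# a second uplink for one specific subnet, and the tunnel itself.
PHYS = "eth0"
OTHER = "eth1"
TUN = "wg0"

# Constructed peer addresses (documentation / private ranges).
ENDPOINT = "203.0.113.10"       # peer address when the tunnel was configured
ROAMED_PUBLIC = "198.51.100.7"  # peer after roaming to another public address
ROAMED_PRIVATE = "10.5.5.5"     # peer after roaming into the subnet behind eth1


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


def route(cidr: str, iface: str) -> Route:
    return Route(ipaddress.ip_network(cidr), iface)


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, the way a FIB picks the egress interface."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen).iface


# The host's real routes: everything via eth0, except 10/8 via eth1.
BASE = [route("0.0.0.0/0", PHYS), route("10.0.0.0/8", OTHER)]

# The 0/1 + 128/1 hack: two /1 routes out-match the real /0 default, so all
# plaintext traffic enters the tunnel without replacing the default route.
HALF_ROUTES = [route("0.0.0.0/1", TUN), route("128.0.0.0/1", TUN)]


def outer_egress(table: List[Route], endpoint: str,
                 unicast_if: Optional[str] = None,
                 policy_bypass: bool = False) -> Optional[str]:
    """Interface the *encapsulated* UDP packet to `endpoint` would leave on.

    unicast_if    models IP_UNICAST_IF: the socket is pinned to one interface
                  and the routing table is not consulted at all.
    policy_bypass models fwmark-style policy routing: the tunnel socket is
                  looked up in a table that lacks the tunnel routes.
    """
    if unicast_if is not None:
        return unicast_if
    if policy_bypass:
        table = [r for r in table if r.iface != TUN]
    return lookup(table, endpoint)


def loops(table: List[Route], endpoint: str, **kw) -> bool:
    """True when the outer packet would be fed back into the tunnel."""
    return outer_egress(table, endpoint, **kw) == TUN


def explicit_endpoint_route(endpoint: str) -> Optional[str]:
    """Half routes plus a /32 pinning the *configured* endpoint to eth0.
    Works until the peer roams: the stale /32 then no longer matches."""
    table = BASE + HALF_ROUTES + [route(f"{ENDPOINT}/32", PHYS)]
    return outer_egress(table, endpoint)


def policy_routing(endpoint: str) -> Optional[str]:
    """Half routes and no /32; the socket bypasses tunnel routes by policy.
    Survives roaming and still honours the eth1 route for 10/8."""
    return outer_egress(BASE + HALF_ROUTES, endpoint, policy_bypass=True)


def unicast_if_pinned(endpoint: str) -> Tuple[Optional[str], Optional[str]]:
    """Half routes, socket pinned to whichever interface held the default
    route at setup time. Returns (actual egress, egress the table wanted);
    a mismatch is the 'wrong source address' symptom from the thread."""
    default_if = next(r.iface for r in BASE if r.prefix.prefixlen == 0)
    actual = outer_egress(BASE + HALF_ROUTES, endpoint, unicast_if=default_if)
    wanted = lookup(BASE, endpoint)
    return actual, wanted


if __name__ == "__main__":
    print("default replaced by tunnel, loops:",
          loops([route("0.0.0.0/0", TUN)], ENDPOINT))
    for ep in (ENDPOINT, ROAMED_PUBLIC, ROAMED_PRIVATE):
        print(ep, "| /32 hack ->", explicit_endpoint_route(ep),
              "| policy ->", policy_routing(ep),
              "| IP_UNICAST_IF -> (actual, wanted)", unicast_if_pinned(ep))
```

Running it shows why each approach is chosen or rejected: replacing the default route loops immediately; the /32 hack is correct only while the peer keeps its configured address; policy routing is correct for every peer address, including the one behind the secondary uplink; and IP_UNICAST_IF avoids the loop but sends the packet out `eth0` even when the table would have chosen `eth1`.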
