wg-quick: "Endpoint" inside "Allowed IPs"

Daniel Hofer daniel.hofer at jku.at
Mon Aug 17 17:04:23 CEST 2020


Hello to all,

Since this is my very first mail to a mailing list ever, I hope I do not
make any mistake (especially because I could not find a bugtracker or
something similar to write my issue to).

I am working at a university and my institute switched to WireGuard a
few weeks back, which led to the following configuration file:

####################
[Interface]
Address = <Private IP>/32
PrivateKey = <redacted>
DNS = <University DNS>

[Peer]
PublicKey = <redacted>
AllowedIPs = <University class B segment>.0.0/16
Endpoint = <University class B segment>.123.456:<Port>
####################

I am using Arch Linux with wireguard-tools 1.0.20200513-1.

My university owns a public class B segment. The purpose of the VPN is
to access this segment, but the endpoint for wireguard is also located
inside said network.
When I want to connect using "wg-quick up <config file>", a route is
added for the "Allowed IPs" which unfortunately also covers the desired
endpoint. As a result, WireGuard runs into a chicken-and-egg problem.

As a workaround, I added the following line to the [Interface] section
excluding the endpoint from the route created for the Allowed IPs:
PostUp = ip route add <University class B segment>.123.456 via $(ip route show default | awk '/default/ {print $3}')

Now to my question: Is wg-quick working as expected or did I miss
something? If my config is correct, wouldn't it be a good idea to let
wg-quick check if the endpoint is inside the allowed IPs and add the
route I am creating in the PostUp line automatically?

--
Daniel
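Background to the workaround above, followed by an added example that is not part of the thread and not wg-quick's own code. wg-quick only sets up the fwmark/policy-routing bypass for the endpoint when AllowedIPs contains a default route (0.0.0.0/0 or ::/0); for a narrower prefix such as a /16 it installs an ordinary route, so an endpoint inside that prefix is pulled into the tunnel. A /32 host route to the endpoint via the real gateway fixes this by longest-prefix match, and because that route points at the LAN interface rather than the wg interface it survives "wg-quick down", so a matching PostDown is needed to clean it up. The script below reads a wg-quick config, checks whether an IPv4 Endpoint literal falls inside any of the peer's AllowedIPs prefixes, and prints the PostUp/PostDown pair to paste into [Interface]. The gateway is passed as an argument so the script runs offline; on a live host it would be the output of the `ip route show default | awk '/default/ {print $3}'` command from the mail. Hostname and IPv6 endpoints are skipped, and the config used in the usage line is an assumed path.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, not wg-quick code).
# Detect a wg-quick peer whose IPv4 Endpoint lies inside its own AllowedIPs
# and print the PostUp/PostDown lines that pin a host route to the endpoint
# via the LAN gateway, outside the tunnel.  IPv4 literals only.
#
# usage: sh wg-endpoint-check.sh /etc/wireguard/wg0.conf \
#            "$(ip route show default | awk '/default/ {print $3}')"

# ip4_to_int DOTTED_QUAD -> the address as an unsigned 32-bit decimal
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit status 0 when IP lies inside CIDR (IPv4 only).
# A bare address in AllowedIPs means /32, as WireGuard treats it.
in_cidr() {
    case "$2" in */*) ;; *) set -- "$1" "$2/32" ;; esac
    plen=${2#*/}
    [ "$plen" -eq 0 ] && return 0               # 0.0.0.0/0 covers everything
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "${2%/*}") & mask )) ]
}

# endpoint_route_cmds CONFIG GATEWAY
# Prints the PostUp/PostDown pair when the Endpoint is covered by an
# AllowedIPs prefix; prints nothing otherwise.
endpoint_route_cmds() {
    cfg=$1
    gw=$2
    allowed=''
    host=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in *=*) ;; *) continue ;; esac       # skip [Section] and blanks
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        val=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
        case "$key" in
            AllowedIPs) allowed="${allowed:+$allowed,}$val" ;;   # may be a comma list
            Endpoint)   host=${val%:*} ;;                        # strip :port
        esac
    done < "$cfg"
    case "$host" in
        '' | *[!0-9.]*) return 0 ;;          # hostname, IPv6 or missing: not handled here
    esac
    old_ifs=$IFS
    IFS=,
    set -- $allowed
    IFS=$old_ifs
    for cidr; do
        case "$cidr" in *:*) continue ;; esac             # IPv6 prefix: skip
        if in_cidr "$host" "$cidr"; then
            # /32 wins over the wider AllowedIPs route by longest-prefix match;
            # the route is not tied to the wg interface, so remove it on down.
            printf 'PostUp = ip route add %s via %s\n' "$host" "$gw"
            printf 'PostDown = ip route del %s via %s\n' "$host" "$gw"
            return 0
        fi
    done
}

if [ $# -eq 2 ]; then
    endpoint_route_cmds "$1" "$2"
fi
```

Running it against a config whose peer has `AllowedIPs = 192.0.0.0/16` and `Endpoint = 192.0.2.123:51820` (constructed values) with gateway 10.0.0.1 prints `PostUp = ip route add 192.0.2.123 via 10.0.0.1` and the matching PostDown; for an endpoint outside every AllowedIPs prefix it prints nothing, since wg-quick's own routing is then sufficient.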
