wg-quick: "Endpoint" inside "Allowed IPs"
Daniel Hofer
daniel.hofer at jku.at
Mon Aug 17 17:04:23 CEST 2020
Hello to all,
Since this is my very first mail to a mailing list ever, I hope I do not
make any mistake (especially because I could not find a bugtracker or
something similar to write my issue to).
I am working at a university and my institute switched to WireGuard a
few weeks back, which led to the following configuration file:
####################
[Interface]
Address = <Private IP>/32
PrivateKey = <redacted>
DNS = <University DNS>
[Peer]
PublicKey = <redacted>
AllowedIPs = <University class B segment>.0.0/16
Endpoint = <University class B segment>.123.456:<Port>
####################
I am using Arch Linux with wireguard-tools 1.0.20200513-1.
My university owns a public class B segment. The purpose of the VPN is
to access this segment, but the endpoint for wireguard is also located
inside said network.
When I want to connect using "wg-quick up <config file>", a route is
added for the "Allowed IPs" which unfortunately also covers the desired
endpoint. As a result, wireguard runs into a chicken and egg problem.
As a workaround, I added the following line to the [Interface] section
excluding the endpoint from the route created for the Allowed IPs:
PostUp = ip route add <University class B segment>.123.456 via $(ip route show default | awk '/default/ {print $3}')
Now to my question: Is wg-quick working as expected or did I miss
something? If my config is correct, wouldn't it be a good idea to let
wg-quick check if the endpoint is inside the allowed IPs and add the
route I am creating in the PostUp line automatically?
--
Daniel
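The check the post asks about, as an added example that is not part of the original message and not wireguard-tools code: parse a wg-quick config, flag any [Peer] whose Endpoint address falls inside its own AllowedIPs, and instead of the host-route workaround compute an AllowedIPs list with that single address carved out, so the routes wg-quick installs can never cover the tunnel endpoint. This goes beyond the post's single /16 case: it handles several AllowedIPs entries, repeated AllowedIPs lines, IPv6 endpoints in brackets, and an entry equal to the endpoint itself. The sample config and its RFC 5737 documentation addresses are constructed for this example and are assumptions, not the poster's real network.

```python
# Added example (not from the original post or wireguard-tools): detect a
# [Peer] whose Endpoint lies inside its AllowedIPs and carve the endpoint
# address out of AllowedIPs so the tunnel route cannot swallow the tunnel.
import ipaddress

# Constructed sample config with the same shape as the one in the post.
# Addresses are RFC 5737 documentation ranges (an assumption for this
# example), not the poster's university network.
SAMPLE_CONFIG = """\
[Interface]
Address = 10.99.0.2/32
PrivateKey = <redacted>
DNS = 192.0.2.53

[Peer]
PublicKey = <redacted>
AllowedIPs = 192.0.2.0/24, 198.51.100.0/24
Endpoint = 192.0.2.200:51820
"""


def parse_peers(config_text):
    """One dict per [Peer]: its AllowedIPs networks and raw Endpoint string.
    Handles '#' comments, case-insensitive keys, comma-separated and
    repeated AllowedIPs lines (the INI-like syntax wg-quick accepts)."""
    peers, current = [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = None
            if line[1:-1].strip().lower() == "peer":
                current = {"allowed": [], "endpoint": None}
                peers.append(current)
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "allowedips":
            current["allowed"].extend(
                ipaddress.ip_network(v.strip(), strict=False)
                for v in value.split(",") if v.strip())
        elif key.lower() == "endpoint":
            current["endpoint"] = value
    return peers


def endpoint_address(endpoint):
    """Host part of 'host:port' or '[v6]:port' as an ip_address.
    Returns None for a DNS name: it cannot be checked without resolving,
    and the answer may differ on the next wg-quick run."""
    if endpoint.startswith("["):
        host = endpoint[1:endpoint.index("]")]
    else:
        host = endpoint.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def conflicting_networks(peer):
    """AllowedIPs entries of this peer that contain its own Endpoint address."""
    addr = endpoint_address(peer["endpoint"]) if peer["endpoint"] else None
    if addr is None:
        return []
    return [n for n in peer["allowed"] if n.version == addr.version and addr in n]


def carve_out(allowed, addr):
    """AllowedIPs with one address removed, as the minimal covering prefixes.
    address_exclude splits each containing network; an entry equal to the
    endpoint /32 (or /128) disappears entirely, which is the right outcome."""
    host = ipaddress.ip_network(str(addr))
    result = []
    for net in allowed:
        if net.version == host.version and host.subnet_of(net):
            result.extend(net.address_exclude(host))
        else:
            result.append(net)
    return sorted(result, key=lambda n: (n.version, n.network_address, n.prefixlen))


def fixed_allowed_ips(config_text):
    """Per peer: the corrected AllowedIPs string, or None when there is no conflict."""
    out = []
    for peer in parse_peers(config_text):
        if not conflicting_networks(peer):
            out.append(None)
            continue
        addr = endpoint_address(peer["endpoint"])
        out.append(", ".join(str(n) for n in carve_out(peer["allowed"], addr)))
    return out


if __name__ == "__main__":
    for peer, fixed in zip(parse_peers(SAMPLE_CONFIG), fixed_allowed_ips(SAMPLE_CONFIG)):
        if fixed is None:
            print("Endpoint %s is outside AllowedIPs: nothing to do" % peer["endpoint"])
        else:
            bad = ", ".join(str(n) for n in conflicting_networks(peer))
            print("Endpoint %s lies inside %s; use:" % (peer["endpoint"], bad))
            print("AllowedIPs = " + fixed)
```

Carving the endpoint out of AllowedIPs rather than adding a host route has one practical advantage: the result is a plain config that needs no PostUp hook, no knowledge of the default gateway, and nothing to undo on `wg-quick down`. The cost is a longer AllowedIPs line (eight prefixes replace one /24 above; a /16 minus one host yields sixteen), which wg handles without trouble.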