[iOS - macOS] Route all traffic through peer only for IPv6

[Mario Costa]

Hi all.

I have a VPS with IPv6 connectivity that I use as WireGuard “server” for other peers. I successfully configured each peer with an IPv4 and an IPv6 address, but I don’t want to route all traffic through the server. I only want to route the WireGuard IPv4 subnet so that my peers can talk to the server, but I want the rest of the v4 Internet to go outside of the tunnel.

In addition to that, I’d like to add IPv6 connectivity to my peers, which usually don’t have. The problem is, when I add the IPv6 catchall ::/0 to the AllowedIPs section of my iOS and macOS peers the IPv6 traffic gets correctly routed, but I completely lose IPv4 connectivity.

The issue seems related to how the routing tables are changed when WG establishes the connection. With ::/0, a default gateway for IPv4 gets added (it says link#21, I don’t know what that means). If I add 0.0.0.0/0 too then everything works and I appear to have dual stack, but I only want IPv6 to be routed though the tunnel!

I think that if only ::/0 is configured, an IPv4 default gateway should not be added. By the way, a Debian peer with the same configuration seems to work correctly (IPv6 through the tunnel and IPv4 through my LAN’s gateway), but I’m using wg and not wg-quick. I don’t know if this issue is caused by the iOS/macOS apps or if wg-quick runs under those apps and causes the routing problem. Maybe later I will try wg-quick on Debian to see how it affects the routing tables, but the apps should work with these settings nonetheless.

-m