PSA: systemd-networkd v250 adds routes from allowedips by default

Jason A. Donenfeld Jason at zx2c4.com
Tue Jan 4 15:58:04 UTC 2022


Hi everyone,

Hope you all had a nice New Year's.

Version 250 of systemd-networkd added support for a `RouteTable`
option in the `[WireGuard]` section of a `.netdev` config file. By
default, it is "main". When this happens, the allowed IPs from
configured peers are added to the system's main routing table using
the metric specified by the also added `RouteMetric` option.

This is pretty similar to wg-quick(8)'s behavior with its `Table`
option in the `[Interface]` section, except that it doesn't do
anything fancy for default routes or for routes that overlap with
configured endpoints.

This means that if you're currently using systemd-networkd v250 with
0.0.0.0/0 or ::/0 or similar in your allowed IPs, those allowed IPs
will be automatically added to the main routing table, which might
prove problematic for folks who are already manually doing fancy
fwmark things with systemd-networkd. If this applies to you, you may
want to set `RouteTable=off` explicitly.

At the moment, I suspect this mostly affects Arch Linux users who
followed fwmark instructions on their wiki.

Regards,
Jason
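As an added illustration (not part of the post above, and not systemd's or WireGuard's own example), here is what a `.netdev` file looks like with the new option pinned explicitly. The file path, key path, firewall mark, peer key placeholder, endpoint and addresses are all constructed for the example; `RouteTable=`, `RouteMetric=`, `FirewallMark=` and the peer keys are the documented `[WireGuard]` / `[WireGuardPeer]` settings.

```ini
# /etc/systemd/network/50-wg0.netdev  (hypothetical path; example values only)
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKeyFile=/etc/systemd/network/wg0.key
ListenPort=51820
# Mark consumed by a hand-built policy-routing (fwmark) setup; placeholder value.
FirewallMark=51820
# Since v250 the default is RouteTable=main, which installs every AllowedIPs
# prefix from the peers below into the main table (metric from RouteMetric=).
# With 0.0.0.0/0 and ::/0 below, that would drop a default route via wg0 into
# the main table and collide with the manual fwmark rules, so opt out here.
RouteTable=off

[WireGuardPeer]
PublicKey=PEER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs=0.0.0.0/0, ::/0
Endpoint=vpn.example.com:51820
PersistentKeepalive=25
```

After `networkctl reload` (or restarting systemd-networkd), `ip route show table main` and `ip -6 route show table main` should show no `default dev wg0` entries; if they do, the upgrade to v250 is applying the new default and `RouteTable=off` has not taken effect.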
