are WG clients expected to automatically handle it when the endpoint is within the AllowedIPs
Christoph Anton Mitterer
calestyo at scientia.org
Sun Jun 8 21:11:01 UTC 2025
Hey.
On Thu, 2025-06-05 at 12:27 +0200, Kajetan Staszkiewicz wrote:
> NetworkManager's Wireguard implementation already has a way of
> supporting it by using fwmarks. It's just that the fwmark operation is
> not automatically turned on unless the tunnel is configured with
> AllowedIPs=::/0
AFAIU, even the AllowedIPs=::/0 case was only fixed[0] (in the sense
of: making it work out-of-the-box) recently, right?
But nevertheless, my main point was... is it expected to be handled
*automatically* by WG clients?
It's clear that one can always somehow make it work manually, like
with the way from your comment or like how I did with adding a specific
route for the endpoint in [1] (though your approach is probably
cleaner).
And at least as of now, neither NM nor wg-quick seem to work
out-of-the-box with a split profile as described before.
> See my comment and a workaround which always forces the fwmark
> operation on
> https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1157#note_2426757
I would rather not have that imposed on "end-users"... it's not ruled
out that they get it wrong and perhaps even compromise security.
Cheers,
Chris.
[0] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2158
[1] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1737
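The failure mode discussed in this thread is a peer whose Endpoint address is itself covered by that peer's AllowedIPs (the full-tunnel `0.0.0.0/0` / `::/0` case, but also a split profile whose allowed prefixes happen to include the endpoint): without a fwmark policy-routing rule or a specific host route, the encrypted packets to the endpoint would be routed into the tunnel they are meant to carry. The checker below, an added example that is not NetworkManager, wg-quick or WireGuard project code, parses a wg-quick style configuration and reports every such peer, so an administrator can confirm one of the workarounds is in place before a profile is rolled out. The configuration text and key strings are constructed placeholders; hostnames in `Endpoint` are not resolved, so only literal IP endpoints are checked.

```python
"""Flag WireGuard peers whose Endpoint lies inside their own AllowedIPs.

Illustrative checker, not NetworkManager or wg-quick code. SAMPLE_CONF is a
constructed wg-quick style configuration with placeholder keys.
"""
import ipaddress
import re

SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.8.0.2/24, fd00:8::2/64

[Peer]
# full-tunnel peer: its IPv6 endpoint is covered by ::/0
PublicKey = PLACEHOLDER_PEER_KEY_A
Endpoint = [2001:db8::1]:51820
AllowedIPs = 0.0.0.0/0, ::/0

[Peer]
# split-tunnel peer: endpoint is outside its AllowedIPs (fine)
PublicKey = PLACEHOLDER_PEER_KEY_B
Endpoint = 192.0.2.10:51820
AllowedIPs = 10.8.0.0/24, 198.51.100.0/24

[Peer]
# split-tunnel peer whose AllowedIPs happen to cover the endpoint
PublicKey = PLACEHOLDER_PEER_KEY_C
Endpoint = 203.0.113.5:51820
AllowedIPs = 203.0.113.0/24
"""


def parse_peers(conf_text):
    """Return one dict per [Peer] section, mapping key -> list of values.

    Values are kept as lists because keys such as AllowedIPs may repeat.
    Comments (after '#') and the [Interface] section are ignored.
    """
    peers = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('['):
            current = {} if line.lower() == '[peer]' else None
            if current is not None:
                peers.append(current)
            continue
        if current is None or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        current.setdefault(key, []).append(value)
    return peers


def endpoint_host(endpoint):
    """Return the IP address of 'host:port' or '[v6]:port', or None for a DNS name."""
    match = re.match(r'^\[(.+)\]:\d+$', endpoint)
    host = match.group(1) if match else endpoint.rsplit(':', 1)[0]
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None  # hostname; resolving it is out of scope for an offline check


def covering_allowed_ips(peer):
    """Return the AllowedIPs prefixes (as strings) that contain this peer's endpoint address."""
    address = endpoint_host(peer.get('Endpoint', [''])[0])
    if address is None:
        return []
    covering = []
    for value in peer.get('AllowedIPs', []):
        for cidr in value.split(','):
            cidr = cidr.strip()
            if not cidr:
                continue
            network = ipaddress.ip_network(cidr, strict=False)
            if network.version == address.version and address in network:
                covering.append(str(network))
    return covering


def audit(conf_text):
    """Return (PublicKey, endpoint address, covering prefixes) for each affected peer."""
    findings = []
    for peer in parse_peers(conf_text):
        covering = covering_allowed_ips(peer)
        if covering:
            address = endpoint_host(peer['Endpoint'][0])
            findings.append((peer['PublicKey'][0], str(address), covering))
    return findings


if __name__ == '__main__':
    for key, host, prefixes in audit(SAMPLE_CONF):
        print(f"peer {key}: endpoint {host} is covered by AllowedIPs "
              f"{', '.join(prefixes)}; confirm a fwmark rule or a host route "
              "keeps the endpoint traffic out of the tunnel")
```

Running the script against the constructed configuration reports peers A and C and stays silent about peer B; a peer whose Endpoint is a DNS name is skipped rather than guessed at, which is the conservative choice for a check run before the name is resolved.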