WireGuard Archive on lore.kernel.org
* Issue with Apple clients when routing all traffic through Wireguard
@ 2019-08-30 11:34 Dmitry Kovalenko
From: Dmitry Kovalenko @ 2019-08-30 11:34 UTC (permalink / raw)
  To: wireguard

Hi

I have been using wireguard for a while now and discovered an issue with
routes created by the macOS and iOS GUI clients. The issue is that wireguard
does not create a route to the endpoint via the default route. So when you
specify AllowedIPs = 0.0.0.0/0 (excluding private IPs does not change
anything) on a client, everything just stops working because 0.0.0.0/0 is
now reachable only through the wireguard tunnel, which is obviously not
reachable as there is no route to it through the normal internet connection.

Pretty much, the routes look like this:

    default via 10.80.0.1 dev wg0   - default route through wg
    default via 10.0.0.1 dev eth0   - old default route through ethernet
    10.0.0.0/24 dev eth0

When they have to look like this:

    default via 10.80.0.1 dev wg0   - default route through wg
    default via 10.0.0.1 dev eth0   - old default route through ethernet
    1.2.3.4/32 via 10.0.0.1 dev eth0 - specific route to the wireguard
                                       endpoint (1.2.3.4 here) through
                                       ethernet, WHICH IS MISSING
    10.0.0.0/24 dev eth0

Right now the only workaround is manually calculating AllowedIPs CIDRs
excluding the endpoint address. I assume this is not by design and should
be fixed by either creating a route to wg endpoint through default gateway
or excluding endpoint IP from AllowedIPs without having to do it manually
in the config.


_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
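The workaround the post describes, computing an AllowedIPs list that covers everything except the endpoint (and, optionally, the local LAN) so that the handshake and transport packets to the endpoint keep following the original default route, as an added example that is not part of the original post or of the WireGuard project's code. It uses only Python's standard ipaddress module; the endpoint 1.2.3.4 and the LAN 10.0.0.0/24 are the placeholder values from the post's route listing, and the function names are my own. Beyond the single /32 case in the post, it also accepts several exclusions and a dual-stack base (0.0.0.0/0 plus ::/0).

```python
"""Compute a WireGuard AllowedIPs list that excludes the endpoint.

Added example, not code from the original post or from the WireGuard
project.  Endpoint 1.2.3.4 and LAN 10.0.0.0/24 are the placeholders from the
post; the function names are assumptions made for this illustration.
"""
from ipaddress import (IPv4Network, IPv6Network, collapse_addresses,
                       ip_address, ip_network)
from typing import Iterable, List, Union

Net = Union[IPv4Network, IPv6Network]


def allowed_ips_excluding(excluded: Iterable[str],
                          base: Iterable[str] = ("0.0.0.0/0",)) -> List[Net]:
    """Return the minimal CIDR list covering `base` minus every network in
    `excluded`, IPv4 entries first, each group sorted.

    Each exclusion is carved out of every base piece that contains it with
    address_exclude(); pieces swallowed by an exclusion are dropped, and
    exclusions of another IP version or outside every base network are
    ignored.  The remainder is collapsed so adjacent blocks merge again.
    """
    exclusions = [ip_network(e, strict=False) for e in excluded]
    pieces: List[Net] = [ip_network(b, strict=False) for b in base]
    for ex in exclusions:
        remaining: List[Net] = []
        for piece in pieces:
            if piece.version != ex.version or not piece.overlaps(ex):
                remaining.append(piece)            # untouched by this exclusion
            elif piece.subnet_of(ex):
                continue                           # swallowed whole
            else:
                # ex is a proper subnet of piece: split piece around it
                remaining.extend(piece.address_exclude(ex))
        pieces = remaining
    result: List[Net] = []
    for version in (4, 6):
        result.extend(collapse_addresses(p for p in pieces
                                         if p.version == version))
    return result


def routed_via_tunnel(addr: str, allowed: Iterable[Net]) -> bool:
    """True if `addr` falls inside any AllowedIPs entry, i.e. the client
    would send it into the tunnel rather than via the physical interface."""
    ip = ip_address(addr)
    return any(ip in net for net in allowed)


def allowed_ips_line(allowed: Iterable[Net]) -> str:
    """Format the list as the [Peer] section line pasted into the client."""
    return "AllowedIPs = " + ", ".join(str(net) for net in allowed)


if __name__ == "__main__":
    # Endpoint 1.2.3.4 (from the post) must stay off the tunnel; keeping the
    # LAN 10.0.0.0/24 local as well is optional but usually wanted.
    nets = allowed_ips_excluding(["1.2.3.4/32", "10.0.0.0/24"])
    print(allowed_ips_line(nets))
    print("entries:", len(nets),
          "endpoint tunnelled:", routed_via_tunnel("1.2.3.4", nets),
          "internet tunnelled:", routed_via_tunnel("8.8.8.8", nets))
```

Excluding a single /32 from 0.0.0.0/0 always yields 32 entries (one sibling block per prefix length), which is why the resulting AllowedIPs line is long but still accepted by the clients. The endpoint must be excluded by its actual IP address: if the config gives it as a hostname, exclude every address it resolves to, since the exclusion is purely a routing-table artefact and nothing re-computes it when DNS changes.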