[Babel-users] IPv6 ULA GUA S2S routing problem
Daniel Gröber
dxld at darkboxed.org
Tue Mar 14 05:53:55 GMT 2023
Hi Jochen,
On Mon, Mar 13, 2023 at 10:43:02PM +0100, Jochen Demmer wrote:
> Yet I cannot communicate. Is it possible that the wireguard tunnel
> itself doesn't have the prefix in its allowed IPs? I always thought
> this allowed_ips parameter is only for setting up the routing, even if
> the name suggests otherwise.
With wg-quick (which OpenWrt is trying to mirror I guess) the AllowedIPs do
double duty as source address ACL and routes. I actually forgot to mention
you'd have to use Table=0 to get rid of the static routes. IIRC the
route_allowed_ips option you found is the equivalent here.
On Tue, Mar 14, 2023 at 02:09:27AM +0100, Jochen Demmer wrote:
> All right, I figured it out.
> On both sides I needed to set allowed-ips to 0.0.0.0/0 and ::/0.
> Then set route_allowed_ips to 0.
Are you sending any v4 traffic over the tunnel? If not 0.0.0.0/0 should be
unnecessary.
> This seems to work, yet it is generally recommended not to allow any in
> a wireguard tunnel. I don't see another way right now though.
What do you mean? If your AllowedIPs set is empty wireguard will just act
as a big useless black hole.
To see how the OpenWrt stuff maps to wg options see the script handling the
conversion:
https://github.com/openwrt/openwrt/blob/master/package/network/utils/wireguard-tools/files/wireguard.sh
AFAICT it does a straight conversion of the allowed_ips list to the wg
option.
--Daniel
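As an added illustration of the combination discussed in this thread (not taken from Daniel's mail or from the OpenWrt wireguard.sh script), here is one peer configured wg-quick style and the other in OpenWrt UCI, both with `::/0` in AllowedIPs so the tunnel accepts any source address, while static route installation is switched off and left to Babel. Assumptions: wg-quick's keyword for disabling route creation is `Table = off` per wg-quick(8); keys, endpoint name and the fd00:1234:5678::/64 ULA are constructed placeholders; the UCI key names beyond allowed_ips and route_allowed_ips are the standard OpenWrt wireguard proto ones.

```ini
# wg-quick side (Linux peer). ::/0 is the crypto-key routing ACL for the peer,
# so packets from any v6 source are accepted and may be sent to this peer.
# Table = off stops wg-quick from installing a ::/0 route for it, so Babel
# decides which prefixes actually go through the tunnel.
[Interface]
PrivateKey = <placeholder-private-key>
Address = fd00:1234:5678::1/64   # constructed ULA address inside the tunnel
ListenPort = 51820
Table = off

[Peer]
PublicKey = <placeholder-peer-public-key>
Endpoint = peer.example.net:51820
AllowedIPs = ::/0                # add 0.0.0.0/0 only if v4 also crosses the tunnel

# OpenWrt side (/etc/config/network). wireguard.sh passes allowed_ips straight
# through as the wg AllowedIPs list; route_allowed_ips '0' is the counterpart
# of Table = off, i.e. no static route is added for the peer.
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<placeholder-private-key>'
	option listen_port '51820'
	list addresses 'fd00:1234:5678::2/64'

config wireguard_wg0
	option public_key '<placeholder-peer-public-key>'
	option endpoint_host 'peer.example.net'
	option endpoint_port '51820'
	option route_allowed_ips '0'
	list allowed_ips '::/0'
```

With route_allowed_ips '0' and Table = off, `ip -6 route` on either side should show only the routes Babel installs for the tunnel interface, and `wg show` should still list `::/0` under allowed ips for the peer.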