[Babel-users] IPv6 ULA GUA S2S routing problem

Jochen Demmer jochen at winteltosh.de
Tue Mar 14 08:28:48 GMT 2023


Hi Daniel,

On Tuesday, 14.03.2023 at 06:53 +0100, Daniel Gröber wrote:
> Hi Jochen,
> 
> On Mon, Mar 13, 2023 at 10:43:02PM +0100, Jochen Demmer wrote:
> > Yet I cannot communicate. Is it possible that the wireguard tunnel
> > itself doesn't have the prefix in its allowed IPs? I always thought
> > this allowed_ips parameter is only for setting up the routing, even
> > if the name suggests otherwise.
> 
> With wg-quick (which OpenWrt is trying to mirror I guess) the
> AllowedIPs do double duty as source address ACL and routes. I actually
> forgot to mention you'd have to use Table=0 to get rid of the static
> routes. IIRC the route_allowed_ips option you found is the equivalent
> here.
> 
> On Tue, Mar 14, 2023 at 02:09:27AM +0100, Jochen Demmer wrote:
> > Alright, I figured it out.
> > On both sides I needed to set allowed-ips to 0.0.0.0/0 and ::/0.
> > Then set route_allowed_ips to 0.
> 
> Are you sending any v4 traffic over the tunnel? If not, 0.0.0.0/0
> should be unnecessary.
> 
> > This seems to work, yet it is generally recommended not to allow
> > any in a wireguard tunnel. I don't see another way right now though.
> 
> What do you mean? If your AllowedIPs set is empty wireguard will just
> act as a big useless black hole.

Well, there were several blog posts and texts that said running
wireguard without a filter on IPs was a bad idea. I do not concur;
that's why I implemented it without a filter, and I'm happy with it :-)

> 
> To see how the OpenWrt stuff maps to wg options see the script
> handling the conversion:
> 
> https://github.com/openwrt/openwrt/blob/master/package/network/utils/wireguard-tools/files/wireguard.sh
> 
> AFAICT it does a straight conversion of the allowed_ips list to the
> wg option.
> 
> 
> --Daniel

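Two quick checks for the setup the thread settles on (AllowedIPs as pure cryptokey-routing ACL with ::/0, route_allowed_ips=0 so that Babel rather than the wg helper installs the kernel routes). This is an added example, not code from the thread or from OpenWrt; the interface name wg0, the peer keys and the sample command outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that (a) every WireGuard peer
# has ::/0 in its AllowedIPs, so inbound packets with any Babel-learned
# source prefix pass the cryptokey-routing ACL, and (b) no routes other than
# babeld's (proto babel) and the kernel's own link-local route sit on the
# tunnel, i.e. the static AllowedIPs routes are really gone.

# Constructed sample of `wg show wg0 allowed-ips` (per line: key<TAB>cidr ...).
# Peer keys are placeholders, not real keys.
SAMPLE_ALLOWED=$(printf 'PEER_A_PLACEHOLDER_KEY=\t::/0\nPEER_B_PLACEHOLDER_KEY=\tfd00:1::/64')

# Constructed sample of `ip -6 route show dev wg0`.
SAMPLE_ROUTES='fd00:1::/64 proto babel metric 1024 pref medium
fd00:2::/64 proto static metric 1024 pref medium
fe80::/64 proto kernel metric 256 pref medium'

# Print the keys of peers whose AllowedIPs lack ::/0. Such a peer cannot
# source arbitrary IPv6 prefixes through the tunnel; wg drops those packets.
peers_without_any_v6() {
    printf '%s\n' "$1" | awk -F'\t' '{
        ok = 0
        n = split($2, a, " ")
        for (i = 1; i <= n; i++) if (a[i] == "::/0") ok = 1
        if (!ok) print $1
    }'
}

# Print route prefixes on the tunnel installed by neither babeld nor the
# kernel (e.g. proto static from wg-quick's Table or route_allowed_ips=1).
non_babel_routes() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "proto" && $(i+1) != "babel" && $(i+1) != "kernel")
                print $1
    }'
}

# Live usage on a router (assumes interface wg0):
# peers_without_any_v6 "$(wg show wg0 allowed-ips)"
# non_babel_routes "$(ip -6 route show dev wg0)"
```

On the samples above the first check reports PEER_B_PLACEHOLDER_KEY= and the second reports fd00:2::/64; an empty output from both means the tunnel is configured as discussed.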