Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
sevg 10 months ago

I've always been slightly puzzled about why there isn't an easy built-in way to tunnel all traffic (ie, AllowedIPs = 0.0.0.0/0, ::/0) EXCEPT for some specific IPs. You end up having to programmatically generate a massive list of CIDRs that include everything except those specific IPs.

adamcharnock 10 months ago | parent | next [-]

I agree that would be useful. I'm fairly sure it is because all the entries in `AllowedIPs` are just written as-is to the routing table, and the routing logic in the kernel (and most/all routers?) has no facility for 'does not match'.

Instead the solution would be to add a explicit route to state where the excluded CIDR should be sent to. That would would be more specific and would therefore be used for matching packets rather than the 0.0.0.0/0 (or whatever) routed pointed at the wireguard tunnel.

dgl 10 months ago | parent [-]

To me this is actually one of the attractive aspects of Wireguard compared to some other VPNs, it doesn't try to manage everything within the tool and delegates to the host's normal routing mechanisms. However it still by default conflates AllowedIPs and the routing table -- you can actually separate them (Table=off with wg-quick) and then manually add routes.

irunmyownemail 10 months ago | parent [-]

I agree completely with the sentiment, though I never actually mess with the routing tables.

tjoff 10 months ago | parent | prev | next [-]

Calculator for the workaround: https://www.procustodibus.com/blog/2021/03/wireguard-allowed...

mrbluecoat 10 months ago | parent | prev | next [-]

See https://github.com/tailscale/tailscale/issues/11717#issuecom...

ghthor 10 months ago | parent | prev | next [-]

I wonder if you can add a peer to your config and set these excluded ips there, then never connect it.

rudasn 10 months ago | parent | prev | next [-]

Can't you do that with a prerouting firewall rule?

Genuinely asking, never tried myself but seems plausible.

sevg 10 months ago | parent [-]

There are a number of ways you could handle this, but none of them make wireguard seem user friendly for this use case.

If you're using WireGuard for point to point or to access a specific subnet, this isn't an issue.

But a common use case is to use WireGuard like you'd use Mullvad or Nordvpn and tunnel all traffic through it. And if you need exceptions for private address ranges or specific services, you end up having to generate a CIDR list (the WireGuard mobile app can do this for you if you check the "exclude private addresses" checkbox, but no such checkbox exists for wireguard tools on Linux, and it's a hardcoded list anyway), or add routes yourself, or fiddle with firewall rules.

rudasn 10 months ago | parent [-]

Ah right.

Yeah it would be nice to have a negated allowed ips list, or adding an ! to signify "not this one". Wonder how difficult that would be to implement.

10 months ago | parent | prev | next [-]
[deleted]
graton 10 months ago | parent | prev | next [-]

I think you need to use `Table = off`. With that you probably can get what you want.

bsder 10 months ago | parent | prev | next [-]

Or the reverse, most people have specific IPs that they'd like to route traffic through the VPN but mostly don't care about the rest.

Again, you wind up creating a huge list of exact IPs and creating the routing rules is a PITA.

akerl_ 10 months ago | parent [-]

I don't understand. Having a specific list of IPs they want to route over Wireguard is the one that is easy today. It's the inverse (everything except these IPs) that's hard.

pm2222 10 months ago | parent | prev [-]

ip route to blackhole works. ip rule works. ip/nftables works. tc works. ebpf works.