Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
sevg 7 months ago

I've always been slightly puzzled about why there isn't an easy built-in way to tunnel all traffic (ie, AllowedIPs = 0.0.0.0/0, ::/0) EXCEPT for some specific IPs. You end up having to programmatically generate a massive list of CIDRs that include everything except those specific IPs.

adamcharnock 7 months ago | parent | next [-]

I agree that would be useful. I'm fairly sure it is because all the entries in `AllowedIPs` are just written as-is to the routing table, and the routing logic in the kernel (and most/all routers?) has no facility for 'does not match'.

Instead the solution would be to add a explicit route to state where the excluded CIDR should be sent to. That would would be more specific and would therefore be used for matching packets rather than the 0.0.0.0/0 (or whatever) routed pointed at the wireguard tunnel.

dgl 7 months ago | parent [-]

To me this is actually one of the attractive aspects of Wireguard compared to some other VPNs, it doesn't try to manage everything within the tool and delegates to the host's normal routing mechanisms. However it still by default conflates AllowedIPs and the routing table -- you can actually separate them (Table=off with wg-quick) and then manually add routes.

irunmyownemail 7 months ago | parent [-]

I agree completely with the sentiment, though I never actually mess with the routing tables.

tjoff 7 months ago | parent | prev | next [-]

Calculator for the workaround: https://www.procustodibus.com/blog/2021/03/wireguard-allowed...

mrbluecoat 7 months ago | parent | prev | next [-]

See https://github.com/tailscale/tailscale/issues/11717#issuecom...

ghthor 7 months ago | parent | prev | next [-]

I wonder if you can add a peer to your config and set these excluded ips there, then never connect it.

rudasn 7 months ago | parent | prev | next [-]

Can't you do that with a prerouting firewall rule?

Genuinely asking, never tried myself but seems plausible.

sevg 7 months ago | parent [-]

There are a number of ways you could handle this, but none of them make wireguard seem user friendly for this use case.

If you're using WireGuard for point to point or to access a specific subnet, this isn't an issue.

But a common use case is to use WireGuard like you'd use Mullvad or Nordvpn and tunnel all traffic through it. And if you need exceptions for private address ranges or specific services, you end up having to generate a CIDR list (the WireGuard mobile app can do this for you if you check the "exclude private addresses" checkbox, but no such checkbox exists for wireguard tools on Linux, and it's a hardcoded list anyway), or add routes yourself, or fiddle with firewall rules.

rudasn 7 months ago | parent [-]

Ah right.

Yeah it would be nice to have a negated allowed ips list, or adding an ! to signify "not this one". Wonder how difficult that would be to implement.

7 months ago | parent | prev | next [-]
[deleted]
graton 7 months ago | parent | prev | next [-]

I think you need to use `Table = off`. With that you probably can get what you want.

bsder 7 months ago | parent | prev | next [-]

Or the reverse, most people have specific IPs that they'd like to route traffic through the VPN but mostly don't care about the rest.

Again, you wind up creating a huge list of exact IPs and creating the routing rules is a PITA.

akerl_ 7 months ago | parent [-]

I don't understand. Having a specific list of IPs they want to route over Wireguard is the one that is easy today. It's the inverse (everything except these IPs) that's hard.

pm2222 7 months ago | parent | prev [-]

ip route to blackhole works. ip rule works. ip/nftables works. tc works. ebpf works.