wireguard: unable to route all traffic through interface #51258
Comments
Likewise. I can ping the interface with allowedIPs of
one potential fix for this might be implementing the network user-namespace based approach I've feature requested in #52411
I needed to set
@Moredread, the issue remains.
I was able to route (almost) all traffic, by either
or
What traffic is not routed?
@tmplt
I wasn't able to get this working, even after adding a manual route to the wireguard server (through my default gateway and regular eth0). Any suggestions?
I have the same problem. Doesn't matter whether I use wg-quick or the nixos options approach. Wireguard otherwise works fine when having only specific IPs allowed, but now I wanted to route all traffic.
So I solved my specific problem a bit differently. I now move the wireguard interface(s) into a different Linux network namespace and then start my compositor (sway) within that network namespace. This works really well for me with the added benefit of effectively forcing all processes run within sway such as firefox, mail client etc. to use only the wireguard interface(s) (because there aren't any other interfaces). It also prompted me to write this simple utility to do what I need: https://github.com/johnae/netns-exec While not exactly what the wireguard dev suggests (I found it a bit too messy/difficult to launch dhcpd, wpa_supplicant or iwd + wireguard within a different namespace), it's close enough for me.
Hi @johnae, interesting solution - is there a benefit to your I arrived at a similar solution by taking the existing, (seemingly complete or abandoned)
@colemickens yeah I saw that one but I wanted a setuid binary so that I could run it as my normal user. The ip command has such a large surface area so I wouldn't want to make that setuid. Also messing around with the gpg-agent service from home-manager as it must run within the same network namespace when you use the gnome3 pinentry variant (this is a socket activated service). I've gotten it to work but it's still a bit wip, nothing committed yet (and certainly no pull req against home-manager, if I ever do one).
@colemickens I actually found another project today called exactly What that other project did have however was (as a reminder - I've had issues with gpg-agent because of pinentry gnome3 which uses dbus... if you're using some other pinentry variant you probably won't have this issue).
I have encountered the same issue when I was trying to connect my new NixOS setup to the same wireguard server my other devices are using. Using If anyone else reading this has the same issue: In the end, I found it a lot easier to use networking.wg-quick (see PR #53043 for details) instead of networking.wireguard. With it, everything mostly worked out-of-the-box without me having to add any routes manually. I had to change only a few things in my configuration.nix (for example rename It would be really useful / awesome to have more information on how to set this up in the NixOS Wiki.
I am facing this issue, and used IIRC,
I'm using good ol' stateful Wireguard interface configuration on my laptop with interactive
client
PS: I just realised that
@NilsIrl Great, thanks. This may be a bit difficult for me, given I'd like to support mobile devices that may not be able to run commands like that, but I may be able to get it to run on my macOS client.
The {server ip} as in my suggested update to the wiki https://nixos.wiki/index.php?title=Wireguard&type=revision&diff=5201&oldid=4777 endpoint = "{server ip}:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
Should the endpoint route be added by https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix For my part I will test the use of networking.wg-quick.interfaces instead of networking.wireguard.interfaces for configuring my client and report back if that worksforme.
networking.wg-quick.interfaces worksforme (without setting DNS). I get DNS via my original non wireguarded IP connection. A separate topic for me is to understand the best way of handling DNS in a wireguarded environment.
However, using wg-quick should work. When it comes to debugging individual setups or server configurations, please ask in the Forums or on IRC, closing this issue.
```nix
{
  networking.firewall.checkReversePath = false;
}
```

is working, but I prefer to keep Reverse Path Filter enabled against IP spoofing attacks.

In bash:

```bash
#!/usr/bin/env bash
server_ip='....'   # wireguard server address
dns_server='....'  # DNS server address
wireguard_ifname='wg0'

wg-quick up "$wireguard_ifname"

# workaround for rpfilter: if nothing is reachable once the tunnel is up,
# add a host route to the wireguard server via the original default gateway
has_manual_gateway=false
echo "connection test: ping '$dns_server'"
timeout 1 ping -c1 "$dns_server" >/dev/null || {
    gateway="$(ip route list default | awk '{ print $3 }')"
    echo "Wireguard server seems blocked by Reverse Path Filter"
    echo "set gateway: ip route add '$server_ip' via '$gateway'"
    sudo ip route add "$server_ip" via "$gateway"
    sleep 0.5 # wait for 'ip route add' to take effect
    has_manual_gateway=true
}

if $has_manual_gateway
then echo "To disconnect from VPN, run: wg-quick down $wireguard_ifname; sudo ip route del $server_ip"
else echo "To disconnect from VPN, run: wg-quick down $wireguard_ifname"
fi
```
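As an added example that is not from this issue or from nixpkgs, here is the same endpoint host route expressed declaratively as networking.wireguard.interfaces hooks, so reverse path filtering can stay enabled on the networking.wireguard path (commenters above report that networking.wg-quick.interfaces needs no such route). The server address, tunnel address, key file path, public key and interface name are placeholders.

```nix
# Added example (not from the issue or nixpkgs): a NixOS WireGuard client that
# routes all traffic through the tunnel while keeping checkReversePath enabled.
# The host route to the endpoint is installed before the module adds the
# 0.0.0.0/0 route, so the gateway read here is still the underlying one.
{ config, pkgs, lib, ... }:
let
  endpointHost = "203.0.113.10";  # placeholder: WireGuard server address
  endpointPort = 51820;
  ip = "${pkgs.iproute2}/bin/ip";
  awk = "${pkgs.gawk}/bin/awk";
in
{
  networking.firewall.checkReversePath = true;  # keep rp_filter on

  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.100.0.2/24" ];                   # placeholder tunnel address
    privateKeyFile = "/etc/wireguard/wg0.key";   # placeholder path, mode 0400
    peers = [{
      publicKey = "<server public key>";         # placeholder
      allowedIPs = [ "0.0.0.0/0" "::/0" ];
      endpoint = "${endpointHost}:${toString endpointPort}";
      persistentKeepalive = 25;
    }];

    # Runs before the interface and its routes exist: capture the current
    # default gateway and pin the endpoint to it, so encrypted packets to the
    # server leave via the physical uplink and its replies pass rp_filter.
    preSetup = ''
      gw=$(${ip} route list default | ${awk} '{ print $3; exit }')
      if [ -n "$gw" ]; then
        ${ip} route replace ${endpointHost}/32 via "$gw"
      fi
    '';

    # Remove the pinned route again when the tunnel is torn down.
    postShutdown = ''
      ${ip} route del ${endpointHost}/32 || true
    '';
  };
}
```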
Issue description
I'm unable to route all traffic through a properly configured Wireguard interface using both `networking.wireguard` and wg-quick(8); when using `allowedIPs = [ "0.0.0.0/0" "::/0" ]` I'm unable to ping any system outside my own, except for my router. If some other IP range is allowed, say `10.100.0.0/24`, I am able to ping the interface, but my traffic is not routed through it.

Steps to reproduce
1. `/etc/wireguard/wg-test.conf` with `AllowedIPs = 0.0.0.0/0,::/0` under `[Peer]`.
2. `wg-quick up wg-test`.

Or alternatively: `networking.wireguard` with `allowedIPs = [ "0.0.0.0/0" "::/0" ]`.

Technical details