
At start I have:

[root@client ~]# ip ro | grep default
default via 10.0.2.2 dev eth0 proto dhcp metric 100

When I run

nmcli connection import type wireguard file /etc/wireguard/wg0.conf

I get

[root@client ~]# ip ro | grep default
default dev wg0 proto static scope link metric 50 
default via 10.0.2.2 dev eth0 proto dhcp metric 100

At this moment I lose the connection to the remote host.

What can I do to avoid this behavior?

  • Don't import it into NetworkManager. – Michael Hampton Feb 16 '21 at 13:42
  • So, what is the correct way to create and bring up a wg interface without using wg-quick? – Sebastian Pereira Feb 17 '21 at 08:42
  • What do you mean by "without using wg-quick"? That is how you do it. – Michael Hampton Feb 17 '21 at 15:49
  • Nope. I don't use wg-quick. Instead of it I just use nmcli to import the wg interface, then nmcli connection modify and then nmcli connection up wg0. – Sebastian Pereira Feb 18 '21 at 05:43
  • I gave up wg-quick, just because it creates its own routes, which doesn't work for me. Nmcli is the way, I hope, that will let me have more control over routes. Maybe there's another, more suitable, way? – Sebastian Pereira Feb 18 '21 at 05:50
  • If you don't want a route, then do not put it in AllowedIPs. – Michael Hampton Feb 18 '21 at 15:27
  • If I comment out AllowedIPs in the Peer section of the server config and run `wg syncconf ...`, I get this (from the server):
    ping 10.112.0.6
    PING 10.112.0.6 (10.112.0.6) 56(84) bytes of data.
    From 10.112.0.1 icmp_seq=1 Destination Host Unreachable
    ping: sendmsg: Required key not available
    And no handshakes. But when I uncomment it again and resync the config, it starts working:
    ping 10.112.0.6
    PING 10.112.0.6 (10.112.0.6) 56(84) bytes of data.
    64 bytes from 10.112.0.6: icmp_seq=1 ttl=64 time=7.26 ms
    64 bytes from 10.112.0.6: icmp_seq=2 ttl=64 time=47.8 ms
    – Sebastian Pereira Feb 19 '21 at 20:36
  • That sounds like it is working correctly. – Michael Hampton Feb 19 '21 at 22:39

1 Answer


That doesn't sound right. Are you using a rather old version of NetworkManager? Which?

Seems you have a 0.0.0.0/0 route as AllowedIPs. That is fine (if that is what you want). NetworkManager should configure the routes as wg-quick would, and as described in https://www.wireguard.com/netns/#improved-rule-based-routing.

In particular, check all the routes with ip route show table all and the corresponding routing rules with ip rule.

This automatism is controlled by the wireguard.ip4-auto-default-route setting in the (imported) profile. You can inspect the imported profile with nmcli con show wg0.

But it also depends on your actual settings. For example, if wg0.conf has Table=off or a fixed table number, then this is different (both with wg-quick and with the profile that you imported into NetworkManager). It would be better to show the complete configuration (after masking private data!!), otherwise it's just guesswork what happens.

thaller
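The answer's point that what gets imported depends on AllowedIPs and Table, and the comment thread's experience that removing AllowedIPs entirely leaves a peer unable to send at all ("Required key not available"), can both be checked offline before touching the live host. The following script is an added example, not code from the question, the answer, NetworkManager or WireGuard: it parses a wg-quick style wg0.conf, reports whether a catch-all AllowedIPs (0.0.0.0/0 or ::/0) with Table left at auto would make the import install a default route, and produces a copy of the config with the catch-all removed, the change suggested in the comments. The sample config is constructed with placeholder keys; the connection name wg0 and the choice of falling back to the Interface Address network when a peer would otherwise be left with no AllowedIPs are assumptions of this example.

```python
"""Predict what importing a wg-quick conf into NetworkManager will do with the
default route, and rewrite AllowedIPs without the catch-all prefixes.
Added example; assumes a standard [Interface]/[Peer] file as wg-quick reads it."""
import ipaddress
from typing import Dict, List

# Constructed sample mirroring the question: one client peer with a catch-all
# AllowedIPs. Keys and endpoint are placeholders, not real values.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.112.0.6/24

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820   # assumed endpoint
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""


def parse_wg_conf(text: str) -> Dict[str, object]:
    """Parse the INI-like wg-quick file into {'Interface': {...}, 'Peer': [{...}, ...]}."""
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {name!r}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        # wg-quick lets AllowedIPs/Address repeat; fold repeats into one list
        current[key] = f"{current[key]},{value}" if key in current else value
    return {"Interface": interface, "Peer": peers}


def _prefixes(value: str) -> List[str]:
    return [c.strip() for c in value.split(",") if c.strip()]


def catch_all_allowed_ips(conf: Dict[str, object]) -> List[str]:
    """AllowedIPs entries covering the whole address space (0.0.0.0/0 or ::/0)."""
    return [c for peer in conf["Peer"] for c in _prefixes(peer.get("AllowedIPs", ""))
            if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def predict_default_route(conf: Dict[str, object]) -> Dict[str, object]:
    """Rule from the answer: a catch-all AllowedIPs only produces the wg-quick style
    default route when Table is left at its default (auto)."""
    table = conf["Interface"].get("Table", "auto").lower()
    catch_all = catch_all_allowed_ips(conf)
    return {"table": table, "catch_all_allowed_ips": catch_all,
            "installs_default_route": bool(catch_all) and table == "auto"}


def drop_catch_all(conf: Dict[str, object], fallback: List[str] = None) -> Dict[str, object]:
    """Copy of conf with 0.0.0.0/0 and ::/0 removed from every peer's AllowedIPs.
    A peer left with no AllowedIPs could not send anything through the tunnel
    (the 'Required key not available' error seen in the comments), so such a peer
    gets `fallback`, which defaults to the Interface Address network; that default
    is an assumption of this example that fits a plain single-subnet client."""
    if fallback is None:
        fallback = [str(ipaddress.ip_interface(a).network)
                    for a in _prefixes(conf["Interface"].get("Address", ""))]
    new_peers = []
    for peer in conf["Peer"]:
        peer = dict(peer)
        kept = [c for c in _prefixes(peer.get("AllowedIPs", ""))
                if ipaddress.ip_network(c, strict=False).prefixlen != 0]
        peer["AllowedIPs"] = ", ".join(kept or fallback)
        new_peers.append(peer)
    return {"Interface": dict(conf["Interface"]), "Peer": new_peers}


def render_wg_conf(conf: Dict[str, object]) -> str:
    """Serialize back to wg-quick syntax, keys in the order they were read."""
    lines = ["[Interface]"] + [f"{k} = {v}" for k, v in conf["Interface"].items()]
    for peer in conf["Peer"]:
        lines += ["", "[Peer]"] + [f"{k} = {v}" for k, v in peer.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    conf = parse_wg_conf(SAMPLE_CONF)
    print(predict_default_route(conf))
    print(render_wg_conf(drop_catch_all(conf)))
```

Run against the sample, the prediction reports that the import would install a default route, and the rewritten peer ends up with AllowedIPs = 10.112.0.0/24, which keeps the tunnel usable for the VPN subnet without competing with the eth0 default route. Whether to remove the catch-all or to keep it and adjust the profile's wireguard.ip4-auto-default-route setting is the trade-off the answer describes; in either case verify the result on the host with the checks it names (nmcli con show wg0, ip route show table all, ip rule) rather than trusting the prediction alone.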