by rfoo
1544 days ago
Are you sure what you described works? Last I tried it didn't work, and this is explicitly stated on wireguard.com:

> In other words, when sending packets, the list of allowed IPs behaves as a sort of routing table, and when receiving packets, the list of allowed IPs behaves as a sort of access control list.

> This is what we call a Cryptokey Routing Table: the simple association of public keys and allowed IPs.

Which is, I believe, also why zx2c4 called to revert the whole systemd-networkd feature. I would really want it to work as it would simplify my network configuration by a bit. Please share a working example if you are able to make it work, thanks! Last time I tried it I used iproute2 to manually set up the interfaces and wg setconf to load the WireGuard configurations, so I don't think my tooling is to blame.
If we're talking simply about decoupling routing from AllowedIPs, yes, using that right now and set it up several times. For redundant routers, see below.
> > In other words, when sending packets, the list of allowed IPs behaves as a sort of routing table
This does seem in conflict with my understanding... Depending on exactly what devil-details go into that "sort of", of course. Not deep enough into it to tell you, though.
> Which is, I believe, also why zx2c4 called to revert the whole systemd-networkd feature.
Rather the opposite, AIUI: to allow for setting routes explicitly (which introducing the wg-quick behavior broke [0]).
What started making it click for me was this ArchWiki section[1]. The discussion under this GH issue may also provide some pointers[2]. Also [3]. IIRC I did get multiple outbound redundant routers with failover in the end. There may be WG-specific gremlins I glanced over but ascribed it to not fully grokking the Linux IP stack and issues with *tables in general at the time - the goal I had is hairy enough without Wireguard in the mix. Please report back here on your progress if you have the time :)
[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003955
[1]: https://wiki.archlinux.org/title/WireGuard#systemd-networkd:...
[2]: https://github.com/systemd/systemd/issues/14176
[3]: https://www.eisfunke.com/article/docker-wireguard-systemd.ht...
-----
EDIT: Went back to take a look and I never did get proper HA routing sorted - ended up "solving" it with a script regularly checking reachability and bringing routes up/down accordingly. No need to bring the actual WG interfaces or IP assignments up/down for that, though.
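The reachability-check approach from the EDIT above, as an added example that is not the commenter's script: two WireGuard interfaces, each with one redundant router as its only peer (AllowedIPs 0.0.0.0/0 on that peer), so AllowedIPs acts only as the access list and the kernel routing table, reconciled here from probe results, decides which tunnel carries traffic. Interface names, peer tunnel addresses and metrics are assumed values.

```shell
#!/bin/sh
# Added example (assumed interfaces/addresses): probe each router through
# its own WireGuard interface and keep a default route only via the ones
# that answer. With different metrics the kernel prefers the healthy
# lowest-metric route, so failover is just "remove the dead route".
set -u

# "iface:peer_tunnel_ip:metric", preferred router first (lowest metric)
ROUTERS="wg0:10.0.0.1:100 wg1:10.0.1.1:200"
DRY_RUN=${DRY_RUN:-1}   # 1 = print the ip(8) commands instead of running them

# One ICMP echo bound to the interface, so the reply must come back
# through that tunnel rather than through whichever route is active.
probe() { ping -c 1 -W 1 -I "$1" "$2" >/dev/null 2>&1; }

# Print the ip(8) commands that make the table match the probe results.
# "replace" is idempotent: a healthy route is (re)installed every run and
# a failed one removed, so no previous state needs tracking.
route_cmds() {
  for entry in "$@"; do     # entry = iface:via:metric:up|down
    iface=${entry%%:*}; rest=${entry#*:}
    via=${rest%%:*}; rest=${rest#*:}
    metric=${rest%%:*}; state=${rest#*:}
    if [ "$state" = up ]; then
      echo "ip route replace default via $via dev $iface metric $metric"
    else
      echo "ip route del default via $via dev $iface metric $metric"
    fi
  done
}
# First entry (in preference order) whose state is "up": the interface
# the kernel will pick once the routes above are installed.
choose_active() {
  for entry in "$@"; do
    case "$entry" in *:up) echo "${entry%%:*}"; return 0 ;; esac
  done
  return 1
}
reconcile() {
  results=""
  for r in $ROUTERS; do
    iface=${r%%:*}; via=${r#*:}; via=${via%%:*}
    if probe "$iface" "$via"; then results="$results $r:up"; else results="$results $r:down"; fi
  done
  route_cmds $results | while read -r cmd; do
    if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else eval "$cmd" || echo "failed: $cmd" >&2; fi
  done
  echo "active uplink: $(choose_active $results || echo none)"
}
if [ "${1:-}" = run ]; then reconcile; fi   # e.g. from a systemd timer or cron
```

Run it as `DRY_RUN=1 ./wg-failover.sh run` first to see the route changes it would make; `ip route del` of a route that is already gone just logs a failure and the next run continues.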