Thanks for implementing WireGuard in the latest release of LibreELEC!
I tried to replace my site-to-site VPN from the tinc addon with wg, but somehow it keeps replacing the default route from eth0 with wg0, even though AllowedIPs is limited to the remote subnet. If I connmanctl disconnect <vpnname>, it properly restores the former default route.
I'm not sure where to look. This is the config file ~/.config/wireguard/wireguard.config:
[provider_wireguard]
Type = WireGuard
Name = WireGuard VPN Tunnel
Host = xy.myfritz.net
Domain = myname
WireGuard.Address = 10.0.0.1/24
WireGuard.ListenPort = 61820
WireGuard.PrivateKey = kNf1...wk0Q=
WireGuard.PublicKey = 1yj3Tam...QWbeHo=
WireGuard.AllowedIPs = 192.168.2.0/24
WireGuard.EndpointPort = 61820
WireGuard.PersistentKeepalive = 25
I understood from the docs that wg would only set the default route to the tunnel if AllowedIPs were 0.0.0.0/0, but it isn't.
After connmanctl connect, the route table looks like this (the other side of the wg tunnel is not yet configured, so don't mind the missing route for the target subnet):
~/.config/wireguard # ip route
default dev wg0 scope link
10.0.0.0/24 dev wg0 scope link src 10.0.0.1
192.168.110.0/24 dev eth0 scope link src 192.168.110.15
192.168.110.100 dev eth0 scope link
255.255.255.255 via 192.168.110.100 dev eth0

~/.config/wireguard # wg
interface: wg0
  public key: mIrfDDWUv....mzKH0A=
  private key: (hidden)
  listening port: 61820

peer: 1yj3Tamu....1yQWbeHo=
  endpoint: 84.x.y.z:61820
  allowed ips: 192.168.2.0/24
  transfer: 0 B received, 148 B sent
  persistent keepalive: every 25 seconds
The output of wg correctly limits to the configured target subnet.
After "connmanctl disconnect <vpnname>" the ip route looks like this:
I do not understand why it replaced the default route to wg0, the config file does not tell it to do so. Is this maybe a temporary state until the tunnel is established? Because that is not the case at this moment.
Can someone give me a hint where to look?
EDIT: I found there is a file ~/.cache/connman/<vpnname>/settings, which contains this line:
This probably has something to do with it. I cannot set it to "true", because it gets overwritten automatically by some other mechanism as soon as I "connmanctl connect <vpnname>". This mechanism probably is hard-coded to force-tunnel (route 0.0.0.0/0) into WireGuard, isn't it?
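A small consistency check for the situation described in the post, added here as an example and not part of the original post or of the LibreELEC/connman code: it compares the routes the kernel installed through the tunnel interface against the peer's AllowedIPs and flags any destination (such as a default route) that the configuration never asked to be tunnelled. The sample `ip route` and `wg` output is constructed after the post; the peer key and endpoint are placeholders, and the tunnel address is taken from the post's WireGuard.Address.

```python
"""Flag kernel routes through a WireGuard interface that its AllowedIPs do not justify."""
import ipaddress
import re

# Constructed sample output, modelled on the post (placeholder key/endpoint).
IP_ROUTE = """\
default dev wg0 scope link
10.0.0.0/24 dev wg0 scope link src 10.0.0.1
192.168.110.0/24 dev eth0 scope link src 192.168.110.15
192.168.110.100 dev eth0 scope link
255.255.255.255 via 192.168.110.100 dev eth0
"""
WG_SHOW = """\
interface: wg0
  listening port: 61820
peer: PLACEHOLDERPEERKEY=
  endpoint: 203.0.113.1:61820
  allowed ips: 192.168.2.0/24
"""


def routes_via(ip_route, dev):
    """Destination networks that `ip route` sends out of interface `dev`."""
    nets = []
    for line in ip_route.splitlines():
        f = line.split()
        if "dev" in f and f.index("dev") + 1 < len(f) and f[f.index("dev") + 1] == dev:
            dst = "0.0.0.0/0" if f[0] == "default" else f[0]
            nets.append(ipaddress.ip_network(dst, strict=False))
    return nets


def allowed_ips(wg_show):
    """All AllowedIPs prefixes listed for peers in `wg show` output."""
    nets = []
    for m in re.finditer(r"allowed ips:\s*(.+)", wg_show):
        nets.extend(ipaddress.ip_network(c.strip(), strict=False)
                    for c in m.group(1).split(","))
    return nets


def unexpected_routes(ip_route, wg_show, dev, tunnel_addr):
    """Routes via `dev` not covered by AllowedIPs, ignoring the tunnel's own subnet.

    A default route showing up here means traffic is being forced into the
    tunnel although the configuration only asked for the listed prefixes."""
    own = ipaddress.ip_interface(tunnel_addr).network
    allowed = allowed_ips(wg_show)
    return [n for n in routes_via(ip_route, dev)
            if n != own and not any(n.subnet_of(a) for a in allowed)]
```

Running it against the constructed sample reports only 0.0.0.0/0, which is exactly the route the post complains about; with AllowedIPs = 0.0.0.0/0 the same check reports nothing.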