Thanks for implementing WireGuard in the latest release of LibreELEC!
I tried to replace my site-to-site VPN from the tinc addon with wg, but somehow it keeps replacing the default route from eth0 with wg0, even though AllowedIPs is limited to the remote subnet. If I connmanctl disconnect <vpnname>, it properly restores the former default route.
I'm not sure where to look. This is the config file ~/.config/wireguard/wireguard.config:
```
Type = WireGuard
Name = WireGuard VPN Tunnel
Host = xy.myfritz.net
Domain = myname
WireGuard.Address = 10.0.0.1/24
WireGuard.ListenPort = 61820
WireGuard.PrivateKey = kNf1...wk0Q=
WireGuard.PublicKey = 1yj3Tam...QWbeHo=
WireGuard.AllowedIPs = 192.168.2.0/24
WireGuard.EndpointPort = 61820
WireGuard.PersistentKeepalive = 25
```
I understood from the docs that wg would only set the default route to the tunnel if AllowedIPs were 0.0.0.0/0, but it isn't.
After connmanctl connect, the route table looks like this (the other side of the wg end is not yet configured, so don't mind the missing route for the target subnet):
```
~/.config/wireguard # ip route
default dev wg0 scope link
10.0.0.0/24 dev wg0 scope link src 10.0.0.1
192.168.110.0/24 dev eth0 scope link src 192.168.110.15
192.168.110.100 dev eth0 scope link
255.255.255.255 via 192.168.110.100 dev eth0
~/.config/wireguard # wg
interface: wg0
  public key: mIrfDDWUv....mzKH0A=
  private key: (hidden)
  listening port: 61820

peer: 1yj3Tamu....1yQWbeHo=
  endpoint: 84.x.y.z:61820
  allowed ips: 192.168.2.0/24
  transfer: 0 B received, 148 B sent
  persistent keepalive: every 25 seconds
```
The output of wg is correctly limited to the configured target subnet.
After "connmanctl disconnect <vpnname>" the ip route looks like this:
I do not understand why it replaced the default route with wg0; the config file does not tell it to do so. Is this maybe a temporary state until the tunnel is established? Because that is not the case at this moment.
Can someone give me a hint where to look?
EDIT: I found there is a file ~/.cache/connman/<vpnname>/settings, which contains this line:
This probably has something to do with it. I cannot set it to "true", because it gets overwritten automatically by some other mechanism as soon as I "connmanctl connect <vpnname>". This mechanism is probably hardcoded to forcetunnel (route 0.0.0.0/0) into WireGuard, isn't it?
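The comparison the poster does by hand above (AllowedIPs in the connman provider file versus what `ip route` actually shows) can be automated as a small split-tunnel sanity check. The following is an added example written for this page; it is not connman's or LibreELEC's code and says nothing about why connman installs the route. The sample inputs are the config file and the `ip route` output copied from the post (key material left truncated as posted); the parsing of the `key = value` provider format and of `ip route` lines is a minimal assumption sufficient for those samples, not a complete grammar of either.

```python
"""Check whether a WireGuard tunnel's kernel routes agree with its AllowedIPs.

Added example for the post above (not connman/LibreELEC code). It flags the
situation the poster describes: a default route via the wg interface although
AllowedIPs contains neither 0.0.0.0/0 nor ::/0.
"""
import ipaddress

# Constructed sample input: the connman provider file from the post.
# Keys are shown truncated exactly as in the post; they are not real keys.
CONNMAN_WG_CONFIG = """\
Type = WireGuard
Name = WireGuard VPN Tunnel
Host = xy.myfritz.net
Domain = myname
WireGuard.Address = 10.0.0.1/24
WireGuard.ListenPort = 61820
WireGuard.PrivateKey = kNf1...wk0Q=
WireGuard.PublicKey = 1yj3Tam...QWbeHo=
WireGuard.AllowedIPs = 192.168.2.0/24
WireGuard.EndpointPort = 61820
WireGuard.PersistentKeepalive = 25
"""

# Constructed sample input: the `ip route` output from the post after connect.
IP_ROUTE_OUTPUT = """\
default dev wg0 scope link
10.0.0.0/24 dev wg0 scope link src 10.0.0.1
192.168.110.0/24 dev eth0 scope link src 192.168.110.15
192.168.110.100 dev eth0 scope link
255.255.255.255 via 192.168.110.100 dev eth0
"""


def parse_connman_config(text):
    """Parse 'key = value' lines into a dict (assumed format; skips blanks, '#' and '[' lines)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        # Split on the FIRST '=' only so base64 keys ending in '=' survive.
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def allowed_networks(cfg):
    """AllowedIPs as ip_network objects; accepts a comma-separated list."""
    raw = cfg.get("WireGuard.AllowedIPs", "")
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in raw.split(",") if p.strip()]


def wants_full_tunnel(nets):
    """True if AllowedIPs covers an entire address family (0.0.0.0/0 or ::/0)."""
    return any(n.prefixlen == 0 for n in nets)


def parse_routes(text):
    """Reduce each `ip route` line to (destination, device)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((parts[0], dev))
    return routes


def default_route_dev(routes):
    """Device carrying the default route, or None if there is none."""
    for dst, dev in routes:
        if dst == "default":
            return dev
    return None


def check_split_tunnel(cfg_text, route_text, wg_ifname="wg0"):
    """Return a list of findings; an empty list means routes match AllowedIPs."""
    nets = allowed_networks(parse_connman_config(cfg_text))
    routes = parse_routes(route_text)
    findings = []

    # Finding 1: default route hijacked although no catch-all AllowedIPs.
    if default_route_dev(routes) == wg_ifname and not wants_full_tunnel(nets):
        findings.append(
            f"default route goes via {wg_ifname} but AllowedIPs="
            f"{','.join(map(str, nets))} contains neither 0.0.0.0/0 nor ::/0")

    # Finding 2: an allowed network with no corresponding route on the wg interface.
    wg_dsts = {dst for dst, dev in routes if dev == wg_ifname and dst != "default"}
    for n in nets:
        if n.prefixlen != 0 and str(n) not in wg_dsts:
            findings.append(f"no route for allowed network {n} via {wg_ifname}")
    return findings


if __name__ == "__main__":
    for finding in check_split_tunnel(CONNMAN_WG_CONFIG, IP_ROUTE_OUTPUT):
        print("FINDING:", finding)
```

Run against the post's data it reports both the hijacked default route and the (expected, per the poster) missing 192.168.2.0/24 route; with AllowedIPs set to 0.0.0.0/0 the default route via wg0 is consistent and nothing is reported. On a live box the two inputs would come from the provider file and from `ip route` / `ip -6 route`, which this example deliberately reads from constructed strings so it runs offline.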