WireGuard - changes the default route although not configured

  • Thanks for updating the part about routing. As many different IPs are mentioned in every step, it is very difficult to follow those instructions, as it is not clear (to me) which IPs are which in this part:

    Code
    ExecStartPost=/usr/sbin/route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.0.2
    ExecStartPost=/usr/sbin/route add 64.109.130.11/32 via 192.168.0.1 dev eth0

    In this example code which is which IP?

    192.168.2.0 - the remote network I want to reach over VPN?

    10.0.0.2 - remote Wireguard VPN network?

    64.109.130.11/32 - public IP of the VPN server?

    192.168.0.1 - local gateway (where the LE client is)?

  • ConnMan adds a route to the WireGuard server so you do not need to. All you need is the move-after/move-before connmanctl commands to adjust the interface/service order so WireGuard is not the default route that everything is tunnelled down (and the interface you want to be the default is the default). Run the commands manually to experiment and get things working, then set the same sequence in the .service file.

    NB: I also add some static routes in my .service file to e.g. a Tvheadend server that I want to access from the local network and not via the WireGuard tunnel, as WireGuard would add 2,000km to an already 4,500km distant Tvheadend instance.
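The check a practitioner wants after running the move-after/move-before commands above is whether the default route really left the WireGuard interface and whether only the intended remote network goes through the tunnel. The script below is an added example, not code from the LibreELEC wiki or from either poster. It assumes hypothetical interface names (`wg0` for the WireGuard service, `eth0` for the LAN) and reuses the addresses from the service file in this thread (`192.168.2.0/24` as the remote LAN, `10.0.0.x` as the tunnel network, `64.109.130.11` as the server, `192.168.0.1` as the local gateway); the two routing tables embedded in it are constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example (not from the LibreELEC wiki or the forum posters):
# verify that after `connmanctl move-after <vpn> <ethernet>` the WireGuard
# interface does NOT own the default route and that only the remote LAN is
# routed through the tunnel.
#
# Typical sequence on the box (hypothetical service names):
#   connmanctl connect vpn_service_name
#   connmanctl move-after vpn_service_name ethernet_b827eb10c45a_cable
#   ip route show | check_routes wg0 eth0 192.168.2.0/24

# Print the device that owns the default route; reads `ip route show` on stdin.
default_dev() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Print the device used for an exact prefix (e.g. 192.168.2.0/24); stdin as above.
dev_for_prefix() {
    awk -v p="$1" '$1 == p { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# check_routes WG_IFACE LAN_IFACE REMOTE_NET
# Returns 0 when the table on stdin has the default route on LAN_IFACE and
# REMOTE_NET on WG_IFACE; returns 1 and reports what is wrong otherwise.
check_routes() {
    wg="$1"; lan="$2"; net="$3"
    table=$(cat)
    d=$(printf '%s\n' "$table" | default_dev)
    r=$(printf '%s\n' "$table" | dev_for_prefix "$net")
    ok=0
    if [ "$d" != "$lan" ]; then
        echo "default route is on ${d:-<none>}, expected $lan" >&2
        ok=1
    fi
    if [ "$r" != "$wg" ]; then
        echo "$net is on ${r:-<none>}, expected $wg" >&2
        ok=1
    fi
    return $ok
}

# Constructed sample tables (assumed interface names wg0/eth0, not real output).
# BEFORE: ConnMan ordered the VPN first, so everything is tunnelled. Note the
# host route to the WireGuard server that ConnMan adds by itself.
BEFORE='default via 10.0.0.1 dev wg0
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.2
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
64.109.130.11 via 192.168.0.1 dev eth0'

# AFTER: the ethernet service was moved ahead of the VPN and a static route for
# the remote LAN was added over the tunnel; the default route is back on eth0.
AFTER='default via 192.168.0.1 dev eth0
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.2
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
192.168.2.0/24 via 10.0.0.1 dev wg0
64.109.130.11 via 192.168.0.1 dev eth0'

# `sh thisscript.sh --live` runs the check against the real routing table.
if [ "${1:-}" = "--live" ]; then
    ip route show | check_routes "${WG_IFACE:-wg0}" "${LAN_IFACE:-eth0}" "${REMOTE_NET:-192.168.2.0/24}"
    exit $?
fi
```

Running it with `--live` right after each `connmanctl move-after`/`move-before` tells you immediately whether the service order you tried produced the intended table, which is the experiment mglae describes; once `check_routes` passes, the same connmanctl sequence goes into the .service file.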

  • ConnMan adds a route to the WireGuard server so you do not need to.

    The code in my last post is taken from here, WireGuard | LibreELEC.wiki (known issues part), so I assumed it needs to be in that wireguard.service file to make the routing work as expected: only route the desired network over VPN and not the whole traffic.

    All you need is the move-after/move-before connmanctl commands to adjust the interface/service order so WireGuard is not the default route that everything is tunnelled down (and the interface you want to be the default is the default).

    Hmm, is there maybe a typo in the wiki, as I only see two "move-after" commands and no "move-before" command in the example from the above mentioned wiki page:

    Code
    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStartPre=/usr/bin/sleep 5
    ExecStart=/usr/bin/connmanctl connect vpn_service_name
    ExecStartPost=/usr/bin/connmanctl move-after vpn_service_name ethernet_b827eb10c45a_cable
    ExecStartPost=/usr/bin/connmanctl move-after vpn_service_name ethernet_b827eb10c45a_cable
    ExecStartPost=/usr/sbin/route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.0.2
    ExecStartPost=/usr/sbin/route add 64.109.130.11/32 via 192.168.0.1 dev eth0
    ExecStop=/usr/bin/connmanctl disconnect vpn_service_name

    So this part is not necessary in a common scenario, as this is your Tvheadend special?

    ExecStartPost=/usr/sbin/route add 64.109.130.11/32 via 192.168.0.1 dev eth0

    Sorry to bother you about that so much, but I want to understand it and get it working "correctly".

  • Hmm, is there maybe a typo in the wiki, as I only see two "move-after" commands and no "move-before" command in the example from the above mentioned wiki page:

    Stop blindly copying things from the wiki. It shows general hints not verbatim instructions. Your existing service file results in a connection. You can add move-after or move-before commands to adjust the routing config. You can also run the move-after/before commands from the SSH console to experiment in-situ and see the impact on the routes on your box. Go experiment, figure out what combination you need, then add the same sequence to the file. If you don't need static routes, don't add static routes.

  • QBJack: Not possible with connman, use wg. See post 14.

    Thanks mglae. I used the description in that post and got it working as it should. It has the big benefit that you can use hostnames / FQDNs for the VPN server host.


    Stop blindly copying things from the wiki. It shows general hints not verbatim instructions. Your existing service file results in a connection. You can add move-after or move-before commands to adjust the routing config. You can also run the move-after/before commands from the SSH console to experiment in-situ and see the impact on the routes on your box. Go experiment, figure out what combination you need, then add the same sequence to the file. If you don't need static routes, don't add static routes.

    Thanks, but a guide like that wiki page is not very helpful for noob Linux users like me, and I do not have the time and the patience to become a Linux networking and routing expert.

    Whatever, I got it working as described in post #14. Thanks for your support.

    Edited once, last by QBJack: A post by QBJack was merged with this post. (January 13, 2025 at 1:32 PM).