Wireguard / connman default route issues

  • Hi,

    My first post and issue. Decided to post after trying to get WireGuard up on LibreELEC 10.0.2 running on RPi4.

    Asking chewitt to join discussion as he was active in similar threads.

    So I have configured everything according to a guide:

    WireGuard on LibreELEC.Wiki

    I have also read through the threads:

    Wireguard - changes the default route although not configured

    Enabling Wireguard for a 10.x.x.x network only breaks all internet access

    So basically the issue seems to be coming from connman forcing full tunneling of traffic through VPN.

    Checking your connman wireguard connection via:

    Code
    connmanctl services --properties vpn_XXX

    will show one of the fields as:

    Code
    Provider = [ Host=XXX, Type=wireguard, SplitRouting=False ]

    Digging through the Internet and connman man pages it seems that SplitRouting should be possible to set via connman provider config file (your *.config according to the guide above).

    Code
    [provider_wireguard]
    Type = WireGuard
    Name = XXX
    Host = XXX
    SplitRouting = True

    This was not in place when the listed discussions were taking place (starting in May 2020), as I have found commits adding that functionality on 11 Dec 2020.

    vpn-provider: Support SplitRouting option from connmand

    vpn: Support SplitRouting in D-Bus variables, improve route code

    So the variable should be functional (it's enumerated in Properties and defaults to False) when a route is provided for provider as per below from the commits:

    Quote

    Improve check_route() by also checking that the split routed VPN has
    more than the default route set. A VPN cannot be set split routed if it
    does not have at least one route set.

    The problem I have is I can't find what the config should look like when defining routes.

    According to vpn-config-format.txt SplitRouting does not exist yet.

    It mentions a "Networks" parameter; however, in my testing I didn't see any difference with it being present or not.

    I have also found "UserRoutes" parameter mentioned in vpn-connection-api.txt but details and/or examples are missing.

    So in conclusion - does anyone know how SplitRouting for connman should be configured? My C skills are a bit lacking to get through connman source code in place of missing docs.
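
The check below is an added example, not part of the post and not connman or LibreELEC code. It compares the SplitRouting flag that connmanctl reports with the routes actually installed, so a tunnel that still owns the default route is visible; the interface name wg0 and all sample text are constructed assumptions.

```shell
#!/bin/sh
# Added example; wg0 and all sample text below are constructed assumptions.

# SplitRouting value from `connmanctl services --properties vpn_XXX` output on stdin.
split_routing_flag() {
    sed -n 's/.*SplitRouting=\([A-Za-z]*\).*/\1/p' | head -n 1
}

# Device of every default route in `ip route show` output on stdin.
default_route_devs() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Number of non-default routes bound to device $1 (`ip route show` output on stdin).
specific_route_count() {
    awk -v dev="$1" '$1 != "default" {
        for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) n++
    } END { print n + 0 }'
}

# tunnel_mode ROUTES VPNDEV -> full-tunnel | split | no-vpn-routes
tunnel_mode() {
    if printf '%s\n' "$1" | default_route_devs | grep -qx "$2"; then
        echo full-tunnel
    elif [ "$(printf '%s\n' "$1" | specific_route_count "$2")" -gt 0 ]; then
        echo split
    else
        echo no-vpn-routes
    fi
}

# audit PROPS ROUTES VPNDEV: flag set to True but default route still on the VPN = mismatch.
audit() {
    flag=$(printf '%s\n' "$1" | split_routing_flag)
    mode=$(tunnel_mode "$2" "$3")
    verdict=ok
    [ "$flag" = True ] && [ "$mode" = full-tunnel ] && verdict=mismatch
    echo "SplitRouting=${flag:-unset} effective=$mode verdict=$verdict"
}

SAMPLE_PROPS='  Provider = [ Host=XXX, Type=wireguard, SplitRouting=False ]'
SAMPLE_ROUTES_FULL='default dev wg0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'
SAMPLE_ROUTES_SPLIT='default via 192.168.1.1 dev eth0
10.0.0.0/24 dev wg0 scope link'

audit "$SAMPLE_PROPS" "$SAMPLE_ROUTES_FULL" wg0
audit "$SAMPLE_PROPS" "$SAMPLE_ROUTES_SPLIT" wg0
```

On a live system the first two arguments would be the output of `connmanctl services --properties vpn_XXX` and `ip route show`.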

  • WireGuard connman for LE is not at all flexible, on VPN connections it requires static IP addresses and tunnels all communications to the VPN server.

    How do I solve the problem when I want to do split routing?

    With LE I think there is only one solution: use ZeroTier VPN networks (through docker services) instead of WireGuard, because they allow flexible routing.

    On my CoreELEC devices I tend to use Entware WireGuard to not route all traffic to the VPN server, but this is not easy to do on LibreELEC.

    LE's implementation was done by me to suit my use-case, which is remote access to home from whatever hotel I'm working from this week with all traffic tunnelled. If people have other use-cases, pull requests on GitHub that improve functionality without complex or onerous configuration are welcomed. Note that few people on staff use WireGuard and I have very little time for anything at the moment, so don't expect a particularly quick merge on the submission.

    I'm personally liking Tailscale these days, as the setup is super-trivial (when there's a GUI) but packaging it into an add-on requires more time/effort than I currently have. I'd pay a bounty for someone to add it with a simple GUI to handle initial setup.