This repository has been archived by the owner on May 4, 2020. It is now read-only.

route-allowed-ips cannot be enabled #137

Open
valentt opened this issue Jan 27, 2020 · 2 comments


valentt commented Jan 27, 2020

I have an Edgerouter X with 2.08 firmware and installed the wireguard package. Following the really simple tutorial in this GitHub readme causes issues if I use set interfaces wireguard wg0 route-allowed-ips true.

When trying to commit, this error is shown:
Error: Allowed IP default on interface wg0 peer XXX conflicts with an existing route. route-allowed-ips cannot be enabled.

So the only option is to disable it: set interfaces wireguard wg0 route-allowed-ips false

Is this a known issue? What am I losing without having this feature enabled?


valentt commented Jan 28, 2020

I switched to 1.10.10 firmware, and if the wizard is run and eth0 is configured as the WAN port with NAT and a default gateway, then I still get the same error and can't run "set interfaces wireguard wg0 route-allowed-ips true". Only "set interfaces wireguard wg0 route-allowed-ips false" works, because the default router is already configured, or I get this message:

Error: Allowed IP default on interface wg0 peer conflicts with an existing route. route-allowed-ips cannot be enabled.


dc361 commented Jan 30, 2020

I worked around this problem by leaving route-allowed-ips at false, adding a static route to use wg0 as the default route, a static route to the host at the other end of the WG tunnel, and a static default route with a higher distance so WG can find its way to the internet to set things up. The ER-X is also behind another router (192.168.16.1), so that adds a bit of complexity as well. Here are a couple of configuration snippets from the router.

The WG config:

    wireguard wg0 {
        address 192.168.78.20/24
        description "VPN peer on ubnt-Nicole"
        listen-port 52820
        mtu 1420
        peer j-la-la-la-yada= {
            allowed-ips 192.168.78.0/24
            allowed-ips 192.168.2.0/24
            allowed-ips 0.0.0.0/0
            description "Dave Wireguard VPN Server"
            endpoint somewhere.org:52820
            persistent-keepalive 100
        }
        peer v-another-peer-of-Nicole's-ERX= {
            allowed-ips 192.168.78.40/32
            allowed-ips 192.168.33.0/24
            description ubnt-dc1
        }
        private-key 0abcdef-etc=
        route-allowed-ips false
    }

The statics:

    static {
        interface-route 0.0.0.0/0 {
            next-hop-interface wg0 {
                distance 150
            }
        }
        route 0.0.0.0/0 {
            next-hop 192.168.16.1 {
                distance 240
            }
        }
        route IP-OF-Other-End/32 {
            next-hop 192.168.16.1 {
                distance 100
            }
        }
    }
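As an added illustration (not part of the issue thread or the EdgeOS project), the Python below models how the three static routes above are resolved: the longest matching prefix wins, and among equal prefixes the lower distance wins. The peer's public address is a constructed placeholder (203.0.113.10) standing in for IP-OF-Other-End; the upstream router 192.168.16.1 and the distances are taken from the comment.

```python
import ipaddress

# Constructed route table mirroring dc361's statics. 203.0.113.10 is a
# placeholder for the remote WireGuard endpoint (IP-OF-Other-End).
ROUTES = [
    {"prefix": "0.0.0.0/0", "next_hop": "wg0", "distance": 150},
    {"prefix": "0.0.0.0/0", "next_hop": "192.168.16.1", "distance": 240},
    {"prefix": "203.0.113.10/32", "next_hop": "192.168.16.1", "distance": 100},
]


def lookup(dest, routes=ROUTES):
    """Return the next hop for dest.

    Selection order follows a typical FIB: the most specific (longest)
    prefix wins; ties on prefix length are broken by the lower distance.
    Returns None when no route covers dest.
    """
    dst = ipaddress.ip_address(dest)
    candidates = []
    for r in routes:
        net = ipaddress.ip_network(r["prefix"])
        if dst in net:
            # negate prefixlen so that sorting ascending puts longest first
            candidates.append((-net.prefixlen, r["distance"], r["next_hop"]))
    if not candidates:
        return None
    candidates.sort()
    return candidates[0][2]


def check_no_loop(endpoint, tunnel_if="wg0", routes=ROUTES):
    """True if the tunnel's outer endpoint is NOT routed into the tunnel.

    Without the /32 host route, the default via wg0 would also match the
    peer's address, so the encrypted packets would be sent back into wg0
    and the tunnel could never come up.
    """
    return lookup(endpoint, routes) != tunnel_if


if __name__ == "__main__":
    print("8.8.8.8 ->", lookup("8.8.8.8"))                # wg0
    print("peer    ->", lookup("203.0.113.10"))           # 192.168.16.1
    print("loop-free:", check_no_loop("203.0.113.10"))    # True
    only_defaults = [r for r in ROUTES if r["prefix"] == "0.0.0.0/0"]
    print("without /32:", check_no_loop("203.0.113.10", routes=only_defaults))
```

The /32 host route is the piece that makes the workaround sound; removing it from the table is enough to make the self-check fail.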
