routing to the full address space with wireguard does not work #26

New issue

Closed

opened 2021-01-19 10:35:06 +01:00 by simon · 1 comment

simon commented

2021-01-19 10:35:06 +01:00

Owner

My mullvad configuration (managed with wg-quick and stored outside of this repository, since there is no stable way of getting the servers) does not work anymore. This is a regression introduced by 126a0dad4b (Enable firewall by default). wg-home (set up by the wireguard nixos module) is not affected for some reason (Edit: because it only routes a specific subnet).

Setting AllowedIPs to 0.0.0.0/1,127.0.0.0/1 worked, which indicates that it is due to routing the IPv4 address range. IPv6 did not seem to be affected (but since mullvad only provides an IPv4 nameserver, nothing worked).

As described in https://github.com/NixOS/nixpkgs/issues/51258#issuecomment-448005659, a workaround is to set networking.firewall.checkReversePath = "loose";. This disables some checks to detect IP address spoofing.

My mullvad configuration (managed with `wg-quick` and stored outside of this repository, since there is no stable way of getting the servers) does not work anymore. This is a regression introduced by 126a0dad4b81f1204de31411d70e50b0b6190614 (Enable firewall by default). `wg-home` (set up by the wireguard nixos module) is not affected for some reason (**Edit**: because it only routes a specific subnet). Setting `AllowedIPs` to `0.0.0.0/1,127.0.0.0/1` worked, which indicates that it is due to routing the IPv4 address range. IPv6 did not seem to be affected (but since mullvad only provides an IPv4 nameserver, nothing worked). As described in https://github.com/NixOS/nixpkgs/issues/51258#issuecomment-448005659, a workaround is to set `networking.firewall.checkReversePath = "loose";`. This disables some checks to detect IP address spoofing.

simon added the

labels 2021-01-19 10:35:30 +01:00

simon changed title from ~~Mullvad does not work~~ to wg-quick does not work

2021-01-24 13:51:09 +01:00

simon changed title from ~~wg-quick does not work~~ to routing to the full address space with wireguard does not work

2021-01-24 13:56:06 +01:00

simon referenced this issue from a commit

2021-01-24 14:48:34 +01:00

Make routing all traffic over wireguard tunnel work

simon closed this issue

2021-01-24 14:48:34 +01:00

simon removed the

type

bug

label 2021-01-31 22:35:12 +01:00

simon commented

2021-02-02 21:28:48 +01:00

Author

Owner

Possibly related to this:

When tunneling all traffic through a tunnel for some amount of times (a few minutes are enough), the following line begins to appear a lot in dmesg:

Route cache is full: consider increasing sysctl net.ipv[4|6].route.max_size.

As a consequence of the problem, IPv6 does not work anymore (even after disabling the wireguard tunnel).

Maybe setting

networking.firewall.checkReversePath = false;

like the wg-quick nixos module does will fix this issue.

Possibly related to this: When tunneling all traffic through a tunnel for some amount of times (a few minutes are enough), the following line begins to appear **a lot** in `dmesg`: Route cache is full: consider increasing sysctl net.ipv[4|6].route.max_size. As a consequence of the problem, IPv6 does not work anymore (even after disabling the wireguard tunnel). Maybe setting ```nix networking.firewall.checkReversePath = false; ``` like [the `wg-quick` nixos module does](https://github.com/NixOS/nixpkgs/blob/4e92b613cce1584c2a20c05be242c709e2276204/nixos/modules/services/networking/wg-quick.nix#L309) will fix this issue.

simon reopened this issue

2021-02-02 21:28:49 +01:00

simon referenced this issue from a commit

2021-02-02 21:41:55 +01:00

firewall: Entirely disable reverse path checking

simon closed this issue

2021-02-02 21:41:55 +01:00