wireguard: Add a custom routing table for peers
authorMichael Tremer <michael.tremer@ipfire.org>
Sun, 27 Apr 2025 16:30:59 +0000 (18:30 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Sun, 27 Apr 2025 16:30:59 +0000 (18:30 +0200)
This is a dirty hack to make connections to VPN providers actually work.

We mark all WG packets after encryption and use a secondary routing
table to look up any routes to the peers. That way, we can replace the
default route in the main routing table without having to care about the
special routes there.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/rootfiles/core/195/filelists/files
lfs/iproute2
src/initscripts/system/wireguard

index 75d499f3566b8efa9d2314d66d59d7dbe2884a5a..d8f95ae6c2fcd61b8f33512c1d8a94f6cd89586a 100644 (file)
@@ -1,4 +1,5 @@
 etc/fcron.cyclic/wg-dynamic
+etc/iproute2/rt_tables
 etc/rc.d/init.d/firewall
 etc/rc.d/init.d/networking/functions.network
 etc/rc.d/init.d/wireguard
index 6dd3d4c3b8da5b40ffc9d68ed4e843e3b8fcca9c..2c813382d6bf73ecda4074c30e3455cf3f410e56 100644 (file)
@@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 
        # Add table for static routing
        echo "200       static" >> /etc/iproute2/rt_tables
+       echo "201       wg" >> /etc/iproute2/rt_tables
 
        @rm -rf $(DIR_APP)
        @$(POSTBUILD)
index ac7438a24840cd5960a1928938282e67e05f1085..7decce2237e6a43ba7ed248ae04d3cca879dcfef 100644 (file)
@@ -25,6 +25,9 @@
 
 eval $(/usr/local/bin/readhash /var/ipfire/wireguard/settings)
 
+# Mark all packets coming out of the WireGuard interfaces
+WG_MARK="0x00800000"
+
 interfaces() {
        local id
        local enabled
@@ -218,6 +221,7 @@ generate_config() {
                fi
 
                echo "[Interface]"
+               echo "FwMark = ${WG_MARK}"
 
                if [ -n "${privkey}" ]; then
                        echo "PrivateKey = ${privkey}"
@@ -267,6 +271,12 @@ generate_config() {
 
                                ip route add "${args[@]}"
                        done
+
+                       # Add a direct host route to the endpoint
+                       if [ -s "/var/ipfire/red/remote-ipaddress" ]; then
+                               ip route add table wg \
+                                       "${endpoint_addr}" via "$(</var/ipfire/red/remote-ipaddress)"
+                       fi
                fi
 
                # Set keepalive
@@ -306,6 +316,14 @@ reload_firewall() {
 
        # Block all other traffic
        iptables -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited
+
+       # Flush any custom routes
+       ip route flush table wg 2>/dev/null
+
+       # Ensure that the table is being looked up
+       if ! ip rule | grep -q "lookup wg"; then
+               ip rule add table wg fwmark "${WG_MARK}"
+       fi
 }
 
 wg_start() {
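Review bot: The policy rule in reload_firewall matches the whole mark value, so a packet whose mark also carries a bit set by any other firewall component no longer selects table wg and falls back to the main table, which is exactly the lookup the commit wants to avoid; a mask restricts the match to the WireGuard bit, `ip rule add table wg fwmark "${WG_MARK}/${WG_MARK}"`. The rule is also added without `pref`, so its position relative to any other policy rules depends on what already exists; a fixed `pref <placeholder-priority>` keeps the lookup order deterministic. In the generate_config hunk the endpoint route uses `ip route add`, which fails with "File exists" when two peers share an endpoint, whereas `ip route replace table wg "${endpoint_addr}" via "$(</var/ipfire/red/remote-ipaddress)"` is idempotent. reload_firewall flushes table wg while generate_config populates it, so if reload_firewall runs after the config is generated (the call order in wg_start is not visible here) the endpoint routes would be lost; worth confirming. Both reload_firewall and generate_config begin outside their hunks.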