From 43867c1e070fc96420a666b0bb21182eff16787b Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sun, 27 Apr 2025 18:30:59 +0200
Subject: [PATCH] wireguard: Add a custom routing table for peers

This is a dirty hack to make connections to VPN providers actually work. We mark all WG packets after encryption and use a secondary routing table to look up any routes to the peers. That way, we can replace the default route in the main routing table without having to care about the special routes there.

Signed-off-by: Michael Tremer
---
 config/rootfiles/core/195/filelists/files | 1 +
 lfs/iproute2 | 1 +
 src/initscripts/system/wireguard | 18 ++++++++++++++++++
 3 files changed, 20 insertions(+)

diff --git a/config/rootfiles/core/195/filelists/files b/config/rootfiles/core/195/filelists/files
index 75d499f35..d8f95ae6c 100644
--- a/config/rootfiles/core/195/filelists/files
+++ b/config/rootfiles/core/195/filelists/files
@@ -1,4 +1,5 @@
 etc/fcron.cyclic/wg-dynamic
+etc/iproute2/rt_tables
 etc/rc.d/init.d/firewall
 etc/rc.d/init.d/networking/functions.network
 etc/rc.d/init.d/wireguard
diff --git a/lfs/iproute2 b/lfs/iproute2
index 6dd3d4c3b..2c813382d 100644
--- a/lfs/iproute2
+++ b/lfs/iproute2
@@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 # Add table for static routing
 echo "200 static" >> /etc/iproute2/rt_tables
+ echo "201 wg" >> /etc/iproute2/rt_tables
 @rm -rf $(DIR_APP)
 @$(POSTBUILD)
diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard
index ac7438a24..7decce223 100644
--- a/src/initscripts/system/wireguard
+++ b/src/initscripts/system/wireguard
@@ -25,6 +25,9 @@ eval $(/usr/local/bin/readhash /var/ipfire/wireguard/settings)
+# Mark all packets coming out of the WireGuard interfaces
+WG_MARK="0x00800000"
+
 interfaces() {
 local id
 local enabled
@@ -218,6 +221,7 @@ generate_config() {
 fi
 echo "[Interface]"
+ echo "FwMark = ${WG_MARK}"
 if [ -n "${privkey}" ]; then
 echo "PrivateKey = ${privkey}"
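Review bot: `WG_MARK="0x00800000"` is later matched by `ip rule add table wg fwmark "${WG_MARK}"` with no mask, so the wg table is only consulted when a packet's whole mark equals this value; if any other component sets additional bits in the mark of the same encrypted packets, the policy route silently stops applying. Nothing in this patch shows which mark bits the rest of the system already uses, so whether bit 23 is free has to be checked against the firewall initscript before relying on it. Document the reservation next to the constant, e.g. `# fwmark bit 23 is reserved for WireGuard; the wg table rule matches it, so no other component may set or clear this bit`, and prefer a masked match in the rule, `fwmark "${WG_MARK}/${WG_MARK}"`, so unrelated bits do not break the lookup.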
@@ -267,6 +271,12 @@ generate_config() { ip route add "${args[@]}" done + + # Add a direct host route to the endpoint + if [ -s "/var/ipfire/red/remote-ipaddress" ]; then + ip route add table wg \ + "${endpoint_addr}" via "$(/dev/null + + # Ensure that the table is being looked up + if ! ip rule | grep -q "lookup wg"; then + ip rule add table wg fwmark "${WG_MARK}" + fi } wg_start() { -- 2.39.5
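Review bot: Routes placed in table wg by `ip route add table wg \` are never refreshed or removed: a second run hits EEXIST (silenced by the `2>/dev/null` on the following line), so a changed RED gateway or peer endpoint leaves a stale host route, and a removed peer keeps a direct route to its old endpoint that steers that traffic around the tunnel. Use `ip route replace table wg \` so the entry follows the current gateway, and flush table wg (and delete the rule) in the stop path, which this hunk does not touch. The gateway expression on that line is garbled in this rendering (`"$(/dev/null`), so I cannot confirm what it reads; presumably the content of /var/ipfire/red/remote-ipaddress. `ip rule add table wg fwmark "${WG_MARK}"` gets whatever free priority the kernel picks, so an explicit `priority` would keep its order relative to any other policy rules (such as one for the existing static table, if present) deterministic. generate_config starts outside this hunk.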