man/systemd.netdev: clarify the wireguard AllowedIPs= setting

`AllowedIPs=` only affects "routing inside the network interface
itself", as in, which wireguard peer packets with a specific destination
address are sent to, and what source addresses are accepted from which
peer.

To cause packets to be sent via wireguard in first place, a route via
that interface needs to be added - either in the `[Routes]` section on
the `.network` matching the wireguard interface, or outside of networkd.

This is a common cause of misunderstanding, because tools like wg-quick
also add routes to the interface. However, those tools are meant as a
"extremely simple script for easily bringing up a WireGuard interface,
suitable for a few common use cases (from their manpage).

Networkd also should support other usecases - like setting AllowedIPs to
0.0.0.0/0 and ::/0 and having a dynamic routing protocol setting more
specific routes (or the user manually setting them).

Reported-In: https://github.com/systemd/systemd/issues/14176

diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml
index fffef93aa23f3fae5b3d122797207c78bbdd6faa..7a5d5cc48d2c61ebb4c216f6c557edf0a374486a 100644 (file)
--- a/man/systemd.netdev.xml
+++ b/man/systemd.netdev.xml
@@ -1629,9 +1629,16 @@
         <listitem>
           <para>Sets a comma-separated list of IP (v4 or v6) addresses with CIDR masks
           from which this peer is allowed to send incoming traffic and to
-          which outgoing traffic for this peer is directed. The catch-all
-          0.0.0.0/0 may be specified for matching all IPv4 addresses, and
-          ::/0 may be specified for matching all IPv6 addresses. </para>
+          which outgoing traffic for this peer is directed.</para>
+          <para>The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses,
+          and ::/0 may be specified for matching all IPv6 addresses.</para>
+          <para>Note that this only affects "routing inside the network interface itself",
+          as in, which wireguard peer packets with a specific destination address are sent to,
+          and what source addresses are accepted from which peer.</para>
+          <para>To cause packets to be sent via wireguard in first place, a route needs
+          to be added, as well - either in the <literal>[Routes]</literal> section on the
+          <literal>.network</literal> matching the wireguard interface, or outside of networkd.
+          </para>
         </listitem>
       </varlistentry>
       <varlistentry>