I have the impression that the order in which the IPs in `networking.wireguard.interfaces.wg0.ips` are declared influences the routing of packets, in a way that makes it impossible (for me) to have multiple WireGuard routes active at the same time.
I have an issue with the following configuration, where packets from a subnet are sent with an IP belonging to a different subnet, resulting in the packets being refused by the other WireGuard peer. These are the relevant parts of my configuration:
```nix
wireguard.interfaces.wg0 = {
  ips = [
    # some.network
    "10.10.10.2/24"
    # foo-dev
    "10.1.1.3/24"
    # foo-prod
    "10.1.2.3/24"
  ];
  peers = [
    {
      # monitor@some.network
      publicKey = "CHWcz79zr4cfg7z3qNl+lnqpnKIek+QlRSkyFR9h6C8=";
      allowedIPs = [ "10.10.10.1/32" ];
      endpoint = "monitor.some.network:51820";
      persistentKeepalive = 25;
    }
    {
      # wireguard-gateway-dev@foo
      publicKey = "o8o8C7vnT2w1Di5l2uTv1Ie5wqxlJpDVaBozmbmsPzc=";
      allowedIPs = [
        # gateway
        "10.1.1.2"
        # internal ips
        "10.156.1.0/24"
        # k8s: foo-dev
        "35.232.x.y"
        # k8s: spinnaker-dev
        "35.158.x.y"
      ];
      endpoint = "35.113.x.y:51820";
      persistentKeepalive = 25;
    }
    {
      # wireguard-gateway-prod@foo
      publicKey = "0yaXw8ctH+D50JAY2dFHRulFi4Ss8Hpvqe5qUcz76SY=";
      allowedIPs = [
        # gateway
        "10.1.2.2"
      ];
      endpoint = "34.107.x.y:51820";
      persistentKeepalive = 25;
    }
  ];
};
```
What happens here is that if I try to ping `10.1.1.2`, the peer at that end says:

```
wireguard: wg0: Packet has unallowed src IP (10.10.10.2) from peer 3 (my.laptop.ip.addr:42211)
```

Running `ping 10.10.10.1` (which matches the first IP in the list) works fine.

If I switch the order like so:

```nix
ips = [
  "10.1.1.3/24"
  "10.10.10.2/24"
  "10.1.2.3/24"
];
```

Now I can ping `10.1.1.2`, but cannot ping `10.10.10.1` anymore:

```
wireguard: wg0: Packet has unallowed src IP (10.1.1.3) from peer 21 (my.laptop.ip.addr:38867)
```
The routes look fine to my untrained eye:

```
❯ ip r
default via 192.168.4.1 dev wlp3s0 proto dhcp metric 600
10.0.0.1 dev wg0 scope link
10.1.1.0/24 dev wg0 proto kernel scope link src 10.1.1.3
10.1.1.2 dev wg0 scope link
10.1.2.0/24 dev wg0 proto kernel scope link src 10.1.2.3
10.1.2.2 dev wg0 scope link
10.10.10.0/24 dev wg0 proto kernel scope link src 10.10.10.2
10.10.10.1 dev wg0 scope link
10.10.10.11 dev wg0 scope link
10.10.10.12 dev wg0 scope link
10.156.1.0/24 dev wg0 scope link
35.158.x.y dev wg0 scope link
35.232.x.y dev wg0 scope link
192.168.4.0/24 dev wlp3s0 proto kernel scope link src 192.168.4.188 metric 600
```
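The source-address behaviour in the post can be reproduced offline with the following model. This is an added example by the editor, not code from the post or from NixOS: it replays the posted `ip r` table and both `ips` orderings through a simulation of Linux's IPv4 route selection (longest-prefix match, then the route's `src` hint if it has one, otherwise the first primary address on the outgoing device, which is what `inet_select_addr` does for a link route with no gateway). The two routes for the redacted `35.x.y` addresses are left out because their values are not given; the `Route`, `source_for` and `add_src_hints` names are the example's own.

```python
"""
Model of Linux route lookup and source-address selection, run over the
routing table and `ips` lists quoted in the post above. Added example, not
part of the post; it simulates the kernel rather than calling into it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# The `ip r` output from the post. The two redacted 35.x.y routes are omitted
# because their addresses are not given in the post.
IP_ROUTE_OUTPUT = """\
default via 192.168.4.1 dev wlp3s0 proto dhcp metric 600
10.0.0.1 dev wg0 scope link
10.1.1.0/24 dev wg0 proto kernel scope link src 10.1.1.3
10.1.1.2 dev wg0 scope link
10.1.2.0/24 dev wg0 proto kernel scope link src 10.1.2.3
10.1.2.2 dev wg0 scope link
10.10.10.0/24 dev wg0 proto kernel scope link src 10.10.10.2
10.10.10.1 dev wg0 scope link
10.10.10.11 dev wg0 scope link
10.10.10.12 dev wg0 scope link
10.156.1.0/24 dev wg0 scope link
192.168.4.0/24 dev wlp3s0 proto kernel scope link src 192.168.4.188 metric 600
"""

# Interface addresses in declaration order: first the `ips` list as posted,
# then the swapped variant from the second experiment.
IFACE_ADDRS = {
    "wg0": ["10.10.10.2/24", "10.1.1.3/24", "10.1.2.3/24"],
    "wlp3s0": ["192.168.4.188/24"],
}
IFACE_ADDRS_SWAPPED = {
    "wg0": ["10.1.1.3/24", "10.10.10.2/24", "10.1.2.3/24"],
    "wlp3s0": ["192.168.4.188/24"],
}


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    dev: str
    src: Optional[ipaddress.IPv4Address] = None  # the route's `src` hint, if any


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip route` lines; only dst, dev and src matter for this model."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        src = tok[tok.index("src") + 1] if "src" in tok else None
        routes.append(Route(ipaddress.ip_network(dst, strict=False),
                            tok[tok.index("dev") + 1],
                            ipaddress.ip_address(src) if src else None))
    return routes


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match, as the kernel FIB does (metrics ignored)."""
    ip = ipaddress.ip_address(dst)
    return max((r for r in routes if ip in r.dst), key=lambda r: r.dst.prefixlen)


def source_for(dst: str, routes: List[Route], iface_addrs: Dict[str, List[str]]) -> str:
    """Source address the kernel picks: the matched route's `src` hint if present,
    otherwise the first primary address configured on the outgoing device."""
    route = lookup(routes, dst)
    if route.src is not None:
        return str(route.src)
    return str(ipaddress.ip_interface(iface_addrs[route.dev][0]).ip)


def add_src_hints(routes: List[Route], iface_addrs: Dict[str, List[str]]) -> List[Route]:
    """Give each hint-less route a `src` taken from the interface address whose
    subnet contains it; routes outside every local subnet (10.156.1.0/24 here)
    are left untouched because the right source cannot be inferred from the table."""
    fixed = []
    for r in routes:
        hint = r.src
        if hint is None:
            for a in iface_addrs.get(r.dev, []):
                iface = ipaddress.ip_interface(a)
                if r.dst.subnet_of(iface.network):
                    hint = iface.ip
                    break
        fixed.append(Route(r.dst, r.dev, hint))
    return fixed


def fix_commands(routes: List[Route], iface_addrs: Dict[str, List[str]]) -> List[str]:
    """`ip route replace` lines that would pin the inferred src hint on each route."""
    before = {r.dst: r for r in routes}
    return [f"ip route replace {r.dst.with_prefixlen} dev {r.dev} src {r.src}"
            for r in add_src_hints(routes, iface_addrs)
            if before[r.dst].src is None and r.src is not None]


ROUTES = parse_ip_route(IP_ROUTE_OUTPUT)

if __name__ == "__main__":
    fixed = add_src_hints(ROUTES, IFACE_ADDRS)
    for dst in ("10.1.1.2", "10.10.10.1", "10.1.2.2"):
        print(f"{dst}: posted order -> {source_for(dst, ROUTES, IFACE_ADDRS)}, "
              f"swapped order -> {source_for(dst, ROUTES, IFACE_ADDRS_SWAPPED)}, "
              f"with src hints -> {source_for(dst, fixed, IFACE_ADDRS)}")
    print("\n".join(fix_commands(ROUTES, IFACE_ADDRS)))
```

Running it shows the pattern from the post: the per-peer `/32` routes that NixOS adds from `allowedIPs` are more specific than the `proto kernel` subnet routes, carry no `src`, and so always fall back to the first address in `ips`, whichever subnet the destination belongs to. The `ip route replace ... src ...` lines the script prints are one way to pin the intended source on those routes (for instance from the interface's `postSetup` hook), after which the chosen source no longer depends on the order of `ips`.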