[Wireguard] Traffic not routed if IP not in Allowed IPs #1140

Closed
lichenscon opened this issue Nov 14, 2023 · 11 comments
Assignees
Labels
bug Something isn't working

Comments

@lichenscon

I am using a WireGuard VPN to connect to my home and Tailscale/Headscale network. Therefore I only want specific subnets routed via WireGuard (in my example 100.64.0.0/10). This is working in the official WireGuard app by adding only this subnet to the allowed IPs, so no other traffic is routed via VPN.

When using Rethink, also only the allowed traffic is routed via VPN, but other traffic is blocked silently. If I am changing the allowed IPs to 100.64.0.0/0, all traffic is routed through VPN as expected. Therefore my public IP address is the one of my peer, which is static and would give me less privacy.
I think this behavior could also be a feature, but the user must be able to turn it off.

@ignoramous ignoramous self-assigned this Nov 16, 2023
@ignoramous
Collaborator

I am surprised Tailscale works with default WireGuard as-is? We have an open issue on it: #1047

When using Rethink, also only the allowed traffic is routed via VPN, but other traffic is blocked silently. If I am changing the allowed IPs to 100.64.0.0/0, all traffic is routed through VPN as expected.

I think I understand what you mean (and we could fix it)... but can you reword this / be more clear so I know for sure?

@lichenscon
Author

I am surprised Tailscale works with default WireGuard as-is? We have an open issue on it: #1047

No, I am using a separate WireGuard server as a Tailscale gateway because the battery drain of Tailscale is too high.

When using Rethink, also only the allowed traffic is routed via VPN, but other traffic is blocked silently. If I am changing the allowed IPs to 100.64.0.0/0, all traffic is routed through VPN as expected.

I think I understand what you mean (and we could fix it)... but can you reword this / be more clear so I know for sure?

If I am setting the allowed IPs in my WireGuard config to 100.64.0.0/10 and an app is trying to connect to 188.114.96.3, the traffic is blocked and routed neither via WireGuard nor via my local network connection. Connections to 100.64.0.45 are routed via WG as expected. So only traffic that is allowed to pass the VPN is routed (via the VPN); all other traffic (that should be routed via the local network) is discarded.

@ignoramous
Collaborator

ignoramous commented Nov 17, 2023

Gotcha. This has been fixed in the upcoming version v055b (we'll release it in a week or so once we get to the bottom of a frequent crash in our network engine, that thus far remains elusive).

@ignoramous ignoramous added the bug Something isn't working label Nov 17, 2023
@ignoramous
Collaborator

ignoramous commented Mar 2, 2024

Fixed in v055b.

if (WireguardManager.canRouteIp(id, connTracker.destIP) && hasProxy(proxyId)) {

@hegdenischay

Hi, I have this same issue. It works on the Android WireGuard client, same as the OP, but doesn't work on RethinkDNS. Any way I can test this on my machine?

Version: 0.5.5n (fdroid)

@ignoramous
Collaborator

It works on the Android WireGuard client, same as the OP, but doesn't work on RethinkDNS.

What works?

@hegdenischay

hegdenischay commented Jul 28, 2024

I'm using this kind of config in RethinkDNS:

[Interface]
Address = 192.168.13.2/24
PrivateKey = <redacted>

[Peer]
PublicKey = <redacted>
AllowedIPs = 192.168.13.0/24
Endpoint = <server>:<port>
PersistentKeepalive=10

But it looks like it's routing all traffic through the WireGuard endpoint instead of just IPs like 192.168.13.1. The same configuration works on the official WireGuard app; it routes just these IPs.

Not sure if I'm doing something wrong here.

@ignoramous
Collaborator

ignoramous commented Jul 28, 2024

But it looks like it's routing all traffic through the WireGuard endpoint instead of just IPs like 192.168.13.1.

  1. Are you running WireGuard in Simple mode or Advanced mode?
  2. Can you check Configure -> Logs -> Network Log to see if traffic to other IPs is also sent through "Proxy" (tap on the entries in Network Log and in the bottomsheet that comes up, the top right-hand corner should show a label "Proxy" for any connection that's being proxied over any WireGuard or SOCKS5 or HTTP tunnel)?
  3. If you're technical enough, can you switch to Very verbose in Configure -> Settings -> Log level and tail the adb logcat | grep -iE "(vpnlife|golog)" output to see what it prints (or share it with me over email, mz at celzero dot com)?

@hegdenischay

Thanks for the specific adb logs that I needed to troubleshoot this. It turns out that I wasn't tunnelling the DNS IP through the WireGuard AllowedIPs section (note the lack of 1.1.1.1/32 in there). So now connections outside the VPN work well. However, I'm not able to connect to any of the 192.168.13.0/24 IPs now.

To answer the rest of your questions, I'm using Simple mode, and it appears that DNS is tunnelled through the VPN regardless of whether AllowedIPs is 0.0.0.0/0 or not.

Just to note, I wasn't able to connect to them before either, so this part isn't a regression. I am still able to access them with Wireguard on Android just fine, so this might be due to some kind of tweaking that that app does.

My current config is something like this now:

[Interface]
Address = 192.168.13.2/24
PrivateKey = <redacted>

[Peer]
PublicKey = <redacted>
AllowedIPs = 192.168.13.0/24, 1.1.1.1/32
Endpoint = <server>:<port>
PersistentKeepalive=10

@hegdenischay

I finally figured it out! I had set "Do not route Private IPs" in the Network settings. That + allowing DNS through the VPN fixes my issues.

@ignoramous
Collaborator

ignoramous commented Jul 28, 2024

Thanks for reporting back. Glad it works the way you expect it to.

Rethink has many footguns...

Btw, you could consider removing the KeepAlive for power/battery reasons.
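The routing rule argued over in this thread (a destination inside AllowedIPs goes through the tunnel, anything else goes out the normal network rather than being dropped) and the two footguns hegdenischay hit (a DNS server missing from AllowedIPs, and the "Do not route Private IPs" toggle) can be checked on a config before importing it. This is an added example, not Rethink's or WireGuard's own code; the sample config is constructed with placeholder keys, and the toggle is modelled on the assumption that it makes private destinations bypass the tunnel, which matches the outcome reported above.

```python
import ipaddress

# Constructed sample config modelled on the thread's (keys/endpoint are placeholders).
SAMPLE_CONFIG = """[Interface]
Address = 192.168.13.2/24
PrivateKey = <redacted>
DNS = 1.1.1.1
[Peer]
PublicKey = <redacted>
AllowedIPs = 192.168.13.0/24, 1.1.1.1/32
Endpoint = <server>:<port>
PersistentKeepalive = 10
"""

def parse_keys(config_text):
    """Return {key: [values...]} for every 'Key = value' line, ignoring comments."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, value = (p.strip() for p in line.split("=", 1))
            found.setdefault(key.lower(), []).append(value)
    return found

def allowed_networks(config_text):
    """All AllowedIPs prefixes across every [Peer] section."""
    nets = []
    for value in parse_keys(config_text).get("allowedips", []):
        nets.extend(ipaddress.ip_network(v.strip(), strict=False)
                    for v in value.split(",") if v.strip())
    return nets

def route_for(dest, allowed, no_private_routing=False):
    """'tunnel' if dest is inside an AllowedIPs prefix, else 'direct' (the v055b
    behaviour; the bug in this issue dropped such traffic instead). Assumption:
    'Do not route Private IPs' makes private destinations bypass the tunnel."""
    ip = ipaddress.ip_address(dest)
    if no_private_routing and ip.is_private:
        return "direct"
    return "tunnel" if any(ip in net for net in allowed) else "direct"

def config_warnings(config_text, no_private_routing=False):
    """Flag a DNS server that AllowedIPs does not cover, the footgun from this thread."""
    allowed = allowed_networks(config_text)
    warnings = []
    for value in parse_keys(config_text).get("dns", []):
        for server in (s.strip() for s in value.split(",") if s.strip()):
            if route_for(server, allowed, no_private_routing) != "tunnel":
                warnings.append(f"DNS server {server} is not covered by AllowedIPs")
    return warnings
```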
