debcrafters-packages team mailing list archive
Message #08503
[Bug 2126614] [NEW] wireguard.peer-routes: "true" causes Network Manager to route endpoint address through the tunnel
Public bug reported:
When "Add Peer Routes" is enabled on a Wireguard tunnel in network
manager (meaning wireguard.peer-routes: "true" is enabled), this causes
the Allowed IPs for a tunnel to be added to the routing. For general
purpose tunnels, though (where the intention is for the tunnel to route
substantially all traffic), this has the added consequence of causing
the endpoint address to also be routed INTO the tunnel.
It is never desirable for a peer's endpoint address to be routed into
its own tunnel. This always creates a tunnel Klein bottle, which always
renders the tunnel unusable.
Currently the only remedies are to either:
1) Enter the endpoint's IP address into a manual routing entry for the WiFi or wired connection, or
2) Manually create a long Allowed IP list of ranges for the peer that surgically excludes the peer's own endpoint IP.
Neither of these options is good, as they effectively prevent the use
of a hostname for an endpoint, and will cause the connection to fail if
the endpoint's IP changes. They also both require substantial
configuration and essentially render Network Manager useless to the
majority of users to create a Wireguard tunnel.
The expectation is that Network Manager will automatically exclude the
endpoint's resolved IP address at tunnel activation time from any peer
routes that are dynamically created. Making this change will have no
adverse effect, since there is no possible use case for the above
described Klein bottle routing.
This problem has existed since at least Ubuntu v22.
** Affects: network-manager (Ubuntu)
Importance: Undecided
Status: New
** Tags: endpoint wireguard
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/2126614
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2126614/+subscriptions
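As an added illustration (not code from the report, from NetworkManager or from WireGuard), the following Python checks whether a resolved endpoint address falls inside a peer's routes, which is the loop the report describes, and generates the "surgically excluded" AllowedIPs list of workaround 2 from the standard library. The endpoint and AllowedIPs values are constructed sample values.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the bug report):
# a "route everything" peer and the endpoint address resolved at activation.
ALLOWED_IPS = ["0.0.0.0/0"]
ENDPOINT_IP = "203.0.113.10"   # documentation range, stands in for a real endpoint


def endpoint_routed_into_tunnel(allowed_ips, endpoint_ip):
    """True when the resolved endpoint lies inside one of the peer routes.

    That is the condition the report calls a "tunnel Klein bottle": the
    encrypted packets addressed to the endpoint would themselves be sent
    into the tunnel, so the tunnel can never come up.
    """
    ep = ipaddress.ip_address(endpoint_ip)
    return any(ep in ipaddress.ip_network(n, strict=False) for n in allowed_ips)


def exclude_endpoint(allowed_ips, endpoint_ip):
    """Return the AllowedIPs ranges minus the endpoint's own /32 (or /128).

    This produces the "long Allowed IP list of ranges" of workaround 2;
    every other address stays covered, only the endpoint host is cut out.
    """
    ep = ipaddress.ip_address(endpoint_ip)
    host = ipaddress.ip_network(str(ep))          # single-address network
    result = []
    for n in allowed_ips:
        net = ipaddress.ip_network(n, strict=False)
        if ep not in net:                         # unaffected (also other IP version)
            result.append(net)
        elif net == host:
            continue                              # range is only the endpoint: drop it
        else:
            result.extend(net.address_exclude(host))
    # Deterministic order; mixed IPv4/IPv6 lists are sorted by version first.
    return sorted(result, key=lambda x: (x.version, int(x.network_address), x.prefixlen))


def allowed_ips_string(networks):
    """Format the ranges as they would be written into an AllowedIPs value."""
    return ", ".join(str(n) for n in networks)


if __name__ == "__main__":
    print("endpoint routed into tunnel:", endpoint_routed_into_tunnel(ALLOWED_IPS, ENDPOINT_IP))
    fixed = exclude_endpoint(ALLOWED_IPS, ENDPOINT_IP)
    print("after exclusion:", endpoint_routed_into_tunnel([str(n) for n in fixed], ENDPOINT_IP))
    print(len(fixed), "ranges:", allowed_ips_string(fixed))
```

Note that the exclusion list is tied to one resolved address, which is exactly why the report says the workaround breaks when the endpoint's IP changes.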