[Bug 272842] Missing WireGuard integration into the base system rc.d scripts
Date: Thu, 26 Oct 2023 14:09:14 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272842

--- Comment #8 from crest@rlwinm.de ---

Just to spell out the implications of calling /etc/rc.d/netif from the wireguard rc.d script: static routing works for WireGuard tunnels like any other interface via rc.conf. If you need just three routes you can use something like this:

    sysrc static_routes+=" route1:wg0 route2:wg0 route3:wg0"
    sysrc route_route1="10.10.10.103/32 -iface wg0"
    sysrc route_route2="172.17.6.0/24 -iface wg0"
    sysrc route_route3="10.17.6.0/24 -iface wg0"

to have netif call routing to set up static routes tied to a specific interface. The routes only need a next-hop interface because, from the kernel IP stack's point of view, WireGuard interfaces are point-to-point interfaces. The next-hop resolution among the peers is done according to the peer AllowedIPs configuration. The details of this so-called cryptokey routing are documented in the WireGuard whitepaper. It may be a layering violation offending purists, but I prefer it over the complicated, fragile Cisco-style DM-VPN with NHRP providing dynamic multi-point GRE next-hop resolution (or not).