WireGuard Routing

WireGuard can work with both static and dynamic routing, depending on the environment.

Static Routing

Several components go into static routing for WireGuard peer networks.

Automatic

The GUI has a mechanism to automatically set up routes to a WireGuard peer. Networks listed in the Allowed IPs field automatically get routing table entries which point the listed networks to the proper WireGuard tunnel interface. The exception is default-style routes (e.g. 0.0.0.0/0), which do not get automatic route entries.

Manual

WireGuard routing can be handled manually as well if there is only one peer per tunnel. To set up routes:

Warning

Before assigning the interface, make sure the default gateway for the firewall is not set to Automatic, or the firewall may end up using the wg interface as the default gateway, which is unlikely to be the desired outcome.

  • Assign the WireGuard interface for this peer (Assign a WireGuard Interface)

  • Add static routes using the dynamic gateway for the WireGuard tunnel

Dynamic Routing

WireGuard can work with dynamic routing, but there are some special considerations to take into account.

Note

This has only been tested with FRR.

The primary requirement to use dynamic routing with WireGuard is that there can only be one peer per WireGuard tunnel. When more than one peer is connected to a single WireGuard tunnel, WireGuard requires Allowed IPs to decide where to send specific networks. In that case, having to define these networks manually negates the purpose of dynamic routing. Using a single peer allows WireGuard to send any traffic it needs across the interface, including arbitrary networks.
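The two rules above (Allowed IPs networks get automatic routes except default-style routes, and dynamic routing needs exactly one peer per tunnel) can be checked against a tunnel's peer configuration before assigning it. The following is an added example, not code from pfSense or WireGuard: it parses the peer sections of a WireGuard-style config, lists the networks that would get automatic routes, sets aside the default routes that must be handled manually, and reports whether the tunnel qualifies for dynamic routing. The tunnel names, public keys and networks are constructed placeholders.

```python
"""Audit a WireGuard tunnel's peers for automatic-route and dynamic-routing
eligibility.  Added example with constructed sample data; not pfSense code."""
import ipaddress

# Constructed sample: tun_wg0 has two peers (one of them with a default route),
# tun_wg1 has a single peer that may send anything on both address families.
SAMPLE_TUNNELS = {
    "tun_wg0": """
[Peer]
PublicKey = PEER1_PUBKEY_PLACEHOLDER=
AllowedIPs = 10.10.0.2/32, 192.168.50.0/24

[Peer]
PublicKey = PEER2_PUBKEY_PLACEHOLDER=
AllowedIPs = 10.10.0.3/32, 172.16.8.0/22, 0.0.0.0/0
""",
    "tun_wg1": """
[Peer]
PublicKey = PEER3_PUBKEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0, ::/0
""",
}

# Default-style routes: these never get automatic routing table entries.
DEFAULT_ROUTES = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def parse_peers(config_text):
    """Return one dict per [Peer] section: public_key and allowed_ips (ip_network list)."""
    peers = []
    current = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.lower() == "[peer]":
            current = {"public_key": None, "allowed_ips": []}
            peers.append(current)
        elif line.startswith("["):                    # e.g. [Interface]: not a peer
            current = None
        elif "=" in line and current is not None:
            # split on the first '=' only; base64 keys end with '=' padding
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "publickey":
                current["public_key"] = value
            elif key.lower() == "allowedips":
                current["allowed_ips"].extend(
                    ipaddress.ip_network(v.strip(), strict=False)
                    for v in value.split(",") if v.strip())
    return peers


def plan_routes(config_text, ifname):
    """Split Allowed IPs into (automatic routes, default routes needing manual setup).

    Automatic routes are (network, interface) pairs as the GUI would create them;
    default-style routes are returned separately because they are never added
    automatically and must be configured by hand if wanted."""
    automatic, manual_only = [], []
    for peer in parse_peers(config_text):
        for net in peer["allowed_ips"]:
            if net in DEFAULT_ROUTES:
                manual_only.append(str(net))
            else:
                automatic.append((str(net), ifname))
    return automatic, manual_only


def is_dynamic_routing_candidate(config_text):
    """True when the tunnel has exactly one peer whose Allowed IPs include a
    default route, so the routing protocol (not Allowed IPs) decides what is sent.
    The default-route requirement reflects WireGuard's cryptokey routing: a peer
    can only receive traffic for networks inside its Allowed IPs."""
    peers = parse_peers(config_text)
    if len(peers) != 1:
        return False
    return any(net in DEFAULT_ROUTES for net in peers[0]["allowed_ips"])


if __name__ == "__main__":
    for name, text in SAMPLE_TUNNELS.items():
        auto, manual = plan_routes(text, name)
        print(f"{name}: {len(parse_peers(text))} peer(s)")
        print("  automatic routes:", auto)
        print("  default routes to add manually:", manual)
        print("  dynamic routing candidate:", is_dynamic_routing_candidate(text))
```

Running it shows tun_wg0 getting four automatic routes while its 0.0.0.0/0 entry is left for manual handling, and only tun_wg1 (one peer, default routes on both families) qualifying for BGP or OSPF over the tunnel.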

BGP

BGP works without any special configuration. Define the neighbor using the WireGuard interface address of the peer.

OSPF

OSPF works, but needs special settings because it cannot use multicast traffic to discover neighbors across a WireGuard tunnel.

In the OSPF settings of FRR:

  • Set the WireGuard interface Network Type to Non-Broadcast mode

  • Add a manual entry on the Neighbors tab using the WireGuard interface address of the peer

Other routing protocols have not been tested. If a routing protocol relies on broadcast or multicast traffic, it is unlikely to work.

Return Routing

When allowing inbound connections from arbitrary remote networks, use rules only on assigned WireGuard interface tabs to ensure proper return routing.

Assigned WireGuard interfaces get their own individual rule tabs and will only match traffic on that specific tunnel interface. Rules on assigned WireGuard interface tabs also get reply-to, which ensures that traffic entering a specific assigned WireGuard interface exits back out the same interface. Without reply-to, return traffic will follow the default gateway.