| author | Florian Klink <flokli@flokli.de> | 2020-12-20 18:24:05 +0100 |
|---|---|---|
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-02-02 17:31:44 +0100 |
| commit | 0a3dd3db1fbd745dc07987d66713f7884c3fd26a (patch) | |
| tree | 849a2e43e1e97401982d2d1b555226002e7bbfa6 | |
| parent | b131683b00a80b2416e9add30c344d2802f969c1 (diff) | |
| download | systemd-0a3dd3db1fbd745dc07987d66713f7884c3fd26a.tar.gz | |
man/systemd.netdev: clarify the wireguard AllowedIPs= setting
`AllowedIPs=` only affects "routing inside the network interface
itself", as in, which wireguard peer packets with a specific destination
address are sent to, and what source addresses are accepted from which
peer.
To cause packets to be sent via wireguard in the first place, a route via
that interface needs to be added - either in the `[Routes]` section on
the `.network` matching the wireguard interface, or outside of networkd.
This is a common cause of misunderstanding, because tools like wg-quick
also add routes to the interface. However, those tools are meant as a
"extremely simple script for easily bringing up a WireGuard interface,
suitable for a few common use cases" (from their manpage).
Networkd also should support other use cases - like setting AllowedIPs to
0.0.0.0/0 and ::/0 and having a dynamic routing protocol setting more
specific routes (or the user manually setting them).
Reported-In: https://github.com/systemd/systemd/issues/14176
(cherry picked from commit c6b90e5c5e54e98b6aed38677f77d8491f2e49c8)
(cherry picked from commit 14475e0e793be33bfad371c6d3545c7448f78730)
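As an added illustration of the distinction the commit message draws (not part of this commit or of systemd's own documentation): a `.netdev` whose peer carries the catch-all `AllowedIPs=`, next to the matching `.network` that actually steers one prefix into the tunnel. The interface name, key path, endpoint and all prefixes are constructed placeholder values.

```ini
# /etc/systemd/network/wg0.netdev (constructed example)
# AllowedIPs= only decides, for a packet that is already on wg0, which
# peer it is sent to, and which source addresses are accepted from that
# peer. It does not by itself put any packet onto wg0.
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
# placeholder path; the file holds the base64 private key
PrivateKeyFile=/etc/systemd/network/wg0.key
ListenPort=51820

[WireGuardPeer]
# placeholder; replace with the peer's real base64 public key
PublicKey=PEER-PUBLIC-KEY-PLACEHOLDER
Endpoint=peer.example.net:51820
# Catch-all, as the man page permits: any destination may go to this
# peer, and any source is accepted from it, once a route points at wg0.
AllowedIPs=0.0.0.0/0,::/0

# /etc/systemd/network/wg0.network (constructed example)
# Without a route that selects wg0, nothing is sent through the tunnel,
# however broad AllowedIPs= is. The route need not be as wide as
# AllowedIPs=: here only one remote prefix is steered into the tunnel,
# and any more specific routes are left to the administrator or a
# dynamic routing daemon, which is the use case the commit describes.
[Match]
Name=wg0

[Network]
Address=10.10.0.2/24

[Route]
Destination=192.168.50.0/24
```

With this pair, traffic to 192.168.50.0/24 enters wg0 (because of the `[Route]` section) and is then accepted by the peer's `AllowedIPs=`; traffic to any other prefix stays on the host's normal routes even though `0.0.0.0/0` would have matched it inside the interface.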
-rw-r--r-- | man/systemd.netdev.xml | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 7b12c20035..456ac35c8f 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -1588,9 +1588,16 @@ <listitem> <para>Sets a comma-separated list of IP (v4 or v6) addresses with CIDR masks from which this peer is allowed to send incoming traffic and to - which outgoing traffic for this peer is directed. The catch-all - 0.0.0.0/0 may be specified for matching all IPv4 addresses, and - ::/0 may be specified for matching all IPv6 addresses. </para> + which outgoing traffic for this peer is directed.</para> + <para>The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses, + and ::/0 may be specified for matching all IPv6 addresses.</para> + <para>Note that this only affects "routing inside the network interface itself", + as in, which wireguard peer packets with a specific destination address are sent to, + and what source addresses are accepted from which peer.</para> + <para>To cause packets to be sent via wireguard in first place, a route needs + to be added, as well - either in the <literal>[Routes]</literal> section on the + <literal>.network</literal> matching the wireguard interface, or outside of networkd. + </para> </listitem> </varlistentry> <varlistentry> |
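Review bot: the section name quoted in the last added paragraph, `<literal>[Routes]</literal>`, is not one that networkd defines; the route section in systemd.network(5) is `[Route]`, so readers following this text would write a section networkd does not recognise. Suggest `<literal>[Route]</literal>`. Two grammar points in the same paragraph: "in first place" should read "in the first place", and "a route needs to be added, as well - either in" reads more cleanly as "a route also needs to be added, either in".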