author: Florian Klink <flokli@flokli.de> 2020-12-20 18:24:05 +0100
committer: Yu Watanabe <watanabe.yu+github@gmail.com> 2020-12-21 15:47:00 +0900
commit: c6b90e5c5e54e98b6aed38677f77d8491f2e49c8 (patch)
tree: c6251300ff5b1a6cf136639ad49b12d1e1f213a1 /man
parent: 94d982bb6a1330bfc551cb48a75fe9fed5929661 (diff)
download: systemd-c6b90e5c5e54e98b6aed38677f77d8491f2e49c8.tar.gz
man/systemd.netdev: clarify the wireguard AllowedIPs= setting
`AllowedIPs=` only affects "routing inside the network interface itself", as in, which wireguard peer packets with a specific destination address are sent to, and what source addresses are accepted from which peer.

To cause packets to be sent via wireguard in the first place, a route via that interface needs to be added - either in the `[Routes]` section on the `.network` matching the wireguard interface, or outside of networkd.

This is a common cause of misunderstanding, because tools like wg-quick also add routes to the interface. However, those tools are meant as an "extremely simple script for easily bringing up a WireGuard interface, suitable for a few common use cases" (from their manpage).

Networkd also should support other use cases - like setting AllowedIPs to 0.0.0.0/0 and ::/0 and having a dynamic routing protocol setting more specific routes (or the user manually setting them).

Reported-In: https://github.com/systemd/systemd/issues/14176
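The distinction the commit message draws, shown as a pair of networkd unit files. This is an added example, not part of the commit or of the systemd documentation; the interface name, addresses, endpoint and key placeholders are assumptions. The `.netdev` file declares which peer handles which prefixes (`AllowedIPs=`), and the `.network` file adds the kernel route that actually steers traffic into the interface; the route for the tunnel subnet itself is implied by `Address=`, so the explicit `[Route]` is only needed for the prefix reachable through the peer:

```ini
# /etc/systemd/network/wg0.netdev  (added example; keys and addresses are placeholders)
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
# Placeholder: base64 private key of this host, or use PrivateKeyFile= instead.
PrivateKey=<this-host-private-key-base64>
ListenPort=51820

[WireGuardPeer]
# Placeholder: the peer's base64 public key and its reachable endpoint.
PublicKey=<peer-public-key-base64>
Endpoint=203.0.113.10:51820
# Cryptokey routing only: packets destined to these prefixes are encrypted to
# this peer, and decrypted packets from this peer are dropped unless their
# source address lies inside these prefixes. This adds NO kernel route.
# Keep the list as narrow as the use case allows; a catch-all (0.0.0.0/0, ::/0)
# means this peer may originate traffic with any source address.
AllowedIPs=10.8.0.0/24,192.168.50.0/24

# /etc/systemd/network/wg0.network  (added example)
[Match]
Name=wg0

[Network]
# Creates the on-link route for 10.8.0.0/24 as a side effect.
Address=10.8.0.2/24

# The prefix behind the peer is NOT covered by Address=, so without this route
# packets for 192.168.50.0/24 never enter wg0, no matter what AllowedIPs= says.
[Route]
Destination=192.168.50.0/24
```

Both files would normally be separate units; they are shown in one listing for readability. The two settings fail independently: a route without a matching `AllowedIPs=` entry sends packets into the interface where WireGuard has no peer to hand them to, and an `AllowedIPs=` entry without a route never sees the packets at all.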
Diffstat (limited to 'man')
-rw-r--r-- man/systemd.netdev.xml 13
1 file changed, 10 insertions, 3 deletions
diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml
index fffef93aa2..7a5d5cc48d 100644
--- a/man/systemd.netdev.xml
+++ b/man/systemd.netdev.xml
@@ -1629,9 +1629,16 @@
<listitem>
<para>Sets a comma-separated list of IP (v4 or v6) addresses with CIDR masks
from which this peer is allowed to send incoming traffic and to
- which outgoing traffic for this peer is directed. The catch-all
- 0.0.0.0/0 may be specified for matching all IPv4 addresses, and
- ::/0 may be specified for matching all IPv6 addresses. </para>
+ which outgoing traffic for this peer is directed.</para>
+ <para>The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses,
+ and ::/0 may be specified for matching all IPv6 addresses.</para>
+ <para>Note that this only affects "routing inside the network interface itself",
+ as in, which wireguard peer packets with a specific destination address are sent to,
+ and what source addresses are accepted from which peer.</para>
+ <para>To cause packets to be sent via wireguard in first place, a route needs
+ to be added, as well - either in the <literal>[Routes]</literal> section on the
+ <literal>.network</literal> matching the wireguard interface, or outside of networkd.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
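Review bot: the last added <para> points readers at a <literal>[Routes]</literal> section, but the section that systemd.network(5) documents for static routes is `[Route]`; suggest `<literal>[Route]</literal>` so the cross-reference resolves to an existing section. Wording in the same para: "in first place" should be "in the first place", and the trailing ", as well -" reads awkwardly; suggest "a route needs to be added as well, either in the ...". In the preceding para, "routing inside the network interface itself" is set in quotation marks without a source; either drop the quotes or name it as WireGuard's "cryptokey routing", which also makes the security consequence explicit: the same list is the per-peer source-address filter on incoming traffic, so a catch-all entry should only be given to a peer trusted to originate any source address.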