[eduVPN-deploy] Wireguard blocking LAN access

Marc Langer marc.langer at uos.de
Tue Mar 14 08:50:56 CET 2023


Hi François,
no, sorry, I did not test that with plain WireGuard, but got reports 
from our users and was able to replicate the problem on Windows 
(normally I am using Linux). Then I found reports about this kill switch 
on the web.

I am not sure if the routes alone do the trick. I already have an 
excludeRouteList, so that AllowedIPs looks like this:

AllowedIPs = 
::/0,0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,128.0.0.0/2,192.0.0.0/9,192.128.0.0/11,192.160.0.0/13,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4,224.0.0.0/3

Perhaps I have to split ::/0, too? I found some older reports on the 
web that this v6 default route had caused problems for some clients.

The blocked connections in my case were for 192.168.x.x addresses, though.

Regards,
Marc

On 14.03.23 at 08:40, François Kooman wrote:
> Hi Marc,
> 
> To be honest, I was not aware of this feature! And it took me a long 
> time to find it in the Windows UI, but I managed, see attachment :-)
> 
> It seems, when defaultGateway is set to true, the WireGuard client 
> configuration contains this:
> 
> AllowedIPs = 0.0.0.0/0, ::/0
> 
> When "Block untunneled traffic (kill-switch)" is *disabled* the 
> configuration is changed to this:
> 
> AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
> 
> My theory is that the WireGuard client behaves differently in the first 
> scenario compared to the latter one.
> 
> It seems that it is (very) easy to implement this in the server, but 
> perhaps the option should not be "wBlockLan", because this option does 
> more than that, it suggests it implements a "kill switch". Perhaps we 
> need to have a wBlockUntunneledTraffic, or wKillSwitch option?
> 
> Do you have any suggestion here? Did you test that the "kill switch" 
> functionality works?
> 
> Regards,
> François
> 
> On 13.03.23 20:17, Marc Langer via eduVPN-deploy wrote:
>> Hi,
>>
>> in the eduVPN config, the oBlockLan option is only available for
>> OpenVPN, but WireGuard is blocking LAN access by default in Windows 10,
>> too. WireGuard has an option "Block untunneled traffic", which seems
>> to be activated by default. How can I disable this in my eduVPN profile?
>>
>> Thanks,
>>
>> Marc
>>
>>
>> _______________________________________________
>> eduVPN-deploy mailing list
>> eduVPN-deploy at list.surfnet.nl
>> https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy

-- 
Uni Osnabrück
Rechenzentrum
Nelson-Mandela-Str. 4
49076 Osnabrück

Tel. 0541-969-2365
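An added example (not eduVPN's or WireGuard's own code) that reconstructs the AllowedIPs line above with Python's ipaddress module: that list is exactly 0.0.0.0/0 minus 10.0.0.0/8 and 192.168.0.0/16, which I assume was the excludeRouteList. It also applies François's observation that only a literal 0.0.0.0/0 or ::/0 entry makes the Windows client turn on "Block untunneled traffic", so the untouched ::/0 is split into its two /1 halves; the function names are my own.

```python
import ipaddress

# Routes the client receives with defaultGateway=true; per the thread, the
# Windows client enables the kill switch when these appear literally.
DEFAULT_ROUTES = ("0.0.0.0/0", "::/0")


def exclude_ranges(base, exclusions):
    """Networks covering `base` minus every network in `exclusions`
    (what an excludeRouteList has to produce for AllowedIPs)."""
    base = ipaddress.ip_network(base)
    remaining = [base]
    for exc in map(ipaddress.ip_network, exclusions):
        if exc.version != base.version:
            continue  # a v4 exclusion cannot carve a v6 route, or vice versa
        nxt = []
        for net in remaining:
            if net.subnet_of(exc):
                continue  # entirely inside an excluded range: drop it
            if exc.subnet_of(net):
                nxt.extend(net.address_exclude(exc))  # carve the hole out
            else:
                nxt.append(net)  # disjoint: keep unchanged
        remaining = nxt
    return sorted(remaining)


def split_default_route(net):
    """0.0.0.0/0 -> 0.0.0.0/1, 128.0.0.0/1 (same coverage, not the literal
    default route the client keys on); any other prefix is returned as is."""
    net = ipaddress.ip_network(net)
    return list(net.subnets(prefixlen_diff=1)) if net.prefixlen == 0 else [net]


def triggers_kill_switch(allowed_ips):
    """True if AllowedIPs still carries a literal 0.0.0.0/0 or ::/0."""
    return any(str(ipaddress.ip_network(a)) in DEFAULT_ROUTES for a in allowed_ips)


def allowed_ips_line(exclusions=(), avoid_kill_switch=True):
    """Build the AllowedIPs value for a defaultGateway=true profile."""
    nets = []
    for route in DEFAULT_ROUTES:
        carved = exclude_ranges(route, exclusions)
        if avoid_kill_switch:
            carved = [h for n in carved for h in split_default_route(n)]
        nets.extend(carved)
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


if __name__ == "__main__":
    print(allowed_ips_line(["10.0.0.0/8", "192.168.0.0/16"]))
```

Feed it any other excludeRouteList to see the resulting AllowedIPs and whether a bare default route survives.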