nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-04-29 10:10:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

wireguard: Fix split tunneling

Browse Source 
- Currently, when adding a server, we have an option for 'default route' but
unchecking it does not work. This is due to allowed_peers always containing
::0/0 and 0.0.0.0/0. Fix this by setting the allowed_peers to a value containing
only the IP of the WireGuard network.

Tests:

- When default routing it checked, routing table shows default route for
wireguard device. Traceroute confirms routing through WireGuard network.

- When default routing it unchecked, routing table does not show default route
for wireguard device. Traceroute confirms routing through regular network.

Signed-off-by: Frederico Gomes <fredericojfgomes@gmail.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
This commit is contained in:
Frederico Gomes 2026-02-16 14:05:14 +00:00 committed by Sunil Mohan Adapa
parent 3be73bad59
commit 57816029e5
No known key found for this signature in database
GPG Key ID: 43EA1CFF0AA7C5F2
2 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
plinth/modules/wireguard/forms.py
View File

@ -109,6 +109,7 @@ class AddServerForm(forms.Form):
def get_settings(self): def get_settings(self):
"""Return NM settings dict from cleaned data.""" """Return NM settings dict from cleaned data."""
ip_address = self.cleaned_data['ip_address']
settings = { settings = {
'common': { 'common': {
'type': 'wireguard', 'type': 'wireguard',
@ -116,8 +117,8 @@ class AddServerForm(forms.Form):
}, },
'ipv4': { 'ipv4': {
'method': 'manual', 'method': 'manual',
'address': self.cleaned_data['ip_address'], 'address': ip_address,
'netmask': '', 'netmask': '255.255.255.0',
'gateway': '', 'gateway': '',
'dns': '', 'dns': '',
'second_dns': '', 'second_dns': '',
@ -125,6 +126,7 @@ class AddServerForm(forms.Form):
'wireguard': { 'wireguard': {
'peer_endpoint': self.cleaned_data['peer_endpoint'], 'peer_endpoint': self.cleaned_data['peer_endpoint'],
'peer_public_key': self.cleaned_data['peer_public_key'], 'peer_public_key': self.cleaned_data['peer_public_key'],
'ip_address': ip_address,
'private_key': self.cleaned_data['private_key'], 'private_key': self.cleaned_data['private_key'],
'preshared_key': self.cleaned_data['preshared_key'], 'preshared_key': self.cleaned_data['preshared_key'],
'default_route': self.cleaned_data['default_route'], 'default_route': self.cleaned_data['default_route'],

9
plinth/network.py
View File

@ -507,8 +507,13 @@ def _update_wireguard_settings(connection, wireguard):
peer.set_preshared_key_flags(nm.SettingSecretFlags.NONE) peer.set_preshared_key_flags(nm.SettingSecretFlags.NONE)
peer.set_preshared_key(wireguard['preshared_key'], False) peer.set_preshared_key(wireguard['preshared_key'], False)
peer.append_allowed_ip('0.0.0.0/0', False) if wireguard['default_route']:
peer.append_allowed_ip('::/0', False) peer.append_allowed_ip('0.0.0.0/0', False)
peer.append_allowed_ip('::/0', False)
else:
ip_addr = wireguard['ip_address']
peer.append_allowed_ip(f'{ip_addr}/24', False)
settings.clear_peers() settings.clear_peers()
settings.append_peer(peer) settings.append_peer(peer)