
fwmark not applying when using AllowedIPs = 0.0.0.0/0 #132

Open
rusty-eagle opened this issue Jun 3, 2020 · 3 comments
Labels
bug Something isn't working

Comments

@rusty-eagle

So when I run wg-quick, everything looks normal:

$ sudo WG_QUICK_USERSPACE_IMPLEMENTATION=boringtun WG_SUDO=1 wg-quick up ./wg0.conf
[#] boringtun wg0
BoringTun started successfully
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.3/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

But, using wg show, the fwmark option isn't there.

$ sudo wg show
interface: wg0
public key: <PUBLIC_KEY>
private key: (hidden)
listening port: 56761

The fwmark setting is usually listed here

peer: <PEER_PUBLIC_KEY>
endpoint: <ENDPOINT_IP>:<ENDPOINT_PORT>
allowed ips: 0.0.0.0/0
latest handshake: 14 seconds ago
transfer: 456 B received, 9.21 KiB sent
persistent keepalive: every 21 seconds

As a result, I am not able to use this to emerge via my endpoint. Nor am I able to access SSH on that endpoint server via its VPN IP address.

I have also set the caps:

boringtun = cap_net_admin+eip

However, if I use wireguard-go, this does work:

$ sudo wg show
interface: wg0
public key: <PUBLIC_KEY>
private key: (hidden)
listening port: 43448
fwmark: 0xca6c

peer: <PEER_PUBLIC_KEY>
endpoint: <ENDPOINT_IP>:<ENDPOINT_PORT>
allowed ips: 0.0.0.0/0
transfer: 0 B received, 296 B sent
persistent keepalive: every 21 seconds

And I am able to route via my endpoint.

I am using Gentoo:

Linux gentoo 5.4.28-gentoo-x86_64 #1 SMP Mon Apr 27 14:39:46 -00 2020 x86_64 Intel(R) Core(TM) i5-3317U CPU @ 1.70GHz GenuineIntel GNU/Linux

@def324

def324 commented Oct 9, 2020

I have the exact same problem running with the same options in an Alpine-based docker container. Any help would be appreciated.

@RammusXu

RammusXu commented Jan 12, 2021

+1

Expect: (wireguard-go)

interface: wg0
  public key: (hidden)
  private key: (hidden)
  listening port: 51820
  fwmark: 0xca6c

peer: (hidden)
  endpoint: (hidden)
  allowed ips: 0.0.0.0/0
  latest handshake: 3 minutes, 55 seconds ago
  transfer: 1.61 KiB received, 1.01 KiB sent

Actual: (boringtun)

interface: wg0
  public key: (hidden)
  private key: (hidden)
  listening port: 51820

peer: (hidden)
  endpoint: 130.211.245.15:51820
  allowed ips: 0.0.0.0/0

@mikma

mikma commented Jan 12, 2021

The wg tool can't display the fwmark since fwmark is written as part of each peer, when fwmark should be written before the peers. This is a bug in boringtun.

writeln!(writer, "fwmark={}", fwmark);

But this particular bug shouldn't change how fwmark is used on WireGuard packets in boringtun.
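To make the ordering problem mikma describes concrete (and why the first post's wg show output has no fwmark line even though wg set succeeded), here is an added example, not code from boringtun or from the wg tool: a small model of how the userspace UAPI "get" response is consumed. Interface keys such as listen_port and fwmark are only accepted before the first public_key= line; once a peer section has started, the same key name is treated as a peer attribute, and a key that is not valid there is dropped. The serializer below can place fwmark either correctly (before the peers) or per peer, as the issue describes. The parser is a simplified model of wg's behaviour, not its actual code, and the public key, endpoint and allowed IPs are constructed placeholders.

```rust
// Added example (not boringtun's or wg's code): a minimal model of how the
// WireGuard userspace UAPI "get=1" response is parsed. Interface keys
// (listen_port, fwmark) are only accepted before the first "public_key=" line;
// after a peer has started, the same key is read as a peer attribute and, being
// invalid there, is dropped, so it is never displayed.

#[derive(Debug, Default, PartialEq)]
pub struct Peer {
    pub public_key: String,
    pub endpoint: Option<String>,
    pub allowed_ips: Vec<String>,
}

#[derive(Debug, Default, PartialEq)]
pub struct Device {
    pub listen_port: Option<u16>,
    pub fwmark: Option<u32>,
    pub peers: Vec<Peer>,
    /// Keys seen in a section where they are not valid (dropped by the parser).
    pub ignored: Vec<String>,
}

/// Parse a get response: "key=value" lines, decimal numbers, blank line ends it.
pub fn parse_get_response(text: &str) -> Result<Device, String> {
    let mut dev = Device::default();
    for (n, raw) in text.lines().enumerate() {
        let line = raw.trim_end();
        if line.is_empty() {
            break; // blank line terminates the response
        }
        let (key, value) = line
            .split_once('=')
            .ok_or_else(|| format!("line {}: missing '='", n + 1))?;
        let in_peer = !dev.peers.is_empty();
        match (key, in_peer) {
            ("listen_port", false) => {
                dev.listen_port = Some(value.parse().map_err(|e| format!("listen_port: {e}"))?)
            }
            ("fwmark", false) => {
                dev.fwmark = Some(value.parse().map_err(|e| format!("fwmark: {e}"))?)
            }
            // Every public_key= line opens a new peer section.
            ("public_key", _) => dev.peers.push(Peer { public_key: value.to_string(), ..Default::default() }),
            ("endpoint", true) => dev.peers.last_mut().unwrap().endpoint = Some(value.to_string()),
            ("allowed_ip", true) => dev.peers.last_mut().unwrap().allowed_ips.push(value.to_string()),
            ("errno", _) if value != "0" => return Err(format!("device returned errno={value}")),
            ("errno", _) => {}
            // Anything else (including an interface key inside a peer) is dropped.
            _ => dev.ignored.push(format!("line {}: {key} (in_peer={in_peer})", n + 1)),
        }
    }
    Ok(dev)
}

/// Where the serializer places the interface-level fwmark line.
#[derive(Clone, Copy)]
pub enum FwmarkPlacement {
    BeforePeers, // correct: in the interface section
    InsidePeers, // the misplacement described in this issue: written per peer
}

/// Serialize a device as a get response with fwmark placed as requested.
pub fn render_get_response(dev: &Device, placement: FwmarkPlacement) -> String {
    let mut out = String::new();
    if let Some(p) = dev.listen_port {
        out.push_str(&format!("listen_port={p}\n"));
    }
    if let (Some(m), FwmarkPlacement::BeforePeers) = (dev.fwmark, placement) {
        out.push_str(&format!("fwmark={m}\n"));
    }
    for peer in &dev.peers {
        out.push_str(&format!("public_key={}\n", peer.public_key));
        if let (Some(m), FwmarkPlacement::InsidePeers) = (dev.fwmark, placement) {
            out.push_str(&format!("fwmark={m}\n")); // too late: parser is in a peer
        }
        if let Some(ep) = &peer.endpoint {
            out.push_str(&format!("endpoint={ep}\n"));
        }
        for ip in &peer.allowed_ips {
            out.push_str(&format!("allowed_ip={ip}\n"));
        }
    }
    out.push_str("errno=0\n\n");
    out
}

/// Constructed sample (placeholder key and endpoint): one full-tunnel peer,
/// fwmark 51820 (0xca6c), the value wg-quick set in the log in this issue.
pub fn sample_device() -> Device {
    Device {
        listen_port: Some(51820),
        fwmark: Some(51820),
        peers: vec![Peer {
            public_key: "<PEER_PUBLIC_KEY_HEX>".to_string(),
            endpoint: Some("192.0.2.1:51820".to_string()), // TEST-NET-1 placeholder
            allowed_ips: vec!["0.0.0.0/0".to_string()],
        }],
        ignored: Vec::new(),
    }
}

/// The fwmark a wg-style reader would display for the given placement.
pub fn visible_fwmark(placement: FwmarkPlacement) -> Option<u32> {
    parse_get_response(&render_get_response(&sample_device(), placement))
        .expect("well-formed response")
        .fwmark
}

fn main() {
    for p in [FwmarkPlacement::BeforePeers, FwmarkPlacement::InsidePeers] {
        let parsed = parse_get_response(&render_get_response(&sample_device(), p)).unwrap();
        println!("fwmark visible: {:?}; dropped keys: {:?}", parsed.fwmark, parsed.ignored);
    }
}
```

With fwmark before the peers the reader reports Some(51820); with fwmark inside the peer section the same value is silently dropped and the interface shows no fwmark, while the peer and its allowed IPs still parse normally. That matches mikma's point: the display is wrong, but nothing in this path changes the mark the daemon actually sets on its own UDP socket.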

mikma added a commit to mikma/boringtun that referenced this issue Jan 12, 2021
The fwmark key must be included before any peers.
vkrasnov pushed a commit that referenced this issue Jan 15, 2021
The fwmark key must be included before any peers.
@Noah-Kennedy Noah-Kennedy added the bug Something isn't working label Feb 14, 2022