wireguard route metric

AVM added wireguard support in FRITZ!OS 7.50

I have used and liked wireguard for years, so I was curious and just gave the FRITZ!OS variant a try...

The first thing to note is that FRITZ!OS gives you a normal client IP from the LAN segment for the wireguard interface. So if you use the wireguard VPN as an 'always on' variant, all traffic targeting the LAN will go via wireguard:

# wg show wgfritz allowed-ips
rw638GD8ZmvsXGK8YXYM3htUwHoXqoBPhK6iuBomNkc=    192.168.100.0/24

# ip r get 192.168.100.1
192.168.100.1 dev wgfritz src 192.168.100.200 uid 0 
    cache 

To avoid this, you need to set a metric on the route, so that from inside the LAN your packets targeting the LAN IPs go directly via your LAN or Wi-Fi interface.

# apt install ifmetric

# cat /etc/network/interfaces.d/wgfritz

iface wgfritz inet static
    address 192.168.100.200
    netmask 255.255.255.0
    metric 800
    pre-up ip link add $IFACE type wireguard
    pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
    post-down ip link del $IFACE

# ifup wgfritz
# wg show wgfritz allowed-ips
rw638GD8ZmvsXGK8YXYM3htUwHoXqoBPhK6iuBomNkc=    192.168.100.0/24
# ip r get 192.168.100.1
192.168.100.1 dev enxc8f750dda8c9 src 192.168.100.39 uid 0 
    cache 

Here I use a metric of 800, as my wifi connection uses 600 and my lan 100. So the metric for the wireguard interface should be higher than both of them:

# ip r | grep 192.168.100.0
192.168.100.0/24 dev enxc8f750dda8c9 proto kernel scope link src 192.168.100.39 metric 100 
192.168.100.0/24 dev wlp2s0 proto kernel scope link src 192.168.100.30 metric 600 
192.168.100.0/24 dev wgfritz proto kernel scope link src 192.168.100.200 metric 800 
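
As an added example (not part of the original post), this shell function reads `ip route` output and confirms that the wireguard interface has the highest metric for the shared prefix, so LAN traffic stays off the tunnel. The helper name `wg_metric_check` and the "before" sample routes are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `ip route` output on stdin and checks that the
# WireGuard interface loses route selection for a shared on-link prefix.
#   exit 0: every other interface on that prefix has a lower metric
#   exit 1: another interface ties or has a higher metric than the tunnel
#   exit 2: the WireGuard interface has no route for the prefix
wg_metric_check() {   # hypothetical helper: wg_metric_check IFACE PREFIX
    awk -v wg="$1" -v prefix="$2" '
        $1 == prefix {
            dev = ""; metric = 0      # "metric" is not printed when it is 0
            for (i = 2; i < NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (dev == wg) { wg_metric = metric; have_wg = 1 }
            else if (dev != "") other[dev] = metric
        }
        END {
            if (!have_wg) { print "no " prefix " route on " wg; exit 2 }
            bad = 0
            for (d in other) if (other[d] >= wg_metric) {
                printf "%s metric %d >= %s metric %d\n", d, other[d], wg, wg_metric
                bad = 1
            }
            exit bad
        }'
}

# Routes as shown in the post after setting metric 800.
ROUTES_AFTER='192.168.100.0/24 dev enxc8f750dda8c9 proto kernel scope link src 192.168.100.39 metric 100
192.168.100.0/24 dev wlp2s0 proto kernel scope link src 192.168.100.30 metric 600
192.168.100.0/24 dev wgfritz proto kernel scope link src 192.168.100.200 metric 800'

# Constructed sample: the same table with no metric on the tunnel route.
ROUTES_BEFORE='192.168.100.0/24 dev enxc8f750dda8c9 proto kernel scope link src 192.168.100.39 metric 100
192.168.100.0/24 dev wlp2s0 proto kernel scope link src 192.168.100.30 metric 600
192.168.100.0/24 dev wgfritz proto kernel scope link src 192.168.100.200'

printf '%s\n' "$ROUTES_AFTER"  | wg_metric_check wgfritz 192.168.100.0/24 && echo "after: ok"
printf '%s\n' "$ROUTES_BEFORE" | wg_metric_check wgfritz 192.168.100.0/24 || echo "before: LAN traffic prefers the tunnel"
```

On a live system, feed it the real table: `ip route | wg_metric_check wgfritz 192.168.100.0/24`.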
