undefined | Better HN

0 pointsagwa2y ago0 comments

In general, rule-based solutions are good if they use fwmark, but this gives me pause:

> And finally we add a convenience feature for still accessing the local network, whereby we allow packets without the fwmark to use the main routing table, not the WireGuard interface's routing table, if it matches any routes in it with a prefix length greater than zero, such as non-default local routes. [https://www.wireguard.com/netns/#improved-rule-based-routing]

Doesn't that completely neutralize the protection against a DHCP server sending malicious routes or a gigantic subnet mask?

0 comments

zokier2y ago

its just a default convenience feature from wg-quick, its not intended to be something that fits all usecases; on trusted networks split-tunneling like that makes lot of sense

j / k navigate · click thread line to collapse

0 comments

zokier2y ago

its just a default convenience feature from wg-quick, its not intended to be something that fits all usecases; on trusted networks split-tunneling like that makes lot of sense

j / k navigate · click thread line to collapse