0

I'm setting up the routing for my site-to-site wireguard VPN. Everything seems to be working fine but I have noticed that if a remote destination (next-hop) becomes unreachable the Linux kernel doesn't remove the reference to it from the routing table.

root@router:/# ip route
...
10.0.0.0/24 via 192.168.192.10 dev wg0
...

I have tried to define the destination in multiple way e.g. specifying only the output interface

ip add 10.0.0.0/24 dev wg0

or just the next-hop IP

ip add 10.0.0.0/24 via 192.168.192.10

In neither cases if the remote site runs into any issue and the IP 192.168.192.10 becomes unreachable I can still see the references in the local routing table.

Is there any way to have the next-hop reachability tracked (other than me scripting this up a boring list of periodic ping) so that if this becomes unreachable any reference to it is automatically removed from the routing table?

Thanks

rs232
  • 105
  • 1
  • 10
  • FWIW: when using an L3 interface (WireGuard works with IPv4 or IPv6 but without for example an Ethernet layer) the concept of a gateway is moot: there's no lower layer address to resolve. That means that any time there's written "via XXXX dev wg0", "via XXXX" is redundant, ignored and can be removed (but "via XXXX" alone can't be removed: it would have to be replaced with "dev wg0" because the stack can't add it in the route without the former hint). – A.B Mar 20 '23 at 18:56

1 Answers1

1

Add the "monitor" option to the route command when defining the route as follows to enable the monitoring:

ip route add 10.0.0.0/24 via 192.168.192.10 dev wg0 monitor

you can also specify the monitoring interval and the minimum number of unsuccessful probes before the next-hop is regarded as being unreachable:

ip route change 10.0.0.0/24 via 192.168.192.10 dev wg0 monitor interval 5 timeout 10

This command will set the monitoring interval to 5 seconds and the timeout for failed probes to 10 seconds.

Hawshemi
  • 302
  • 5
  • Not sure if this is a bug or something but I get an error doing so: ``` root@router:/# ip route add 10.0.0.0/24 via 192.168.192.10 dev wg0 monitor Error: either "to" is duplicate, or "monitor" is a garbage. ``` – rs232 Mar 19 '23 at 18:52
  • How about this: ```ip route add 10.0.0.0/24 via 192.168.192.10 dev wg0 monitor on``` And for intervals: ```ip route change 10.0.0.0/24 via 192.168.192.10 dev wg0 monitor on interval 5 timeout 10``` – Hawshemi Mar 19 '23 at 19:25
  • 1
    Simply adding "monitor" produces the error as per above. To be mentioned I'm on Kernel 2.6.36.4 (a router with busybox essentially). – rs232 Mar 20 '23 at 13:07
  • Hawshemi I really doubt there's such feature as "ip route add/change ... monitor" or about an interval or timeout of such monitoring. doesn't work here with kernel 6.0. – A.B Mar 20 '23 at 18:45