
URL: https://wiki.archlinux.org/title/User_talk:Nl6720

User talk:nl6720 - ArchWiki


"RouteTable=1000" is not ideal.

Latest comment: 26 August 2025 · 4 comments · 2 people in discussion

Let me explain why "RouteTable=1000" is not ideal. Firstly, "RouteTable=1000" doesn't align with the WireGuard documentation (see https://www.wireguard.com/netns/). The WireGuard documentation tells us that we should add the default route on the alternative routing table (table 1000). "RouteTable=1000" does something different. "RouteTable=1000" will add every entry in AllowedIPs as a static route to table 1000. If AllowedIPs is a long list, then routing table 1000 will be a long list too. This is totally unnecessary because the wg0 interface already handles the AllowedIPs by itself, and it doesn't need systemd-networkd to add all these static routes. The only purpose of table 1000 is to hand every package over to the wg0 interface.

In my edit I removed "RouteTable=1000", so systemd-networkd will never clutter table 1000 with all those unnecessary entries. I added a [Route] section to actually add the default route to table 1000. In this case, table 1000 will always only contain the default route, as it should. Barrelrider (talk) 13:51, 24 August 2025 (UTC)

WireGuard#systemd-networkd: routing all traffic over WireGuard uses RouteTable=1000 in the [WireGuardPeer] section of a peer that has only AllowedIPs=0.0.0.0/0. No other routes will be created in this case. The advantage of RouteTable= is that you don't have to hardcode any routes in .network files. -- nl6720 () 05:55, 25 August 2025 (UTC)
The only route you have to hardcode in the .network file is the default route. While the example only specifies AllowedIPs=0.0.0.0/0, individuals may desire a configuration that varies from the one presented. As a result, they will modify the AllowedIPs, leading to additional routes in table 1000. This also signifies that the behavior will not be the same. If RouteTable is set to 1000, any package not included in the AllowedIPs list will be directed to the main routing table. As a result, the package is transmitted outside the VPN tunnel. In my setup using [Route], the package will be dropped if it isn't included in AllowedIPs. Barrelrider (talk) 23:46, 25 August 2025 (UTC)
The section is called "routing all traffic over WireGuard", so it makes no sense to omit 0.0.0.0/0 from AllowedIPs within the [WireGuardPeer] section of the peer you want to direct all traffic to. -- nl6720 () 10:03, 26 August 2025 (UTC)
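To make the two approaches in the thread concrete, the following systemd-networkd fragments are an added illustration: they are not taken from the ArchWiki article or from either participant. The interface name wg0, the table number 1000, the firewall mark 0x8888, the rule priorities, the tunnel address and the placeholder key and endpoint values are all assumptions chosen for the example.

```ini
# Added example, not from the talk page or the ArchWiki article.
# wg0, table 1000, fwmark 0x8888, the priorities and all placeholder
# values below are assumptions.

# --- /etc/systemd/network/wg0.netdev ---
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
# placeholder path to the private key
PrivateKeyFile=/etc/systemd/network/wg0.key
# mark WireGuard's own encrypted UDP so it bypasses the tunnel table
FirewallMark=0x8888

[WireGuardPeer]
PublicKey=<peer-public-key-placeholder>
Endpoint=<vpn-endpoint-placeholder>:51820
AllowedIPs=0.0.0.0/0
# Variant A (what the wiki section does): systemd-networkd installs one
# route in table 1000 per AllowedIPs= prefix. With only 0.0.0.0/0 that is a
# single default route. With a longer AllowedIPs= list, table 1000 gains one
# entry per prefix and any destination outside the list falls through to
# the main table, i.e. leaves the host outside the tunnel.
RouteTable=1000

# --- /etc/systemd/network/wg0.network ---
[Match]
Name=wg0

[Network]
# placeholder tunnel address
Address=10.0.0.2/32

# Variant B (what the thread proposes instead): drop RouteTable=1000 from
# the [WireGuardPeer] section above and pin exactly one default route into
# table 1000 here. Table 1000 then never holds anything but this route, and
# a destination wg0 has no AllowedIPs= entry for is handed to wg0 and
# dropped there rather than routed via the main table.
[Route]
Destination=0.0.0.0/0
Table=1000

# Policy rules (needed by either variant). The suppress_prefixlength 0 rule
# lets the main table answer only with specific routes (e.g. the LAN), never
# with its default route; the inverted fwmark rule sends everything that is
# not WireGuard's own encrypted traffic through table 1000.
[RoutingPolicyRule]
Table=main
SuppressPrefixLength=0
Priority=9

[RoutingPolicyRule]
FirewallMark=0x8888
InvertRule=true
Table=1000
Priority=10
```

After applying either variant, `ip route show table 1000` shows what actually landed in the alternative table: under Variant A that is one route per AllowedIPs= prefix, under Variant B only `default dev wg0`. The security-relevant difference is the failure mode for a destination that is not covered by AllowedIPs=: Variant A routes it via the main table in clear, Variant B lets the WireGuard interface drop it.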