Join Log in
Score:0
user3018558 avatar Server

Linux: Automatically remove routing reference when next-hop is unreachable

ca flag
user3018558

I'm setting up the routing for my site-to-site wireguard VPN. Everything seems to be working fine but I have noticed that if a remote destination (next-hop) becomes unreachable the Linux kernel doesn't remove the reference to it from the routing table.

root@router:/# ip route
...
10.0.0.0/24 via 192.168.192.10 dev wg0
...

I have tried to define the destination in multiple way e.g. specifying only the output interface

ip add 10.0.0.0/24 dev wg0

or just the next-hop IP

ip add 10.0.0.0/24 via 192.168.192.10

In neither cases if the remote site runs into any issue and the IP 192.168.192.10 becomes unreachable I can still see the references in the local routing table.

Is there any way to have the next-hop reachability tracked (other than me scripting this up a boring list of periodic ping) so that if this becomes unreachable any reference to it is automatically removed from the routing table?

Thanks

224
1 + 1
A.B avatar
cl flag
A.B
FWIW: when using an L3 interface (WireGuard works with IPv4 or IPv6 but without for example an Ethernet layer) the concept of a gateway is moot: there's no lower layer address to resolve. That means that any time there's written "via XXXX dev wg0", "via XXXX" is redundant, ignored and can be removed (but "via XXXX" alone can't be removed: it would have to be replaced with "dev wg0" because the stack can't add it in the route without the former hint).
0
Reply
Score:1
Hawshemi avatar Server
kz flag
Hawshemi

Add the "monitor" option to the route command when defining the route as follows to enable the monitoring:

ip route add 10.0.0.0/24 via 192.168.192.10 dev wg0 monitor

you can also specify the monitoring interval and the minimum number of unsuccessful probes before the next-hop is regarded as being unreachable:

ip route change 10.0.0.0/24 via 192.168.192.10 dev wg0 monitor interval 5 timeout 10

This command will set the monitoring interval to 5 seconds and the timeout for failed probes to 10 seconds.

+ 4
user3018558 avatar
ca flag
user3018558
Not sure if this is a bug or something but I get an error doing so: ``` root@router:/# ip route add 10.0.0.0/24 via 192.168.192.10 dev wg0 monitor Error: either "to" is duplicate, or "monitor" is a garbage. ```
0
Reply
Hawshemi avatar
kz flag
Hawshemi
How about this: ```ip route add 10.0.0.0/24 via 192.168.192.10 dev wg0 monitor on``` And for intervals: ```ip route change 10.0.0.0/24 via 192.168.192.10 dev wg0 monitor on interval 5 timeout 10```
0
Reply
user3018558 avatar
ca flag
user3018558
Simply adding "monitor" produces the error as per above. To be mentioned I'm on Kernel 2.6.36.4 (a router with busybox essentially).
1
Reply
A.B avatar
cl flag
A.B
Hawshemi I really doubt there's such feature as "ip route add/change ... monitor" or about an interval or timeout of such monitoring. doesn't work here with kernel 6.0.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.