lexsilico Posted ...

Hi, I'm using the AirVPN Suite for Linux 2.0.0 installed on my Raspberry, with WireGuard. Everything works fine, but I noticed that when mounting tun0, Bluetit seems to choose my wifi interface instead of my wired interface for routing.

From the logs I can see:

Network gateway is IPv4 192.168.1.254/32 via interface wlan0
Added route IPv4 141.98.XXX.XXX/32 via 192.168.1.254 dev wlan0
Successfully initialized WireGuard device tun0

I have both interfaces enabled on my Raspberry (wired: end0 and wifi: wlan0), but my wired interface has a lower metric for routing, so I was expecting Bluetit to use end0 instead of wlan0. I would prefer to use end0 instead of wlan0 for my VPN.

Can you help me to use wlan0 as a first choice? (By the way, I don't want to disable the wifi interface.)

Thx
Staff Posted ...

@lexsilico Hello!

Please note that neither Bluetit nor WireGuard directly control the routing decision; they rely on the kernel's routing stack. The behavior of the underlying OS and the routing configuration can cause issues with your configuration. The operating system may prioritize an interface based on its state or link-local address availability. If one interface with the higher metric is perceived to be more reliable (even if its metric is higher), the system might route traffic through the interface whose routes have a higher metric in any case for certain types of traffic.

More generally, when you configure two interfaces to use the same default gateway and they are both in the same subnet, you're telling the system that both interfaces can reach the same destination (the gateway), which can cause path ambiguity if both interfaces are active, regardless of the route metrics. Certain types of traffic might end up using the higher-metric interface because of various situations: a race condition, a connection state mismatch, any possible (even temporary) issue with the routing, etc. Furthermore, this setup paves the way to asymmetric routing problems, which are quite serious.

You still have the option to configure policy-based routing using ip to force WireGuard traffic to go through a specific interface, regardless of the default gateway metric. This specific configuration must be created by you, as you have no options to force Bluetit to bypass WireGuard (kernel) decisions, and you have no option to tell WireGuard to do the same. You can add your command(s) in the PostUp and PostDown directives to ensure the correct interface is used during the WireGuard connection lifecycle. Note that in this case you will have to use your own profile with Hummingbird (or with Bluetit and Goldcrest), and not the AirVPN integrated Bluetit/Goldcrest connection mode.
We will also consult with the Suite development team to study your case in more detail and we will update this thread if necessary. We do not rule out the possibility of adding, in the future, special options to compile PostUp and PostDown commands directly from within the Bluetit run control file (possibly not via Goldcrest, because WireGuard runs the executable files specified in PostUp and PostDown with root privileges).

Kind regards
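
One way to express the policy-based routing that the staff reply describes, as an added example that is not part of the thread and not AirVPN code. The routing table id 100, the rule priority 100 and the endpoint 203.0.113.10 are assumptions (the thread elides the real endpoint address); the gateway and interface name are taken from the posted log.

```shell
#!/bin/sh
# Added example, not AirVPN code. Sends traffic for the VPN endpoint through a
# chosen interface via a dedicated routing table, for use from PostUp/PostDown.
ENDPOINT="${ENDPOINT:-203.0.113.10}"  # constructed placeholder; thread elides the real IP
GATEWAY="${GATEWAY:-192.168.1.254}"   # gateway shown in the thread's log
DEV="${DEV:-end0}"                    # wired interface named in the thread
TABLE="${TABLE:-100}"                 # assumed free routing table id
PRIO="${PRIO:-100}"                   # assumed rule priority, ahead of "main" (32766)

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
}

# Print the ip(8) commands for "up" or "down", one per line.
policy_cmds() {
    is_ipv4 "$ENDPOINT" && is_ipv4 "$GATEWAY" || { echo "bad IPv4 address" >&2; return 1; }
    case $DEV in ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1 ;; esac
    case $1 in
        up)
            # The table holds a single default route out of the wired interface.
            echo "ip route replace default via $GATEWAY dev $DEV table $TABLE"
            # Only packets addressed to the endpoint consult that table.
            echo "ip rule add to $ENDPOINT/32 lookup $TABLE priority $PRIO" ;;
        down)
            echo "ip rule del to $ENDPOINT/32 lookup $TABLE priority $PRIO"
            echo "ip route flush table $TABLE" ;;
        *)  echo "usage: $0 up|down" >&2; return 2 ;;
    esac
}

# Dry run by default; APPLY=1 (as root) executes each command.
run_policy() {
    cmds=$(policy_cmds "$1") || return
    echo "$cmds" | while read -r line; do
        if [ "${APPLY:-0}" = 1 ]; then $line || exit 1
        else echo "would run: $line"; fi
    done
}

case "${1:-}" in up|down) run_policy "$1" ;; esac
```

Because the rule's priority is lower than that of the main table, it is consulted first, so the endpoint route that Bluetit adds via wlan0 in the main table no longer decides the path. After applying, `ip route get` for the endpoint address should report dev end0.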