man/systemd.netdev: clarify the wireguard AllowedIPs= setting

`AllowedIPs=` only affects "routing inside the network interface itself", as in, which wireguard peer packets with a specific destination address are sent to, and what source addresses are accepted from which peer. To cause packets to be sent via wireguard in first place, a route via that interface needs to be added - either in the `[Routes]` section on the `.network` matching the wireguard interface, or outside of networkd. This is a common cause of misunderstanding, because tools like wg-quick also add routes to the interface. However, those tools are meant as a "extremely simple script for easily bringing up a WireGuard interface, suitable for a few common use cases (from their manpage). Networkd also should support other usecases - like setting AllowedIPs to 0.0.0.0/0 and ::/0 and having a dynamic routing protocol setting more specific routes (or the user manually setting them). Reported-In: https://github.com/systemd/systemd/issues/14176
2020-12-20 18:24:05 +01:00 · 2020-12-20 18:24:05 +01:00 · c6b90e5c5e
parent 94d982bb6a
commit c6b90e5c5e
1 changed files with 10 additions and 3 deletions
--- a/man/systemd.netdev.xml
+++ b/man/systemd.netdev.xml
@ -1629,9 +1629,16 @@
        <listitem>
          <para>Sets a comma-separated list of IP (v4 or v6) addresses with CIDR masks
          from which this peer is allowed to send incoming traffic and to
-          which outgoing traffic for this peer is directed. The catch-all
-          0.0.0.0/0 may be specified for matching all IPv4 addresses, and
-          ::/0 may be specified for matching all IPv6 addresses. </para>
+          which outgoing traffic for this peer is directed.</para>
+          <para>The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses,
+          and ::/0 may be specified for matching all IPv6 addresses.</para>
+          <para>Note that this only affects "routing inside the network interface itself",
+          as in, which wireguard peer packets with a specific destination address are sent to,
+          and what source addresses are accepted from which peer.</para>
+          <para>To cause packets to be sent via wireguard in first place, a route needs
+          to be added, as well - either in the <literal>[Routes]</literal> section on the
+          <literal>.network</literal> matching the wireguard interface, or outside of networkd.
+          </para>
        </listitem>
      </varlistentry>
      <varlistentry>