Summary
WireGuard for Windows enables restrictive firewall rules (the "kill-switch") when AllowedIPs contains /0 routes. This interferes with WSL2's virtualized network stack, breaking connectivity. Add an option to generate configs that avoid triggering the kill-switch while maintaining full traffic routing.
Background
When a WireGuard peer has AllowedIPs = 0.0.0.0/0 or ::/0, the Windows client adds firewall rules that:
- Restrict DNS queries to configured servers only
- Block traffic that doesn't match expected patterns
- Can interfere with WSL2's virtual network adapter
This is documented in the official WireGuard Windows netquirk.md.
The Workaround
Per WireGuard's documentation, using split routes achieves the same routing coverage without triggering the kill-switch:
| Current | Windows-Compatible |
| --- | --- |
| 0.0.0.0/0 | 0.0.0.0/1, 128.0.0.0/1 |
| ::/0 | ::/1, 8000::/1 |
These split routes cover the entire address space but don't activate the firewalling semantics.
Proposed Solution
Add a config option (e.g., windows_compatible_configs: true) that generates WireGuard client configs with split routes instead of /0 routes.
Current (roles/wireguard/templates/client.conf.j2):
AllowedIPs = 0.0.0.0/0,::/0
With option enabled:
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
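A worked version of the proposed option, written here as an added example rather than code from Algo or its client.conf.j2 template. It uses only Python's standard ipaddress module: a /0 route is replaced by its two /1 halves, the result is checked to still cover the whole address family (so the split loses nothing), and a minimal [Interface]/[Peer] block is rendered with the chosen AllowedIPs line. The key, address and endpoint values are constructed placeholders, and windows_compatible_configs is the option name the proposal suggests, not an existing Algo variable.

```python
import ipaddress

# What Algo's client.conf.j2 emits today (from the issue text).
DEFAULT_ALLOWED_IPS = "0.0.0.0/0,::/0"


def parse_allowed_ips(allowed_ips: str):
    """Turn a comma-separated AllowedIPs value into ip_network objects."""
    return [ipaddress.ip_network(s.strip()) for s in allowed_ips.split(",") if s.strip()]


def split_default_route(net):
    """Return the two /1 halves of a /0 route; any other route is kept as-is."""
    if net.prefixlen == 0:
        return list(net.subnets(prefixlen_diff=1))  # 0.0.0.0/1 + 128.0.0.0/1, or ::/1 + 8000::/1
    return [net]


def windows_compatible_allowed_ips(allowed_ips: str, windows_compatible: bool = True) -> str:
    """Render the AllowedIPs value, splitting /0 routes when the option is on."""
    nets = parse_allowed_ips(allowed_ips)
    if windows_compatible:
        nets = [half for n in nets for half in split_default_route(n)]
    return ", ".join(str(n) for n in nets)


def triggers_kill_switch(allowed_ips: str) -> bool:
    """True if any route is a literal /0, which is what the Windows client keys on."""
    return any(n.prefixlen == 0 for n in parse_allowed_ips(allowed_ips))


def covers_entire_space(allowed_ips: str) -> bool:
    """Check that, per address family, the routes still collapse to the whole /0."""
    nets = parse_allowed_ips(allowed_ips)
    for version, whole in ((4, "0.0.0.0/0"), (6, "::/0")):
        family = [n for n in nets if n.version == version]
        if list(ipaddress.collapse_addresses(family)) != [ipaddress.ip_network(whole)]:
            return False
    return True


def render_client_conf(private_key: str, address: str, peer_public_key: str,
                       endpoint: str, windows_compatible_configs: bool) -> str:
    """Minimal client config with the AllowedIPs line chosen by the option (hypothetical helper)."""
    allowed = windows_compatible_allowed_ips(DEFAULT_ALLOWED_IPS, windows_compatible_configs)
    return (
        "[Interface]\n"
        f"PrivateKey = {private_key}\n"
        f"Address = {address}\n"
        "\n"
        "[Peer]\n"
        f"PublicKey = {peer_public_key}\n"
        f"AllowedIPs = {allowed}\n"
        f"Endpoint = {endpoint}\n"
    )


if __name__ == "__main__":
    for flag in (False, True):
        print(f"# windows_compatible_configs: {flag}")
        # Constructed placeholder values; not real keys or hosts.
        print(render_client_conf("<client-private-key>", "10.49.0.2/32,fd9d:bc11:4020::2/128",
                                 "<server-public-key>", "vpn.example.invalid:51820", flag))
```

Running it prints both variants; with the option off the [Peer] block carries 0.0.0.0/0, ::/0 (and triggers_kill_switch returns True for it), with it on the block carries 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1, for which triggers_kill_switch is False while covers_entire_space is still True. Routes other than /0 (a split-tunnel 10.0.0.0/8, say) pass through untouched in both modes.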
Alternatives Considered
- Change default for everyone: The split routes are functionally equivalent, but this is a behavioral change that could have unexpected effects on other platforms
- Documentation only: Users can manually edit configs, but this defeats Algo's ease-of-use goal
- Generate separate Windows configs: More complex, creates maintenance burden
Related
::/128 instead of ::/1, 8000::/1)