I have some problems getting VyOS to select the best route. For net 10.2.11.0/24 I have a route that gets pushed by the OpenVPN server (I have no control over that server) and a WireGuard tunnel with a corresponding static route.
It chooses the kernel route (by OpenVPN) instead of the static route. How do I get it to use the static route via wireguard?
Any help is appreciated.
$ sh ip ro
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
S>* 0.0.0.0/0 [210/0] via 10.12.4.1, eth0, weight 1, 00:11:39
K>* 10.0.0.0/16 [0/50] via 100.96.2.97, vtun1, 00:04:57
K>* 10.1.0.0/16 [0/50] via 100.96.2.97, vtun1, 00:04:57
K>* 10.2.11.0/24 [0/50] via 100.96.2.97, vtun1, 00:04:57
S 10.2.11.0/24 [1/0] is directly connected, wg1, weight 1, 00:11:36
In the routing table you will see [0/50] and [1/0] after your route. The first number is called the administrative distance (AD). The lower the AD, the more trustworthy the route source is supposed to be. Since OpenVPN is setting kernel routes, it is going to be zero. Your static route can change the AD, but you can’t set a value outside of 1-255.
The second number is the metric. This is where you’d usually find a cost analysis between multiple paths to determine the best path within a given routing protocol (static, RIP, OSPF, BGP, EIGRP, ISIS, etc).
You might be able to use some combination of the OpenVPN option pull-filter to suppress that specific route, and re-add it as a static route with an AD higher than the AD of the WireGuard route.
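One way to turn that suggestion into VyOS configuration, as an added example that is not part of the original answer. It assumes VyOS 1.3-or-later configure-mode syntax (`openvpn-option` under the interface, `protocols static route ... interface ... distance`), that the OpenVPN interface is vtun1 and the WireGuard interface is wg1 as in the routing table above, and that the pushed route should survive as a floating backup; the distance value 20 is an assumed choice. The point is that a static route can never go below distance 1, so the AD-0 kernel route always wins unless the client stops installing it.

```vyos
# Added example (not from the original thread). Assumes VyOS 1.3+ syntax.
configure

# 1. Stop the OpenVPN client from installing the pushed route. pull-filter
#    does a prefix match on the pushed option text, so the mask form that
#    OpenVPN pushes ("route <net> <mask>") is what it is compared against.
set interfaces openvpn vtun1 openvpn-option 'pull-filter ignore "route 10.2.11.0 255.255.255.0"'

# 2. Preferred path: static interface route via wg1 at distance 1 (the
#    default for static routes). With the kernel route gone this is the
#    lowest AD left for 10.2.11.0/24 and becomes the selected route.
set protocols static route 10.2.11.0/24 interface wg1 distance 1

# 3. Optional floating static via the OpenVPN tunnel with a higher AD
#    (20 is an assumed value) so traffic fails over to vtun1 if wg1 drops.
set protocols static route 10.2.11.0/24 interface vtun1 distance 20

commit
save
exit

# Verify from operational mode: the wg1 static route should now carry the
# '>*' (selected, in FIB) marker and no K route for the prefix should remain.
show ip route 10.2.11.0/24
```

Committing the `openvpn-option` change restarts the vtun1 client, so the pushed route disappears only after the tunnel has reconnected; check `show ip route` again after that. If the server pushes the route in a slightly different form, compare against the exact option text in the OpenVPN log before adjusting the filter string.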