Use regular default route for the tunnel interface on Windows instead of /1 routes

dlon · dlon · commit e914a36e657b · 2025-03-13T17:54:18.000+01:00
This is done for two reasons:

1. This mitigates an issue in our fork of wireguard-nt, which intentionally allows routes
back to the tunnel interface. The fork explicitly disallows this only for routes with a prefix 0,
which means that the /1 routes are not exempted. This can result in an infinite routing loop if
the non-tunnel route to the relay is removed (e.g., if the default interface or its routes
disappear).

2. This simplifies the code and routes. The /1 routes are unnecessary since we're
setting metric on the default route to lowest value anyway, so the OS should always
prefer the tunnel default route. Even when it doesn't, the firewall will prevent
leaks.
diff --git a/talpid-wireguard/src/lib.rs b/talpid-wireguard/src/lib.rs
@@ -746,9 +746,7 @@ impl WireguardMonitor {
         #[cfg(target_os = "android")] cancel_receiver: connectivity::CancelReceiver,
     ) -> Result<WgGoTunnel> {
         #[cfg(all(unix, not(target_os = "android")))]
-        let routes = config
-            .get_tunnel_destinations()
-            .flat_map(Self::replace_default_prefixes);
+        let routes = config.get_tunnel_destinations();
 
         #[cfg(all(unix, not(target_os = "android")))]
         let tunnel = WgGoTunnel::start_tunnel(config, log_path, tun_provider, routes)
@@ -925,7 +923,6 @@ impl WireguardMonitor {
         let iter = config
             .get_tunnel_destinations()
             .filter(|allowed_ip| allowed_ip.prefix() == 0)
-            .flat_map(Self::replace_default_prefixes)
             .map(move |allowed_ip| {
                 if allowed_ip.is_ipv4() {
                     RequiredRoute::new(allowed_ip, node_v4.clone())
@@ -965,24 +962,6 @@ impl WireguardMonitor {
         }
     }
 
-    /// Replace default (0-prefix) routes with more specific routes.
-    #[cfg(not(target_os = "android"))]
-    fn replace_default_prefixes(network: ipnetwork::IpNetwork) -> Vec<ipnetwork::IpNetwork> {
-        #[cfg(windows)]
-        if network.prefix() == 0 {
-            if network.is_ipv4() {
-                vec!["0.0.0.0/1".parse().unwrap(), "128.0.0.0/1".parse().unwrap()]
-            } else {
-                vec!["8000::/1".parse().unwrap(), "::/1".parse().unwrap()]
-            }
-        } else {
-            vec![network]
-        }
-
-        #[cfg(not(windows))]
-        vec![network]
-    }
-
     fn tunnel_metadata(interface_name: &str, config: &Config) -> TunnelMetadata {
         TunnelMetadata {
             interface: interface_name.to_string(),
