Re: mesh VPN with wireguard?

From: Roman Mamedov <rm@romanrm.net>
To: Tomasz Chmielewski <mangoo@wpkg.org>
Cc: wireguard@lists.zx2c4.com
Subject: Re: mesh VPN with wireguard?
Date: Sat, 6 Apr 2019 18:01:55 +0500	[thread overview]
Message-ID: <20190406180155.674f40bb@natsu> (raw)
In-Reply-To: <bf1d3b6ac8dc6a31c82042b363db3bf3@wpkg.org>

On Thu, 28 Mar 2019 23:22:45 +0900
Tomasz Chmielewski <mangoo@wpkg.org> wrote:

> Does Wireguard allow to set up mesh VPN with "relative ease"?
> 
> Say, we have 10 servers with public IPs, we want them all to create a 
> VPN network with private subnet 10.11.12.0/24, and have all 10 servers 
> communicate directly with each other.
> Then a year later, expand it to 100 servers.

Sure.

But note that in this case unlike Tinc you cannot have some servers exit to
the outside world via some other servers (with AllowedIP 0.0.0.0/0). There has
to be just one such exit point per a WG network.

If it's purely for communication between servers, then of course no issue.

> Something in the line of: https://www.tinc-vpn.org/

Another limitation compared to Tinc is that Tinc will autoheal the partially
disconnected mesh and will have some nodes forwarding for the others, in case
direct communication between some of them gets cut (e.g. due to a peering or
routing issue on the underlying Internet -- this saved me a few times).

WG will do no such thing, and node-to-node communication working will depend
on both nodes always having direct connectivity to each other.

-- 
With respect,
Roman
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard