From: Raffaele Spazzoli <rspazzol@redhat.com>
To: "Ivan Labáth" <labawi-wg@matrix-dream.net>
Cc: wireguard@lists.zx2c4.com
Subject: Re: what to do when the peers use different IPs to transmit and receive
Date: Sun, 16 Sep 2018 14:56:04 -0400 [thread overview]
Message-ID: <CACOeLqLN5vc7O9_VwGhipycVE5Yi+phDKKwf2U4VPzZM00KeMw@mail.gmail.com> (raw)
In-Reply-To: <20180916165458.GA31165@matrix-dream.net>
I'll try to make an example
cluster 1 node 1 has private IP1 and VIP1
cluster 2 node 2 has private IP2 and VIP2
each node uses its private IP for outbound connections.
each node can receive inbound connection on its VIP.
so the wireguard config file for node1 is going to look like:
[peer]
endpoint: VIP2:port
and for node 2:
[peer]
endpoint: VIP1:port
the problem is that after the handshake, wireguard updates the config to
the following (for example for node2):
[peer]
endpoint: IP1:port
but IP2 cannot route to IP1...
I think a well configured SNAT rule may work, although it is not elegant
because it forces the clusters to exchange information about their private
IPs.
This should not be needed, and in the cloud private IPs are ephemeral.
anyway thanks for the advice, I am going to try to use it in my prototype.
I still think there is need for a better technical approach for a long term
solution.
Thanks,
Raffaele
Raffaele Spazzoli
Senior Architect - OpenShift <https://www.openshift.com>, Containers
and PaaS Practice <https://www.redhat.com/en/services/consulting/paas>
Tel: +1 216-258-7717
On Sun, Sep 16, 2018 at 12:54 PM, Ivan Labáth <labawi-wg@matrix-dream.net>
wrote:
> Hi,
>
> On Sun, Sep 16, 2018 at 08:21:02AM -0400, Raffaele Spazzoli wrote:
> > ... then the IP that a node uses for its outbound
> > connection is not the same that its peer need to use for its inbound
> > connections.
>
> Who uses what for whose connection? You lost me here.
> Looks like a broken network to me. Does TCP even work?
>
> Anyway, SNAT/DNAT should be able to fix things up, if you want to go
> that route.
>
> Regards,
> Ivan
>
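The drift Raffaele describes (a peer's endpoint silently moving from the configured VIP to the private source address of the last authenticated packet) is easy to miss in an operational cluster. The following is an added illustration, not code from the original thread or from the WireGuard project: it parses the tab-separated output format of `wg show <iface> dump` (interface line first, then one line per peer with public key, preshared key, endpoint, allowed-ips, latest-handshake, transfer-rx, transfer-tx, persistent-keepalive), compares each peer's live endpoint host against the VIP it was configured with, and emits the `wg set ... endpoint` command that would point it back. The sample dump, the key placeholders and all addresses (VIP1 = 203.0.113.10, IP1 = 10.0.1.10) are constructed for the example.

```python
"""Detect WireGuard peer endpoints that have roamed away from the configured VIP.

Added illustration for the thread above; not code from the WireGuard project.
Input is in the format of `wg show <iface> dump`: a first line describing the
interface itself, then one tab-separated line per peer:
public_key, preshared_key, endpoint, allowed_ips, latest_handshake,
transfer_rx, transfer_tx, persistent_keepalive.
The sample dump and every address/key below are constructed for the example.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of what node2 might see after node1's handshake arrived
# from its private IP (IP1 = 10.0.1.10) instead of the configured VIP1
# (203.0.113.10). PUBKEY_* are placeholders, not real WireGuard keys.
SAMPLE_DUMP = "\n".join([
    "(none)\tPUBKEY_NODE2\t51820\toff",
    "PUBKEY_NODE1\t(none)\t10.0.1.10:51820\t10.200.1.0/24\t1537120000\t1234\t5678\t25",
    "PUBKEY_NODE3\t(none)\t203.0.113.30:51820\t10.200.3.0/24\t1537120100\t10\t20\t25",
])

# Endpoints as written in the [Peer] sections of node2's config (the VIPs).
CONFIGURED_ENDPOINTS = {
    "PUBKEY_NODE1": "203.0.113.10:51820",
    "PUBKEY_NODE3": "203.0.113.30:51820",
}


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port' (IPv4) or '[host]:port' (IPv6) into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


@dataclass
class Drift:
    public_key: str
    configured: str
    observed: str

    def repin_command(self, iface: str) -> str:
        """The `wg set` invocation that points the peer back at its VIP."""
        return f"wg set {iface} peer {self.public_key} endpoint {self.configured}"


def parse_peers(dump: str) -> Dict[str, Optional[str]]:
    """Map peer public key -> live endpoint; '(none)' (never seen) becomes None."""
    peers: Dict[str, Optional[str]] = {}
    for line in dump.splitlines()[1:]:  # line 0 describes the interface itself
        fields = line.split("\t")
        if len(fields) < 8:
            continue  # not a peer line
        endpoint = fields[2]
        peers[fields[0]] = None if endpoint == "(none)" else endpoint
    return peers


def find_drifted_peers(dump: str, configured: Dict[str, str]) -> List[Drift]:
    """Peers whose live endpoint host differs from the configured one.

    Only the host is compared: a remote may legitimately roam ports behind
    NAT, but a changed host here means WireGuard learned a source address
    (such as a cloud private IP) that this side cannot route back to.
    """
    drifted: List[Drift] = []
    for pubkey, observed in parse_peers(dump).items():
        want = configured.get(pubkey)
        if want is None or observed is None:
            continue  # unknown peer, or no handshake yet
        if split_endpoint(observed)[0] != split_endpoint(want)[0]:
            drifted.append(Drift(pubkey, want, observed))
    return drifted


if __name__ == "__main__":
    for d in find_drifted_peers(SAMPLE_DUMP, CONFIGURED_ENDPOINTS):
        print(f"{d.public_key}: configured {d.configured}, now {d.observed}")
        print("  fix:", d.repin_command("wg0"))
```

Re-pinning with `wg set` only helps until the next authenticated packet arrives from the private address, because WireGuard updates the endpoint on every such packet; on its own it is a detection aid, not a fix. It is the SNAT approach Ivan suggests (making node1's outbound WireGuard traffic leave with VIP1 as its source) that stops the drift from happening in the first place.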
Thread overview: 7+ messages
2018-09-16 12:21 what to do when the peers use different IPs to transmit and receive Raffaele Spazzoli
2018-09-16 16:54 ` Ivan Labáth
2018-09-16 18:56 ` Raffaele Spazzoli [this message]
2018-09-16 23:08 ` Raffaele Spazzoli
2018-09-17 9:16 ` Ivan Labáth
2018-09-17 11:10 ` Raffaele Spazzoli
2018-09-25 21:16 ` Ivan Labáth